This data protection and privacy statement is aimed at all persons who visit this website.

The controller for the processing described herein is: Lufthansa Innovation Hub GmbH, Brunnenstrasse 19-21, 10119 Berlin, Germany, represented by its managing director Christine Wang. E: welcome@lh-innovationhub.com.

The Group Data Protection Officer – FRA CJ/D can be reached as follows: datenschutz@dlh.de, Deutsche Lufthansa AG, Airportring – LAC, 60546 Frankfurt, Germany.

(1) Data subjects have the following rights with regard to the data stored concerning them personally: the right of access to information, the right to rectification of inaccurate data, the right to erasure of data for which there is no longer any reason for storage, and the rights to restriction of processing and to data portability. Moreover, they have the right to lodge a complaint with the supervisory authority with jurisdiction over the controller.

(2) Where the processing is based on consent granted by the data subjects, the data subjects are permitted to withdraw that consent at any time, with effect for the future. This can be done, for example, by sending a message via any of the contact channels mentioned above (controller), with no particular form required.

(3) Where the processing is based on fulfilment of a legitimate interest, meaning on point (f) of Article 6(1) of the EU General Data Protection Regulation (GDPR), the data subjects are permitted to object to the processing at any time. This can be done, for example, by sending a message via any of the contact channels mentioned above (controller), with no particular form required. If the objection is justified, the processing will be discontinued. Where the legitimate interest lies in direct marketing, an objection is always deemed to be justified.

If you think that processing of personal data concerning you and carried out by us is unlawful or impermissible, you have the right to file a complaint with the supervisory authority responsible for us. You can contact this authority at:

Berliner Beauftragte für Datenschutz und Informationsfreiheit

Friedrichstr. 219, 10969 Berlin

Tel.: +49 30 13889-0, Fax: +49 30 2155050, E: mailbox@datenschutz-berlin.de

If you have given us permission to process your personal data, we hereby inform you that you can revoke this permission at any time. To exercise your rights, you can contact us by e-mail at datenschutz@lh-innovationhub.com.

(1) Where personal data are transferred to bodies outside the European Union, the controller is obligated to communicate additional safeguards pursuant to Articles 44 et seqq. GDPR.

(2) Where the controller invokes what is known as an adequacy decision in the data protection and privacy statement that follows, this means the recipient is located in a country, territory, or specified sector that the European Commission has decided offers an adequate level of data protection. In these cases, the guarantee follows from Article 45 GDPR.

(3) Where the controller invokes what are known as the EU standard contractual clauses in the data protection and privacy statement that follows, this means that the recipient has undertaken a contractual commitment to observe the EU data protection principles on the basis of what are known as the EU standard contractual clauses. In these cases, the guarantee follows from Article 45 GDPR.

(4) Where the controller invokes what are known as binding corporate rules in the data protection and privacy statement that follows, this means the competent supervisory authority has approved the transfer. In these cases, the guarantee follows from Article 47 GDPR.

(5) Where, in the data protection and privacy statement that follows, the controller invokes the fact that the data subjects have expressly consented to the transfer of their data to a country outside the European Union, this means that they are aware of all of the associated risks and consent to the transfer nevertheless. In these cases, the guarantee follows from point (a) of Article 49 (1) GDPR. In this context, please note the following risks: There are no codified provisions of law on data protection and privacy that are comparable to the GDPR in the United States, the Republic of India, or the Russian Federation. The authorities there have given themselves extensive access to data, and the principle of proportionality stipulated in the EU does not apply. Moreover, these countries do not provide any effective legal protections for EU citizens.

(6) The foregoing information is provided by way of precaution only. It applies only if and insofar as the data protection and privacy statement that follows makes reference thereto.

(1) No automated decision making, including profiling, takes place.

(2) There is no legal obligation of processing except where point (c) of Article 6(1) GDPR is referenced below.

Unless otherwise indicated in this section (“Processing operations in conjunction with contracts”), the purpose of all processing operations described in this section is to establish, perform, and/or terminate contracts. The legal basis is as follows in the following cases:

a. for contracts that are not employment contracts, point (b) of Article 6(1) GDPR.

b. for employment contracts, Article 88 GDPR in conjunction with Sec. 26 (1) of the 2018 version of the German Federal Data Protection Act (BDSG 2018).

(1) Personal data whose processing is described in this section are processed for as long as they are needed in order to establish, perform, and/or terminate contracts. A longer period of storage that is independent of achieving the purpose described in the first sentence above may arise from paragraphs (2) through (5).

(2) The personal data are stored for three years, with this period commencing on December 31 of the calendar year in which the data have been collected. Notwithstanding the information above (processing operations in conjunction with contracts / purpose and legal basis), this processing serves the controller’s legitimate interest in defending itself against claims arising out of the contractual relationship within the regular limitation period. Therefore, the legal basis is point (f) of Article 6(1) GDPR by way of exception.

In brief: The data subject as employee of the Lufthansa Group has the possibility to visit this website. A login is necessary to verify the employment status. Necessary data are processed for verification purposes.

Processing in detail: The controller processes the data subject’s data to verify the relation to the Lufthansa Group. After first login by the data subject with his eBase credentials, the controller uses this data to create a profile on the website. This is necessary to use some of the functionalities on the website (e.g. Favorites). The verification of the data takes place with every new login by the data subject.

Data that are processed: The controller processes the data (email and name) which are entered for the data subject in the central directory.

Additional information concerning the legal basis: Processing of data follows Art. 6 lit.b GDPR as a contractual situation is given.

In brief: Technical cookies are necessary to use the website. No further cookies are used.

Processing in detail: Technical cookies are necessary for the data subject to access this website. This are text documents that are saved on the device of the data subject in order to verify the data subject.

Data that are processed: Technically necessary data for the identification of the user during a session.

Unless this section (“Processing operations with the consent of data subjects”) indicates otherwise, the processing operations are based solely on the consent of the data subjects. The relevant purpose is mentioned in the individual description of the processing. The legal basis is as follows in the following cases:

a. for data subjects that are not employees of the controllers, point (a) of Article 6(1) GDPR.

b. for employees of the controllers, Article 88 GDPR in conjunction with Sec. 26 (2) BDSG.

(1) Personal data whose processing is described in this section are processed until the relevant consent has been withdrawn.

(2) Notwithstanding paragraph (1) above, the controller retains the data showing that consent has been granted for three years, with this period commencing on December 31 of the calendar year in which the consent is withdrawn. Notwithstanding the information above (processing operations with the consent of data subjects / purpose and legal basis), this processing serves to fulfill the legal obligation to be able to prove that consent has been granted. The legal basis is point (c) of Article 6(1) GDPR in conjunction with Article 7(1) GDPR by way of exception in these cases. This obligation ceases to apply three years after the consent is withdrawn, and in any event no later than the expiration of the limitation period.

In brief: The data subject have the possibility to create a voluntary expert profile on the website. The data subject enters the necessary data for that expert profile to be listed on the website.

Processing in detail: If proactively selected, The controller processes the entered data by the data subject to create an expert profile and list it to the website and its audience. The data subject can create an expert profile without it being listed to the website and other users. The data subject must proactively choose to have its expert profile listed. A withdrawal from this listing is possible at any time.

Data that are processed: The controller processes the data that the data subject enters on a voluntary basis for this expert profile. This includes:

Also, the controller collects data in order to demonstrate that consent has been granted (opt-in status data) and, where applicable, data concerning withdrawal of consent.

In brief: The data subjects have the possibility to suggest resources to be published on the website. The contact data (name, email) of the data subject are processed for the creation of the resource.

Processing in detail: The controller processes the contact data (name, email) in order to be able to contact the data subject in case of questions to the suggested resource.

Data that are processed: The controller processes the contact data (name, email) from the data object’s profile. Also, the controller collects data in order to demonstrate that consent has been granted (opt-in status data).

In brief: Data subjects can order email content on this website. To this end, the contact details required for this are collected and used to deliver the content.

Processing and third-party providers in detail: The controller may process the data of data subjects in order to send them useful marketing information via email. This relates to an electronic circular published at regular and/or irregular intervals. At the start, the subjects provide the controller with those data that the controller requests in order to sign up. After the double opt-in procedure is carried out, the controller uses these data to conduct marketing outreach to data subjects via these emails. The data subject has the possibility to withdraw their consent at any time under the section “My account”.

Data that are processed: The controller processes the data that data subjects voluntarily disclose to the controller for this purpose (typically email and name), along with the data that the controller needs in order to demonstrate that consent has been granted (opt-in status data) and, where applicable, data concerning withdrawal of consent.

Additional information concerning consent as a legal basis: To obtain consent, the controller uses what is known as the “double opt-in” procedure. This means that after data subjects sign up, the controller sends them an email at the email address provided, asking them to confirm their consent. If they do not confirm that they have signed up within 30 days, their information is blocked and then automatically erased after one month. Beyond that, the controller stores the IP addresses they have used in each case, along with the times of the sign-up and confirmation. The purpose of this procedure is to prove that they have signed up and be able to investigate any possible misuse of their personal data. The legal basis of this processing is point (c) of Article 6(1) GDPR. According to this provision, this controller is permitted to process the data of data subjects if this is necessary to fulfill a legal obligation to which the controller is subject. The legal obligation follows from Article 7(1) or 5(1) GDPR. According to these provisions, this controller is legally obligated to document obtaining consent. This is possible only if the controller collects the data of data subjects for this for evidentiary purposes.

Third-party provider: The automation tool MailChimp from Rocket Science Group LLC (USA) is used. For further details on the nature and manner of processing by this third-party provider, please consult the following links: https://mailchimp.com/marketing-platform/ and https://mailchimp.com/features/email/. The fact that the provider is based outside the European Union does not conflict with the processing. This is because the processing of the personal data takes place only if the data subjects consent to the associated transfer of data to the United States (see point (a) of Article 49(1) GDPR). In this regard, the risk information mentioned above (basic information / transfers to countries outside the European Union) is the operative factor.

Unless otherwise indicated in this section (“Processing operations with a legitimate interest”), the processing operations are based solely on a legitimate interest on the part of the controller or a third party. The relevant purpose is mentioned in the individual description of the processing. In these cases, the legal basis is point (f) of Article 6(1) GDPR.

Personal data whose processing is described in this section are processed until the legitimate interest no longer exists or the data subjects have legitimately objected thereto, whichever comes first.

In brief: If and when data subjects assert rights toward this controller (such as requests for access to information), the controller processes the communication data associated with this in order to handle this in the interest of data subjects and to be able to defend itself, where applicable, against civil-law claims and accusations that carry fines or criminal penalties.

Processing in detail: If and when the data subjects assert claims of any kind against this controller, the data are processed as follows:

The legitimate interest in the case of sections 1 through 3 above follows from the interest of data subjects in their claims being processed and the controller’s interest in avoiding claims and sanctions. The legitimate interest in the case of section 4 above follows from the controller’s need to be able to defend itself later on against civil-law claims and accusations that carry fines or criminal penalties. This interest in storage pursuant to section 4 terminates when the limitation period pursuant to Sec. 193 and/or 195 of the German Civil Code (BGB) ceases to apply.

Data that are processed: Name, contact details, and communication content.

Additional information concerning the legal basis: Processing pursuant to sections 1 through 3 is, additionally, also justified by point (c) of Article 6(1) GDPR, as the controller is obligated to review data subjects’ requests.