You can access our website without providing any personal data (such as your name, postal address or your email address) directly. Nevertheless, even in this case we need to collect and store certain information to enable you to access our website. We also use certain analysis procedures on our website and we have integrated functionalities that are provided by third-party providers. In addition, some of the features we offer you on our website require us to collect personal data.
We collect and process personal data as follows:
Hosting and log files: When you visit this website, our web server automatically stores data and information from the end device and browser you use. In this context, we process information regarding the browser type and version, the operating system, the internet access provider, the IP address of your end device, the date and time of access, the website from which your access originates, and the pages you visit on our website. We process this technical information in the log files of our systems and do not combine it with other personal data concerning you. We process the technical information to enable you to access our website and to ensure the functionality of our website and the security of our IT systems.
We use the following hosting service to provide our website: Eurowings Aviation GmbH (“Eurowings Aviation”), Waldstr. 249, 51147 Cologne, Germany. This hosting service is the recipient of your personal data and acts as our processor. The server is located in Germany. The legal basis for the processing is Article 6(1)(f) GDPR. This processing of your data is justified as the result of a weighing of interests is in our favour. Eurowings has a legitimate interest in ensuring the technical functionality of the website and the services offered on it, and in protecting the website against attacks, which is something you benefit from as well.
Cookies and tracking: We have compiled information on the cookies and tracking software we use, as well as their purposes and legal basis (or bases), in our separate Cookie/Tracking Information.
Booking data: We process the personal data required for processing your flight reservation, in particular your first and last name, your billing address and email address, as well as information on your chosen method of payment and, as applicable, passport/visa information. You may voluntarily provide additional information (e.g. your mobile telephone number). In some cases we also process information concerning your health, for example information related to special medical needs during the flight (e.g. use of a wheelchair). The required information is marked as such on our website. If you do not provide this information, you cannot complete the booking process. We process this data to perform our contractual obligations in accordance with Article 6(1)(b) GDPR. These obligations include the following, without limitation:
Issuing flight documents and related notifications based on our legal obligation
Sending booking confirmations
Managing the check-in process
Providing the flight-related services you booked and provide flight-related information (e.g. e-journals or luggage service)
Collection and processing of personal data for the purpose of lounge management
Collecting and transmitting contact data that is requested by the local authorities on the basis of compulsory legal regulations and is therefore required to perform the contract of carriage
Passenger rights, accidents and loss of baggage: We process your personal data to grant passenger rights (e.g. in the event of flight delays), in connection with accidents or incidents involving your baggage or in other cases on the basis of our legal obligations. The legal basis for processing is Article 6(1)(c) GDPR. This includes in particular
Collection of booking-related data to grant passenger rights in the event of flight delays, flight cancellations and non-granting of transport due to flight overbooking or aircraft changes in accordance with EU Regulation 261/2004
Collection of health-related data to grant the rights of passengers with disabilities or reduced mobility in accordance with EU Regulation 1107/2006
Collection of baggage-related data in connection with lost or damaged baggage or accidents in accordance with EU Regulation 889/2002, which supplements Council Regulation (EC) No 2027/97
Collection of data in connection with the transport of animals in accordance with EU Regulation 1/2005
Direct mailing to existing customers: We use your email address for sending advertising and flight-related information and offers by email. This includes check-in reminders, offering you extra services for your flight (seating, travelling with an item of baggage, catering, more leg room), and for carrying out surveys related to offered services. We process your data only in the event that we have received your email address from you in connection with the sale of a product or service; when you have not refused consent to the use of your email address, and when we have clearly notified you of your right to revoke your consent to its use by us at the time we received it and each time it is used. Your address is used solely for the direct marketing of our products or similar services. The legal basis for this is our legitimate interest in accordance with Article 6(1)(f) GDPR as well as Paragraph 7(3) UWG (Unfair Competition Act). Our legitimate interest prevails because our customers presumably wish to be informed about their booked flight and other similar products and services. We store your data for the period necessary for providing flight-related emails. To this end, we share your personal data with our service providers, with whom we have entered into relevant data processing agreements.
Disclosure of data to public authorities: An increasing number of destination countries (in the future possibly also EU Member States) require us, as an airline, to transmit passenger data upon entering or leaving a country, in some cases even when just flying over the relevant country (API data (“Advanced Passenger Information”), PNR data). The relevant legal regulations usually include the transmission of data concerning the identity and travel documents (passport, visa) of the passengers and crew members that were taken on board the plane. We do not collect all of this data right away when a flight is booked; in many cases, such data is collected shortly before departure, where applicable using the “machine readable zone” of travel documents that were issued more recently. In addition, Eurowings has a duty to disclose your personal data to domestic and foreign law enforcement, judicial or administrative authorities where they need such data to prevent or prosecute criminal or administrative offences or to perform their administrative obligations. We only process such data to transmit it to the authorities of the relevant destination country in compliance with our legal obligations; the legal basis is Article 6(1)(c) GDPR.
Contact persons: Applying Regulation (EU) 996/2010 on the investigation and prevention of accidents and incidents in civil aviation, we offer each passenger the opportunity to provide the name of a contact person we should contact if the need arises using our call centre. This information is linked to the booking, is only used to comply with the aforementioned Regulation, and is deleted 48 hours after the last flight of the booking. The legal basis for processing this data is Article 6(1)(c) GDPR. You cannot name a contact person without providing your data.
Frequent flyer programmes provided by partners: When you book a flight, you can collect bonus points/miles that are offered by frequent flyer programmes provided by our partners. In this context we need your number for the relevant programme (e.g. the Miles & More number). We also request the information that is needed to process your booking. We transmit the programme number you provided, as well as your last name, first name, booking class, route, fare, booking code, seat number and ticket number, to ensure that the bonus points/miles can be credited to you in the relevant programme. The legal basis for this transmission is Article 6(1)(b) GDPR. If your data is not provided, you cannot avail yourself of the benefits of the frequent flyer programme.
Further information on the processing of your personal data in the context of the Miles & More programme is available here.
Services offered by partners: Based on your flight data (departure, date of the return flight, destination), we provide offers for services offered by partners in the areas of car rental, rail travel, hotels and travel insurance to you while you are booking your flight. If you accept such offers, we transmit the necessary data to our partner company. The legal basis is Article 6(1)(b) GDPR. If your data is not provided, you cannot avail yourself of the services offered by our partners.
Registration/myEurowings account: On our website, we offer you the opportunity to register and create a myEurowings account. For this purpose, we will ask you for your first and last name, your mobile telephone number, your email address and a password chosen by you. After you have registered, you can add additional information to your myEurowings account (such as additional information for future bookings, your preferences when booking a flight or payment data) and access additional information, for example on the flights you booked. When you want to access your myEurowings account, we may ask you to enter data that was already collected when you registered (in particular information that is used to identify you). We process the data relating to your myEurowings account to provide this feature to you; the legal basis is Article 6(1)(b) GDPR. We cannot provide your myEurowings account without such personal data.
Registration / EW4Business account: Our website offers you the opportunity to register and create an EW4Business account. We will ask you for your first name and last name, your mobile number, and your email address. Following registration, you may also add further information to your EW4Business account and view details regarding bookings made with this account. When accessing your EW4Business account, we may ask you for information previously collected during registration (particularly for verification purposes). We use your personal data solely for delivering and managing this business customer portal, for communications with you, and, where necessary, for complying with legal obligations. Your data is processed on the basis of art. 6 (1)(b) GDPR for the performance of the contractual relationship. An EW4Business account cannot be made available without personal data relating to the contact partner of the business in question. Your data will be stored for the period necessary for fulfilling the indicated purposes, and will be deleted immediately upon unsubscribing from the EW4Business account. Data processed in connection with a flight booking will be deleted no later than the expiration of the legally prescribed retention period (max 10 years).
Newsletter: If you have signed up for our newsletter, we process your email address and any information you enter into your myEurowings accounts on the basis of your consent in order to send you information tailored to your interests about our services, offers and promotions, credit card and selected partner companies from the travel and transport segments (e.g. flat-rate trips, hotels, car rentals, insurances, events, tours and activities). We also analyse the data created by sending and receiving your emails in an aggregated and anonymised form (delivery rate, opening rate, click rates, conversion rate, cancellation rate, bounce rate, visits, bookings, revenue) for evaluating the success and use of our emails. We also analyse the data create through the receipt and use of these emails (opening time, clicked hyperlinks, downloaded documents) as a basis for sending you more personalised information in future emails, which consider your interests and needs as best as possible. Navigation data (details on flight searches, including departure location and destination, flight date, passenger numbers, etc.), for example, a flight search for a specific route or cancelling a flight booking (abandoned cart, retargeting) on our website is used for personalising the newsletter. We store your data for the period needed to provide this newsletter to you. You are not required to provide personally identifiable information. However, without your email address, we are unable to provide you with our newsletter. We process your data solely for selecting personalised content and for sending the newsletter within the scope of the consent you have given us. For this purpose, we share your personal data with our service providers, with whom we have entered into relevant data processing agreements. The legal basis for this is Article 6(1)(a) GDPR. You may revoke your consent to Eurowings GmbH at any time with effect from that point in time by clicking on the unsubscribe link found in every email.
Personalised customer communication: We would like to make your use of our services as convenient and efficient as possible by personalising the booking process. For this purpose we process information relating to prior bookings and any preferences specified in your profile to immediately show you the options that are relevant to you in the booking process or set respective defaults. This allows you to books flights, change bookings, or purchase additional services more quickly, i.e., without having to look for the offers that are of interest to you among the multitude of the options offered yourself. The legal basis is Article 6(1)(a) GDPR.
Flight recommendations:
When you log in to the myEurowings account on our booking portal, you will first get to the dashboard. We process the information stored in your profile concerning prior bookings to show you the flight that probably is most interesting to you as a recommendation. For example, where you have booked other flights to the same destination airport in the past, we would show you the same or similar connections as a recommendation on the dashboard, so that you can select such connection again without having to look for it among the multitude of suggestions provided. Of course, you can also choose another connection from the alternative options that are still displayed below the recommendation.
Displaying personalised advertising: We process your data to display personalised advertising. The personalisation process uses a variety of target groups (so-called "custom audiences"). These allow us to differentiate them from other target groups (so-called "lookalike audiences"). Our intention here is to avoid displaying irrelevant advertising. Using lookalike audiences, other, similar target groups are defined by drawing on pre-existing custom audiences. A displayed Eurowings ad is of greater interest to one person within a certain lookalike audience than it is to another internet user. This means that this person is more similar to our customers than average internet users, thereby allowing Eurowings to find new customers and manage associated advertising campaigns more effectively. The creation of customer lookalike audiences is carried out within our "customer data platform" (CDP), operated by us. Profiles of Eurowings customers and internet users are created using a hashed version of the customer's email address. Hashing is a form of pseudo-anonymisation to encrypt email addresses. In the event that multiple profiles exhibit similarities, they are grouped into a target group. Grouping is carried out on the basis of similar interests, similar ages, similar purchasing histories, similar web-browsing behaviour, and other factors. The data processed within this scope is deleted after two years.
In order to be able to draw on the benefits of lookalike audiences, as described above, we send a hashed version of customers' email addresses to Meta Ads Server, Google Ads, and Google Display & Video 360 (hereafter referred to as "DV360"). The email addresses are compared by Meta Ads Server, Google Ads, and DV360 to verify whether they are already stored by Meta (e.g. Facebook and Instagram) or by Google (e.g. Google Search Network, Gmail, YouTube, Google Display Network). We also send the definitions of our self-created custom audiences and lookalike audiences to Meta Ads Server, Google Ads, and DV360. If the comparison is successful, meaning that Meta Ads Server, Google Ads and/or DV360 are able to find one of the sent email addresses, a comparison of target groups then follows. Here, Meta Ads Server, Google Ads, DV360 determine which target group the hashed email address has been assigned to, then advertise on the basis of target groups to people from the lookalike audiences within their own networks. Meta Ads Server, Google Ads, and DV360 do not share the data we send to them with third parties or other advertisers, nor do they provide them with access to the data.
More information is available from Meta's privacy policy and Google's privacy policy.
Automated decision-making (including profiling) within the meaning of Art. 22 GDPR does not take place, as the displayed advertising has no legal effect on our customers, nor are our customers significantly affected in a similar fashion. The data processed in this context is deleted after 31 days. The legal basis for the data processing described above is your consent, in accordance with Art. 6(1)(a) GDPR.
Contact us: Among other options, you can contact us using our contact form, by email, social media, or using the form for a review of a compensation claim in accordance with Article 7 of Regulation 261/04. In this context, we collect all data provided by you and store this data to the extent this is necessary to process your request. As applicable, your data will be stored for a longer period of time after your request has been processed for evidentiary purposes. The legal basis is Article 6(1) (b) and (f) GDPR.
Telephone calls: When you contact us by telephone, we process your data to process your request. We only record telephone calls for training purposes and to improve our services with your consent. The legal basis for data processing is either your consent (Article 6(1)(a) GDPR) and/or complying with your request in accordance with Article 6(1)(b) GDPR. In all cases, your data will be processed by our customer service provider with whom we have executed a contract data processing agreement. You are not required to give your consent for the purpose of recording the telephone call. If you do not provide your data that is required for responding to your request, we cannot process your request made by telephone
Web chat: When you use our online chat for support, we only process the data you enter. We process your personal data to provide the chat and its features to you and to provide advice and support to you to establish, perform or terminate actions that are required prior to entering into a contract or under a contract. Providing your name and your email address is voluntary. We only store this data for the duration of the chat consultation. We use software to automatically categorise and respond to chat requests. If you provide feedback regarding your chat to us, we use the anonymised chat history to further improve this software. The legal basis is Article 6(1)(a) GDPR. The legal basis for using the chat histories for internal quality assurance purposes and for troubleshooting is based on legitimate interest (Article 6(1)(f) GDPR). Our legitimate interest consists in providing a secure method to contact us to our customers.
Social media: Eurowings processes image and video recordings to reuse them on our social media channels (e.g. Instagram, Facebook, Twitter, LinkedIn or TikTok) for marketing purposes. To do this, we search the various channels for suitable image or video content and use the public comment function to ask the user for permission to use it. If the user gives their consent for use, their relevant public content will be reused by Eurowings or used for reposting on its own social media channels. The legal basis is Article 6(1)(a) GDPR.
Participation in sweepstakes: When you participate in sweepstakes, we store your contact data and, as applicable, the booking code and the win code to conduct the sweepstakes and contact winners. Processing data to conduct and manage our sweepstakes represents the performance of a contract to which you are a party (Article 6(1)(b) GDPR).
Statistical analyses: As necessary, we may analyse your personal data to evaluate your preferences for the purposes of interest-based marketing, personalised communications and the continuous optimisation of our business processes. This is done to better understand what our customers expect of us, and to be able to offer you communications that are tailored to your needs. In addition, these analyses help us to detect fraud, perform audits, and ensure the security of our website which means that we conduct this processing to protect our legitimate interests; the legal basis is Article 6(1)(f) GDPR.
Processing conducted in the context of data subject rights: Where necessary, we process your data in the context of your assertion of data subject rights in accordance with Chapter 3 of the GDPR (“Rights of the data subject”). In this context we only collect all data provided by you and requested by us (e.g. name, email address, address or a copy of your national identity card) for the purpose of verifying your identity and to enable you to exercise the rights set out in Chapter 3 (e.g. the right of access or erasure). If you do not provide this data to us, we cannot process your request. The storage period that applies in the context of the exercise of data subject rights is three years. The legal basis for processing your data is Article 6(1)(b) GDPR.
Credit worthiness check and fraud prevention: Furthermore, we process your data to verify your credit worthiness and to prevent fraud, such as credit card abuse, identity theft, obtaining special conditions or fares by fraud. To this end, payment and reservation data provided by the customer or a third party (travel agent) is checked against a corresponding set of rules and for presence on ban lists. In this context, we ensure that we are able to obtain the amount payable from you for the services supplied. Our legitimate interest to protect ourselves against material damage and illegal activities and to prevent the abuse of our products and services prevails over your interest to not have your personal data processed in this context. During the data processing, automated decision-making may occur, with the possible outcome that you are unable to complete the relevant purchase process. You have the option to contest this processing. Your information will be checked thoroughly, as will whether our decision holds.
Further legitimate interests: Insofar as it is required, we also process your data for purposes beyond those previously named to safeguard our further legitimate interests or the interests of third parties; this is carried out on the basis of Article 6 (1)(f) GDPR. Our legitimate interests include:
enforcing legal claims (e.g. collections) and our defence during legal disputes;
ensuring flight security, such as carrying out surveillance or ban lists in the event of individual breaches of our conditions of carriage and flight security rules;
the management and development of our business operation, including risk management;
improving the loading times of our website;
improving our products and services, such as through the pseudonymised analysis of qualitative customer feedback, such as from surveys, webchats or social media channels.
