Introduction to data processing
We collect personal data within the scope of our website and the services we offer. The data is processed exclusively in accordance with the regulations of the General Data Protection Regulation (GDPR). The following is a detailed explanation of the data we collect, the purpose for which it is processed, and the legal foundation on which this is based.
1. Processing of access data, log files, and cookies
When you visit this website, our web server automatically stores data and information from your end device and browser. This includes information on your browser type and version, operating system, Internet access provider, IP address, date and time of access, as well as the website from which you access our site and the pages you visit on our website. This technical information is processed in log files and will not be combined with other data related to your person.
We process this data to facilitate your access to our website, ensure our website’s functionality, and safeguard the security of our IT systems. In particular, the processing is used to detect, analyse, and defend against cyberattacks, attempts at fraud, and other security-relevant incidents. It also helps us ensure the integrity, confidentiality, and availability of our IT systems. In addition, it is used to investigate and prevent any fraudulent use of our website. The legal foundation for this processing is Article 6 (1) (f) GDPR, based on our legitimate interest of ensuring technical functionality, security, and defence against cyberattacks.
We also use cookies and tracking software on our website. You can find information on the cookies we use, their purpose, and the respective legal foundations here: Cookie/Tracking Information. The processing is performed on the basis of our legitimate interest in accordance with Article 6 (1) (f) GDPR or – if required – your consent in accordance with Article 6 (1) (a) GDPR.
2. Booking and passenger travel data
When booking your flight, we collect all personal data required to execute your booking and your travel. This may include basic data such as your first and last name, your contact information (e.g. email address, phone number), and payment information. Depending on the requirements of the respective booking and flight operation, we may need additional data, such as passport or visa information, health information (e.g. in the case of special needs or medical requirements), or information on special requests (e.g. selected seat, special diets). All required information is clearly labelled on our website.
This data is processed to fulfil our contractual obligations in accordance with Article 6 (1) (b) GDPR, and encompasses the following in particular:
Issuance of flight documents: We provide you with all required flight documents, such as tickets and boarding passes.
Check-in process: We facilitate and manage checking in online and in person, and issue your boarding pass.
Provision of services: Among other things, this includes baggage service, special baggage transport, VIP services, lounge access, and specific travel information.
Flight notifications and updates: We inform you about the flight status, changes, delays, and other relevant information about your trip.
Lounge management: We offer and manage access to lounges for authorised passengers.
Handling of special requests and assistance: We process data required to fulfil special wishes, such as meals (kosher, halal, vegetarian), preferred seating, or assistance services.
Security and passenger controls: We collect the data necessary to execute security checks, such as identity checks before a flight.
Collection and transmission of contact information: In accordance with legal requirements, we may send your data to authorities or to meet security requirements in order to fulfil our contractual obligations for conveyance.
Payment processing: Your payment information is processed for the payment of tickets and additional services (e.g. seat reservations, additional baggage).
This data processing is required to fulfil the flight contract and provide the services that you use in connection with your trip.
3. Passenger rights, accidents, and loss of baggage
We process your personal data to safeguard your passenger rights in the event of flight delays, flight cancellations, overbooking, accidents, or problems with your baggage. This processing is performed to meet our legal obligations, particularly under the terms of the European Union air passenger rights regulations. The legal basis for this processing is Article 6 (1) (c) GDPR, which requires the fulfilment of legal obligations. In particular, this data processing includes:
Collection of booking data: To grant passenger rights in the event of flight delays, cancellations, or denied boarding due to overbooking or aircraft changes, in accordance with EU Regulation 261/2004.
Collection of health data: For the protection of the rights of passengers with disabilities or limited mobility, in accordance with EU Regulation 1107/2006.
Collection of baggage data: In the event that baggage is lost, damaged, or delayed, and in the case of accidents, in accordance with EU Regulation 889/2002, which supplements the regulation of the Council (EC) no. 2027/97.
Collection of data on the transport of animals: To meet the requirement of EU Regulation 1/2005 regarding the transport of animals.
This data processing is required to ensure your rights as a passenger in accordance with the valid EU regulations and safeguard your interests in the event of such incidents.
4. Data transmission to authorities
In accordance with the statutory provisions in various destination countries – and, in the future, several member states of the European Union – our role as an airline requires us to transmit certain passenger data in connection with entering or exiting those countries. In particular, this includes API data (Advanced Passenger Information) and PNR data (Passenger Name Record). This data mainly encompasses information about the identity and the travel documents (such as a passport or visa) of passengers and crew members. The data is often collected shortly before departure, particularly from the machine-readable section of travel documents.
We are also required to transmit your personal data to the police or judicial or administrative authorities if this is necessary to prevent or prosecute criminal or administrative offences, or to fulfil the administrative obligations of these authorities.
This data is processed exclusively to fulfil our legal obligations in accordance with Article 6 (1) (c) GDPR. We transmit the data solely to the responsible authorities of the respective destination country.
5. Guarantee of flight safety
We process personal data to guarantee flight safety, particularly in the event of violations of our conditions of carriage or security-related regulations. Among other things, this includes keeping watch lists and restricted persons lists to identify potential safety risks and guarantee the proper execution of the flight procedure. The processed data includes items such as the name, booking details, flight routes, seat information, and flight behaviour.
The legal basis for this processing is our legitimate interest in accordance with Article 6 (1) (f) GDPR. This processing is performed to ensure flight safety, risk prevention, and compliance with regulations that are required for safe operation. If necessary, this data may be transmitted to other airlines.
The data is stored for the period required to fulfil the safety precautions and for the maintenance of the flight operation. Data subjects have the right to receive information about the processed data and to demand its correction or erasure under certain conditions, provided that this does not conflict with the flight safety and legal requirements.
6. Registration and accounts
On our website, we offer you the option to create a myEurowings account or an EW4Business account, so that you may benefit from personalised features and may manage your bookings more easily.
myEurowings account
We collect your first and last name, mobile telephone number, email address, and a password for the registration. Once you have registered, you may add further information to your account, such as payment information or preferences for future flight bookings. This data enables us to offer you a personalised experience and efficiently manage your bookings in the future. Your data is processed to fulfil the contract in accordance with Article 6 (1) (b) GDPR.
EW4Business account
We also collect your first and last name, your mobile telephone number, and email address when you register for an EW4Business account. After you have registered, you can add further details and view information on bookings made via this business account. Here as well, access to the EW4Business account requires entering identification data.
We also collect your first and last name, mobile telephone number, and email address for the registration. After your registration, you can add further details and view information on bookings made via the business account. Here as well, your personal data is processed to fulfil the contract in accordance with Article 6 (1) (b) GDPR, as well as for communication purposes to fulfil legal obligations.
Both types of accounts are processed exclusively for the stated purposes. We are unable to provide the respective accounts without this personal data.
7. Initiation of contact, phone calls, and chatbot
You have several options for contacting us, including our contact form, email, social media, and the form for reviewing a compensation claim in accordance with Article 7 of EU Regulation 261/04. We collect the data you provide exclusively in the scope required to process your enquiry. In certain cases, after processing is completed, the data may be stored for a longer period for purposes of providing evidence. Your data is processed on the basis of fulfilling the contract in accordance with Article 6 (1) (b) GDPR or to safeguard legitimate interests in accordance with Article 6 (1) (f) GDPR.
When you contact us by phone, we process your data to handle your request. We record phone calls only with your express consent, for the purposes of training and quality assurance. This data processing is performed on the legal basis of your consent in accordance with Article 6 (1) (a) GDPR or to process your request in accordance with Article 6 (1) (b) GDPR. Your data is generally processed by our customer service provider, with which we have entered into an order processing contract. You are not required to give your permission for the recording. However, it is possible that we are unable to process the subject of your phone call if we do not have the data required to process your request.
If you use our AI-based chatbot, we process the data you entered (prompts) as well as technical information regarding your browser (browser fingerprint) in order to make the chatbot available and to assist with your enquiries. The data is generally processed by a service provider, with which we have entered into an order processing contract. The legal basis for the processing is your consent in accordance with Article 6 (1) (a) GDPR. The processing is also performed to improve our service on the basis of our legitimate interest in accordance with Article 6 (1) (f) GDPR.
8. Evaluation of creditworthiness and prevention of fraud
We process your personal data to evaluate your creditworthiness and to prevent fraud, such as credit card misuse, identity fraud or obtaining special conditions under false pretences. For this purpose, the payment and reservation data provided by you or third parties is compared with the relevant policies and restricted persons lists.
The legal basis for this processing is Article 6 (1) (f) GDPR, as we have a legitimate interest in protecting ourselves against financial damages and in preventing unlawful activities.
We also check your data against national and international sanctions lists to ensure correct payment processing and fraud prevention. We do this to ensure that no unauthorised persons use our services.
In the scope of this processing, there may be an automated decision-making process that may prevent the purchase transaction from being concluded. In such a case, you have the right to object to the processing (Article 21 GDPR). If you assert this right, your information will be reviewed and a decision made as to whether to continue the transaction.
Your data is processed for the period required to safeguard the above-mentioned legitimate interests. If no other legal retention period is in effect, your data will be deleted after the conclusion of the review or the purchase transaction.
9. Processing in the scope of data subject rights
In the scope of exercising your data subject rights in accordance with Chapter 3 of the General Data Protection Regulation (GDPR), we process your personal data to the degree required. In particular, this includes the data that you provide to us or that we request from you, such as your name, email address, or a copy of your identity card. We collect this data exclusively to verify your identity and enable you to exercise the rights cited in the GDPR, such as the right to information, correction, or deletion of your data. It is possible that we will be unable to process your request if you do not provide us with this information.
The legal basis for processing your data is Article 6 (1) (c) and Article 6 (1) (e) GDPR, as we must fulfil our legal obligations in connection with the processing of data subject rights. The retention period for the data collected in connection with data subject rights is three years, so that any legal claims and deadlines can be properly accommodated.
10. Data processing for marketing purposes and personalised communication
Social media: Eurowings processes photo and video recordings to be reused for marketing purposes on various social media channels, such as Instagram, Facebook, Twitter, LinkedIn, or TikTok. We search public channels for appropriate content and request use via the public comment feature. Once the user has agreed, we use the content to repost it on our own social media channels. The legal basis for this processing is Article 6 (1) (a) GDPR.
Personalised customer communication: We process information about your previous bookings and the preferences stored in your profile to create target groups, so-called custom audiences. This allows us to personalise our customer communication and the booking process. As a result, we will show you offers, options, and presets that are relevant to you in order to make the booking process more efficient and convenient. The legal basis for this is your consent in accordance with Article 6 (1) (a) GDPR.
Flight recommendations: When you are logged into your myEurowings account, we process your information about previous bookings to show you appropriate flight recommendations in the dashboard. This makes it easier for you to select connections that you have already used in the past or which are similar. The legal basis for this is your consent in accordance with Article 6 (1) (a) GDPR.
Newsletter: If you have subscribed to our newsletter, we process your email address and, if applicable, information stored in your myEurowings account, so that we can send you personalised offers and information on our services and on partner companies in the travel and mobility sectors. We analyse the data via the delivery, opening, and click rates of our emails, so that we can evaluate the success and usage of the newsletter. We also evaluate your interaction with our emails to personalise them further. The legal basis for this is your consent in accordance with Article 6 (1) (a) GDPR. You may withdraw your consent at any time with effect for the future.
Direct marketing to existing customers: We use your email address to send you advertising and flight-related offers via email, such as reminders to check in, additional services for your flight, or surveys. This processing is carried out only if you have provided your email address in connection with purchasing a product or service and you have not objected. The legal basis for this is our legitimate interest in accordance with Article 6 (1) (f) GDPR and Section 7 Article 3 of the German Act Against Unfair Practices (UWG).
Display of personalised advertising: We process your data to display personalised advertising, so that we may direct ads that are specific to the target audiences that are relevant to you. Here we use custom audiences and lookalike audiences, whereby target groups that are similar to our existing customers are defined, in order to gain new customers. In order to protect your privacy, we create these target groups on the basis of a “hashed” version of your email address. This data (hashed email addresses, interests, purchase history, and usage behaviour) is transferred to platforms such as Meta Ads Server, Google Ads, and DV360 for targeted delivery within their networks. If the email address can be matched with a profile existing on these platforms, the target group is matched, followed by a targeted display of the respective advertisement. The legal basis for this is your consent in accordance with Article 6 (1) (a) GDPR. The data with which the target group is determined is processed within 31 days and deleted after 2 years. There is no automated decision-making process as per Article 22 GDPR, as the displayed advertisement has no legal effectiveness and it is not significantly affected in a similar manner. You can find further information on the data processing and data protection regulations here: Meta data protection policy and Google data protection policy.
Statistical analyses: We perform statistical analyses for the continuous improvement of our marketing measures and communication with our customers. Here we analyse aggregate data about the use of our offers so that we can offer you even more relevant content and personalised advertisements. This data helps us optimise our services and develop customised campaigns. The legal basis for this is our legitimate interest in accordance with Article 6 (1) (f) GDPR.
11. Partner offers and frequent flyer programmes
Partner offers: During the booking process, we show you offers from partner services such as car rentals, rail transport, hotels, and travel insurance. If you accept such an offer, we send the required data to the partner company so that you can use the corresponding services. The legal basis for this is Article 6 (1) (b) GDPR.
Frequent flyer programmes: When you book a flight, you can collect bonus points/miles from our partners' frequent flyer programmes. For this, we need your corresponding programme number (e.g. Miles & More number). During the booking, we also collect required data such as your last name, first name, booking class, flight route, airfare, booking code, seat number, and ticket number. We send this to our partner so that you can be credited with the bonus points/miles. The legal basis for this processing is Article 6 (1) (b) GDPR. You will not be able to claim the benefits of the frequent flyer programme without providing this data. You can find further information on the processing of your personal data in the scope of the Miles & More programme here.
