Privacy policy

The entity responsible for processing your personal data in accordance with data protection law is Eurowings GmbH, Waldstraße 249, 51147 Cologne, Germany. When this Privacy Notice uses the words “we” or “us”, this refers to the aforementioned company.

You are welcome to contact us if you have any questions regarding data protection or exercising your rights:
Email: [email protected]

Our data protection officer is also responsible for the Lufthansa Group and can be contacted at the following email address:
Email: [email protected]

Please do not hesitate to contact us if you have any concerns or questions about data protection.

In compliance with data protection regulations, we only process your personal data if this is legal or if you have given us your express permission. Moreover, we only process your personal data when your rights and freedom do not outweigh our legitimate interest. This also applies to processing your data for advertising and marketing purposes. For example, we may be required to process your data to meet contractual obligations, assert legal claims, or improve our services. When we process the data based on a legitimate interest, we do so in accordance with the applicable data protection laws, while always protecting your interests.

We guarantee that the processing of your data always complies with the applicable data protection laws. Our data processing is based on the following principles:

1. Lawfulness and transparency: We process your data in a lawful, fair, and transparent manner.

2. Restricted use: Your data is only processed for the stipulated purposes, or else for purposes that are compatible and permissible.

3. Data minimisation: We collect only the data required for these purposes.

4. Correctness: We ensure that your data is correct and up-to-date and will correct it as needed.

5. Storage limitation: We store your data only for the period required to achieve the purposes or for the legally required term.

6. Integrity and confidentiality: We implement technical and organisational measures to protect your data against unauthorised access, loss, or destruction.

Introduction to data processing

We collect personal data within the scope of our website and the services we offer. The data is processed exclusively in accordance with the regulations of the General Data Protection Regulation (GDPR). The following is a detailed explanation of the data we collect, the purpose for which it is processed, and the legal foundation on which this is based.

1.      Processing of access data, log files, and cookies

When you visit this website, our web server automatically stores data and information from your end device and browser. This includes information on your browser type and version, operating system, Internet access provider, IP address, date and time of access, as well as the website from which you access our site and the pages you visit on our website. This technical information is processed in log files and will not be combined with other data related to your person.

We process this data to facilitate your access to our website, ensure our website’s functionality, and safeguard the security of our IT systems. In particular, the processing is used to detect, analyse, and defend against cyberattacks, attempts at fraud, and other security-relevant incidents. It also helps us ensure the integrity, confidentiality, and availability of our IT systems. In addition, it is used to investigate and prevent any fraudulent use of our website. The legal foundation for this processing is Article 6 (1) (f) GDPR, based on our legitimate interest of ensuring technical functionality, security, and defence against cyberattacks.

We also use cookies and tracking software on our website. You can find information on the cookies we use, their purpose, and the respective legal foundations here: Cookie/Tracking Information. The processing is performed on the basis of our legitimate interest in accordance with Article 6 (1) (f) GDPR or – if required – your consent in accordance with Article 6 (1) (a) GDPR.

2.      Booking and passenger travel data

When booking your flight, we collect all personal data required to execute your booking and your travel. This may include basic data such as your first and last name, your contact information (e.g. email address, phone number), and payment information. Depending on the requirements of the respective booking and flight operation, we may need additional data, such as passport or visa information, health information (e.g. in the case of special needs or medical requirements), or information on special requests (e.g. selected seat, special diets). All required information is clearly labelled on our website.

This data is processed to fulfil our contractual obligations in accordance with Article 6 (1) (b) GDPR, and encompasses the following in particular:

• Issuance of flight documents: We provide you with all required flight documents, such as tickets and boarding passes.

• Check-in process: We facilitate and manage checking in online and in person, and issue your boarding pass.

• Provision of services: Among other things, this includes baggage service, special baggage transport, VIP services, lounge access, and specific travel information.

• Flight notifications and updates: We inform you about the flight status, changes, delays, and other relevant information about your trip.

• Lounge management: We offer and manage access to lounges for authorised passengers.

• Handling of special requests and assistance: We process data required to fulfil special wishes, such as meals (kosher, halal, vegetarian), preferred seating, or assistance services.

• Security and passenger controls: We collect the data necessary to execute security checks, such as identity checks before a flight.

• Collection and transmission of contact information: In accordance with legal requirements, we may send your data to authorities or to meet security requirements in order to fulfil our contractual obligations for conveyance.

• Payment processing: Your payment information is processed for the payment of tickets and additional services (e.g. seat reservations, additional baggage).

This data processing is required to fulfil the flight contract and provide the services that you use in connection with your trip.

3.      Passenger rights, accidents, and loss of baggage

We process your personal data to safeguard your passenger rights in the event of flight delays, flight cancellations, overbooking, accidents, or problems with your baggage. This processing is performed to meet our legal obligations, particularly under the terms of the European Union air passenger rights regulations. The legal basis for this processing is Article 6 (1) (c) GDPR, which requires the fulfilment of legal obligations. In particular, this data processing includes:

• Collection of booking data: To grant passenger rights in the event of flight delays, cancellations, or denied boarding due to overbooking or aircraft changes, in accordance with EU Regulation 261/2004.

• Collection of health data: For the protection of the rights of passengers with disabilities or limited mobility, in accordance with EU Regulation 1107/2006.

• Collection of baggage data: In the event that baggage is lost, damaged, or delayed, and in the case of accidents, in accordance with EU Regulation 889/2002, which supplements the regulation of the Council (EC) no. 2027/97.

• Collection of data on the transport of animals: To meet the requirement of EU Regulation 1/2005 regarding the transport of animals.

This data processing is required to ensure your rights as a passenger in accordance with the valid EU regulations and safeguard your interests in the event of such incidents.

4.      Data transmission to authorities

The laws in various countries of destination and departure as well as transit countries require us, as an airline, to share certain passenger data for entry, exit or transit: specifically, API data (Advance Passenger Information) and PNR data (Passenger Name Record). API and PNR data mainly consist of information concerning the identity and travel documents (e.g. passport or visa) of passengers and crew. These data are routinely collected on check-in or boarding, particularly when the machine-readable zone of the travel document is scanned. These data are transmitted to the relevant authorities of the country of destination or departure, or transit country, if required under national or international law. Such data processing is mainly for the purpose of border control, aviation security as well as crime prevention and investigation, including combating terrorism and serious crime. For flights to and from France, Article L.232-7 of the French Internal Security Code (Code de la sécurité intérieure) requires us to transmit reservation, check-in and boarding data (PNR/API) collected when you book and travel, to the relevant French authorities. Such data are transmitted according to the applicable French legislation (specifically, Décret n° 2014-1095 and Décret n° 2018-714) for the purposes set out in those regulations. The basis for the processing and transmission of the data mentioned above is compliance with our legal obligations according to Article 6(1)(c) GDPR. We transmit personal data only to the relevant authorities, provided and to the extent that it is strictly necessary to comply with a legal obligation.

5.      Guarantee of flight safety

We process personal data to guarantee flight safety, particularly in the event of violations of our conditions of carriage or security-related regulations. Among other things, this includes keeping watch lists and restricted persons lists to identify potential safety risks and guarantee the proper execution of the flight procedure. The processed data includes items such as the name, booking details, flight routes, seat information, and flight behaviour.

The legal basis for this processing is our legitimate interest in accordance with Article 6 (1) (f) GDPR. This processing is performed to ensure flight safety, risk prevention, and compliance with regulations that are required for safe operation. If necessary, this data may be transmitted to other airlines.

The data is stored for the period required to fulfil the safety precautions and for the maintenance of the flight operation. Data subjects have the right to receive information about the processed data and to demand its correction or erasure under certain conditions, provided that this does not conflict with the flight safety and legal requirements.

6.      Registration and accounts

On our website, we offer you the option to create a myEurowings account or an EW4Business account, so that you may benefit from personalised features and may manage your bookings more easily.

myEurowings account
We collect your first and last name, mobile telephone number, email address, and a password for the registration. Once you have registered, you may add further information to your account, such as payment information or preferences for future flight bookings. This data enables us to offer you a personalised experience and efficiently manage your bookings in the future. Your data is processed to fulfil the contract in accordance with Article 6 (1) (b) GDPR.

EW4Business account
We also collect your first and last name, your mobile telephone number, and email address when you register for an EW4Business account. After you have registered, you can add further details and view information on bookings made via this business account. Here as well, access to the EW4Business account requires entering identification data.

We also collect your first and last name, mobile telephone number, and email address for the registration. After your registration, you can add further details and view information on bookings made via the business account. Here as well, your personal data is processed to fulfil the contract in accordance with Article 6 (1) (b) GDPR, as well as for communication purposes to fulfil legal obligations.

Both types of accounts are processed exclusively for the stated purposes. We are unable to provide the respective accounts without this personal data.

Travel ID account
In addition, we offer you the option to log in with your existing Travel ID account. In doing so, we process your email address and password for authentication and to manage your bookings. This processing is carried out for the execution of the user contract for the Travel ID in accordance with Art. 6 (1) (b) GDPR. Further information – including on group transfers and personalisation – can be found in the data protection declaration for Travel ID.

7.      Initiation of contact, phone calls, and chatbot

You have several options for contacting us, including our contact form, email, social media, and the form for reviewing a compensation claim in accordance with Article 7 of EU Regulation 261/04. We collect the data you provide exclusively in the scope required to process your enquiry. In certain cases, after processing is completed, the data may be stored for a longer period for purposes of providing evidence. Your data is processed on the basis of fulfilling the contract in accordance with Article 6 (1) (b) GDPR or to safeguard legitimate interests in accordance with Article 6 (1) (f) GDPR.

When you contact us by phone, we process your data to handle your request. We record phone calls only with your express consent, for the purposes of training and quality assurance. This data processing is performed on the legal basis of your consent in accordance with Article 6 (1) (a) GDPR or to process your request in accordance with Article 6 (1) (b) GDPR. Your data is generally processed by our customer service provider, with which we have entered into an order processing contract. You are not required to give your permission for the recording. However, it is possible that we are unable to process the subject of your phone call if we do not have the data required to process your request.

If you use our AI-based chatbot, we process the data you entered (prompts) as well as technical information regarding your browser (browser fingerprint) in order to make the chatbot available and to assist with your enquiries. The data is generally processed by a service provider, with which we have entered into an order processing contract. The legal basis for the processing is your consent in accordance with Article 6 (1) (a) GDPR. The processing is also performed to improve our service on the basis of our legitimate interest in accordance with Article 6 (1) (f) GDPR.

8.      Evaluation of creditworthiness and prevention of fraud

We process your personal data to evaluate your creditworthiness and to prevent fraud, such as credit card misuse, identity fraud or obtaining special conditions under false pretences. For this purpose, the payment and reservation data provided by you or third parties is compared with the relevant policies and restricted persons lists.

The legal basis for this processing is Article 6 (1) (f) GDPR, as we have a legitimate interest in protecting ourselves against financial damages and in preventing unlawful activities.

We also check your data against national and international sanctions lists to ensure correct payment processing and fraud prevention. We do this to ensure that no unauthorised persons use our services.

In the scope of this processing, there may be an automated decision-making process that may prevent the purchase transaction from being concluded. In such a case, you have the right to object to the processing (Article 21 GDPR). If you assert this right, your information will be reviewed and a decision made as to whether to continue the transaction.

Your data is processed for the period required to safeguard the above-mentioned legitimate interests. If no other legal retention period is in effect, your data will be deleted after the conclusion of the review or the purchase transaction.

9.      Processing in the scope of data subject rights

In the scope of exercising your data subject rights in accordance with Chapter 3 of the General Data Protection Regulation (GDPR), we process your personal data to the degree required. In particular, this includes the data that you provide to us or that we request from you, such as your name, email address, or a copy of your identity card. We collect this data exclusively to verify your identity and enable you to exercise the rights cited in the GDPR, such as the right to information, correction, or deletion of your data. It is possible that we will be unable to process your request if you do not provide us with this information.

The legal basis for processing your data is Article 6 (1) (c) and Article 6 (1) (e) GDPR, as we must fulfil our legal obligations in connection with the processing of data subject rights. The retention period for the data collected in connection with data subject rights is three years, so that any legal claims and deadlines can be properly accommodated.

10. Data processing for marketing purposes and personalised communication

Social media: Eurowings processes photo and video recordings to be reused for marketing purposes on various social media channels, such as Instagram, Facebook, Twitter, LinkedIn, or TikTok. We search public channels for appropriate content and request use via the public comment feature. Once the user has agreed, we use the content to repost it on our own social media channels. The legal basis for this processing is Article 6 (1) (a) GDPR.

Personalised customer communication: We process information about your previous bookings and the preferences stored in your profile to create target groups, so-called custom audiences. This allows us to personalise our customer communication and the booking process. As a result, we will show you offers, options, and presets that are relevant to you in order to make the booking process more efficient and convenient. The legal basis for this is your consent in accordance with Article 6 (1) (a) GDPR.

Flight recommendations: When you are logged into your myEurowings account, we process your information about previous bookings to show you appropriate flight recommendations in the dashboard. This makes it easier for you to select connections that you have already used in the past or which are similar. The legal basis for this is your consent in accordance with Article 6 (1) (a) GDPR.

Newsletter: If you have subscribed to our newsletter, we process your email address and, if applicable, information stored in your myEurowings account, so that we can send you personalised offers and information on our services and on partner companies in the travel and mobility sectors. We analyse the data via the delivery, opening, and click rates of our emails, so that we can evaluate the success and usage of the newsletter. We also evaluate your interaction with our emails to personalise them further. The legal basis for this is your consent in accordance with Article 6 (1) (a) GDPR. You may withdraw your consent at any time with effect for the future.

Direct marketing to existing customers: We use your email address to send you advertising and flight-related offers via email, such as reminders to check in, additional services for your flight, or surveys. This processing is carried out only if you have provided your email address in connection with purchasing a product or service and you have not objected. The legal basis for this is our legitimate interest in accordance with Article 6 (1) (f) GDPR and Section 7 Article 3 of the German Act Against Unfair Practices (UWG).

Meta Lead Ads: We use the “Lead Ads” format provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”), to collect and process certain personal data of prospective customers – leads – using a contact form (“instant form”) that opens on Facebook pages. The processing of data is strictly confined to the purposes (clearly disclosed in the form) for which the lead ad campaign was created, before the inputted data are transmitted. These data may also be stored on the servers of Meta Platforms, Inc..,1601 Willow Rd, Menlo Park, CA 94025, USA. In the case of Facebook lead ads, both Facebook and Eurowings in its capacity as advertiser are jointly responsible for data processing in accordance with Art. 26 GDPR. The legal basis for this is your consent in accordance with Article 6 (1) (a) GDPR (for example, for direct marketing such as signing up to receive the email newsletter) or our legitimate interest in the optimal marketing of our offering in accordance with Article 6 (1) (f) GDPR. You can find further information on the processing of data through Facebook lead ads in Facebook’s Data Policy.

Display of personalised advertising: We process your data to display personalised advertising, so that we may direct ads that are specific to the target audiences that are relevant to you. Here we use custom audiences and lookalike audiences, whereby target groups that are similar to our existing customers are defined, in order to gain new customers. In order to protect your privacy, we create these target groups on the basis of a “hashed” version of your email address. This data (hashed email addresses, interests, purchase history, and usage behaviour) is transferred to platforms such as Meta Ads Server, Google Ads, and DV360 for targeted delivery within their networks. If the email address can be matched with a profile existing on these platforms, the target group is matched, followed by a targeted display of the respective advertisement. The legal basis for this is your consent in accordance with Article 6 (1) (a) GDPR. The data with which the target group is determined is processed within 31 days and deleted after 2 years. There is no automated decision-making process as per Article 22 GDPR, as the displayed advertisement has no legal effectiveness and it is not significantly affected in a similar manner. You can find further information on the data processing and data protection regulations here: Meta data protection policy and Google data protection policy.

Statistical analyses: We perform statistical analyses for the continuous improvement of our marketing measures and communication with our customers. Here we analyse aggregate data about the use of our offers so that we can offer you even more relevant content and personalised advertisements. This data helps us optimise our services and develop customised campaigns. The legal basis for this is our legitimate interest in accordance with Article 6 (1) (f) GDPR.

Special occasions: If you opt to save your date of birth in your myEurowings account, we will process this information solely to send you personalised messages on special occasions, such as birthday messages or anniversary offers. The legal basis for this processing is Article 6(1)(a) GDPR. You may withdraw your consent at any time with future effect by changing your myEurowings account settings or by using the opt out link in our messages. 

11. Partner offers and frequent flyer programmes

Partner offers: During the booking process, we show you offers from partner services such as car rentals, rail transport, hotels, and travel insurance. If you accept such an offer, we send the required data to the partner company so that you can use the corresponding services. The legal basis for this is Article 6 (1) (b) GDPR.

Frequent flyer programmes: When you book a flight, you can collect bonus points/miles from our partners' frequent flyer programmes. For this, we need your corresponding programme number (e.g. Miles & More number). During the booking, we also collect required data such as your last name, first name, booking class, flight route, airfare, booking code, seat number, and ticket number. We send this to our partner so that you can be credited with the bonus points/miles. The legal basis for this processing is Article 6 (1) (b) GDPR. You will not be able to claim the benefits of the frequent flyer programme without providing this data. You can find further information on the processing of your personal data in the scope of the Miles & More programme here.

Your personal data is processed within our company, exclusively by the responsible departments. The data is shared only if this is required for the fulfilment of our contractual services, if there is a legal obligation, or if another legal foundation permits it. Recipients of your data may include the following categories of third parties, in particular:

• Associated companies: This includes, in particular, Miles & More GmbH as the operator of the frequent fliers and bonus programme for Eurowings. It also includes additional companies in the Lufthansa Group (e.g. Austrian Airlines, Brussels Airlines, EW Discover GmbH, Lufthansa or SWISS International Air Lines AG), particularly for collaboration in the areas of flight safety, fraud prevention, and operational management.

• Service providers: This includes companies that support us in fulfilling our contractual obligations, such as ground handling services, call centres, customer service providers, or travel partners. Operators of airport lounges used within the scope of your booking may also receive personal data.

• Other airlines and airports: This includes codeshare, interline, and wet-lease partners, as well as airports that are on your travel route or are approached by your flight, in order to ensure the smooth execution of your trip. If your flight is cancelled or significantly delayed, it may be necessary to transmit your personal data to another airline, in order to offer an alternative travel option. This is done on the basis of contractual obligations or applicable legal provisions, in particular in the scope of Regulation (EC) no. 261/2004 on air passenger rights.

• Business partners: These generally act as independent controllers and may receive personal data in the scope of additional services such as hotel and package tour bookings, insurance services, or vehicle rentals. This also includes customer loyalty and bonus programme partners, such as credit card providers with miles programmes.

• IT service providers: To ensure the operation and maintenance of our IT infrastructure, including IT maintenance, IT support, software development, cloud and hosting services.

• Payment service providers and financial institutions: To process payments, refunds and financial transactions.

• Shipping services, media and marketing agencies: To send travel information, market research, advertising measures, and campaign management.

• Consulting services: This includes lawyers, auditors, and other consulting firms that support us in complying with legal obligations and protecting our interests.

• Collection service providers and lawyers: To enforce legitimate demands or other legal claims.

• Public authorities and agencies: Among others, these include the Federal Aviation Authority, customs authorities, tax authorities, police, public prosecutors, and regulatory authorities, insofar as we are required to transmit your personal data due to legal obligations (e.g. entry requirements, police investigations, or aviation security measures). It is also possible that personal data is transferred to foreign aviation organisations or safety authorities, insofar as this is required to comply with international regulations.

• Security and emergency service providers: These include medical assistance services or security firms at airports that provide support in case of emergencies or security-related incidents.

As a rule, your personal data is processed within the European Union (EU) or European Economic Area (EEA).

However, some cases may require a transfer to so-called “third countries”. These are countries outside of the EU or the EEA, in which the level of data protection may not be comparable to that in the EU.

If the transfer is not based on a legal obligation (e.g. in the case of Advance Passenger Information for border authorities), we make sure that an appropriate data protection level is guaranteed. This is done by these means in particular:

• Adequacy decisions by the European Commission: The EU Commission has determined that an equivalent data protection level exists in particular countries.

• EU standard contractual clauses: If no adequacy decision has been made, we use the standard contractual clauses approved by the European Commission for the recipients in third countries to ensure an appropriate level of data protection.

• Additional suitable safeguards: If required, we will take additional measures to ensure that your data is protected.

You can find further information on the applicable EU standard contractual clauses here. Information on the current adequacy decisions of the European Commission can be found here. Please contact us via the contact information in the imprint if you have any additional questions.

We store your personal data for only as long as this is required to fulfil the contractual and legal obligations. Once your data is no longer required for the respective purposes, it will be deleted, unless longer retention is required due to a legal storage obligation or another legal requirement.

The retention of your data is also carried out in accordance with the applicable legal retention requirements. We are obligated to store certain data for a period of up to ten years in accordance with the provisions of the German Commercial Code (HGB), the German Fiscal Code (AO), or the German Money Laundering Act (GwG). This obligation particularly concerns accounting-related data such as invoices, flight bookings, and payment information.

In addition, we store your data if this is required for the assertion, exercise, or defence against legal claims. In these cases, the data may be retained for the duration of the legal limitation periods, which are usually three years, but may be up to 30 years in some cases.

Data on flights, bookings, and ticketing is stored for up to ten years in accordance with tax and commercial regulations. This data is necessary for proper documentation and accounting, as well as for compliance with regulatory requirements.

Data that is collected in the scope of customer enquiries or in connection with air passenger rights, complaints, or refunds, is generally stored for a maximum of five years, unless longer retention periods are applicable. This data is deleted after processing the request or complaint, unless legal requirements make longer storage necessary.

Recordings of customer calls are generally kept for up to 90 days, unless legal provisions or express consent require longer retention periods. Log data created during the use of our digital services is generally stored for a short period. It is only stored for a longer period if this is required for technical error analysis or to prevent misuse.

Depending on regulatory requirements and regulatory authorities, data related to safety reports or incidents is also stored for longer periods.

Once the data is no longer needed for the intended purpose or a legal storage requirement ceases to apply, it is automatically deleted, unless longer storage is required for legal or technical reasons.

According to the General Data Protection Regulation (GDPR), you, as the data subject, have the following rights in respect to the processing of your personal data:

1. Right to object according to Article 21 GDPR

At any time, for reasons relating to your particular situation, you have the right to object to the processing of personal data, insofar as this is carried out on the basis of Article 6 (1) (e) or (f) GDPR. This also applies to profiling based on these provisions.

If you object, we will no longer process your personal data, unless we can show verifiably compelling legitimate reasons for the processing that override your interests, rights, and freedoms, or if the processing is for the purpose of enforcing, pursuing, or defending legal claims.

Objection to direct marketing

If we process your personal data for the purpose of direct marketing, you have the right to object to this processing at any time. This also applies to profiling, provided that it is associated with this direct marketing. Following your objection, your data will no longer be used for these purposes.

You can make your objection informally and should send it to the following contact address: [email protected]

2. Revocation of consent

If you have given us permission to process your personal data, you can revoke this at any time with effect for the future. The revocation has no influence on the lawful processing performed up to the time of the revocation.

For example, you can revoke your consent via the unsubscribe link in our emails or by sending us a message by email or post.

3. Additional rights as a data subject

In accordance with the GDPR, you have the following additional rights:

·       Right of access (Article 15 GDPR): You can request confirmation on whether your personal data is being processed and can receive information about this data.

·       Right to rectification (Article 16 GDPR): You have the right to have us rectify incorrect or incomplete personal data.

·       Right to erasure (Article 17 GDPR): You can request the erasure of your personal data under certain conditions.

·       Right to restriction of processing (Article 18 GDPR): You can request the restriction of the processing of your personal data.

·       Right to data portability (Article 20 GDPR): You can request that we provide your personal data to you or a third party in a structured, conventional, and machine-readable format.

4. Assertion of your rights

To exercise your rights, please contact:

Eurowings GmbH

c/o Data protection department
Waldstr. 249
51147 Cologne, Germany

5. Right to lodge a complaint with a supervisory authority

You have the right to complain to a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR. The responsible supervisory authority for our company is:

North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information

Kavalleriestr. 2–4
40213 Düsseldorf, Germany
Telephone: 0211/38424-0
Fax: 0211/38424-999
Email: [email protected]