Information regarding data protection

1. Controller

Information is provided below by Lufthansa AG (Venloer Straße 151-153, 50672 Cologne/Germany) (hereinafter also “Lufthansa”, “we”, “us”) on the processing of your personal data when you use the website (“website”).

Full details of the organisation can be found in the Imprint section at

2. Data processing on use of the “Lufthansa Preflight Shopping” service

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG). We process personal data to implement pre-contractual measures as permitted under Art. 6, 1 (b) GDPR. This includes in particular:

  • Creating and processing a reservation

Personal data processed in this context includes the following:

  • First name and surname, address
  • Order data
  • E-mail address
  • Flight details (date, time, flight number, booking class, departure and arrival airports)

3. Data processing on use of our website

You can use our website without providing personal data. However, we need to process specific information so that you can access our website. Our server automatically logs the following data (in so-called log files):

  • Domain name
  • Date and time of your visit
  • Your client’s file request (file name and URL)
  • http response code
  • Number of bytes transferred during the session
  • IP address of your end device
  • End device details, such as operating system

This data is processed and retained for 90 days for security backup purposes, in order to make it possible for you to access the website and to ensure its stability and security. The legal basis for processing this data is that specified in Art. 6, 1. (f) GDPR (legitimate interest pursued by the controller - technical stability of the website).

Furthermore, your IP address needs to be processed so that we can protect our website against potential external attacks (e.g. hacker attacks, botnet attacks and other forms of fraudulent access). Your IP address is stored for 90 days, and it is not possible for us to trace it back to you (without significant and disproportionate effort). The legal basis for processing this data is that specified in Art. 6, 1. (f) GDPR (legitimate interest of the controller in ensuring security of the system overrides other interests).

In addition, we make use of technologies that are able to recognise your end device, such as cookies and localStorage. You can find more information on this under item 4.

4. Cookies/web beacons/localStorage

a. Cookies/web beacons

We use so-called cookies, localStorage and sessionStorage as well as web beacons to provide our online services in the most user-friendly way possible.

Cookies are small text files that a web server (e.g. the web server on sends to your browser when you visit our website. Depending on your browser settings, the cookie file will either be saved or rejected. If the file is saved, our web server will subsequently be able recognise your end device. During subsequent visits to the website, and when switching between functions, the cookie reduces the amount of information you need to input. Cookies thus simplify the use of websites that require user input.

We use:

  • Session cookies
    These cookies expire at the end of the browser session and can record your activities during the session. They are deleted when you end your browser session.
  • Permanent cookies
    These are stored on your end device between different browser sessions and can record your settings or activities when you visit more than one website. They are deleted after a stipulated period of time, which can differ depending on the cookie. However, you can also delete the cookies at any time using your browser settings.
  • SessionStorage
    This acts in the same way as a cookie. In this case, data is stored in your browser. When you close the browser, the data is deleted.
  • LocalStorage
    This also acts in the same way as a cookie. LocalStorage is used for secure, long-term storage of the information it contains. You can find more details on this under item 4.c.

Furthermore, we differentiate between the following categories of cookies:

  • Technical
    These cookies are absolutely essential for the operation of the website and to enable login, redemption of points and functions relevant to security, for example.
  • Analysis
    We collect anonymised data for statistics and analyses to further improve our online services and our website. By using these cookies, we can for example determine the number of visitors and the impact of specific pages on our website, as well as optimise our content. We use etracker for this purpose (see item 5.a.).
  • Personal customisation
    These cookies are used so that we can display customised content based on your interests. In this way, we can present offers that are particularly relevant to you.

You can configure your browser so that cookies are enabled or blocked. In addition, you can specify that all cookies are deleted at the end of a session or you can delete cookies manually on an individual basis. Please note that if you block or delete certain cookies, certain features of our website may only be available on a limited basis or not at all. In particular, you will not be able to access your personal profile and you will not receive content that has been tailored to you personally.

Your browser may already be configured in such a way that a warning message is displayed each time it receives a cookie. This notification can be very disruptive, as the identification cookie must be resent every time you access each individual page of our website. We therefore recommend that you configure your browser so that cookies from are always accepted. You can individually configure this setting for each website you visit.

Further information on the use of cookies and how you can deactivate them can be found at or

Web beacons are small graphics files (also known as tracking pixels, pixel tags or clear GIFs) that may be contained in our website or in applications and that are generally used in combination with cookies. The preceding statements about cookies apply likewise to web beacons. In particular, web beacons will not be used if you have deactivated the corresponding cookie.

b. LocalStorage

We use localStorage functionality. This means your personal data is stored in your browser’s local cache after login, and will continue to be retained even after you close the browser window – provided you do not delete the cache – and can be read when you next access the website. Using localStorage allows us to display your data correctly when you surf our website without unnecessarily slowing down this process or overloading interfaces.

If you prefer to avoid the use of localStorage you can always set your browser accordingly.

c. Legal bases

The legal basis for the use of technical cookies as described in item 4.a. is that specified in Art. 6, 1. (b) GDPR (necessary for the performance of a contract and pre-contractual measures). The legal basis for items 4.a. and 4.b. is that specified in Art. 6, 1. (f) GDPR (legitimate interest of the controller). With regard to item 4.a., our legitimate interest in the use of cookies used for statistics and customisation is the further development and ensuring the relevance of the website and the program. With regard to item 4.b., our legitimate interests are the speeding up of processes and avoidance of system overload.

5. Tracking tools for website analysis

We use certain analytical systems on our website. These analytical systems and linking processes are explained below.

a. Web analysis using etracker

We use services provided by etracker GmbH (Hamburg, Germany) on our website to analyse usage data ( Cookies make it possible to undertake a statistical analysis of the use of this website by visitors and to display usage-orientated content or advertising. Please note that etracker cookies do not contain any information that could be used to identify a user.

etracker only processes and stores the data it collects on behalf of the provider of this website in Germany and is therefore subject to the stringent German and European data privacy laws and standards. In this regard, etracker has been independently audited, certified and awarded the ePrivacyseal, a data privacy seal of approval.

As the private sphere of our visitors is particularly important to us, their IP addresses are anonymised by etracker at the earliest point in time possible, and login or device identifiers are converted to a code that is unique but cannot be assigned to an individual. etracker does not use this data in any other way, combine it with other data or pass it on to third parties.

b. Legal basis

The legal basis for the processing described in item 5.a. is that specified in Art. 6, 1. (f) GDPR (legitimate interest of the controller in the further development and ensuring the relevance of the website). Provided you have given us your consent, we may link the pseudonymised data to your personal data. The legal basis for this processing is that specified in Art. 6, 1. (a) GDPR (consent provided by data subject).

6. Duration of data retention for processing

Your personal data will be deleted as soon as it is no longer required for the stated purposes. However, we might need to store your data until the expiry of retention periods stipulated under law and/or by regulatory authorities; these periods may be specified in the German commercial code, fiscal code and anti-money laundering legislation and can, in general be in the range 6 - 10 years. Furthermore, we are permitted store your data until the expiry of statutory limitation periods (i.e. generally 3 years; in some cases also up to 30 years) if this is necessary to assert, exercise or defend legal claims. The corresponding data is then routinely deleted.

7. Rights of the data subject

It is important to us that our processing operations are fair and transparent. Data subjects can exercise the right to object and also have the following rights if the relevant legal requirement applies:

  • Right of access, Art. 15 GDPR
  • Right to rectification, Art. 16 GDPR
  • Right to erasure (“right to be forgotten”), Art. 17 GDPR
  • Right to restriction of processing, Art. 18 GDPR
  • Right to data portability, Art. 20 GDPR
  • Right to object, Art. 21 GDPR

To exercise any of the above rights, please send an e-mail to 027021059029047021061057041061047031059000027043035001027029001 In order to handle your request and for purposes of identification, please note that we will process your personal data as permitted under Art. 6,1. (c) GDPR.

You also have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for Lufthansa German Airlines/Deutsche Lufthansa AG is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
(Information and Data Protection Officer for the State of Hesse)
Postfach 3163
65021 Wiesbaden/Germany

8. Information on your right to object as per Art. 21 GDPR

You have the right to object (as per Article 21 GDPR) at any time, on grounds relating to your particular situation, to the processing of your personal data as per Art 6, 1 (e) or (f) GDPR. The controller will not have the right to continue to process your personal data unless the controller can demonstrate that there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is required in order to establish, exercise or defend legal claims.
If your personal data is processed for direct marketing purposes, you have the right to object at any time to your personal data being processed for such marketing. If you object to your personal data being processed for direct marketing, it will no longer be processed for this purpose.
In connection with the use of information society services – notwithstanding Directive 2002/58/EC – you have the opportunity to exercise your right to object by automated means using technical specifications.
You can object to the processing of your personal data at any time.

9. Links and data collection on third-party websites

You may be directed via links on our website to third-party websites that are not operated by us. We have no influence over the processing of your personal data on such third-party websites. This is undertaken by the provider of the relevant website. Please therefore read the terms of use and privacy policies for these websites for more specific information on how they process personal data.

10. Disclaimers, limitations of and updates to this data protection declaration

This data protection declaration applies to processing on this website only. Other websites are not covered by this data protection declaration and provide their own specific data protection information.

We review this data protection declaration regularly and update it as necessary. We will notify you of any significant changes to this data protection declaration (e.g. through our website).

Not a Miles & More member?

Join today and earn and redeem award miles on Preflight Shopping.

Lufthansa Social Media