Lufthansa WorldShop privacy notice

Who is the responsible person?

Miles & More GmbH („MMG“) would like to inform you in the following about how your personal data is processed within the context of our offerings. You can gain direct access to these offerings via („website“). Full details about the company can be found under „Imprint“ on

Who can I contact?

The Lufthansa Data Protection Officer is also responsible for questions related to data protection at MMG. Please contact us if you have any questions about data protection: e.g. by post: Konzern-Datenschutzbeauftragte(r), FRA CY, 60546 Frankfurt/Main or by e-mail: 027021059029047057025035061059071000027043035001027029.

If you contact us via email the communication will be unencrypted.

Why do we process your data (purpose of the processing) and on what legal foundation?

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG).

We process personal data to fulfil our contractual obligations as per Article 6 Paragraph 1 Subparagraph 1(b) GDPR. This includes in particular:

  • Setting up and managing a guest account for concluding and executing a contract
  • Concluding the purchase contract
  • Executing the purchase contract (sending order confirmations, delivery notifications, handling the logistics process)
  • Terminating the purchase contract
  • Processing returns
  • Handling claims
  • Processing complaints
  • Processing your contract-related queries via the contact form
  • Passing on your details to newspaper subscription providers in order to conclude and execute a contract

We also process your data to protect our legitimate interests as per Article 6 Paragraph 1 Subparagraph 1(f) GDPR

  • to make it easier for you to register in our online shop (setting up and managing a customer account when logging in with your Miles & More access data for the first time)
  • for the purpose of preventing fraud e.g. credit card misuse, identity theft, obtaining special conditions or rates via devious means
  • for asserting legal claims including debt collection and the defence of legal disputes
  • for auditing purposes
  • for marketing, provided that you have not objected to the use of your data.

Based on your consent, we process your data in accordance with Article 6 Paragraph 1 Subparagraph 1(a) GDPR for specific purposes, in particular:

  • Sending the newsletter with regular Lufthansa WorldShop offers
  • Sending the catalogue
  • Setting up and managing a customer account
  • Processing your enquiry via the contact form
  • Supporting operations on the website with reminder functions
  • Performing analyses to optimise our offering for you.

You can withdraw your consent at any time. This also applies to the withdrawal of declarations of consent issued to us before the GDPR came into force (i.e. before 25 May 2018). The withdrawal of consent is only effective for the future and shall not affect the lawfulness of data processed up to the point of withdrawal. For further information, please see the „How can you withdraw your consent?“ section.

What data do we process when you visit our website?

You can use our website without directly providing any personal data (such as your name, postal address or email address). In this case we also have to collect and store specific information so that you can access our website.

You can use our website without directly providing any personal data (such as your name, postal address or email address). In this case we also have to collect and store specific information so that you can access our website.

1.1 Logfiles

When you visit our website, our internet server automatically records the domain name or IP address of the requesting computer, as well as the date and time of access, client file request (file name and URL), HTTP response code, browser type, the website from which you are visiting and the number of bytes transferred in the course of the connection. These data are deleted as soon as you end your visit to our website. For legal purposes - particularly detecting misuse and identifying and resolving technical malfunctions - we save the logfiles from your web server and application server, including your IP address, for 90 days.

1.2 Cookies / Web Beacons

Like many well-known companies, we use so-called cookies and web beacons to design our offering in the most user friendly way possible.

„Cookies“ are small text files that a web server (e.g. the web server on sends to your browser when you visit a website. So-called „session cookies“ expire at the end of the browser session and can record your activities during this session. In contrast, „permanent cookies“ are also stored on your end device between different browser sessions and can record your settings or activities on several websites.

As well as so-called „session cookies“, which are deleted when you end your browser session, we use permanent cookies for the purpose of conducting web analysis with etracker. These cookies are stored until they are deleted by the user.

Depending on your browser settings, the cookie file will either be saved or rejected. If the file is saved, our web server can recognise your end device. During subsequent visits to the website, and when switching between functions that require entering a password, the cookie reduces the amount of information you need to input. Cookies thus simplify the use of websites that require user input. Cookies can also help us to offer you an individualised and relevant surfing experience if you grant your consent to this.

Regardless of any cookies that might have been saved, for security reasons you will have to log in again each time you access areas requiring registration. You will also need to input your password before redeeming miles.

No personal data is saved in the cookies we use. Only one identification number is assigned to these cookies and we shall not combine this with other existing data (e.g. provided during registration) without your consent.

You can configure your browser in such a way that it can receive our cookies or you can use our website without the cookie functionality. However, in the latter case the text you input in form fields cannot be saved for further queries, which means that you will have to input the data again the next time you visit our website. Furthermore, in this case we will unfortunately not be able to present you with personally tailored content.

Your browser may already be configured in such a way that a warning message is displayed each time it receives a cookie. This notification can be very disruptive, as the identification cookie must be resent every time you access each individual page of our website. We therefore recommend that you configure your browser so that cookies from are always accepted. You can specify this setting for individual websites.

Further information on the use of cookies and how you can deactivate them can be found at (in german) or

Web beacons are small graphic files (also described as „pixel tags“ or „clear GIFs“), which may be contained in our websites, applications and newsletters. They are generally set in conjunction with cookies to identify users and user behaviour. The preceding statements about cookies apply likewise to web beacons. In particular, web beacons will not be used if you have deactivated the corresponding cookie.

1.3 Web analysis

1.3.1 Web analysis with etracker

We use services provided by etracker GmbH (Hamburg, Germany) on our website to analyse usage data ( Cookies make it possible to undertake a statistical analysis of the use of this website by visitors and to display usage-orientated content or advertising. Please note that etracker cookies do not contain any information that could be used to identify a user.

etracker only processes and stores the data it collects on behalf of the provider of this website in Germany and is therefore subject to the stringent German and European data privacy laws and standards. In this regard, etracker has been independently audited, certified and awarded the ePrivacyseal, a data privacy seal of approval.

The legal foundation for the data processing is Article 6 Paragraph 1(f) (legitimate interest) of the EU General Data Protection Regulation (GDPR). Our legitimate interest lies in optimising our online offering and web presence. As the private sphere of our visitors is particularly important to us, their IP addresses are anonymised by etracker at the earliest point in time possible, and login or device identifiers are converted to a code that is unique but cannot be assigned to an individual. etracker does not use this data in any other way, combine it with other data or pass it on to third parties.

1.3.2 Web analysis with Adobe Analytics

Our website, app and digital communication media use Adobe Analytics, a web analysis service provided by Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland („Adobe Analytics“).

Adobe Analytics use cookies, in particular the and domains that belong to Adobe. Adobe Analytics also uses web beacons (cf. Point 1.2, last paragraph). A web beacon is a transparent graphic (usually 1 pixel x 1 pixel) that is placed on digital content and can be used to identify access to this content by visitors. It enables us to determine the activities of visitors who open a website, app or communication medium with the web beacon.

Adobe Analytics abbreviates and thus anonymises your IP address, which is then only used in this anonymised form.

The information obtained via cookie or web beacon is only transmitted to an Adobe data centre located in a member state of the European Union or in other contracting states of the Agreement on the European Economic Area. Adobe only uses this information on our behalf and only for the aforementioned purposes.

If you do not want us to collect and use such information via cookies through Adobe Analytics, you can object to this here. When using our app, you can object to this information being collected by deactivating the button at the end of the privacy policy. A corresponding opt-out cookie is then placed on your device. This cookie does not contain any values suitable for tracking, but merely makes it possible to recognise your objection so that no data is transmitted to Adobe servers for tracking purposes.

You can also set your internet browser so that it does not accept any cookies and thus prevent Adobe Analytics from collecting data. The same applies to the „Do Not Track“ function or the deactivation of the graphic display for web beacons. Please clarify the steps required to do this in the operating instructions for your internet browser, as the relevant settings differ between browser providers.

Further information on Adobe Analytics and data privacy at Adobe can be found at

1.4 Functionalities

We provide various functionalities on our website for which we must collect personal data or other information. For example, these functionalities can be made accessible only to Miles & More members who log in using their identification details (e.g. Miles & More card number and PIN or user name and password) or to registered customers after login.

As a Miles & More member or registered customer you can access your customer profile via our website where you can, among other things, view and amend your saved personal data. For example, you can save, view and amend the following data in your customer profile: name, address, contact details, payment data, orders, language settings etc. As a Miles & More member you can also view the status of your mileage account and request specific awards. If more personal data is needed to use the functions, this will be indicated on our website accordingly. Mandatory information is highlighted separately; it is not possible to use the relevant function without providing the mandatory information.

On our website, we can also offer you functionalities that can be used without logging in as a Miles & More member or registered customer. We must nevertheless collect personal data or other information for this, e.g. if you take part in a survey or competition on this website or if you send us questions or feedback. Without your further consent, we will only collect, process and use such data and information to the extent required for the relevant functionality (e.g. for answering your question or processing your feedback). Detailed information on how data is collected during competitions can be found in the entry terms and conditions for the relevant competition.

1.5 Links and data collection on third party websites

You may be directed via links on our website to third-party websites that are not operated by us. For example, they may be websites operated by partner companies with whom you can earn miles or who have special offers for Miles & More members or where you can find information about products and services. We have no influence over the collection, processing and use of your personal data on such third party websites. This is performed by the providers of the relevant website. Please therefore read the terms of use and privacy policies for these websites for more specific information on how they collect, process and use (personal) information.

What happens when you receive our newsletter?

If you have granted your consent under the heading Newsletter on our website to receiving the newsletter - until you either revoke this consent or until MMG stops sending the newsletter - we would like to give you the following information: The legal foundation for the processing is your consent as per Article 6 Paragraph 1(a) GDPR. Your consent applies to the processing of the following personal data provided voluntarily:

  • Email address
  • Choice of newsletter language
  • Where applicable: surname, first name, title, gender/form of address
  • Where applicable: address details
  • Where applicable: country of origin
  • Where applicable: date of birth
  • Where applicable: Miles & More service card number
  • Your consent applies to the use of your email address for sending the newsletter to the stated address. The newsletter provides information about Lufthansa WorldShop offers and issues.

    You can withdraw your consent to receiving the newsletter at any time. Further information can be found under the „How can you withdraw your consent?“ section.

    What personal data do you have to provide?

    For statutory or contractual requirements, we have indicated in the input masks on our website the fields that you must complete so that we can execute the desired contract or service.

    For example, we collect the following data when you register or place an order:

  • First name and surname, address
  • Order data
  • Invoice and delivery address
  • Email address, telephone numbers
  • Invoice and payment data
  • Where applicable: date of birth
  • Where applicable: Miles & More service card number
  • If you are already a Miles & More member and are logging in for the first time using your Miles & More service card number/user name and your PIN/password, we will import your details from your Miles & More profile and create a customer account.

    For how long will your data be stored?

    Your personal data will be deleted as soon as it is no longer required for the stated purposes. Furthermore, previous orders will be deleted from active customer accounts after four years. Inactive customer accounts will be deleted in full after four years.

    However, we might have to store your data until the expiration of retention obligations and periods issued by the legislator or regulatory authority, which might be specified in the commercial code and fiscal code and generally amount to between six and ten years. Furthermore, we can store your data until the expiration of statutory limitation periods (i.e. generally three years; in some cases also up to 30 years) if this is required for asserting, exerting or defending legal claims. The corresponding data is then routinely deleted.

    Who receives your data?

    In order to offer you our products and services on the basis of our contractual obligations or legitimate interests, we use service providers and third parties such as service centres, payment providers, logistics, postal and courier companies or IT service providers. If these service providers are processors as per Article 28 GDPR, they will have been carefully selected and work solely in accordance with our instructions. They provide sufficient guarantees for complying with data privacy obligations.

    It may be the case that personal data is transferred to third countries or international organisations. To protect you and your personal data, appropriate guarantees are provided for such data transfers in accordance with and consistent with legal requirements.

    If these transfers do not have a legal foundation, or take place in a country for which the EU Commission has not issued an adequacy decision, we shall use the standard EU contractual clauses. Information on standard EU contractual clauses can be found on the European Union websites via the link (in german) [].

    Furthermore, we are legally obligated in certain cases to make personal data available to German and international authorities as per Article 6 Paragraph 1(c) GDPR in conjunction with local and international regulations and conventions.

    The legal foundations for the transfer of data to other third parties and processors are Article 6 Paragraph 1(b) GDPR (executing your purchase contract), Article 6 Paragraph 1(a) GDPR (consent), Article 6 Paragraph 1(f) GDPR (legitimate interest) and Article 28 GDPR.

    What are your data protection rights?

    As a data subject, you can exercise the following rights if the relevant legal requirement applies:

    • Right of access by the data subject, Article 15 GDPR
    • Right to rectification, Article 16 GDPR
    • Right to erasure („right to be forgotten“), Article 17 GDPR
    • Right to restriction of processing, Article 18 GDPR
    • Right to data portability, Article 20 GDPR
    • Right to object, Article 21 GDPR

    You can use our „GDPR information enquiry“ contact form to exercise your rights. In order to handle your application and identify you, please note that we will process your personal data as per Article 6 Paragraph 1(c) GDPR.

    You can update most of your master data in your customer profile on our website at any time. If there are any changes in your personal data (e.g. your postal address, email address or telephone number), please update your customer profile to reflect this.

    You also have the right to lodge a complaint with a supervisory authority as per Article 77 GDPR in conjunction with Section 19 BDSG.

    The supervisory authority responsible for MMG is:

    Der Hessische Datenschutzbeauftragte

    PO Box 3163

    65021 Wiesbaden

    Gustav-Stresemann-Ring 1

    65189 Wiesbaden

    Telephone: +49 (0)611/1408-0

    Fax: +49 (0)611/1408-900 or -901

    e-mail: 051049057059057059029043043029000027021059029047057025035061059071001035029057057029047001027029

    How can you withdraw your consent?

    If you have granted your consent to us processing your personal data, we would like to point out that you can withdraw this consent at any time.

    If you have granted your consent to receiving our newsletter, you can withdraw this consent via the „Unsubscribe“ link in the newsletter.

    In all other cases, or if you are having problems withdrawing your consent on this website, you can contact the person responsible for data protection.

    Please note that withdrawing your consent only has effect for the future and has no influence on the lawfulness of processing performed in the past. In some cases we are entitled, despite your withdrawal, to further process your personal data on a different legal basis, e.g. for performance of a contract.

    Information on your right to object as per Article 21 GDPR

    You have the right to object, on grounds relating to your particular situation, at any time to your personal data being processed as per Article 6 Paragraph 1(e) or (f) GDPR.

    We shall no longer process your personal data unless we can demonstrate that there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is required for establishing, exerting or defending legal claims.

    If your personal data is processed for direct marketing purposes, you have the right to object at any time to your personal data being processed for such marketing.

    If you object to your personal data being processed for direct marketing, it will no longer be processed for this purpose.

    In connection with the use of information society services - notwithstanding Directive 2002/58/EC - you have the opportunity to exercise your right to object by automated means using technical specifications.

    You can object to the processing of your personal data at any time (e.g. via our contact form) as described in the „What are your data protection rights?“ section.

    Information on participation in the Miles & More programme

    Information on how your data is processed within the Miles & More programme can be found on or directly under this link.