1. General information about the processing of personal data
(1) The protection of your personal data is of particular importance to us. The aim of the following information is to provide you with a comprehensive explanation of how your personal data is processed through the use of our websites and services.
(2) The controller according to Art. 4 No. 7 of the General Data Protection Regulation (“GDPR”) is:
Telephone: +49 (0) 331 9816 9040
(hereafter referred to as “Flightright”). Further information can be found in our imprint.
(3) Our data protection officer can be reached via E-mail at email@example.com or by post at our address marked “For the attention of The Data Protection Officer”.
(4) We process personal data in strict compliance with the applicable data protection regulations. This means the data will only be processed with legal permission; in particular, if the processing of the data is necessary for the provision of our contractual and online services, e.g. when consent is legally required, as well as on grounds of our legitimate interest (i.e. interest in the analysis, optimization and economic operation and security of our online content within the meaning of Art. 6 para. 1 lit. f. GDPR, especially for range measurement, creation of profiles for advertising and marketing purposes, collection of access data and use of third-party services).
(5) The legal basis of consent is Art. 6 para. 1 lit. a. and Art. 7. GDPR. The legal basis for the processing of data in order to provide our service and execute contractual duties is Art. 6 para. 1 lit. b. GDPR. The legal basis for the processing of data in order to fulfill our legal obligations is Art. 6. Para. 1 lit. c. GDPR, and the legal basis for the processing of data for the safeguarding of our legitimate interests is Art. 6, para 1. lit. f. GDPR.
2. Data processing through visits to our websites
When using our websites for purely informational purposes, i.e. if you do not make a request, do not log in or otherwise provide us with personal information, we process the data that your browser transmits to our server which is technically necessary to display our websites to you and to guarantee stability and security (“visitor data”):
- IP address
- Date and time of the request
- Duration of the website visit
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- Volume of data transferred
- Webpage from which the request comes
- Webpages that you visit on our website
- Internet service provider
- Browser type
- Server Log Files
- Operating system and its interface
- Language and version of the browser software
(2) The legal basis is Art. 6 para. 1 sentence 1. lit. f. GDPR and that is our legitimate interest in the presentation of the accessed websites.
(3) We create anonymous user profiles from individual visit data. This enables us to constantly improve our website.
3. Data processing through Cookies (Tracking)
(1) In addition to the data usage mentioned above, cookies will be stored on your device when you use our website. Cookies are small text files that are saved to your hard disk by your web browser and provide us with information. They serve to make our website more effective and user-friendly. The legal basis for this is Art. 6 para. 1 sentence 1 lit. f. GDPR, which is our legitimate interest in improving the usability of our website and analyzing our online marketing activities.
(2) You can configure your browser settings according to your wishes. You can, for example, refuse to accept cookies. Please be advised that if you do not accept cookies, you may not be able to use the full features of our website.
(3) Our website generates temporary and permanent cookies, the function and scope of which are explained in the following paragraphs:
(a) Temporary cookies are automatically deleted when you close your browser. These are predominantly session-cookies. Session cookies store a so-called “session ID” which assigns different requests from your browser to the common session. This enables your device to be recognized when you return to our website.
(b) Permanent cookies are automatically deleted after a period of several days, which may vary depending on the cookie. You can delete cookies at any time in the security settings of your browser.
(1) When you use our website, you receive a temporary cookie which identifies your browser and transmits your user behaviour and search method.
(2) We also use permanent cookies:
(a) to improve the usability of our websites so that you can see the results of a terminated session ten days after leaving, and
(b) to identify your follow-up visits if you have an account with us. This is so you do not have to log in manually each time you visit. These cookies are stored for 30 days.
3.2 Google Analytics
(2) If IP anonymization is activated, Google will truncate your IP address within Member States of the European Union or in other countries party to the Agreement on the European Economic Area beforehand. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. IP anonymization is active in our web service. Google will use this information on our behalf to evaluate the use of our websites, compile reports on activities and to provide us with other services in connection with the use of the websites and the internet.
3.3 Google Adwords Conversion-Tracking
(1) We use the online advertising program “Google AdWords” and conversion tracking as part of Google AdWords. Google Conversion Tracking is an analytical service provided by Google LLC, Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google“). When you click on a Google ad, a cookie for conversion tracking is stored on your computer. The cookies expire after 30 days. These cookies do not contain personal data and cannot be used to identify you.
(2) If you visit certain pages of our website and the cookie has not yet expired, Google and Flightright can detect that you have clicked on the ad and were re-directed to this page. Every Google AdWords customer receives a different cookie. It is not possible, therefore, to track cookies via the websites of AdWords customers. The information obtained by the conversion cookie is used to generate conversion statistics for AdWords customers who utilize conversion tracking. With a conversion tracking tag, customers can see the total number of users who clicked on their ad and were re-directed to their page. They do not, however, receive information that can personally identify users.
3.4 Google Dynamic Remarketing
(1) We use the remarketing or “similar target group” function provided by Google LLC, Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google“) on our websites. This feature enables us to provide users of our website with targeted advertising by displaying personalized, interest-based advertisements when you visit other websites in the Google Display Network.
3.5 Bing Ads
(1) Our website uses the conversion tracking of Bing Ads provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (“Microsoft“). For this purpose, Microsoft Bing Ads stores a cookie on your computer when you have been forwarded to our website through a Microsoft Bing ad. This way, Microsoft Bing and Flighright can detect that someone clicked on an ad, was forwarded to our website and, as a result, has reached a previously determined target site (conversion site). These statistics show us the total number of users who clicked on a Bing ad and, as a result, have been forwarded to the conversion site. No personal information about the user’s identity will be disclosed.
3.6 Yahoo Web-Analytics
(1) We also use the Yahoo Web Analytics application provided by Oath Inc., 701 First Avenue, Sunnyvale, CA 94089, USA (“Oath”).
(2) Yahoo Web Analytics is a browser-based system used to collect information about visitors to our websites. Yahoo Web Analytics uses web beacons and cookies to collect data about visitors to our customer’s websites. This data is sent to Oath by your web browser as part of your interaction with the website. The data collected commonly includes IP address, time spent on webpages, links clicked, or advertisements viewed on those pages. This data is collected by Yahoo Web Analytics so that Oath can report statistical information. Yahoo Web Analytics cookies do not contain personally identifiable information.
(3) We use the information collected through collected through Yahoo Web Analytics in order to improve our products and services and provide advertisements about goods and services of interest to you.
(4) If you do not wish to have information about your activities on our customer’s websites used by Yahoo as stated above, you can opt-out here. For information on how Oath handles your information, please refer to the Yahoo search engine’s privacy statement.
(1) Our websites collect information about the surfing behaviour of website visitors for marketing purposes in a purely anonymous form through Criteo SA, 32 Rue Blanche, 75009 Paris, France (“Criteo”), and sets cookies for this purpose.
(2) Criteo can analyze surfing behavior and then display targeted product recommendations as a suitable advertising banner when you visit other websites. Under no circumstances can the anonymized data be used to identify you personally. The data collected by Criteo will only be used to improve our advertising services. On the bottom right of each displayed banner there is a small “i” (for “information”) which opens when you hover the mouse over it and, when you click it, leads to a page where the system is explained and the option to Opt-Out is offered. When you click on Opt-Out, an “Opt-Out” cookie is set, which will prevent these banners from being displayed in the future. No other use or disclosure to third parties takes place.
(1) We use the analysis and feedback tool provided by Hotjar Ltd., Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta (“Hotjar”). With Hotjar we analyse how you use our website. The tool shows us the surfing behaviour of our website visitors and enables us to get feedback from them.
(2) We do not collect any personal data through this service. With Hotjar, we record only random and anonymous mouse clicks, mouse movements, scroll activities and non-personal text data from input fields. This means that only browser information (browser type, version, screen size, etc.); general information about the user (IP address (collected and stored in an anonymous format); language; time zone; country) and data about mouse movements, clicks, scrolling events and keystrokes are sent to Hotjar. Keystrokes in password fields or fields classified as “sensitive” are not recorded.
(1) We use a tool which delivers “Recommendation Technology” provided by plista GmbH, Torstraße 33, 10119 Berlin, Germany (“plista“). Plista compares the interests of visitors of our websites and recommends the favorites of similar visitors. In order to do this, it is necessary that plista can evaluate interests and distinguish individual website visitors from each other without knowing their identity. plista compares the reading behaviour (e.g. clicks, visits, date) of different visitors. This only happens on pages where plista is activated. Recommendations are generally anonymous i.e. ratings and click data are collected by an algorithm where it is not possible for third parties to see or read the base data.
(2) To enable plista to provide you with appropriate recommendations that fall within your area of interest, plista consolidates evaluation and click data into a user profile and evaluates it. To provide this service, plista needs anonymous usage data, which is generated by cookies. These cookies provide anonymous information about website visits, clicks made by a website visitor or also the visitor’s reading behavior.
(2) The pseudonymous user profile contains the following data: operating system of the user, web pages/content accessed on our websites, referrer/link which lead you to our website, time and number of website visits, visits to error pages, location information (city and region) and the IP address in shortened form.
(3) For more information on how your data is processed by Taboola and the option to deactivate Taboola cookies, see here (opt-out information can be found under “2.4 Interest-Based Advertising”).
3.12 Facebook-, Custom Audiences und Facebook-Marketing-Services
(1) Due to our legitimate interest in the analysis, optimization and economic operation of our online offer and for these purposes within the meaning of Art. 6 (1) f. of the GDPR we use the so-called “Facebook pixel” of the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are a resident of the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).
(2) With the help of the Facebook pixel, Facebook is on the one hand able to determine the visitors of our online offer as a target group for the presentation of advertisements (so-called “Facebook Ads”). Accordingly, we use the Facebook pixel to display our Facebook Ads only to Facebook users who have shown an interest in our Websites or who have specific characteristics (e. g. interests in certain topics or products determined by the websites visited) that we submit to Facebook (so-called “custom audiences”). With the help of the Facebook pixel, we also want to make sure that our Facebook Ads are in line with the potential interest of users and do not have a nuisance effect. Using the Facebook pixel, we can also track the effectiveness of Facebook Ads for statistical and market research purposes by seeing whether users have been redirected to our website after clicking on a Facebook Ad (so-called “conversion”).
(3) The Facebook pixel is directly integrated into our web pages by Facebook and can store a so-called cookie, i. e. a small file, on your device. If you then log in to Facebook or visit Facebook when you are logged in, your visit to our online offer will be noted in your profile. The data collected about you is anonymous for us, i. e. it does not allow us to draw conclusions about the identity of the users. However, the data is stored and processed by Facebook so that it can be linked to the respective user profile and used by Facebook as well as for its own market research and advertising purposes. If we transfer data to Facebook for comparison purposes, it is encrypted locally in the browser and only then sent to Facebook via a secure https connection. This is done with the sole purpose of matching the data encrypted by Facebook.
(4) Facebook’s processing of the data is governed by Facebook’s Data Usage Policy. For specific information and details about the Facebook pixel and how it works, please visit the Facebook Help Center.
(5) You may object to the collection by the Facebook pixel and use of your data to display Facebook ads. To set what kind of ads you see on Facebook, you can go to the page set up by Facebook and follow the instructions on how to set up use-based advertising.
4. Data processed for contact purposes
When you contact us via e-mail, telephone or an online contact formula, the data you provide (e.g. e-mail address, name, telephone number, the content of your request) will be processed by us in order to answer your question and/or query. The legal basis for this is Art. 6 para. 1 lit. b. GDPR.
5. Data processed for the execution of the contract
(1) When you commission us to enforce your compensation claim, we process your contact, communication, contract and flight data (e.g. flight number, date, time) so that we can provide our contractual services, which are described in full in our General Terms and Conditions (particularly to enforce the compensation claim). Your contact and flight data are required for the conclusion of the contract. Without this information, it is not possible to conclude the contract. Your data may be passed on to the service providers supporting us (hosters, service providers, operators of communication applications, etc.) These service providers have of course been carefully selected and are bound by our instructions. This applies particularly to technical service providers who support us in the provision of services.
Your payment data will not be required or processed until a payment is due to be made to you.
(2) As stated in our General Terms and Conditions, we instruct so-called contract lawyers to enforce claims if our extrajudicial enforcement of the claim is not successful (“Assignment processs”). Alternatively, you commission the contact lawyers directly (“Power of Attorney process”). In both cases, we will transfer all case related data to our contract lawyer to enable them to enforce the claim. In future, we will exchange information with the contract lawyer so that we can keep you informed at all times and continue to process your case (e.g. in event of paying out compensation to you).
(3) The legal basis is the existing contractual relationship (Art. 6 para. 1 sentence 1 lit. b. GDPR). We delete the data arising in this context after the storage is no longer necessary, or limit the processing if statutory retention obligations exist.
6. Data processed for Single Sign-On Services
7. Data processing in connection with social networks
(1) We use plugins by the social network www.facebook.com, provided by Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). You can recognize the Facebook plugins by the Facebook logo and the “Like” button.
(2) When you access a page of our website that contains such a plugin, your browser establishes a direct connection to the Facebook servers. The content of the plugin is transmitted directly from Facebook to your browser and embedded into the page. The embedded plugins provide Facebook with the information that a user with a specific IP address, namely the IP address assigned to your Internet access at the time of transmission, has visited the relevant website. If you are logged into Facebook at the same time, it can associate your visit with your Facebook account even if you do not press the “Like” button. If you interact with the plugins by clicking “Like” or leaving a comment, that information will be transmitted from your browser directly to Facebook and stored there. If you do not want Facebook to collect data via our websites and assign it to your Facebook account, please log out of Facebook before visiting our websites.
(1) We use plugins by the social network Google+, which is operated by Google LLC, Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). You can recognize the plugins by the colored font “Google+” and the Google+ logo on our websites.
(2) When you access one of our websites containing such a plugin, your browser establishes a direct connection to the Google server. This allows the content of the plugin to be transmitted to the browser and displayed on our website. Google receives the information that a user has visited our website along with their IP address. If you are logged in to Google+ and do not want Google to store information about your visit, you must log out of your Google account before visiting our website.
(1) We use plugins by the social media platform Twitter, provided by Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland (“Twitter”). The plugin can be recognized by the light blue font “twitter” on a white background as well as by the Twitter logo on our websites.
(2) Through the Twitter plugin it is possible to share our posts or to follow us on Twitter. If you access one of our websites that contains one of these plugins, your browser establishes a direct connection with Twitter’s servers. Twitter transfers the content of the Twitter plugins directly to your browser. As far as we are aware, only the user’s IP address and the URL of the relevant web page are transmitted when the plugin is clicked but are only used for the purpose of displaying the plugin.
8. Other Data Processing
If you have given your consent to receive our advertising (newsletter, e-mail, by post, etc.), we will inform you via the respective medium about our current offers using the data you have provided. You can revoke your consent at any time.
We may also use your email address to ask you to evaluate our services if you are our existing customer and have not objected to the use of your email address for this purpose.
In both cases, you can unsubscribe at any time. Please send your request to unsubscribe via email to firstname.lastname@example.org
9. Your Rights
(1) You have the following rights with respect to your personal data:
- Right of access by the data subject (Art. 15 GDPR)
- Right to rectification and erasure (Art. 16 and 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to object against the processing of data (Art. 21 GDPR)
- Right to data portability (Art. 20 GDPR)
(2) You also have the right to complain to the data protection supervisory authority about our processing of your data.
(3) We would like to inform you that you can revoke any data protection consent provided at any time with future effect. The same applies to consent given to promotional activities. The best way to do this is to send an informal e-mail to: email@example.com. The respective revocation may cause our service to become unavailable to you or only available in a limited capacity.
(4) Insofar as the processing of your personal data is based on a balance of interests, you may object to the processing. When exercising an objection, we ask that you state why we should not process your personal data in the manner that we have. In case of a justified objection, we will review the situation and either stop or adjust the data processing or point out the compelling legitimate grounds on which we will continue to process the data.
10. Disclosure of data to third parties
(1) We only disclose your personal data to our service and partner companies in as far as this is absolutely necessary for order processing and the fulfilment of contractual requirements e.g. on the basis of Art. 6 para. 1 lit. b. GDPR or on the basis of legitimate interests pursuant to Art. 6 para. 1 lit. f. GDPR.
(2) If we use subcontractors to provide our services, we take appropriate legal, technical and organizational measures to ensure the protection of personal data in accordance with the relevant legal requirements.
11. Deletion of Data
(1) The data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory storage obligations. If the data is not deleted because it is necessary for other and legally permissible purposes, its processing is restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons.
(2) In accordance with statutory requirements in Germany, records are kept for 6 years in accordance with § 257 (1) HGB (trading books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents etc.) and for 10 years in accordance with § 147 (1) AO (books, records, management reports, accounting documents, commercial and business letters, documents relevant for taxation etc.)
12. Closing Provisions
(1) We employ technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. Our security measures are continuously improved in line with technological developments.
Status: as of May 2018