Privacy policy

Who is the data controller?

The controller within the meaning of the GDPR for the processing of your personal data is:

DEUTSCHE LUFTHANSA AG
Venloer Straße 151-153
50672 Cologne

Who can I contact?

If you have any further questions regarding data protection in connection with our website or the services and products offered there, please contact our Data Protection Officer:

Email: datenschutz@dlh.de

What personal data is processed, for what purposes and for how long?

Personal data is any information relating to an identified or identifiable natural person that you provide to us, or that is generated by us or collected by us. This includes, in particular:

Contact and payment details: If you wish to purchase tickets to visit Hangar One, your contact details (surname, first name and email address) and your payment details (credit card details) will be required.

Content data: When using services on our website, for example at using contact forms or the newsletter, the content data you enter and that is generated about you, as well as the information we provide to you, will be processed.

Server log data: When you use our websites, data relating to this (such as, in particular, the date and time of your visit, pages accessed and files requested, the type and version of the web browser you are using, the type and operating system of the device you are using, and your IP address) is temporarily stored in a log file on our servers.

What personal data is processed, for what purposes and for how long?

Ticket purchase

When you purchase a ticket from us for a tour of Hangar One, we process your contact and payment details in order to issue a ticket.

The legal basis for this processing is the conclusion and performance of a contract with you (Article 6(1)(b) of the GDPR).

This data will be deleted 30 days after your visit to Hangar One, unless we are legally obliged to retain it, e.g. due to commercial or tax law retention obligations.

Car park booking

If you wish to book a parking space with us online, we process your contact and payment details, order number and a QR code to issue the parking ticket.

The legal basis for the processing is the conclusion and performance of a contract with you (Art. 6(1)(b) GDPR).

We also collect your vehicle registration number. The legal basis for this is our legitimate interest (Art. 6(1)(f) GDPR). Our legitimate interest lies in being able to verify that only authorized persons park in our car park and, if necessary, to contact the vehicle owner.

Ensuring the technical infrastructure and provision of the website

The processing of server log data serves the technical provision of the website and, subsequently, the safeguarding of system security and the protection of the technical infrastructure in order to detect malicious access to our website.

The legal basis for the processing is our legitimate interest in providing the website with our services and in protecting our technical infrastructure (Art. 6(1)(f) GDPR). The processing is strictly necessary for the use of our website.

This data will be deleted at the latest after 30 days.

Enforcement of legal claims

For the purpose of enforcing our own legal claims and defending our legal position, we process, on a case-by-case basis, the personal data necessary for enforcement or defence.

The legal basis for the processing is our legitimate interest in enforcing legal claims and defending our own legal position (Art. 6(1)(f) GDPR).

The data required for this purpose will be deleted once the legal dispute has been resolved or upon expiry of the statutory retention period.

Your enquiries

If you send us enquiries via a contact form or by email, we process your contact and content data to respond to your enquiry, as well as, where applicable, the IP address, date and time of the enquiry to prevent misuse of the contact form.

The legal basis for the processing is Article 6(1)(f) of the GDPR. Our and your (legitimate) interest in this data processing arises from the aim of answering your enquiries, resolving any issues that may arise and thereby maintaining and promoting your satisfaction as a customer or user of our website.

This data will be deleted once our communication with you has ended, i.e. once the matter in question has been conclusively resolved and there are no further legitimate interests or legal obligations to retain the data.

Cookies and similar technologies

To make our website as user-friendly as possible, we use so-called cookies. A ‘cookie’ is a small text file that a Lufthansa web server (https://www.lufthansagrouphangar-one.com) sends to your browser when you visit a website.

Here you will find all the information about the cookies used by our Hangar One website and our ticket shop.

We use only technically necessary cookies to ensure a smooth browsing experience for you. These cookies are strictly necessary for the operation of our website. Without these cookies, we cannot provide the services you request. We also use these cookies for security purposes. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR). Our legitimate interest is to provide our services in a secure and user-friendly manner.

Technically necessary cookies on the Hangar One website

• Neos_Session
  • Purpose: This cookie allows the website to recognize you during your current visit. It is needed, for example, to make forms work properly and to process your entries during the active session.
  • Content: Random session ID
  • Duration: Only until you close your browser (session)
  • Category: technically necessary
  • Legal basis: Legitimate interest
• Neos_Session_Storage
  • Purpose: This cookie supports the technical management of your current website session. It helps ensure that certain website functions work reliably while you are using the site.
  • Retention period: Session
  • Category: technically necessary
  • Legal basis: Legitimate interest
• XSRF-TOKEN (for forms)
  • Purpose: This cookie helps protect website forms against unauthorized requests from third parties. It helps ensure that form submissions actually come from the website and can be processed securely.
  • Content: Token, no personal data
  • Retention period: Session
  • Category: technically necessary
  • Legal basis: Legitimate interest

Technically necessary cookies in the Hangar-One Ticket shop

• XASSESSIONID
  • Purpose: This cookie allows the ticket shop to identify your current visit during the active session. This helps functions such as the shopping cart, login status, and form steps work correctly while you are using the shop.
  • Content: Random session ID, no plain text
  • Storage duration: Session
  • Category: technically necessary
  • Legal basis: Legitimate interest
• XASID
  • Purpose: This cookie is used for multi-instance failover.
  • Storage duration:Session
  • Category: technically necessary
  • Legal basis: Legitimate interest
• XSRF-TOKEN
  • Purpose: This cookie helps protect the ticket shop against unauthorized requests from third parties. It helps ensure that actions such as logins, orders, or form submissions actually come from you or from your current session.
  • Content: Token, no personal data
  • Retention period: Session
  • Category: Technically necessary
  • Legal basis: Legitimate interest
• mx-cookie-test
  • Purpose: This cookie checks whether your browser accepts cookies. This is necessary so the ticket shop can determine whether important functions such as login, shopping cart, and checkout can work properly.
  • Storage duration: very short-lived
  • Category: technically necessary
  • Legal basis: Legitimate interest
• DeviceType
  • Purpose: This cookie stores the type of device you are using to access the ticket shop, such as a smartphone, tablet, or desktop computer. This helps provide a suitable layout and user experience for your device.
  • Category: technically necessary
  • Legal basis: Legitimate interest
• Profile
  • Purpose: This cookie stores which navigation or user area of the ticket shop is being accessed during your session. This allows the shop to provide the appropriate structure, view, or navigation for your visit.
  • Legal basis: Legitimate interest
• SessionTimeZoneOffset
  • Purpose: This cookie stores the time zone offset for your current session. This allows times, dates, or event-related information in the ticket shop to be displayed correctly for you.
  • Retention period: Session
  • Category: Technically necessary
  • Legal basis: Legitimate interest
• Local Storage and Session Storage

  We store some data in your browser storage rather than in cookies:

  • localStorage (personal settings, where required)
  • sessionStorage (temporary data during your visit)
  • Legal basis: Legitimate interest

No tracking, marketing or analytics cookies

We do not use any cookies or tools for user tracking (‘tracking cookies’), for marketing purposes or for analytics. Your privacy remains protected with us.

To whom do we disclose your data?

Within the scope of the data processing described above and the respective legal bases, your data may be shared with the following categories of recipients:

Disclosure of data to data processors

In some cases, we engage service providers in accordance with legal requirements by way of data processing on our behalf, i.e. on the basis of a contract, acting on our instructions and under our control.

Data processors include, in particular

• service providers, e.g. for the provision of the website,
• cloud service and hosting providers (for data storage and infrastructure),
• service providers for the operation and maintenance of our IT systems,
• technical service providers whom we use to provide our website and the functionalities offered there, e.g. technically necessary cookies,

In these cases, we remain responsible for the data processing; the transfer and processing of personal data to or by our data processors is based on the legal basis that permits us to process the data in each instance. A separate legal basis is not required.

Disclosure of data to third parties

In addition, we also transfer your data to third parties, i.e. partners with whom we collaborate outside the scope of data processing on our behalf. Such partners provide their services as independent data controllers.

These partners include, in particular:

• Payment service providers with whom we collaborate and through whom you can book tickets with us (the legal basis for the transfer of data is Article 6(1)(b) of the GDPR);
• Banks and payment service providers for the purpose of preventing fraud and limiting the risk of payment defaults (the legal basis for the transfer of data is Article 6(1)(f) of the GDPR).

What type of automated decision-making is used?

Automated decision-making (including profiling) is a data processing operation in which a decision is made automatically without any human intervention or assessment of the content.

We do not use automated decision-making that produces legal effects concerning you or similarly significantly affects you.

What rights do you have?

With regard to our processing of your personal data, you have the following rights:

Right of access (Art. 15 GDPR): You have the right to obtain confirmation from us as to whether or not we are processing your personal data. If we process your personal data, you have the right to obtain from us information about this data, as well as the purposes of processing, categories of data, recipients of the data, storage period, origin of the data, information about your rights and the existence of automated decision-making, including profiling.

Right to rectification (Art. 16 GDPR): If your personal data processed by us is inaccurate or incomplete, you have the right to request rectification from us.

Right to erasure (Art. 17 GDPR): You have the right to request that we erase your personal data. This is also known as the right to be forgotten. This is not a blanket right to the erasure of all your personal data. For example, we may be legally obliged to continue processing certain items of your personal data.

Right to restriction of processing (Art. 18 GDPR): You have the right to request that we restrict the processing of your personal data. If processing is restricted, we will block your personal data.

Right to data portability (Art. 20 GDPR): Where processing is based on your consent or where your personal data must be processed automatically for the performance of a contract, you have the right to receive from us the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, or to have that data transmitted to another controller.

Right to withdraw consent (Art. 7(3) GDPR): If you have consented to the processing of your personal data by us by means of a corresponding declaration, you may withdraw your consent at any time with future effect. The lawfulness of the data processing carried out on the basis of your consent up to the point of withdrawal remains unaffected.

Right to object (Art. 21 GDPR)

Where we process your data to safeguard legitimate interests, you may object to such processing at any time by contacting hangar-one@dlh.de, provided that your particular situation gives rise to grounds that preclude our processing of the data. You have the right to object at any time, without giving reasons, to the processing of your personal data for the purposes of direct marketing. Data processing will then cease, unless Deutsche Lufthansa AG can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as a data subject, or where the processing serves to establish, exercise or defend our legal claims.

To exercise your rights, please contact us or the company data protection officer using the contact details provided in section 2.

Right to lodge a complaint with a supervisory authority

In addition, you have the right to lodge a complaint with a data protection supervisory authority. The competent supervisory authority for Deutsche Lufthansa AG is:

The Hessian Commissioner for Data Protection and Freedom of Information
Wilhelmstraße 7
65185 Wiesbaden
Telephone: 0611-14080
Email: poststelle@datenschutz.hessen.de