Data Privacy

We are pleased about your visit to our website, where we offer you personalized functionalities in addition to information about our company and our services. Transparency and integrity in the processing of your personal data is important to us. We comply with data protection regulations, in particular the EU General Data Protection Regulation (“GDPR”), the German Federal Data Protection Act (“BDSG”) and the German Telecommunications and Telemedia Data Protection Act (“TTDSG”). 

In this data protection notice, we explain to you what information (including personal data) is processed by us during your visit and use of our aforementioned internet offer (“website”) and what rights you have with regard to your personal data. You can access, print or download this data protection declaration permanently and at any time at https://lufthansaholidays.com/en-de/privacy

1. Who is responsible for data processing?

The data controller responsible for the processing of personal data under data protection law is Eurowings Holidays GmbH, Waldstraße 249, 51147 Cologne. Whenever the terms “we” or “us” are used in this data protection notice, they refer to the aforementioned company. 

If you have any questions or comments about data protection, please feel free to contact Datenschutz-ew@eurowings.com. 

Our Group Data Protection Officer for the Lufthansa Group can be reached at datenschutz@dlh.de. 

2. What principles do we follow?

In compliance with data protection regulations, we process your personal data only if a legal regulation permits us to do so or if you have given your explicit consent for the processing. This also applies to the processing of personal data for advertising and marketing purposes. 

On this website, we may also collect information that does not in itself allow us to draw any direct conclusions about you as an individual. In certain cases – in particular when combined with other data – this information may nevertheless be considered “personal data” in the sense of data protection law. Furthermore, we may also collect such information on this website that does not allow us to identify you either directly or indirectly; this is the case, for example, with summarized information about all users of this website. 

3. What data do we process? For what purposes and on what legal basis is this processing carried out?

You can access our website without directly providing personal data (such as your name, postal address or email address). Even in this case, we need to collect and store certain information to enable you to access our website. We also use certain analytical tools on our website and have integrated functionalities from third-party providers. In addition, we offer you some functionalities on our website for which we need to collect personal data. 

3.1. We collect and process personal data to the following extent:

Processing of access data, log files, and cookies: 

When you visit this website, our web server automatically stores data and information from your device and browser. This includes details such as the browser type and version, operating system, internet service provider, IP address, date and time of access, the website from which you accessed our site, and the specific pages you visit on our website. These technical details are processed in log files and are not combined with other personal data about you.

We process this data to provide you with access to our website, ensure the functionality of our site, and guarantee the security of our IT systems. In particular, this processing serves to detect, analyze, and defend against cyberattacks, fraud attempts, and other security-related incidents, as well as to ensure the integrity, confidentiality, and availability of our IT systems. Additionally, it helps to identify and prevent misuse of our website. The legal basis for this processing is Article 6 (1) (f) of the GDPR, based on our legitimate interest in ensuring technical functionality, security, and defense against cyberattacks.

In addition, we use cookies and tracking software on our website. Information about the cookies we use, their purposes, and the relevant legal bases can be found in the privacy settings under More Information. Processing is carried out either on the basis of our legitimate interest pursuant to Article 6 (1) (f) of the GDPR or – where required – based on your consent pursuant to Article 6 (1) (a) of the GDPR.

Booking data: 

We process the personal data required to process your travel booking, in particular title, first and last names, billing address, telephone number, date of birth, nationality, email address, bonus program number, and information about the means of payment you have selected. If there are multiple participants, we also process their first and last names and their dates of birth. The required information is marked as such on our website; it is not possible to complete your booking without this information. We process this data in order to fulfill our contractual obligations in accordance with Article 6 (1) point b GDPR. This includes in particular: 

• issuing travel documents and corresponding notifications based on our legal obligation,
• sending booking confirmations,
• providing the travel-related services you have booked and providing travel-related information, such as eJournals, baggage services or transfer offers,
• collecting and transmitting contact details required by local authorities due to mandatory legal requirements and therefore necessary for the performance of the service contract.

Direct marketing to existing customers: 

We use your email address to send you advertising and travel-related information and offers by email, e.g. to offer you additional services for your trip. We will only process your data if we have received your email address in connection with the sale of a product or service from you, if you have consented to its use, and if we have clearly indicated to you at the time of collection and each time it is used that you may object to its use at any time. Your address will be used exclusively for direct marketing for our own products or similar services. The legal basis is our legitimate interest in accordance with Article 6 (1) (f) GDPR and Article 7 (3) of the German Unfair Competition Act (UWG). Our legitimate interest outweighs the customer's interest, as our customers presumably want to be informed about their booked trip and other similar products and services. We store your data for as long as it is necessary to provide travel-related emails. For this purpose, we pass on your personal data to our service providers, with whom the corresponding data processing agreements have been concluded. 

Partner offers: 

Based on your travel data (departure and return dates, destination), we provide you with offers for partner services in the areas of car rental, rail travel, travel insurance and destination-related tours and activities during the booking process. If you accept the corresponding offers, we will transmit the necessary data to our partner company. The legal basis is Article 6 paragraph 1 b) GDPR. You cannot use our partners' services without providing your data. 

Newsletter: 

If you have registered for our email newsletter, we will process your email address, on the basis of your consent, to send you information tailored to your interests about our services, offers and promotions and selected partner companies in the areas of travel and mobility (e.g. flight bookings, hotels, rental cars, insurance, events, tours and activities). We analyze the data on the delivery, opening and click rates of our e-mails to evaluate the success and use of the newsletter. On the other hand, we also evaluate the data generated when you access and use these e-mails (time of opening, hyperlinks clicked on, documents downloaded) in order to provide you with individualized information in future e-mails that best meet your interests and needs. Transactional data (travel search details incl. departure location and destination, travel period, number of travel participants, etc.) on our website are used, e.g. to personalize the newsletter after a travel search for a specific holiday destination or after a travel booking is canceled (shopping cart canceler, retargeting). We store your data for as long as is necessary to provide you with the newsletter. You are not obliged to provide personal data. However, without your email address, we cannot provide you with our newsletter. We process your data exclusively for the selection of individualized content and for sending the newsletter within the scope of the consent you have given. For this purpose, we pass on your personal data to our service providers with whom the corresponding data processing agreements have been concluded. The legal basis for this is Art. 6 (1) point a GDPR. You can withdraw your consent at any time with effect for the future by clicking on the unsubscribe link in each e-mail sent to Eurowings Holidays GmbH. 

Personalized customer communication: 

We want to make using our services as convenient and efficient as possible for you by personalizing the booking process. For this reason, we process information about your previous bookings and, if applicable, preferences stored in your profile in order to immediately display the options that are relevant to you in the booking process or to make the appropriate default settings. This enables you to make travel bookings, rebookings or purchase additional services more quickly, i.e. without having to first search through the multitude of options offered to find the ones that are of interest to you. The legal basis is Art. 6 (1) (a) GDPR. 

Contacting us: 

You can contact us, for example, using our contact form, by email, by phone or using the form to check a compensation claim under Article 7 of Regulation 261/04. We collect all the data you provide and store it to the extent necessary to process your request. If necessary, data will be stored for a longer period after processing has been completed for reasons of preserving evidence. The legal basis is Art. 6 (1) (b) and Art. 6 (1) (f) GDPR. 

Telephone calls: 

When you contact us by phone, we process your data in order to handle your request. We only record phone calls with your explicit consent and solely for training and quality assurance purposes. The legal basis for this data processing is either your consent in accordance with Article 6(1)(a) of the GDPR or the fulfillment of your request in accordance with Article 6 (1) (b) of the GDPR. Your data is generally processed by our customer service provider, with whom we have concluded a data processing agreement. You are not required to give your consent to the recording. However, if you do not provide the data necessary to process your request, we may not be able to handle your inquiry over the phone.

Statistical evaluations: 

If necessary, we may evaluate your personal data to evaluate your preferences for the purposes of interest-based marketing, individual targeting and continuous optimization of our business processes. We do this to gain a better understanding of what our customers expect from us and to be able to offer you personalized communication. In addition, these evaluations help us to detect fraud, carry out audits and ensure security, which is why we carry out this processing to protect our legitimate interests. The legal basis is Art. 6 para. 1 lit. f GDPR. 

Processing in the context of data subject rights: 

If necessary, we process your data in connection with the assertion of data subject rights in accordance with Chapter 3 GDPR (“Rights of the data subject”). We collect all the data provided by you and requested by us (e.g. name, email address, postal address or, in rare cases, a copy of an ID card) exclusively for the purpose of personal identification and to exercise the rights set out in Chapter 3 (e.g. right of access or right to erasure). If you do not provide us with this data, we will not be able to process your request. The retention period for data in connection with data subject rights is three years. The legal basis for the processing of your data is Article 6(1)(b) GDPR. 

Creditworthiness check and fraud prevention: 

We process your personal data to assess your creditworthiness and to prevent fraud, such as credit card misuse, identity theft, or the improper use of special conditions. For this purpose, the payment and reservation data you provide – or that is provided by third parties – is compared with relevant rules and blocklists.

The legal basis for this processing is Article 6 (1) (f) of the GDPR, as we have a legitimate interest in protecting ourselves from financial losses and preventing unlawful activities.

To ensure proper payment processing and fraud prevention, your data is also checked against national and international sanctions lists. This is to ensure that unauthorized individuals do not use our services.

As part of this processing, automated decision-making may occur, which could result in the purchase process not being completed. In such cases, you have the right to object to the processing (Article 21 GDPR). If you exercise this right, your information will be reviewed and a decision will be made as to whether the process can continue.

Your data will be processed for as long as necessary to protect the legitimate interests mentioned above. Once the review or purchase process is complete, your data will be deleted unless other legal retention obligations apply. 

Further legitimate interests: 

Insofar as necessary, we also process your data beyond the aforementioned purposes to protect our further legitimate interests or the interests of third parties; this is done on the basis of Art. 6 para. 1 lit. f GDPR. Our legitimate interests include 

• the assertion of legal claims (e.g. debt collection) and the defense in legal disputes;
• the management and development of our business, including risk management;
• improving the loading times of our website;
• improving our products and services, e.g. through the pseudonymized evaluation of qualitative customer feedback (e.g. from surveys or our social media channels).

4. Am I required to provide data?

The information required for booking a trip or registering for our email information is marked as mandatory in the corresponding area of the website (e.g. an online form); we cannot enable you to use the respective functionality without providing the mandatory information. 

If we collect additional personal data from you, we will inform you at the time of collection whether the provision of this information is required by law or contract or is necessary for the conclusion of a contract. As a rule, we mark the information that is provided voluntarily and is not based on one of the aforementioned obligations or is not required for the conclusion of a contract. 

5. Who receives my data?

Your personal data is processed within our company exclusively by the responsible departments. It is only passed on if this is necessary to provide our contractual services, if there is a legal obligation to do so or if another legal basis permits it. Recipients of your data may include the following categories of third parties in particular: 

• affiliated companies such as airlines, including Eurowings, Lufthansa, etc. as aircraft operators;
• other affiliated companies such as Miles & More GmbH as the operator of the Lufthansa Group's frequent flyer and rewards program;
• service providers we use to provide our services, insofar as the transfer is necessary to fulfill the contracts concluded with us, such as bus or taxi transfers, call centers or travel partners;
• business partners, for example in connection with hotel bookings, insurance services, car rental and destination-related tours and activities, who act as independent controllers;
• IT service providers for the operation and maintenance of our IT infrastructure (e.g. IT maintenance, IT support and development or cloud and hosting providers)
• Credit institutions and payment service providers for billing and payment processing;
• Shipping service providers, media and marketing agencies (e.g. for market research, advertising communications or campaign management);
• Consultants or consulting firms (e.g. lawyers, auditors);
• Collection agencies and lawyers to collect debts and enforce claims in court

6. Do we use automated decision-making?

We do not use automated decision-making (including profiling) as defined in Article 22 of the GDPR in connection with the operation of our website. If we use such procedures in individual cases, we will inform you of this separately to the extent required by law.

7. Do we transfer data to countries outside the EU/EEA?

Your personal data is generally processed within the EU or the European Economic Area. In certain cases, information may be transmitted to recipients in so-called “third countries”. “Third countries” are countries outside the European Union or the European Economic Area Agreement in which a level of data protection comparable to that in the European Union cannot readily be assumed. If the information transmitted includes personal data and we are not required to transmit it due to a legal obligation (such as in the case of Advance Passenger Information), we will ensure that the necessary adequate level of data protection is guaranteed in the respective third country or by the recipient in the third country before such transmission. This may arise in particular from a so-called “adequacy decision” of the European Commission, by which an adequate level of data protection is determined for a specific third country as a whole. Alternatively, we can also base the data transfer on the so-called “EU standard contractual clauses” agreed with a recipient. In such cases, we have secured the level of data protection with appropriate safeguards within the meaning of Art. 46 GDPR. We will be happy to provide you with further information on the appropriate and reasonable guarantees for maintaining an adequate level of data protection upon request; you will find our contact details at the beginning of this data protection notice. Further information on the current EU standard contractual clauses can be found here. Information on the current EU adequacy decisions can be found here.

8. How long will my data be stored?

Your personal data will be deleted as soon as it is no longer required for the stated purposes. However, we may have to continue to store your data until the expiry of the retention periods and obligations issued by the legislator or supervisory authorities, which may arise from the German Commercial Code, the German Fiscal Code and the German Money Laundering Act and which are usually 6 to 10 years. In addition, we may store your data until the expiry of the statutory limitation periods (i.e. generally three years) if this is necessary for the assertion, exercise or defense of legal claims. After that, the corresponding data is routinely deleted. 

Even without a legitimate interest, we may continue to store the data if we are legally obliged to do so (e.g. to fulfil retention obligations). We will also delete your personal data without any action on your part as soon as knowledge of it is no longer necessary to fulfil the purpose of the processing or if storage is otherwise legally impermissible. 

• As a rule, the log data is deleted within ninety days, provided that further storage is not required for legally prescribed purposes, such as the detection of misuse and the detection and elimination of technical faults
• the data processed in connection with a travel booking is deleted at the latest after the legal retention periods have expired (max. 10 years)
• and the data processed in connection with customer communication will be deleted at the latest after a maximum of five years (Regulation (EC) No. 261/2004)
• the data collected for the processing of your respective request as well as the provision of the chat and the documentation of your specific chat request or for internal quality purposes will be stored until your request has been processed and as long as no legal storage requirements exist
• The data collected in the context of a competition will be stored for as long as it is necessary for the execution and processing of the competition, unless a longer legal storage period applies.
• We store call recordings made in the course of calls with our customer service until you revoke your consent or for a maximum period of 90 days, provided that no statutory deadlines apply that require longer storage.

9. What rights do I have?

Right to object under Article 21 GDPR: 

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. In the event of your objection, we will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims. 

If we process personal data concerning you for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing. If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes. 

You have the option, in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to exercise your right to object by automated means using technical specifications. 

Revocation of consent: 

If you have given us your consent (e.g. in connection with information by e-mail), you can revoke such consent at any time with effect for the future. In our e-mail information, we usually provide you with a corresponding link in each of our newsletters. You can also contact us in any other way, e.g. by sending us a message by post, fax or e-mail using one of the contact methods listed on the first page of this data protection notice. The revocation of consent does not apply retroactively and thus does not affect the lawfulness of the data processing up to the date of revocation. 

Further rights: As a data subject, you have the right 

• to information about the personal data stored about you, Article 15 GDPR;
• to correct incorrect or incomplete data, Article 16 GDPR;
• to delete personal data, Article 17 GDPR;
• to restrict processing, Article 18 GDPR; and
• to data portability, Article 20 GDPR.

To exercise these rights, please contact us at any time by email at Datenschutz-ew@eurowings.com. 

The postal address is: 

Eurowings Holidays GmbH 

z. Hd. Eurowings Datenschutz 

Waldstr. 249 

51147 Cologne

Germany 

Please provide the following information so that we can identify you: 

• Name
• Postal address
• email address and optionally: customer number or booking code

You also have the right to file a complaint with a supervisory authority in accordance with Art. 77 GDPR in conjunction with Art. 19 BDSG. The supervisory authority responsible for Eurowings is: 

North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information 

Kavalleriestr. 2-4 

40213 Düsseldorf

Germany

Telephone: 0211/38424-0 

Fax: 0211/38424-999 

E-mail: poststelle@ldi.nrw.de

Status: April 2025