I. Who is responsible for processing the data?

The party responsible for the processing of personal data under data protection law (the “Controller”) is Lufthansa Cargo AG, Frankfurt Airport – Gate 21, Building 322, 60546 Frankfurt am Main, Germany. Where the words “we” or “us” are used in this Data Privacy Statement, they refer to the above company.

Please submit requests for information or revocation of your consent by post to the aforementioned address or by e-mail to: datenschutz-lcag@dlh.de

We have appointed the Data Protection Officer of the Lufthansa Group as our company’s Data Protection Officer. If you have any questions regarding the processing of your personal data, you can contact the Data Protection Officer at any time by post (FRA CJ/D, Airportring - LAC, 60546 Frankfurt) or e-mail (datenschutz@dlh.de).

II. What principles do we observe?

In compliance with requirements under data protection law, we process personal data only if we are permitted to do so under a statutory provision or you have given us your consent.

On this Website we can also record items of information that, taken on their own, do not allow us to directly draw conclusions about your person. Nevertheless, this information may constitute “personal data” within the meaning of data protection law in certain cases, in particular if it is combined with other data. In addition, we may also record information on this Website that does not enable us to identify you directly or indirectly; this is the case, for example, with aggregated information on all users of this Website.

III. What data do we process?

You can access our Website without directly providing personal data (such as your name, postal address or e-mail address). In this case, too, we have to process certain information to enable you to access our Website. Moreover, on this Website we may use certain analytics methods and have integrated links to other websites whose operators may process further (personal) data.

1. Log files: When you visit this Website, our web server automatically stores the domain name or IP address of the requesting computer system (usually your internet access provider), including the date, time and length of your visit, the sub-sites/URLs you visit, and information on the applications and devices you use to view our Websites.
2. Cookies: Like many well-known companies, we use cookies to make our offering as user-friendly as possible. Most of the cookies we use are what are termed session cookies. They are automatically deleted when your visit is over. However, we also use persistent cookies, - also from third-party providers - if you allow us to do so, in order to make our Website more convenient for you to use or to improve our services and our Website by analyzing your use of our Website. For more information about the cookies we (like to) use on our Website and the possibility to adjust your settings in this regard, please refer to our Cookie Declaration or our Consent Manager, which you may reach at any time via the respective button on our Website.
3. Website analysis using Google Analytics: If you allow us to do so in the Cookie settings (you can find them here), we use Google Analytics, a web analytics service from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S. (“Google”), on our Website to continuously improve it. You will find more information about the cookies used by Google Analytics in order to enable the analysis of the Website’s use, in our Cookie Declaration or our Consent Manager, which you may reach at any time via the respective button on our Website.
4. Map feature city-map.com: (1) We use the offering from city-map.com on this Website. This enables us to display interactive maps directly on the Website and makes it easy for you to use the map feature. When you visit our Website, city-map Internetmarketing AG is informed that you have visited the corresponding page of our Website. city-map.com is used to make the presentation of our online offerings more appealing and so that the forwarder company specified on the Website are easy to find. You can find more information on the cookies used by city-map in our Cookie Declaration or our Consent Manager, which you may reach at any time via the respective button on our Website and on how user data is used on the privacy policy site of city-map.com (https://city-map.com/en/data-protection).
5. Embedded videos: We have embedded our own videos on our Website, which are also available on our channel on the YouTube platform (an offering from YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, U.S. – “YouTube”). The contents of the YouTube videos embedded on our Website are shown in a subsection of our Website, but are only started and played if you click actively on them. When you play an embedded YouTube video, a connection to the YouTube servers is established so that the video is played in your browser. YouTube videos are embedded on our Website in the privacy-enhanced mode provided by YouTube; according to YouTube, use of this mode means that no cookies are stored on your device. However, when you play a YouTube video, your IP address is transferred and so YouTube obtains information that you have visited our Website. According to YouTube, this information cannot be assigned to you if you are not logged on to YouTube or another Google service at the time a video is called. As soon as you start playing an embedded video by clicking on it, YouTube – in privacy-enhanced mode – only stores cookies on your device which do not contain any data that can identify you personally, unless you are currently logged on to a Google service. These cookies can be prevented by appropriate browser settings and extensions. You can find more information on data processing by and the privacy policy of YouTube and Google at https://policies.google.com/privacy?hl=en&gl=de.
6. Links to other websites: Our Website contains links to other offerings (including our presence on Facebook, YouTube, LinkedIn and Instagram. These are not social plugins (i.e. buttons which enable the operator of the offering in question to collect information on our Website’s users when the Website is called). However, please note that when you call the other offering, information (possibly including personal data) on your visit may be collected by the operator of the other offering. You can find more information in the data privacy statements of the operators of the offering.
7. Means of contact: On our Website, we point out various ways you can contact us. If you use one of these ways, we process the information we ask for and/or you give us in order to handle your inquiry. If necessary, this information may be stored for a longer period of time after completion of the processing for reasons of preservation of evidence.
8. Searching for Forwarders: We offer you a search function to forwarder companies in a specific region. As part of that, we use the post code or city you enter to check which forwarder from our global network operates in that region. You can contact the displayed forwarder by e-mail. We request personal data of the contact person for that purpose. That data is as specified in the online screen. This data is made available to the forwarder in question in order to get in touch with the contact person. If you name contact persons other than yourself, please ensure that the persons you specify are informed that their personal data is processed in connection with a shipping order, where that is required under statutory regulations.

IV. For what purposes and on what legal basis do we process your data?

1. Personal data that may be contained in the log files is processed to enable you to use our Website; that is done on the basis of Section 15 (1) of the German Telemedia Act (TMG) and on the basis of Article 6 paragraph 1 point (f) GDPR so as to safeguard our legitimate interests in operating our Website.
2. The data collected using necessary cookies and the pseudonymous user profiles are processed for the purposes of tailoring our Website to users’ needs on the basis of Article 6 paragraph 1 point (f) GDPR so as to safeguard our legitimate interests in the use of our Website. The data collected using optional cookies (cookies of all categories other than “necessary”) and the pseudonymous user profiles are processed for the purposes of analyzing the Website, advertising, and market research on the basis of your consent and Article 6 paragraph 1 point (a) GDPR.
3. The processing of the data collected through the playing of videos embedded on our Website is carried out for the purpose of using and designing our Website in accordance with the requirements of Article 6 paragraph 1 f) DSGVO to safeguard our legitimate interest in the operation of our Website.
4. Personal data provided as part of an inquiry directed to us or the contacted forwarder using the channels specified on the Website is processed to deal with the inquiry so as to safeguard our legitimate interests in conducting an existing business relationship or performing our other business activities on the basis of Article 6 paragraph 1 point (f) GDPR.
5. We can also process the personal data collected in connection with the use of our Website to comply with legal obligations to which we are subject; this is done on the basis of Article 6 paragraph 1 point (c) GDPR.
6. Where necessary, we also process personal data above and beyond the above-mentioned purposes to safeguard further legitimate interests or the interests of third parties; this is done on the basis of Article 6 paragraph 1 point (f) GDPR. Our legitimate interests include
   a) establishing legal claims and defending ourselves in legal disputes;
   b) preventing and investigating criminal acts; and
   c) controlling and further development of our business activities, including risk management and operation of our IT systems.

V. Do I have an obligation to provide data?

The particulars required for searching for and contacting forwarders are indicated as mandatory details in the relevant section of our Website; if you do not provide these mandatory details, we cannot enable you to use the feature in question.

If we collect personal data from you above and beyond that, we notify you at the time whether the information has to be provided under the law or a contract or is necessary so that a contract can be concluded. We usually indicate information that is provided voluntarily and does not have to be furnished pursuant to one of the above obligations or is not required to conclude a contract.

VI. Who receives personal data?

In general, personal data is processed inside our company. Only specific departments/organizational units can access personal data, depending on its nature. They include in particular the specialist departments tasked with providing our digital offerings (e.g. Websites) or the described business processes, and our IT department. A role and authorization concept restricts access at our company to the functions and the scope required for the purpose for which the data is processed.

We may also transfer personal data to third parties outside our company to the legally permissible extent. In particular, these external recipients may include

• affiliated companies in the Lufthansa Group to which we transfer personal data for internal administrative purposes and for the performance of central services (e.g. billing services);
• service providers whom we have engaged (e.g. our website operator) and who, on the basis of a separate contractual agreement, provide us with services that may also involve processing personal data, as well as the subcontractors our service providers engage with our consent;
• non-public and public bodies, where we are obliged to transfer your personal data pursuant to statutory obligations,

Furthermore, we may transfer further data to third parties within the scope of the use of cookies and tracking functions on our Website, according to the details set down in our Cookie Declaration or our Consent Manager, which you may reach at any time via the respective button on our Website.

VII. Is automated decision-making used?

In principle, we do not use any automated decision-making (including profiling) within the meaning of Article 22 GDPR in connection with operation of our Website. If we use such methods in individual cases, we will notify you separately to the legally prescribed extent.

VIII. Is personal data transferred to countries outside the EU/EEA?

In most cases, personal data is processed within the EU or the European Economic Area.

Since the Lufthansa Group operates globally and we also perform our services worldwide, we also possibly transfer information to recipients in what are termed “third countries”. “Third countries” are countries outside the European Union or not party to the Agreement on the European Economic Area where it cannot be readily assumed that they have a level of data protection comparable to that in the European Union. Recipients in third countries may be, for example, service providers we engage, especially forwarders, but also non-public and public bodies, in case we are obliged to transfer specific information in the course of the provision of our services pursuant to statutory obligations.

If the transferred information also includes personal data and we do not have a legal obligation to disclose such data, we ensure before transferring it that the necessary adequate level of data protection is ensured in the third country in question or at the recipient in the third country. That may be based in particular on an “adequacy decision” by the European Commission, in which an adequate level of data protection is ascertained for a specific third country as a whole. Alternatively, we can transfer data on the basis of EU standard contractual clauses agreed with a recipient. For information about the EU Standard Contract Terms, click here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, and for information about the adequacy decisions click here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#dataprotectionincountriesoutsidetheeu. We will be happy to provide you with further information on the appropriate and adequate safeguards to maintain an adequate level of data protection upon request; our contact details can be found on in section I. of this Data Privacy Statement.

IX. For how long is personal data stored?

In general, we store personal data according to article 17 GDPR only for as long as they are necessary for the purposes mentioned, or if we have legitimate interests in storing it and they are not overridden by your interests in your data no longer being stored. Subsequently, such data will be deleted in order to comply with the principle of data minimization.

Even if we have no legitimate interests, we can continue to store your data if we are required to do so by law (such as to comply with retention obligations). We erase your personal data, also without any action on your part, as soon as we no longer need to know it in order to fulfill the purpose of processing or storage of it is otherwise legally impermissible.

As a rule

• log data is erased within seven days, unless it needs to be stored further for purposes envisaged under the law, such as detection of misuse and the identification and rectification of technical faults;
• data processed in connection with a business relationship is erased no later than by the end of the statutory retention periods or the applicable limitation periods; and
• the data stored in connection with a forwarder search is deleted after the corresponding request has been processed, unless further retention of it is required to comply with statutory retention periods in connection with the business relationship in question.

Personal data we have to store in order to comply with retention obligations is stored until the obligation to retain it ends. If we store personal data solely to comply with retention obligations, it is usually blocked, meaning it can only be accessed when that is required for the purpose for which the data had to be retained.

X. What are your rights as a data subject?

a. Right of objection under Art. 21 DSGVO

As a data subject you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning yourself which is based on point (e) or (f) of Article 6 (1), including profiling based on those provisions. In the event of such an objection, we will no longer process your personal data, unless (i) we can demonstrate compelling legitimate grounds to further process the personal data, outweighing your interests, rights and freedoms, or (ii) the processing is used for effective exercise or defense of legal rights.

In case we process your personal data for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning yourself for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object processing for direct marketing purposes, the relevant personal data will no longer be processed for these purposes.

b. Withdrawal of consent

If you have given us your consent to process your personal data, we hereby inform you that you can withdraw this consent at any time, e.g. with regard to cookies, by selecting the appropriate boxes in our cookiebot-consent-manager, which you can access at any time via the link in our Cookie Declaration or via our Consent Manager, which you may reach at any time via the respective button on our Website or by sending us a corresponding message by post, fax or e-mail via one of the contact channels mentioned in Section I. of this Data Privacy Statement. You can also withdraw or modify your consent to the use of cookies at any time by clicking on this link. In all other cases or if you have problems to withdraw your consent, you can also contact our Data Protection Officer, also mentioned in Section I. of this Data Privacy Statement.

Please note that the consent you have withdrawn will only have effect for the future and has no influence on the lawfulness of processing based on consent before its withdrawal. In some cases, despite your withdrawal, we are entitled to process your personal data on a different legal basis - for example, to fulfil a contract.

c. Additional rights

As a data subject, you also have the right to

• access the personal data stored on you (Article 15 GDPR);
• have incorrect data rectified and to have incomplete data completed (Article 16 GDPR);
• demand erasure of personal data (Article 17 GDPR);
• demand restriction of processing (Article 18 GDPR); and
• demand data portability (Article 20 GDPR),

In order to exercise these rights you can contact us at any time, e.g. by using the channels specified in Section I. of this Data Privacy Statement.

If you have questions relating to processing of data, you can also contact our Data Protection Officer, whose contact information you can also find in Section I. of this Data Privacy Statement.

As a data subject you also have the right to lodge a complaint with a supervisory authority responsible for data protection (Article 77 GDPR). The supervisory authority responsible for Lufthansa Cargo AG is the Hessian Commissioner for Data Protection and Freedom of Information.

XI. Changes to the Data Privacy Statement

Due to the further development of our Website and our offers or due to changed legal or official requirements, it may become necessary to change this Data Privacy Statement.

If this results in fundamental changes for you or if legal provisions make this necessary, we will inform you of such changes (with a corresponding note when you go to our Website).

You can access and print out the current Data Privacy Statement on our Website at any time.

Status: January 2024

* * *