Privacy policy

Every time the contents of our websites are accessed, data are stored that may permit identification of data subjects.

The following data are collected:

• date and time of access
• server traffic at time of access
• IP address
• page visited on our website
• message indicating whether page retrieval was successful
• transferred data volume
• information on the device used (mobile device, desktop, etc.), operating system, browser type and versions

The temporary storage of these data is necessary for processing the site visit in order to ensure that the website can be made available. Further data storage in log files takes place to ensure the functionality of the website and the security of the IT systems. These stored data are analyzed exclusively for purposes of analyzing technical malfunctions and possible attacks on our website. In addition, the data can by analyzed anonymously for statistical purposes.

Categories of recipients
Some websites are operated by external hosting services and/or through external agencies. They act on our behalf as external processors and process the data exclusively in accordance with our instructions.

Duration of storage
To be in a position to conduct proper investigations of technical malfunctions or possible attacks on our website and report as needed to regulatory bodies and security authorities, we delete or anonymize the log files within one month at the latest.

Legal basis
The legal basis for the related processing of your data is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in maintaining the functionality of our website and performing statistical analysis of the use of our website). 

3.2.1 General information on cookies

Cookies are small files in which certain information is stored either in open or encrypted form. Cookies are sent from the server to your computer and stored there. They initially serve to identify the computer from which our website was accessed. If you log in to our website, cookies serve to notify the server of your login and check the authorizations to retrieve the page.

Cookies can help to improve communications between our server and your computer and therefore make it easier to use our website. Cookies also make it possible to track the path of a user across various pages of the website and possibly across various websites. In addition, cookies can store information of any kind.

Cookies can originate not only with the operator of the website but also with third-party providers. In your browser you can display a list of the cookies stored on your computer, delete some or all of these cookies, or select settings to deactivate or limit the storage of cookies. Please note that some functions (e.g. the login) will not work, or will not be fully functional, if you deactivate the storage of cookies.

Every cookie has an expiry date when it is no longer valid and will be automatically deleted. Details on the expiry dates for certain cookies are described in the sections below.

You can object to the use of cookies that permit the analysis of your user behavior: Tracking Preferences. Details are provided in the following sections. Please note: If you delete the cookies stored in your browser after objecting, you may have to click the links provided here again because the objection to the use of cookies containing personal data will also be documented in the form of anonymous (non-personal) cookies.

Consent management tool 

We have integrated the consent management tool "consentmanager" (www.consentmanager.net) from Jaohawi AB (Håltgelvågen 1b, 72348 Västerås, Sweden, info@consentmanager.net) on our website to obtain consent for data processing and use of cookies or comparable functions. With the help of "consentmanager" you have the possibility to give your consent for certain functionalities of our website, e.g. for the purpose of integrating external elements, integrating streaming content, statistical analysis, measurement and personalized advertising. With the help of “consentmanager” you can grant or reject your consent for all functions or give your consent for individual purposes or individual functions. The settings you have made can also be changed afterwards. The purpose of integrating “consentmanager” is to let the users of our website decide about the above-mentioned things and, as part of the further use of our website, to offer the option of changing settings that have already been made. By using “consentmanager”, personal data and information from the end devices used, such as the IP address, are processed.

The legal basis for processing is Art. 6 Para. 1 S. 1 lit. c) in conjunction with Art. 6 para. 3 sentence 1 lit. a) in conjunction with Art. 7 para. 1 GDPR and, in the alternative, lit. f). By processing the data, we help our customers (according to GDPR this is the responsible party) to fulfill their legal obligations (e.g. obligation to provide evidence). Our legitimate interests in processing lie in the storage of user settings and preferences with regard to the use of cookies and other functionalities. "Consentmanager" stores your data as long as your user settings are active. The log data will be deleted after three years. It may happen that we ask you again for your consent. This query takes place after one year at the latest.

You can object to the processing. You have the right to object to reasons arising from your particular situation. To object, please send an email to info@consentmanager.net.

3.2.2 Analytical cookies used on our websites

3.2.2.1 etracker

On our website and when using the open WLAN, FMG uses the “etracker Analytics” service of etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany (www.etracker.com) for the purpose of measuring the reach of our websites.

Scope of processing

Data that may allow a reference to an individual person, such as the IP address, login or device IDs, are anonymized or pseudonymized as early as possible. It is not used in any other manner, aggregated with other data or shared with third parties.

The following data is stored and processed when you access the page:

• IP address
• information on the device, operating system and browser used;
• geo-information up to a maximum of city level;
• the requested URL with the corresponding page title and optional information about the page content;
• the website from which the individual page was accessed (referrer site including assignment to search engines and social media sites as well as reading out campaign parameters);
• the subsequent pages that were accessed from the accessed website within a single website in the session;
• the time spent on the website;
• further interactions (clicks) on the website such as entered search terms, downloaded files, external link calls, viewed videos, logins, inquiries, ordered items, etc.

It is not possible to display unique visitor figures, the frequency distribution of sessions per visitor in the period and the linking of visits to customer journeys or conversion paths that result from multiple visits over periods of time longer than 24 hours or across multiple devices.

However, it is excluded that user profiles are formed and visitors are “recognized” over time (identification or re-identification is excluded in both processes, as the IP address is shortened and thus anonymized at the earliest possible time by default).

Purpose of processing

The application of eTracker Analytics is used to optimize the respective FMG website through reach measurement and statistical analysis as well as to ensure that the website design is tailored to the needs and is error-free.

Legal basis

• Necessity to protect the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject prevail [cf. Art. 6 (1) sentence 1 (f) GDPR]. The legitimate interests are in the optimization of the respective FMG website facilitated by the reach measurement and statistical analyses.

Categories of recipients

Personal data is transmitted to the following recipients or category of recipients:

• External contractor in accordance with Art. 28 GDPR, currently this is: etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany

Transmission to third countries

A transmission to a third country outside the European Union or the European Economic Area (EEA) is not intended.

Term of storage and criteria for determining the effective period

The period of observation is limited to a maximum of one day, as all visitor IDs are automatically linked to the respective date and thus recognition of visitors in standard mode is excluded on subsequent days.

Necessity of the data and consequences of failure to provide data

The provision of personal data is neither required by law nor by contract. If you do not provide your data, this will have no impact on your use of our services.

Automated decision-making in individual cases and profiling

Automated decision-making or profiling does not take place. The use of the eTracker is expressly not for the purpose of profiling.

Possibility of erasure or objection

You have the right to object to the processing of personal data concerning you at any time.

You can object to data processing at any time by clicking on the slider.

Further information on data protection at etracker can be found here.

3.2.2.2 Matomo - LabCampus

For the LabCampus website, we use Matomo (formerly Piwik), an open source software for statistical analysis of visitor access. Cookies are used, which are saved on your computer for up to 13 months and enable a statistical analysis of the use of the website.

In this context, usage information including the shortened IP address of the accessing computer is transmitted and stored for analysis purposes. By shortening the IP address, website users remain anonymous. Only a "session ID" (cookie) is carried and stored as the common key of a page visit. A "session" ends when the web browser is closed.

The website access information used for usage analyses includes date, time, location (city), browser type, capabilities and language, operating system/device type, length of website visit, visits by server and local time, pages visited, usage history, search engine used and search terms used to access the LabCampus website, URL referencing the LabCampus website.

By "turning off" the tracking, a so-called opt-out cookie is generated in the web browser. This causes Matomo to no longer collect the usage data of this website visit. Note: If this opt-out cookie is deleted by the user in the web browser settings, the collection of statistical data by Matomo is reactivated.

The recipient of the data is the commissioned processor (Büro am Draht GmbH) as well as the responsible departments of LabCampus GmbH. The statistical data generated by the website visit is used exclusively by LabCampus GmbH to improve the online offer and the most targeted use of resources. No other use, combination with other data or transfer to third parties takes place.

The legal basis for the placement of the Matomo cookie on your terminal device is §25 TDDDG (consent).

The legal basis for the data processing associated with our use of Matomo is Art. 6 para. 1 p. 1 lit. f) DSGVO (balancing of interests, based on our legitimate interest in continuously adapting the design of the website to the interests and needs of users).

If you do not consent to the placement of the Matomo cookie, no placement will be carried out. Once you have given your consent to the placement, you can revoke this at any time with effect for the future via the data protection settings of the Consent Manager.

You can object to the described (downstream) data processing at any time, as far as it is person-related. Your opt-out will not have any adverse consequences for you. To do so, please contact: datenschutzbeauftragter@munich-airport.de.

You can find more information about Matomo here.

3.2.3 Pixels and advertising cookies used on our websites

In order to learn more about interests and demands, we use special tools for the efficient performance of surveys that allow us to ask you for your feedback at certain touchpoints and at specific times. The providers of these tools render their services for us as part of data processing and are thus bound by our instructions.

We generally design our surveys so it is not possible to draw conclusions about individual persons during analysis and potential publication (de-facto anonymous data). This means that based on the information you provide and the supplementary knowledge that the party authorized to access it has, it is impossible to trace back to you with reasonable effort. The employees conducting the evaluation do not have access to data that would allow for personal attribution. Please make sure that the information you enter, e.g. in free text fields, does not contain any data that could allow conclusions to be drawn about you or third parties. Participation in user surveys is voluntary.

3.3.1 Purpose of processing

To collect feedback and evaluate the motives and interests of the participants in our surveys.

During technical performance of anonymous surveys, the following data is processed via links to our website or printed QR codes:

• Local storage data (e.g. language setting)
• Information about the device used (type of device, including device name, manufacturer, and version), operating system, and browser (including the version of each)
• Error logs
• Answers (open and completed) to the questions asked in the survey

While it is not possible to trace back to individual persons, this cannot be technically ruled out, especially in individual cases depending on the device used or based on the answers you provide in free text fields.

Data may also be stored and retrieved on your devices as part of the technical performance of surveys. The following cookies are implemented during use:

• Session cookie: this is used to recognize participation in an ongoing survey; to assign the correct questions, pages, and provided answers; and to attribute current participation. Cookies are deleted when the browser is closed.
• CSRF token: this is used to protect the participant’s data from cross-site request forgeries. The token is deleted when the browser is closed.

If we proactively e-mailed you about participating in surveys, the following data is also processed as part of such personally addressed surveys, polls, and interviews:

• Name
• E-mail address
• Answers (open and completed) to the questions asked in the survey

3.3.2 Legal basis

For temporary processing of personal use data for the technical performance of surveys, we process your data as part of a balancing of interests pursuant to Article 6(1)(f) GDPR (based on our legitimate interest in asking visitors to our website about certain topics while balancing your interest in having performance designed with as little data as possible).

The legal basis for the performance of personal surveys and e-mail contact is Article 6(1)(a) GDPR. To the extent that anonymous surveys are conducted on internal matters, the legal basis for contact and for technical performance of the survey is established in Article 6(1)(f) GDPR (based on our legitimate interest in learning more about possible wishes, requirements and suggestions directed at us while balancing your interest in having performance designed with as little data as possible).

3.3.3 Categories of recipients:

The surveys are performed by the specialist departments of Flughafen München GmbH that are assigned to do so. Personal data is not transmitted to third parties.

Survey tools provided as part of data processing

• Lamano GmbH & Co. KG, Prenzlauer Allee 36G, 10405 Berlin, Germany. Additional information on data protection at Lamapoll.
• Informizely B.V., WG-plein 425, 1054SH, Amsterdam, Netherlands. Additional information on data protection at Informizely.

3.3.4 Transmission to third countries

3.3.5 Duration of storage

3.3.6 Options for removal or revocation

Our website uses Google Maps to represent our location and generate directions. Google Maps is an online map service by the US company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

When retrieving a page on our website requiring a map, your browser will create a direct link to the Google servers and retrieve a map to display on your screen. To use Google Maps functions, it is necessary to process your IP address and information on your possible use of the map. This information is transmitted by your browser to a Google server in the USA and processed there by Google. At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. 

In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, Google has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.  

Further information on the handling of user data is available in the Google privacy statement.

The legal basis for processing is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in showing visitors to our website their current location and information on directions to the airport).

We embed YouTube videos in our web pages. The operator of the correspondent plugins is YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA ("YouTube"). YouTube is a subsidiary of the US company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

When retrieving a page on our website containing an embedded video, your browser will create a direct link to the YouTube servers to retrieve and run the video content on your screen. To use this function, it is necessary to process your IP address and information on your possible use of the map. This information is transmitted by your browser to a YouTube server in the USA and processed there by YouTube. At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. 

In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, Google has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.  

Further information on data protection at YouTube is available in the Google privacy statement.

The social media channels used by us are described in detail in the sections below. We have a presence on the social media platforms of the following companies:

The purpose of these social media channels is to advertise our products and services and communicate with interested parties or customers.

When you contact us through one of these social media channels, we process the personal data associated with your query in the course of processing the query itself. These data are deleted as soon as the query is fully answered and statutory retention or archiving obligations no longer apply (e.g. in case of subsequent settlement of a contract).

The legal basis for the related data processing is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in presenting our products and services and communicating with interested parties or customers).

The Munich Airport website uses the software application “Eye-Able®” from Web Inclusion GmbH. This tool enables visitors to the website to use a button on the edge of the screen to adjust font sizes, contrasts, and filters and to save their personal settings. The files required for the application, such as JavaScript, style sheets and images, are loaded from an external server. When functions are activated, Eye-Able uses the browser’s local storage to save the settings. All settings are saved locally on your device and are not passed on.

3.7.1 Purpose of processing

With the support of the "Eye-Able®" tool, we want to give users easier access to our information online.

3.7.2 Legal basis

The legal basis for the technically required inclusion of the "Eye-Able®" service is our legitimate interest in ensuring equal participation of all people, which outweighs the data subjects’ interest in particularly data-minimized processing of their data when visiting our website in accordance with Art. 6 Par. 1 f) GDPR.

3.7.3 Recipients

The files required for the "Eye-Able®" software application, such as JavaScript, style sheets and images, are loaded from an external server. When functions are activated, "Eye-Able®" uses the browser’s local storage to save the settings as adjusted by the user. All settings are only saved locally on your device and are not passed on.

In the context of order processing, the data is transmitted to Web Inclusion GmbH, Gartenstraße 12c, 97275 Margetshöchheim, Germany. 

3.7.4 Transmission to third countries

There is no transmission to third countries.

3.7.5 Possibility for removal

The locally saved files and settings can be removed by clearing the browser cache.

The main website of Flughafen München GmbH and its subsidiaries is www.munich-airport.de (in German) and www.munich-airport.com (in English).

This Privacy Statement also applies to all other websites of Flughafen München GmbH and its subsidiaries that are linked to it, in particular the following websites:

We offer you the option of using a contact form to ask us for information or support on specific questions.

Categories of personal data
We collect your first and last names and email address in any case so that we and/or our system partners to which your query is addressed can contact you.

When you submit the contact form, the current IP address of the sender is saved for security reasons. Your data will be processed and treated confidentially in compliance with the applicable data protection regulations.

We will store and process your data only to the extent and as long as required for handling your message.

In order to process your inquiry in a subject-specific manner and to forward it internally to the right contact person, Munich Airport International GmbH, a subsidiary of Flughafen München GmbH, collects the following additional data in addition to the personal data mentioned: company & position.

Categories of recipients
In some cases, it will be necessary to forward your data to system partners such as airlines, government authorities or other companies in the FMG group to respond to your feedback. In addition, your data can be transmitted to external service providers for website support.

Legal basis
The legal basis for the related processing of your data is Art. 6 Par. 1 sentence 1 b) GDPR (performance of a contract and steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest: in answering queries from our customers and other interested parties).

Google reCAPTCHA

Our website uses Google reCAPTCHA to check and prevent automated servers ("bots") from accessing and interacting with our website. This is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (hereinafter: Google).

Through certification according to the EU-US Privacy Shield https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active Google guarantees that it will follow the EU's data protection regulations when processing data in the United States.

This service allows Google to determine from which website your request has been sent and from which IP address the reCAPTCHA input box has been used. In addition to your IP address, Google may collect other information necessary to provide and guarantee this service.

The legal basis is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the security of our website and in the prevention of unwanted, automated access in the form of spam or similar. Google offers detailed information at https://policies.google.com/privacy concerning the general handling of your user data.

4.3.1. Newsletter Flughafen München GmbH

If you primarily wish to receive contents relevant to you, then select personalized information.

4.4.1 User profile

To present content that is relevant to you, we need an optimal understanding of your interests. For this per-sonalized information, we therefore create a personalized user profile for you.

In this personalized user profile, we save identifying characteristics such as your name and email address together with your contractual and usage data. This ensures that we can personalize our services for you. For example, in the newsletter you will only receive content provided on countries that are likely to interest you or special tips for business travelers – depending on the aspects that apply to you.

4.4.2 Data sources

In the user profiles, we collect data from various sources within the Munich Airport group of companies to arrive at the best possible overview of your interests. These sources are based on the declarations of consent submitted by you and may include the following data:

• the airport website
• the airport newsletter
• the PASSNGR app
• online parking reservations
• WLAN registration at the airport
• booking/reserving airport tours, lounges, events and other offers
• input in contact and feedback forms
• participation in contests offering prizes
• bonus and customer loyalty programs
• suggestions for improvements submitted through electronic channels
  
  

4.4.3 Contractual and usage data for personalization

• cookies, and in particular long-term cookies
• start and end time of use
• opening the newsletter, app or other services
• functions and pages accessed over time
• clicking on newsletter content
• origin of use, e.g. whether a search engine was used first
• duration of page views
• salutation
• first name
• last name
• address
• Email address
• consents, e.g. to receive a newsletter or for the use of mobile apps
• date of birth
• payment and transaction data
• telephone number
• other contractual data
  

4.4.4 Withdrawal of user profile

You can withdraw your consent for the storage of your personal data at any time. In addition, you can un-subscribe at any time using the following email address, for example: newsletter.abmeldung@munich-airport.de. Revoking your consent has no effect on the legality of the processing up to the time of revocation. Due to the lead times of the technical and organizational processes, it is possible in exceptional cases that the personalization of content as described in this section will continue for up to 48 hours after your with-drawal of consent.

The free wifi coverage at Munich Airport is provided by Telekom Deutschland GmbH. Consequently, the separate terms and conditions for the HotSpot and the privacy statement of Telekom Deutschland GmbH shall apply. Flughafen München GmbH grants access to the WLAN of Telekom Deutschland GmbH.)

4.5.1 Scope of processing

If you wish to use the free wifi, you must identify yourself as a user with your email address. In addition to your email address, we collect the following data:

• the exact time of access,
• your browser version,
• IP address of your end device,
• number of times free wifi is accessed and
• your consent to our terms and conditions for free wifi

We only use technically necessary cookies on the WLAN pages (wifi.munich-airport.de), which are required for the technically flawless provision of the site. In particular, these are the following functional cookies:

• f5_cspm
• f5avr2042896050aaaaaaaaaaaaaaaa
• TS01*

On our website and when using the open WLAN, FMG uses the “etracker Analytics” service of etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany (www.etracker.com) for the purpose of measuring the reach of our websites. Further information can be found in section 3.2.2.1 of this privacy policy

4.5.2 Purpose of processing

We collect this data for the following purposes:

• Contacting if necessary for the purpose of contract fulfilment (in accordance with the General Terms and Conditions (GT&C) for wifi) or processing (e.g. in connection with a possible violation of the contractual terms and conditions of use)
• Provision of a free wifi for an additional passenger and visitor service
• Ensuring the functionality of the website and the security of the IT systems by evaluat-ing log data to analyze technical malfunctions and possible attacks on our services

When you register to subscribe to our email newsletter, the data provided by you are also used for that purpose: privacy statement for the newsletter. 

4.5.3 Legal basis

The following legal basis applies for the lawfulness of processing:

• Necessity for the performance of a contract to which the data subject is a party [cf. Art. 6 para. 1 sentence 1 lit. b) alt. 1 GDPR] as part of our contractually agreed terms of use (GT&C)
• Necessity for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject [cf. Art. 6 para. 1 sentence 1 lit. f) GDPR]. The legitimate interests is provision of a free wifi for an additional passenger and visitor service and ensuring the functionality of the website and the security of the IT systems by evaluating log data to analyze technical malfunctions and possible attacks on our services.

4.5.4 Categories of recipients

Personal data is transmitted to the following recipients or categories of recipients:

When you are transferred to the wifi access page of Telekom Deutschland GmbH, we also transfer the email address provided by you to that company.

We may transmit data relating to you that we have stored to courts, authorities or other gov-ernmental bodies if this is necessary to prosecute statutory violations or if we are under the obligation to render information to the respective public body for other reasons.

Apart from the foregoing, we do not transmit your data to third parties.

4.5.5 Transfer to third countries

A transfer to a third country outside the European Union respectively the European Economic Area is not intended.

4.5.6 Duration of storage and criteria for determining the duration

The data collected in connection with your access to wifi will be deleted no later than nine months after you use the wifi service.

The indicated storage periods may be exceeded in exceptional cases if and to the extent that the data in question are needed for a longer period (e.g. for purposes of the required investiga-tion and/or prosecution of a possible violation of the terms and conditions of the contract for use of the service).

The cookies are deleted after each session of the visitor.

4.5.7 Necessity of the data and consequences of non-provision

The provision of personal data is a contractual requirement [see (GT&C). If you do not enter your data, you may not be able to use the free WLAN.

4.5.8 Possibility of removal or revocation

You have the right to object to the processing of your personal data at any time on grounds relating to your particular situation.

Please send your objection to info@munich-airport.de. We reserve the right to examine your request individually before implementing a restriction or cessation of processing and deletion.

4.5.9 Status of information

Date: December 21, 2023

This privacy policy applies to photography, video and sound recordings (referred to below as "images and recordings") created by Flughafen München GmbH on various occasions (e.g. photo shoots, events). This privacy policy does not apply to data processing in connection with surveillance measures (e.g. video monitoring).

The images or recordings may be made in connection with photo shoots or events, for example. For this purpose, we will either obtain your consent in advance or at least inform you in your personal invitation or on location (e.g. in case of public events without personal invitations) that such images or recordings will be made. We do not secretly produce images or recordings.

Categories of personal data
In addition to the photos, video and sound recordings, we may process other personal data that we collect from you (such as your name and email address) in connection with the recording.

Flughafen München GmbH may use the images and recordings for print publications, in broadcasting or in electronic media for corporate communications (e.g. reports, flyers, posters, brochures, presentations, websites, intranet, press releases) and for documentation purposes (e.g. archives). The images and recordings may be shared with third parties (e.g. journalists) and disseminated in social media (e.g. Facebook, Twitter). The possible uses of the images or recordings includes all known and unknown uses as well as the editing and modification of the images or recordings. Flughafen München GmbH may grant the same utilization rights to its subsidiaries and participating interests. However, images and recordings will be utilized as de-scribed here only to the extent that this is covered by a basis for authorization (e.g. consent, contract, law).

Duration of storage
If you have granted us your consent or if we have entered into a contract with you, the data will be deleted with the expiry of the consent or contract. If we are processing the data on the basis of a legitimate interest pursuant to Art. 6 Par. 1 f) GDPR, the data will be deleted when the legitimate interest no longer applies.

For FMG employees only: If the recordings are made for purposes of establishing and implementing an employment relationship, we will delete them when the corresponding purpose is fulfilled. If the processing is regulated in a works agreement, the storage periods may be stipulated in that agreement.

Statutory archiving periods may require us to store the data for a longer period on the basis of Art. 6 Par. 1 c) GDPR.

Categories of recipients
If we have obtained the necessary utilization rights for the recordings, we will transfer the recordings to our subsidiaries and participating interests as required so that they can also use them. In all other respects, we will forward your data to our service providers only in compliance with the applicable data protection laws. Our service providers who may be granted access to the recordings and data include IT service providers, printers and advertising agencies.

For our image database we use a solution provided by CELUM GmbH, Passaustrasse 26-28, 4030 Linz, Austria ("CELUM"). The image database is maintained on our servers. CELUM may access the images when providing support. We have entered into an external processing agreement with CELUM under which CELUM has undertaken to process personal data only in accordance with our instructions. Further information on data protection at CELUM is available at: https://www.celum.com/en/privacy-cookie-policy/.

To the extent that we are permitted to use your recordings in social media channels, we cannot preclude the possibility that they will be transmitted into a country outside the EU. The US social media servers used by us are certified under the EU/US Privacy Shield Framework and are obliged to comply with the provisions of the GDPR.

It is also conceivable that, as part of our international media relations and corporate communications, we will transfer some recordings or images in compliance with the applicable data protection regulations to media, press representatives or agencies outside the EU and the European Economic Area so that the recordings or images can be published there.

Legal basis
If you have granted us consent, the legal basis for processing is Art. 6 Par. 1 a) GDPR. If consent is granted by employees of FMG, the legal basis of processing under data protection laws in this case is Art. 6 Par. 1 a) GDPR in conjunction with Section 26 Par. 2 of the German Data Protection Act (BDSG).

If we conclude a contract with you (e.g. for a photo shoot), then the use of the recordings and other personal data will serve the purposes of executing the contract and will take place in accordance with our contractually agreed utilization and exploitation rights. In that case, the legal basis for processing under data protection laws is Art. 6 Par. 1 b) GDPR.

If the recordings are made for purposes of establishing and implementing an employment relationship with FMG, the primary legal basis for processing is Section 26 Par. 1 BDSG.

We will produce photos, video or audio recordings at events etc. without your consent and without a contractual agreement only if a legitimate interest applies in accordance with Art. 6 Par. 1 f) GDPR. Such a legitimate interest may result from the provisions of Section 23 of the German Art Copyright Act (KUG). This is conceivable, for example, in case of:

• images of historical interest in which you appear;
• images in which you can be seen incidentally near a specific location or
• images of gatherings or public events in which you participated.

In addition to the original purpose for producing the recordings, we may also store recordings and the related data for documentation or archiving purposes unless this is prohibited under contractual or statutory regulations. In this case, our legitimate interest in accordance with Art. 6 Par. 1 f) GDPR is the use of the recordings for publications on our company's history.

To the extent that we process data in accordance with Art. 6 Par. 1 f) GDPR, we always give due consideration to the question of whether you have overriding interests in the specific case at hand that outweigh our legitimate interests in using the data.

Passngr is the app shared by a number of German airports. With this app, you always have all of your travel information on hand: your flight data, important information for finding your way in your departure and arrival airports, and the most convenient way of getting to and from the airport. The Passngr app is offered and operated by InfoGate Information Systems GmbH, a subsidiary of Flughafen München GmbH.

For the Passngr app website (https://www.passngr.de), the general privacy information for websites provid-ed in this Privacy Statement applies. In addition, you can enter your mobile phone number on this website to ask for a link to be sent to the Passngr app on your phone. We will use your mobile phone number for this purpose only and will then delete it.

The privacy policy for the Passngr app can be accessed directly from the app under "Settings" – "About the Passngr app".

1. Description and scope of data processing
 
On our website under parken.munich-airport.de, you have the opportunity to conveniently and easily book your parking space in advance online. The provider and contractual partner is Flughafen München GmbH. 

The following personal data is processed as part of the booking process and when a parking space contract is concluded:

• company
• salutation
• surname, first name
• address
• Email address
• telephone number (optional)
• license plate number (optional)
• Other contract data (planned and actual start of parking, planned and actual end of parking, product, parking area/parking garage, price, promotions or promotion codes if applicable)
• Time of booking
• Payment details
• Affiliate network (Online sales partner)

If you register with us or book without a customer account, we collect, store and process the above-mentioned data for the purpose of reserving your pre-booked parking space. We use your data, inter alia, to confirm and provide the booked services (including additional services), invoice processing, reimbursement in the event of cancellation, quality assurance and to contact you, e.g. in the event of rebooking, parking garage or product changes, air traffic restrictions. You can have your optionally created customer account deleted by sending an e-mail to our Customer Service Center (kontakt.parken@munich-airport.de). Deletion will only take place after completion of any ongoing or future booked parking transactions and the associated payment processing. In addition to booking your parking space, we offer you optional additional services, so-called premium services such as valet parking service, vehicle washing, interior cleaning, etc. In addition to the data mentioned above, we also collect the following data:

• License plate number

• Mobile telephone number
• Vehicle manufacturer
• Vehicle model
• Vehicle color

The Premium Services are provided by our service provider. If additional services are booked, a copy of the booking confirmation will be sent to the service provider's scheduling department.

2. Purposes of the data processing

Personal data are processed for the following purposes

1) Online booking of parking spaces
2) Online booking of additional services
3) Optional creation of a personal customer account (“registration”)
4) Emailing of booking confirmation
5) Invoicing
6) Payment processing
7) Entry/exit to the booked parking space
8) Customer communication (contact, e.g. for rebooking, parking garage or product changes, air traffic restrictions, vehicle pick-up additional services, information on the parking process).

3. Legal basis for data processing 

Personal data are processed for the following purposes:

• For purposes 1 - 8 Art. 6 para. 1 lit. b GDPR: Fulfillment of the online parking contract and, if applicable, the contract for additional services (terms and conditions of use for online parking bookings, general parking conditions, airport usage regulations)
• For purpose 5: Art. 6 para. 1 lit. c GDPR in conjunction with § 14 UStG: Fulfillment of the legal obligation to issue a correct invoice for tax purposes and compliance with statutory retention obligations
• For purpose 7: Art. 6 para. 1 lit. f GDPR: Efficient and customer-friendly processing of parking transactions with advance payment.  

4. Recipients/categories of recipients

Personal data is transmitted to the following recipients of categories of recipients:

• Operator of an external booking platform for online bookings, based in the UK
• Credit card acquirer or payment service provider
• Manufacturer of license plate recognition software for operation, maintenance and support, based in Germany
• When booking additional services: Operational service provider for the provision of the services.

5. Transfer to third countries

Transfer to third countries is generally not intended. However, there may be third-country transfers to the United Kingdom in the context of online bookings. This is based on the adequacy decision of the EU Commission of June 28, 2021.

6. Legitimate interests

The pursuit of the purpose stated under point 7 serves to achieve our legitimate interests in making prepaid parking processes efficient and user-friendly. The processing is necessary and suitable for the achievement.

7. Duration of storage

After your booking, the data collected will be deleted after one year. Data that you have provided to book an optional additional service will be stored for two years. Data for which we are subject to statutory retention periods (§257 HGB, §147 AO) will be stored for up to 10 years.

8. Right to object / right to erasure

Your processed personal data are required, insofar as they are based on the lawfulness of processing in accordance with Art. 6 para. 1 lit. b or c GDPR, to ensure the conclusion/execution of the contract with Flughafen München GmbH as part of your online booking of a parking space and/or additional services. Consequently, there is no possibility of objection in this regard.

For all processing activities that are based on our legitimate interests, you have the right to object to the processing at any time on grounds relating to your particular situation in accordance with Art. 21 (1) GDPR. Please send your objection to kontakt.parken@munich-airport.de. 

Description and scope of data processing

The number plate of your vehicle is read by an infrared camera when entering the parking areas. After successful entry, the recognized license plate number is stored in the parking system together with the time of entry and the entry column.

When the vehicle exits the parking space, the license plate number is recorded again and compared with the data stored when the vehicle entered.

The following personal data is processed as part of automated license plate recognition and the associated processing of parking procedures:

• Scanned infrared image of the license plate, vehicle license plate number in plain text, parking garage used, entry and exit device, entry and exit times (date, time), card number of the ticket or long-term parking medium.
• For short-term parking tickets and online reservations, the parking fee paid, information as to whether a receipt was issued, invoice number.
• For long-term parking tickets, the data of the contractual partner (surname, first name, company).
• For online reservations, the e-mail and postal address.
  
  

Purposes of the data processing

Personal data are processed for the following purposes

1. Handling of the parking process (e.g. entry, parking, exit, charging/payment processes for electric vehicles)
2. Improvement of the traffic flow
3. Barrier openings
4. Proof of parking duration in the event of unlawful reclaims
5. Prevention and prosecution of criminal offenses, administrative offenses and damage to property
6. Detection and punishment of violations of the parking regulations and the airport usage regulations
7. Blocking of license plates
   
   

Legal basis for data processing

The legal bases for data processing are:

• For purposes 1, 2, 3, 4, 6 and 7: Art. 6 para. 1 lit. b GDPR
  Contract fulfillment, e.g. parking space rental agreement / permit agreement, general parking conditions, terms and conditions of use for online parking space bookings, airport usage regulations
• For purposes 5, 6 and 7: Art. 6 para. 1 lit. f GDPR
  Safeguarding our legitimate interests (Assertion, exercise or defense of legal claims)
• For purpose 1: Art. 6 para. 1 lit. a GDPR
  Employees can optionally register for the license plate recognition system.
  
  

Recipients/categories of recipients

Personal data is transmitted to the following recipients or categories of recipients:

• Manufacturer of license plate recognition software for operation, maintenance and support, based in Germany
• Operator of an external booking platform for online bookings, based in the UK
• Manufacturer of a business management software system, based in Germany.
  
  

Transfer to third countries

Transfer to third countries is generally not intended. However, there may be third-country transfers to the United Kingdom in the context of online bookings. This is based on the adequacy decision of the EU Commission of June 28, 2021.

Legitimate interests

The pursuit of the purposes mentioned under 5, 6 and 7 serves to achieve our legitimate interests, in particular to prevent the fraudulent provision of services, to assert, exercise or defend possible legal claims and to be able to enforce our domiciliary rights. The processing is necessary and suitable for the achievement.

Duration of storage

The infrared images of the license plates are deleted from the license plate recognition system after 10 days. In the system for controlling the parking facilities and storing the relevant data records, the license plate number is deleted 63 days after exiting.

If we are subject to statutory retention periods (§257 HGB, §147 AO), the data required for this purpose will be stored for up to 10 years.

Right to object / right to erasure

To the extent that the legal basis for processing your personal data is based on Art. 6 (1)(b) GDPR, this processing is required in order to enter into or fulfill a contractual relationship with Flughafen München GmbH in connection with your parking transaction. Consequently, there is no right to object in that regard.

For all processing activities carried out by us on the basis of our legitimate interests, you have the right, on grounds related to your particular situation, to object to such processing at any time pursuant to Art. 21 (1) GDPR.

4.10.1 Airport tours

On our website at munich-airport.de/airport-tours you can find a selection of seasonal and year-round tours for adults and children where you can obtain in-depth insights into Munich Airport's operations.

The provider of the products and services is Flughafen München GmbH. The bookings and payment transactions are implemented by Regiondo GmbH with headquarters in Munich, Germany.

Categories of personal data
The following data are collected when tours are booked:

• first name
• last name
• email address
• telephone number
• tour data

Recipients
The personal data provided by you will be collected, stored and processed by us, Regiondo GmbH, and by the credit card acquirer or payment services provider involved in the processing of your booking and the tour and payment transaction.

Duration of storage
After your booking, the data collected will be stored until the end of the applicable statutory retention periods of six and/or ten years.

Legal basis
The legal basis for the processing of your data described in this section is Art. 6 Par. 1 sentence 1 b) GDPR (contractual performance and steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 c) GDPR (compliance with legal obligation to comply with statutory retention periods).

4.10.2 Lounge bookings

You can find a list of lounges available at the airport on our website at munich-airport.de/lounges. For some of these lounges you can book tickets or vouchers through our website. The provider of the lounges that can be booked is Flughafen München GmbH. The bookings and payment transactions are implemented by Regiondo GmbH with headquarters in Munich, Germany.

Categories of personal data
The following data are collected when bookings are made:

• first name
• last name
• email address
• telephone number
• booking details
• payment data

Recipients
The personal data provided by you will be collected, stored and processed by us, by Regiondo GmbH and by the credit card acquirer or payment services provider involved in the processing of your booking and the lounge use and payment transaction.

Duration of storage
After your booking, the data collected will be stored until the end of the applicable statutory retention periods of six and/or ten years.

Legal basis
The legal basis for the processing of your data described in this section is Art. 6 Par. 1 sentence 1 b) GDPR (contract performance and steps prior to entering into a contract) and Art. 6 Par. 1 sen-tence 1 c) GDPR (compliance with legal obligation to comply with statutory retention periods).

4.10.3 Events

On our website at munich-airport-camarketing.regiondo.de and allresto.regiondo.de you can find events hosted by Flughafen München GmbH and Allresto Flughafen München Hotel und Gaststätten GmbH. For some of these events you can book tickets or vouchers through our website. The event providers are Flughafen München GmbH and/or Allresto Flughafen München Hotel und Gaststätten GmbH. The bookings and payment transactions are implemented by Regiondo GmbH with headquarters in Munich, Germany.

Categories of personal data
The following data may be collected when bookings are made:

• first name
• last name
• email address
• telephone number
• booking details
• payment data
• recipients

The personal data provided by you will be collected, stored and processed by us, by Regiondo GmbH and by the credit card acquirer or payment services provider involved in the processing of your booking and the event and payment transaction.

Duration of storage
After your booking, the data collected will be stored until the end of the applicable statutory retention periods of six and/or ten years.

Legal basis
The legal basis for the processing of your data described in this section is Art. 6 Par. 1 sentence 1 b) GDPR (contract performance and steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 c) GDPR (compliance with legal obligation to comply with statutory retention periods).

4.10.4 Events LabCampus

On our website labcampus.de you will find events organized by LabCampus GmbH. You can register online for some of these events via our website. The provider of the events and the person responsible under data protection law is LabCampus GmbH.

Contact the data protection officer: datenschutzbeauftragter@munich-airport.de.

Categories of personal data

The following data will be collected during registration:

• First name
• Surname
• Company
• Position (optional)
• E-mail address

Purpose of processing

Your data will be processed for event invitation, implementation and communication based on relevant legitimate interests. Without providing the required data, you will not be able to participate in the event. Following the event, we will send you a one-time email, together with a note on our services, with the most important information at the event.

Legal basis

The legal basis of the corresponding processing of your data is Art. 6 para. 1 lit. f DSGVO (legitimate interest of the responsible party).

Duration of storage

Your data that we process as part of the event will be deleted by LabCampus GmbH after the event has been held and the follow-up has been completed.

Categories of recipients & transfer to third countries

Your data will only be processed by LabCampus GmbH. A transfer to third parties or third countries is not intended.

Revocation/removal options

In the event of your objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. We would like to point out that in the event of an objection, participation in an event may not be possible. To exercise your rights of access, rectification, erasure, restriction of or objection to the processing and transfer of personal data, to lodge a complaint with the supervisory authority and for further information, please contact: LabCampus GmbH, P.O. Box 23 17 55, 85326 Munich Airport or by e-mail: events@labcampus.de,

The section of the Privacy Statement applies to our processing of personal data of participants in contests, prize draws or campaigns run by Flughafen München GmbH. If you subscribe to a newsletter when taking part in a contest, please note the privacy information regarding newsletters.

4.11.1 Implementation

For purposes of implementing the prize draw, we process the personal data of the participants – in particular the email address and, at the appropriate time, the address of the winner – which we need for recording the participants' details, notifying the winner and presenting the prize.

For purposes of implementing the prize draw, we store the participants' personal data until the draw is completed and the winner is notified and for a further period in case the winner does not reply when notified so that a new winner must be drawn.

In addition, we store the winner's personal data – including the address obtained when the winner is notified – to complete the necessary steps for awarding the prize and, if applicable, for the duration of any additional statutory retention periods.

Contest participants are not required by law or contractual provisions to provide the above-mentioned personal data. However, for purposes of entering into the contract, i.e. participation in the prize draw, it is necessary to provide the data in our registration form marked as mandatory (as opposed to optional input). The address of the winner obtained after the draw is necessary for sending the prize.

4.11.2 Forwarding data to other recipients

Unless otherwise indicated elsewhere in this Privacy Statement, we transfer your personal data to the following additional recipients or categories of recipients:

• Newsletter mailing and customer relationship management service providers
• Cooperation partners used by us to deliver our services

4.11.3 Legal basis

Legal basis for the data processing described in the section "Contests, prize draws, campaigns":

• consent of the data subject (Art. 6 Par. 1 sentence 1 a) GDPR
• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6 Par. 1 sentence 1 b) GDPR).
• legitimate interests (Art. 6 Par. 1 sentence 1 f) GDPR) Defense of legal claims

The municon conference center is operated by Allresto Flughafen München GmbH - Hotel und Gaststätten GmbH. The municon conference center is located at the heart of Munich Airport in the north building of the Munich Airport Center, thus providing a professional setting for meetings, training seminars, presentations or major events.

The website of the municon conference center offers the opportunity to complete a contact form to submit a callback request. Further information is available under Contact form.

Categories of personal data
The following data are collected when the request is submitted:

• salutation
• first name
• last name
• telephone number
• email address

Recipients
The data will be used exclusively to make the requested call and, if applicable, to book a conference room. The data will not be shared with third parties.

Legal basis
The legal basis for the data processing described in this paragraph is Art. 6 Par. 1 sentence 1 b) GDPR (contractual performance and steps prior to entering into a contract).

We offer you the possibility of using a contact form to contact us directly regarding aircraft noise. Relevant data collected in this case can be found under Contact form.

Categories of personal data

• name and contact data (e.g. telephone number, email address and postal address)
• location data to concretely specify the cause of the complaint and the underlying event

Special categories of personal data will be noted only to the extent that complainants provide such infor-mation on their own initiative. As they are not needed for the processing of complaints, no further processing will take place. Your data will be processed solely for the following purposes: Processing aircraft noise complaints, including reporting on the number and geographical distribution of aircraft noise complaints at the meetings of the Aircraft Noise Commission and in the Integrated Report of FMG (only the number of com-plaints).

Recipients
Personal data are sent to the following recipients or categories of recipients:

• recipients within the FMG Group (e.g. departments with a role in the processing of noise complaints)
• aircraft Noise Commission of Munich Airport (only information on the number and geographical distribution of noise complaints)
• interested members of the public through the Integrated Report (only the number of aircraft noise complaints)
• airport associations (only information on the number and geographical distribution of noise complaints)
• courts, public authorities or other government bodies in case legal obligations apply

Legal basis
Legal basis for the processing of personal data: Necessity to safeguard the legitimate interests of the controller or a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. (see Art. 6 Par. 1 sentence 1 f) GDPR). FMG has a legitimate interest in limiting the impact of airport operations on the surrounding residents in the interests of good relations with its neighbors and maintaining transparency with regard to environmental issues. In addition, legitimate interests result from the responsibilities of the Aircraft Noise Commission (Section 32b of the Aviation Act (LuftVG), Rules of Procedure of the Aircraft Noise Commission). The Aircraft Noise Commission is formed to engage in consultations with the approval authority, the Federal Supervisory Authority for Air Navigation Services (BAF) and the air traffic management organization. It is notified of measures taken to reduce aircraft noise to protect residents, but can also propose measures on its own initiative. To be able to discharge this responsibility, it is necessary to have knowledge of certain personal data, in particular geographical data and the related geographical distribution and number of aircraft noise complaints.

In case of inquiries under the Environmental Information Act (UIG) regarding the number and geographical distribution of complaints and the reason for the complaint, a special legal basis applies: the UIG.

We are pleased to provide you with the following information on how your personal data will be processed if you apply with Flughafen München GmbH and its subsidiaries, and what rights you have under data protection law. You can apply online through the applicant portal, by email or by regular mail. Your data will then be entered in the applicant portal and processed by the appropriate entity. The company within the Flughafen München Group that is responsible for your application and the processing of your personal applicant data is the company advertising the position or receiving your unsolicited application. Your application documents will be passed on to other companies within the Group or stored in the applicant pool only with your direct consent.

If you consent to your application being shared within the Group, your data may be passed on to the companies listed under section 1, "Controllers and data protection officers". This will increase your visibility and the possibility of being considered for a position.

If we find your application compelling but do not currently have a vacancy for you, we will be happy to include you in an applicant pool for the companies listed under section 1 once you have given your consent. That means you give us permission to store your application for a specified period of time and consider it for vacancies where applicable.

Applying through HeyJobs

You can also apply for jobs with us through our social media recruiting partner’s platform and your personal account on this platform. The platform provider is responsible for processing data on the platform and within your personal account. Information on data processing can be found here:

https://hire.heyjobs.co/en-us/privacy-policy/

If you decide to apply to us from your personal account on the platform after seeing a vacancy, we process the following data in our account on the platform:

• First name and surname
• Cover letter for the specific position
• Telephone number
• E-mail address
• Other data that may also be requested depending on the job profile (e.g. qualifications, work experience)

When you send your application, these data are stored on the platform, e-mailed to the employees in the HR department responsible for recruitment and (manually) sent to our applicant portal so that we can continue to process your application. The further information on the subsequent flow of data and how your data is handled is the same as when data is processed directly via the applicant portal. Please see the explanations below for related information on the purpose, legal basis, recipient, duration of storage etc.

Recipients of your data may include the human resources department and the platform partner’s IT administrator. Applicant information stored in the account at our social media recruiting partner is automatically deleted no more than six months after it is received. Applicant information sent by e-mail is also deleted after no more than six months.

Applying via WhatsApp

Scope of processing

The following data are processed when you use this application channel:

• Personal master data (e.g. title, surname, first name, postal code)
• Communication data (e.g. telephone, e-mail)
• Data that may also be requested depending on the job profile (e.g. driver’s license, work permit)
• Applicant information provided by users in messages, free text fields or files such as CV or qualifications
• Technical log data (e.g. login, IP, time stamp)

Opening the link or scanning the QR code on the job advertisement directs you to an information page from the provider PitchYou. This provides information on the application process and asks you to consent to the processing of your data in the application process and to the use of WhatsApp to send your application. Clicking on “apply now via WhatsApp” on a mobile device automatically opens the WhatsApp app. Selecting this option on the website produces a QR code that opens the WhatsApp app on your cell phone when it is scanned.

You start the WhatsApp dialog by sending a start message. You can cancel the dialog at any time during the interview by way of a simple “/stop” command and confirming this by clicking on yes. All data collected are immediately deleted. If you do not continue your interview, it will be assumed 24 hours after the last message that you do not wish to continue the interview. Your data will then be deleted.

Once the WhatsApp dialog is completed, your data will be sent to our applicant portal and processed there. For more information on the applicant portal (including on deletion periods), please see the information under “Applying through applicant portal/website”.

Legal basis

If you send us your application via WhatsApp, WhatsApp is used on the basis of your explicit consent in accordance with Art. 6 Par. 1 sentence 1 a) GDPR in conjunction with Art. 49 GDPR. This consent is requested prior to the WhatsApp dialog for the application.

Right to revoke consent

You can revoke your consent at any time with effect for the future without giving the reasons for doing so. This does not result in any disadvantages for you. You can also apply through our website (https://www.munich-airport.com/careers).

Recipients and transfer to third countries

Applications sent via WhatsApp use the provider PitchYou GmbH, Campusallee 9, D-51379 Leverkusen, e-mail: info@pitchyou.de, which receives your data as the processor.

Please note that if you use this channel your personal data may be transferred to third countries, in particular the US. This third country transfer is based on standard contractual clauses. WhatsApp LLC is also certified under the Data Privacy Framework.

Applying through applicant portal/website

4.14.1 Purposes of data processing

We and the service providers acting on our behalf process personal data for the following purposes:

1. Filling posted positions and vacancies
2. Filling future vacancies (unsolicited applications)
3. Sharing within the Group
4. Reviewing or identifying further applications within the Group (multiple applications by the same candidate)
5. Protecting children (applicants under 16 years of age)
6. Ensuring the consent of legal guardians (applicants under 16 years of age)
   Without the declarations of consent from the legal guardians, applications from applicants under 16 years of age cannot be accepted or can only be partially processed. This also applies when consent is revoked.
7. Safeguarding and protecting our rights
   
   Changes in purpose:
8. In case you are hired, some of your personal data will also be used for purposes related to your employment relationship (e.g. to prepare your contract). The processing is carried out on the basis of the following legal provisions: Art. 6 Par. 1 b) GDPR in conjunction with Art. 88 GDPR in conjunction with Section 26 Par. 1 of the German Data Protection Act (BDSG).
9. If you consent to the inclusion of your data in the applicant pool, we reserve the right to consider your application for other current or future vacancies and (if you consent to "sharing within the Group") forward your application to the companies specified in section 1 as needed. For information on the storage and deletion of data, refer to the section "Duration of storage and possibilities to have data erased" below.

4.14.2 Legal basis

• Purpose 3 and 9: Your consent (Art. 6 Par. 1 a) GDPR in conjunction with Section 26 Par. 2 BDSG)
• Purpose 5 and 6: Consent of your parents for the processing of your application data (Art. 6 Par. 1 a) GDPR in conjunction with Art. 8 GDPR in conjunction with Art. 88 GDPR in conjunction with Section 26 BDSG)
• Purpose 1, 2 and 4: Taking steps prior to entering into a contract in response to your inquiry for potentially establishing an employment relationship (Art. 88 GDPR in conjunction with Section 26 Par. 1 BDSG) If there is a multiple application within the Group, the transfer will only be made with regard to the title, time and status of your application to the other Group company on the basis of our legitimate interest (Art. 6 Para. 1 lit. f DSGVO) for internal administrative purposes in order to simplify the application process.
• Purpose 8: Decision on the establishment of an employment relationship (Art. 88 GDPR in conjunction with Section 26 Par. 1 BDSG)
• Purpose 7: Safeguarding our legitimate interests (Art. 6 Par. 1 f) GDPR): Legitimate interests on our part relate to the assertion and protection of our rights.

Please note that more than one of the above legal grounds for processing may apply.

4.14.3 Categories of personal data

The following categories of personal data are processed:

1) Applicant data that you enter in the application form. This generally involves the following data:

• Salutation*
• Title
• First name*
• Last name*
• Date of birth
• Country*
• E-mail address*
• Telephone*
• Highest level of education completed / currently being pursued*
• Native language
• Foreign language

Fields marked with an asterisk (*) are required

In addition, depending on the specific job posting and target group, personal data may be required and processed in other input fields.

In case of applicants under 16 years of age (in particular for high school students' internships, other internships, vocational training and, in exceptional cases, also for other positions), the following additional data:

• Name and signature of the legal guardians
• Declarations of consent from the legal guardians

2) Applicant data which you provide by attaching documents (application documents, application photo, etc).

If you use the "Upload CV" function, the selected documents will be automatically extracted and analyzed. This is done by a subcontractor of the applicant portal operator.

3) Applicant data from other platforms (Xing, LinkedIn, Dropbox, etc.) that you allow to be transferred and processed by granting a release. This is done through automated extraction/analysis by the subcontractor of the applicant portal provider. Depending on the platform, a CV may be generated from the available profile data and attached to your application in addition to having your data imported into the application form. You may remove this attachment where appropriate.

That information includes – among other items – the following personal data if entered in the profile or document:

• Name and address data (title, salutation, last name, first name, street, postal code, city, country, etc.)
• Contact data (e-mail address, telephone number, etc.)
• Profile photo
• Current position
• Date of birth
• If applicable, other data categories contained in the document or displayed before obtaining your permission to access them.

4) Log data collected by the applicant portal provider to ensure proper system operation, error correction and defense against attacks.

This includes the following personal data, which is erased after 180 days:

• User name
• Applicant name (first and last name)
• IP address

5) We reserve the right to record applicant information (see 1) and documents in the system manually. For this purpose, a subcontractor of the applicant portal provider can use the “parsing” function. This automatically extracts/analyzes the selected documents.

4.14.4 Categories of recipients

1) Use / sharing of data within the Group

Your data can be accessed only by employees of Flughafen München GmbH and the Group companies for which the vacancy is being filled. If you consented to having your application shared within the Group, your data may also be shared with the companies specified under section 1, "Controllers and data protection officers".

If we find your application compelling but do not currently have a vacancy for you, we will be happy to include you in an applicant pool for the companies specified under section 1. In this case, you will receive an e-mail from us requesting your permission to include you in the applicant pool. Please see section 14.6.5 for the retention period.

2) Applicant portal service provider

Your personal data will be transferred by the applicant portal provider to an external data center (a subcontractor of the applicant portal provider) for processing. A contract has been signed with the applicant portal provider under which the provider is required, without limitation, to comply with all the requirements of data protection laws and to act solely as instructed by us.

In the event of applications for the subsidiary MAI (Munich Airport International GmbH), we forward the data to an external personnel service provider. A data processing agreement has been entered into with this service provider as well that requires the service provider, in particular, to comply with all requirements of data protection law and to act solely as instructed by Flughafen München GmbH.

3) Online test service provider (for vocational training positions)

Your personal data will be processed and stored by the provider of an online test. The online test is used only in the late selection stages for vocational training positions and cooperative degree programs offered by Flughafen München GmbH. To take the online test, you will receive an email with further information. A contract has been signed with the online test provider under which the provider is required, without limitation, to comply with all the requirements of data protection laws and to act solely as instructed by us.

4) Service providers (general)

We engage external service providers to perform tasks such as programming or data hosting. We have selected these service providers with care and monitor them regularly, particularly with regard to their careful handling and protection of the data that they process. We require all service providers to sign a contract to maintain confidentiality and comply with the data protection requirements of the General Data Protection Regulation (GDPR) and German Federal Data Protection Act (BDSG).

5) Platforms

The platforms of the following providers can be used to complete the application form quickly and easily during the application process:

• Dropbox International Unlimited Company (One Park Place - Floor 5 - Upper Hatch Street - Dublin 2 – Ireland)
• XING AG (Gänsemarkt 43 - 20354 Hamburg - Germany)
• LinkedIn Corporation (2029 Stierlin Court - Mountain View - CA 94043 - USA)

Please note that these providers and/or their servers may operate at locations outside the EU or the EEA (e.g. in the USA). When an applicant uses a platform, information – which may include personal data – may be sent to and possibly utilized by the platform provider. Please refer to the data protection statement of each platform provider for information on which specific data is stored by the provider in such cases and how it is used.

The applicant portal does not use platform providers' social plugins; these are only links to the platforms. Nor do we use the platforms to capture any personal data or how it is used.

After clicking on the button, you will be transferred to the platform provider's login screen. After logging in and releasing the data, the data will be automatically extracted and analyzed by the subcontractor for the applicant portal.

If you wish to ensure that no data of any kind is processed by the platform providers, enter your data manually in the application form and refrain from using the platforms.

6) Other third parties

We will transfer your personal data to other parties only to the extent that this is required to take steps prior to entering into a contract, if we or another party have a legitimate interest in the data transfer, or if you grant us your permission. In addition, data can be transferred to other parties if we are required to do so by law or under an administrative or court order. Your data will not be used for advertising purposes.

4.14.5 Duration of data storage and possibility of erasure

Applicant data

1) Your data will generally be deleted six months after your hiring date, your notification that your application was unsuccessful, or your decision to turn down an offer of employment.

The criterion for the storage period is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

a) Explanation of the legitimate interests

The application documents are stored for a period of six months for the purpose of asserting, exercising or defending legal claims. The six-month period is determined taking into account the deadlines of the General Equal Treatment Act (AGG) and corresponding publications of the Bavarian data protection supervisory authorities.

b) Necessity of the data processing

In the opinion of the supervisory authorities, the necessity of storing data for six months results from the overall view of the time limits applicable in the context of any claims under the AGG and the associated possibilities for legal action.

In case of an application for a vocational training position or a cooperative degree program, all your data will be stored for six months after your application is rejected, you refuse an offer, or your are invited to your first day of work. In case of a rejection on our part or your refusal of an offer, the data will be stored on the basis of legitimate interests (legal concerns).

In case of an application for a high school student's internship, all your data will be stored for six months after your application is rejected, you refuse an offer, or the internship has ended. In case of a rejection on our part or your refusal of an offer, the data will be stored on the basis of legitimate interests (legal concerns).

2) If you have consented to be included in our applicant pool, you will receive a notification about your continued inclusion in the pool after five months. If you consent to remain included in the pool, you will be notified again after a further five-month period. If you do not contact us after this notification, all your data will be erased within three months.

3) If you wish to have your data erased early or withdraw one of your permissions, please send an e-mail with your name, the e-mail address you provided when applying, the job title and company and, for unambiguous identification, your date of birth to jobs@munich-airport.de or contact the person in charge of the advertisement.

4) Please note that when the data is erased, all data associated with the application in question will be removed, making it impossible to obtain information on the application.

Log data

Log data – collected by the applicant portal provider – is erased after 180 days. Log data that has to remain on file for evidentiary purposes will not be erased until the final disposition of the matter and may, in specific cases, be forwarded to the investigating authorities.

Use of cookies

The applicant management system provider only uses temporary (session) cookies. These cookies are automatically deleted as soon as the user closes the browser.

The use of technically necessary (session) cookies is based on our legitimate interests under Art. 6 Par. 1 f) GDPR. Technically necessary cookies must be included to ensure that the applicant management system works correctly.

4.14.6 Transfer to third countries

Data is not transmitted to third countries as defined by data protection law.

4.14.7 Objection to processing

See chapter 6.5 of the privacy policy on how to object to the processing of your personal data on the basis of our legitimate interests (Art. 6 Par. 1 f) GDPR).

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point Art. 6 Par. 1 f) GDPR. In this case, we will no longer process your personal data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is done for the establishment, exercise or defense of legal claims.

The Airport Collaboration Portal (ACP) serves as the entry point for several applications that fall under various areas of responsibilities and serve various purposes. The portal is operated by Flughafen München GmbH.

Purpose of data processing
Your data will be processed solely for the following purposes:

• registration in the ACP system and
• granting user privileges for applications
• registration enables the user to be granted access to applications within the ACP. These include: AIS Airport Information System, Delaycodeclearing, night flight requests, LGS-Baggage.

Categories of personal data
Participation in the Airport Collaboration Portal (ACP) is a quasi-contractual legal relationship; the data not marked as optional must be submitted for user management purposes.

The following categories of personal data are collected:

• first name
• name
• organization
• company
• department
• email address
• telephone number
• airport ID number

Recipients
The specialized department has access to the personal data.

Duration of storage
Access data (login) are deleted when the individual leaves the company or when the access privileges are revoked.

Legal basis
The legal basis for the data processing described in this paragraph is Art. 6 Par. 1 sentence 1 b) GDPR (contractual performance and steps prior to entering into a contract).

Data protection inquiries
To exercise rights pertaining to the Airport Collaboration Portal (ACP), the data subject can contact us, preferably by email, at: acp@munich-airport.de.

To offer accommodation to our future employees, existing staff, and partners in the vicinity of the airport, we cooperate with MUC Airport Betriebs GmbH.

Housing inquiries can be submitted to Flughafen München GmbH at: munich-airport.de/fmg-und-wohnen. After an initial review, inquiries are forwarded to MUC Airport Betriebs GmbH via that company's booking software. The data transmitted in this online form are exported in an email that is transferred only within the protected airport network to a special email account that can be accessed only by the responsible employees.

Purpose of processing
We process your personal data solely for purposes of processing and handling your booking inquiry, checking your authorization to access the "FMG und Wohnen" service, entering into a contract, executing a contract, processing your booking and to communicate with you to offer and deliver the "FMG und Wohnen" service. A further purpose is to execute and defend our rights.

Categories of personal data

• salutation
• first name
• last name
• address
• telephone number
• email address
• airport company
• personnel number (if available)
• booking date

Legal basis
The legal basis for the related processing of your data is Art. 6 Par. 1 sentence 1 b) GDPR (performance of a contract and steps prior to entering into a contract) and Art. 6 Par. 1 f) GDPR (balancing of interests based on our legitimate interest in checking access authorizations, asserting and defending our rights and forwarding inquiries from our customers).

Recipients
We collect, store and process the personal data provided by you exclusively for the purposes stated above (in particular the processing of your booking). For this purpose, however, we must forward the data. As a result, the data are forwarded to the booking tool apaleo GmbH operated by MUC Airport Betriebs GmbH.

The required transfer of personal data to MUC Airport Betriebs GmbH takes place as required to achieve the stated purposes. After the transfer of the data, the hotel is the sole controller responsible for the processing carried out there under data protection laws. Consequently, Flughafen München GmbH assumes no responsibility for data processing in the hotel operations.

Duration of storage
Your personal data will be stored for a maximum of 12 months after the contract is fully executed. The data will be deleted after that period ends. Please note that statutory retention periods, for example under the German Fiscal Code (AO) or the German Commercial Code (HGB), as legitimate purpose limitations, represent an exception and are handled according to the applicable requirements.

The following text contains information on the processing of your personal data in connection with damages of all kinds, including insurance claims and other ways of settling damages.

Purpose of processing
The purpose of the data processing is the comprehensive handling of the damage event, which is not possible without processing your personal data. We process your data in accordance with the relevant data protection regulations, in particular the Insurance Policy Act (Versicherungsvertragsgesetz – VVG) and all other applicable laws.

Categories of personal data
To process the damage event, we store and process the personal data of the concerned parties (e.g. first name, last name, date of birth, address, telephone number) as well as data regarding the events (e.g. the damage event) and material facts (e.g. vehicle identification data) that may relate to natural persons.

Recipients
Personal data are sent to the following recipients or categories of recipients:

• Recipients within the FMG Group (e.g. departments responsible for the relevant processing of the data)
• Companies in the FMG Group
• Cooperation partners used by us to deliver our services
• External contractors as defined in Section 28 of the EU-GDPR; at present, these are: FMV – Flughafen München Versicherungsvermittlungsgesellschaft mbH / Marsh GmbH
• Insurance companies involved in the handling of the damage event

Duration of storage
We process and store your personal data as long as necessary to meet our legal obligations. The damage reports and files are retained in accordance with the statutory retention periods.

Legal basis
The legal basis for the processing of personal data is as follows:

• Consent [see Art. 6 Par. 1 sentence 1 a) GDPR] (in cases where we request consent)
• Necessity for the performance of a contract to which the data subject is a party [see Art. 6 Par. 1 sentence 1 b) GDPR, first option] or to complete steps prior to entering into a contract.
• In addition, we process your personal data to meet legal obligations. The need to comply with a legal obligation to which the data controller is subject [see Art. 6 Par. 1 sentence 1 c) GDPR].

• Insurance Policy Act and other relevant laws
• Fulfillment of obligations to our insurer.

• We also process your data to safeguard legitimate interests pursued by us or third parties (Art. 6 Par. 1 f) GDPR), i.e. where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. [see Art. 6 Par. 1 sentence 1 f) GDPR].

• Asserting our own damage claims
• Fulfillment of obligations to our insurer
• Defending damage claims pursued against our company
• Defense and cooperation in case of criminal and administrative proceedings

In exceptional cases, special categories of personal data are processed (e.g. health-related data). In such cases, the data are generally processed on the basis of Art. 9 GDPR e.g. Art. 9 Par. 2 e) GDPR if these data are manifestly made public by you.

Source of the data
If the personal data are not obtained directly from the data subject, they are obtained from

• Vehicle inquiries, e.g. the "Green Card Office" in Hamburg
• Witnesses, persons involved in an accident and other third parties
• Generally accessible sources

Star Alliance Biometrics is a product of Star Alliance Service GmbH (hereinafter referred to as "Star Alliance") and enables the voluntary biometric identification (facial recognition) of passengers at the airport. Terminal 2 Gesellschaft mbH & Co oHG (hereinafter referred to as "Terminal 2 Gesellschaft" respectively “we”) currently supports the use of the biometric identification service offered by Star Alliance Biometrics at the following access points: boarding pass control.

At the airport access points managed by Terminal 2 Gesellschaft, which have integrated the Star Alliance Biometrics’ identification service, a short video sequence will be recorded of you if you wish to use the biometric identification service. A photo is extracted from the video sequence and sent to Star Alliance for biometric matching with your biometric profile stored in Star Alliance Biometrics.

Scope of application

This data protection notice refers exclusively to the recording of the short video sequence/photo of your face by the camera at the access point in the Terminal 2 Gesellschaft's area of responsibility.

For the subsequent data processing in connection with the biometric matching in the area of responsibility of Star Alliance as well as for the enrolment for Star Alliance Biometrics and the use of the corresponding Star Alliance Navigator App, the Star Alliance Privacy Notice applies.

Data controller

Controller for data processing within the scope of this data protection notice is

Terminal 2 Gesellschaft mbH & Co oHG
Terminal Street North 1, Level Z4
P.O. Box 23 17 55
85326 Munich-Airport

You can reach our data protection officer at datenschutzbeauftragter@munich-airport.de.

Processed personal data

A short video sequence and an extracted photo of your face are processed.

Purpose and legal basis of the data processing

Processing is necessary to enable the use of the biometric identification service at the boarding pass control, i.e. for Star Alliance to biometrically match the photo taken with your biometric profile stored in Star Alliance Biometrics.

The legal basis for this processing is your consent given in Star Alliance Biometrics to be identified at Munich Airport via the Star Alliance Biometrics’ identification service (Art. 6 para. 1 p. 1 lit. a) DSGVO).

You can withdraw your consent at any time in the profile management of the Star Alliance Navigator App. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. 

Please note:

Unless you have given your consent or withdrawn it, you are neither permitted nor able to (successfully) use the biometric identification service. Alternative means of boarding pass control (e.g. boarding pass scan) are available to you. You are neither contractually nor legally obliged to use the biometric identification service.

Should you - contrary to the express notice at the access point - attempt to use the biometric identification service without being enrolled for Star Alliance Biometrics or without having given your consent to be identified at Munich Airport, a video sequence/photo will nevertheless be taken of you and sent to Star Alliance for biometric matching. However, the identification will then fail and the identification process will be completed with an error message.  

Storage period

Your personal data will be deleted as soon as the identification process at the boarding pass control is completed.

Categories of recipients

Your personal data will be transmitted to the following (categories of) recipients:

• The Star Alliance to perform the biometric matching and
• IT service providers who provide the system(s) / software used and who have been contractually committed as processors in accordance with the GDPR.

Your rights of data subjects

You have the following rights:

• Right of access, Art. 15 GDPR
  
• Right of rectification, Art. 16 GDPR
• Right to erasure ("right to be forgotten"), Art. 17 GDPR
• Right to restrict processing, Art. 18 GDPR
• Right to data portability, Art. 20 GDPR
• Right to object, Art. 21 GDPR

To exercise your rights, you can contact us by e-mail at datenschutzanfrage@munich-airport.de.

In order to be able to process your request, we would like to point out that we process your personal data collected within the scope of the data protection request in accordance with Art. 6 Para. 1 S. 1 lit. f) DSGVO (for documentation and discharge purposes) and delete it after 3 years.

Furthermore, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

No automated decision making including profiling takes place.

Important note:

However, we would like to point out once again that we only record a short video sequence as part of the biometric identification process and use a photo from this and delete both from our systems immediately after the identification process is complete. The above-mentioned rights can therefore generally not be implemented, if only because no more personal data is available from you.

Responsible for video surveillance:

Flughafen München GmbH (FMG)
Nordallee 25, 85356 Munich Airport, Germany
CCTV video manager
E-Mail: cctv@munich-airport.de

Contact the data protection

Description and extent of specific data processing

FMG processes personal data in the context of video surveillance only to the extent required by law, to fulfill the specified, clear purposes, or to fulfill our legitimate interests.

Depending on the intended purpose and area of use, the cameras can either generate only the necessary stream for video surveillance or record within the detection range. Affected persons will be pixelated, to the extent possible and necessary.

Please note that other authorities at Munich Airport also operate video surveillance systems under their own responsibility in accordance with Art. 4 No. 7 GDPR (e.g. Terminal 2 Gesellschaft mbH & Co oHG, security authorities, each within their respective areas of operation). Information on how they process personal data can be obtained from the respective data controllers.

Purposes of data processing

The processing of personal data is carried out for the following purposes:

1. Aviation safety (including protection against attacks on air traffic safety, safety and order on airport premises, protection of persons, etc.)

2. Security (including protection of property, enforcement of house rules, compliance with the regulations governing the use of the airport, documentation of security-related incidents for evidence purposes, etc.)
3. Safety (including management of fire service deployment, protection of employees near installations, etc.)
4. Ensuring the efficiency and functionality of operational processes (including assistance with machines, passenger and traffic flow management, measurement of passenger capacity in the terminal, and general monitoring to ensure a functioning infrastructure at the airport)
5. Assertion, exercise or defense of legal claims
   
   

Legal basis for data processing

1. Legal basis for taking security measures as an airport operator

Description and scope of the specific data processing

Video surveillance in the parking facilities at Munich Airport is carried out to maintain the functionality and operational safety of the facilities and to ensure trouble-free use of the parking areas and facilities.
Video surveillance in these areas also serves to ensure airport security in accordance with the requirements of the European Commission (Regulation (EU) 2015/1998 of the Commission) and to protect property in structural and technical facilities. Areas that need to be protected in particular include, for example, the parking ticket machines or the electric charging infrastructure.
The video surveillance is identified on site by camera symbols and information on data protection.

Purposes of data processing

The processing of personal data is carried out for the following purposes:

1. Ensuring airport security in the parking areas and terminal driveways accessible to the public
2. Ensuring the operational safety of the technical parking facilities (barrier systems, parking ticket machines, e-charging stations)
3. Ensuring trouble-free and safe operations (e.g. intervening in the event of congestion at access roads, monitoring the traffic situation, assistance in the event of problems and technical malfunctions at restricted entrances and exits as well as at parking ticket machines)
4. Asserting, exercising or defending legal claims (prosecution of violations of the applicable General Terms and Conditions of Parking at the Airport and the Airport User Regulations, prosecution of damage to property).
   
   

Legal basis for data processing:

The legal basis for data processing is:

• Purpose 1: Art. 6 para. 1 lit. f GDPR in conjunction with No. 1.5.1. Annex to European Commission Implementing Regulation (EU) 2015/1998.
  
  Our legitimate interests lie in FMG's business interest in maintaining safety and order on the entire airport site (including parking facilities). In addition, we pursue a legal interest in using video surveillance to comply with the obligations pursuant to Section 1.5.1 of the Annex to Regulation (EU) 2015/1998 for the surveillance of publicly accessible areas belonging to the airport, including parking lots and access roads.
  
  

• Purposes 2, 3 and 4: Art. 6 para. 1 lit. f GDPR
  
  The pursuit of the purposes mentioned in points 2, 3 and 4 serves to achieve our legitimate interests, in particular to ensure the provision of a functioning infrastructure, to ensure trouble-free operation and to be able to assert, exercise or defend possible legal claims as well as to exercise our domiciliary rights. The processing is necessary and suitable for the achievement.
  
  

Recipients/categories of recipients

Personal data is transmitted to the following recipients or categories of recipients:

• The video images can be viewed live on site by the authorized employees of the parking control center and other responsible technical departments of Flughafen München GmbH.
• In the context of the assertion, exercise or defense of legal claims of the airport, video recordings may be passed on to insurance companies, authorities, law firms, etc.
• In addition, video data will be released to investigative and prosecution authorities upon request and with formal orders.
  
  

Transfer to third countries

In principle, the transfer to third countries is not intended.

Storage duration

Video recordings are stored for a period of 10 days and then automatically deleted unless they are needed as evidence in criminal proceedings or to clarify legal claims.

Objection and removal option

For all processing activities that we base on our legitimate interests, you have the right to object to the processing at any time on grounds relating to your particular situation, in accordance with Art. 21 (1) GDPR.

Please address the objection to kontakt.parken@munich-airport.de. We reserve the right to carry out an individual examination of your request before implementing a restriction or discontinuing processing and deletion. 

4.20.1 Events and Lead Generation Campaigns

For the purpose of customer acquisition and network building, LabCampus conducts (promotional) events and lead generation campaigns. Contact data provided to LabCampus in this context will be processed by LabCampus as follows:

Categories of personal data

The following categories of personal data are processed:

• first name
• surname
• company name
• e-mail adress (if necessary)
• telephone- / mobile number (if necessary)
• position (if necessary)

Purpose of processing

Your Data will be processed for the purpose of arranging appointments, sending information about our products and services, news and event notices from LabCampus.

After providing your telephone/mobile number or if you ask us on the phone to send you information electronically by e-mail, we will also use this data with your consent to contact you individually and send you information. Without providing the required data, we cannot send you this information.

If, in the context of telemarketing campaigns, we receive personal data from publicly accessible sources or from information provided by your colleagues and process this data for the above-mentioned purposes, we will inform you of this within one month or at the latest at the time of the first contact.

For registration to our newsletter, we refer to section 4.3.2 of this privacy policy, which also applies to registration via business cards as part of promotional campaigns and events.

Legal basis

The legal basis for the processing of your personal data given to us is Art. 6 para. 1 sentence 1 letter f) GDPR (legitimate interest). The legal basis for the processing of personal data based on the handover of your business cards is Art. 6 para. sentence 1 letter a) GDPR (your consent by handing over the business card).

Storage period

We store your data for the purpose of contacting you until we receive your objection, but at the longest for a period of two years to the end of the year after the last communication, provided that no contractual relationship has been established.

Categories of recipients & transfer to third countries

Your data will be processed by LabCampus GmbH. A transfer to third countries is not intended. Recipients of the data are the responsible departments at LabCampus GmbH, as well as processors for marketing services and for the provision of IT services and those for the improvement, maintenance and support of these services.

Objection

You can object to the processing of your data at any time by sending an e-mail to: contact@labcampus.de. In the event of your revocation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. We would like to point out that in the event of your objection, no further contact can be established by LabCampus.

Withdrawal of your given consent

If we process personal data on the basis of your consent, you can withdraw this at any time via the following e-mail address: contact@labcampus.de. The withdrawal of your consent doesn´t affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal. The lawfulness of the data processing operations carried out until the withdrawal remains unaffected by the withdrawal.

4.20.2 LabCampus LinkedIn Lead Ads

This data protection information applies to the following LinkedIn profiles: https://www.linkedin.com/company/labcampus/

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter "LinkedIn") is responsible for the processing of personal data entered by visitors while visiting our LinkedIn profile.

We use LinkedIn Lead Ads to generate contacts and addresses. Lead Ads are an ad format that is displayed to registered LinkedIn users. They contain form functions that enable the simple and rapid generation of leads. After the user actively consents (opt-in), contact information the user has stored with LinkedIn is entered into forms:

• Name
• Email address
• Company

Once the data in the form has been sent successfully, the user is shown a thank-you page where we can integrate a call to action (e.g. a referral to the LC landing page). We do not send your personal data to third-party advertisers or advertising networks.

The processing of this data serves the purpose specified above and takes place on the basis of Art. 6 Par. 1 a) GDPR on the basis of your voluntary consent upon registering and logging in to LinkedIn. We store your data until your consent is revoked. You can revoke your consent with future effect at any time by sending an email to contact@labcampus.de

We do not know the full extent of data collection, i.e. which of a visitor's data is collected by LinkedIn overall and the purposes for which it is processed by LinkedIn. The necessary information has not been provided to us by LinkedIn. Please understand that we can only provide information to the extent allowed for by our knowledge of the data processing within our area of responsibility and our influence on this data processing.

We would also like to point out that your data may also be processed outside the European Union and the European Economic Area. This could result in risks, e.g. because it could complicate the enforcement of user rights. Further details can be found in the privacy policies of the individual providers.

The Data Protection Officer of LinkedIn can be contacted through the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO

Further information on data processing by LinkedIn can be found at: https://privacy.linkedin.com/

4.21.1 Introduction/scope

4.21.2 Categories of personal data

The following categories of personal data are processed:

The following categories of data are processed for participation in training courses:

• Identification/address details of the participant and, if applicable, of the person handling the registration
• Contact details of the participant and, if applicable, the person handling the registration
• Information on participation in events incl. results and evaluations as well as comments made by the participants
• Payment and contract data
• Log data / log files – see above 
  

In addition, we also process information on the participant's date and place of birth if this is required by law or official regulations.

4.21.3  Purposes of the processing of person related data

Your data is exclusively processed for the following purposes:

1. Processing for registration, organisation and administration of training and further education
2. Proof of participation in a seminar or WBT
3. Proof of a specific qualification
4. Transfer to the ID centre (aviation security training - to obtain an airport ID card or right of access to the security area)
5. Provision of a certificate (e.g. EASA certificate)
6. Invoicing
7. Customer support and responding to questions
8. Safeguarding and defending our rights
9. Organisational assurance of the requirement for training authorisation
10. Secure operation of the online learning portal and associated systems
11. Technical assurance of the requirements for access authorisations
    
    

4.21.4 Legal basis for processing personal data

Personal data is processed on the following legal basis:

• Purposes 1, 2, 3, 4, 5, 6 – Necessity in the context of pre-contractual measures and/or the performance of a contract to which the data subject is a party (Art. 6 para. 1 sentence 1 lit. b GDPR)
  
• Purposes 2, 3, 4, 5, 6, 9 – Necessity for compliance with a legal obligation to which the controller is subject (Art. 6 para. 1 sentence 1 lit. c GDPR). Legal obligations arise, for example, from the Implementing Regulation (EU) 2015/1998, from EASA requirements Regulation (EU) 139/2014 and Regulation (EU) 139/2014.
  
• Purposes 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, – Necessity to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject take precedence (Art. 6 para. 1 sentence 1 lit. f GDPR) The legitimate interests are the provision of information to, awareness-raising and qualification of persons working on the airport premises.
  
  

4.21.5 Recipients

Personal data is transmitted to and processed by the following recipients or categories of recipients:

• Recipients within the company who carry out the processing activities for a specific purpose, e.g. in the area of training administration, IT and corporate security where security is relevant
• Managers and organisers of the registering companies, if applicable
  
• Your personal data will be transmitted to the invoicing centre of Flughafen München GmbH for invoicing purposes.
  
• Companies of the Munich Airport Group Overview of the group structure
  
• External contractors and processors currently include: if necessary, instructors who are hired to carry out training and further education and, if applicable, conference hotels when organising workshops. We use payment service providers for certain payment transactions.
• Courts, authorities or other state institutions in the event of legal obligations, such as for background checks at the Luftamt Süd aviation agency.
  
  

4.21.6 Transmission to third countries

A transfer to a third country outside the European Union is not intended.

Some internal training courses include learning content in the form of videos, which may be hosted on servers in third countries. This content is integrated without tracking measures by the video hoster. Personal identification can be ruled out only given if you access the learning content from our internal network or via a VPN connection to our FMG network.

If you wish to participate in an internal training course without a VPN connection from your home network or via a mobile phone network, you must accept the possible transmission of your IP address to insecure third countries. Please note that your IP address constitutes personal data and that the level of protection and your rights as a data subject in third countries with a lower security standard, in particular the United States of America, may not correspond to that of the European Union (see ECJ case C-311/18).

4.21.7 Retention period

Personal data is stored only for as long as is necessary to fulfil the stated purposes or as required by the statutory storage and retention periods. After the respective purpose has ceased to exist or these periods have expired, the corresponding data will be routinely deleted in accordance with the statutory provisions.

Specifically, the following retention periods apply:

a. Online Learning Portal: The personal data will be completely deleted after the expiry of all certificates and a follow-up period of six months.

b. Event manager (registration forms): The personal data will be deleted after six years under existing EASA regulations.

c. Event management system and billing system: Personal data of persons who have aviation security training will be deleted from the event management system six years after the end of the effective period of the aviation security training. For all other persons, personal data will be deleted six years after the last seminar attendance. Invoices are deleted ten years after the end of the calendar year in accordance with Section 147 AO (German Fiscal Code) / Section 257 HGB (German Commercial Code); other documents, such as offers, are deleted six years after the end of the calendar year in accordance with Section 147 AO / Section 257 HGB.

4.21.8 Retention period

• The provision of personal data is required by law in order to carry out training in accordance with Chapter 11 of Regulation (EU) 2015/1998, including aviation security training. Failure to do so will mean that no Airport ID Card or work authorisation for work at Munich Airport can be issued.
• The provision and storage of personal data in the context of EASA-relevant training is regulated in the EASA requirements Regulation (EU) 139/2014 and Regulation (EU) 139/2014. The following apply: The ADR.OR.D.035 and ADR.OR.F.080 and the ADR chapter.OR.D.017. Failure to do so will mean that no Airport ID Card or work authorisation for work at Munich Airport can be issued.

• The provision and storage of personal data in the context of dangerous goods training is regulated in Annex 18 of the Convention on International Civil Aviation, including the "Technical Instructions for the Safe Transport of Dangerous Goods by Air" (ICAO T.I.) issued by the International Civil Aviation Organization (ICAO) Doc 9284-AN/905, as well as DOC 10147 whose application is laid down, inter alia:
  - in Commission Regulation (EU) No 965/2012 of 5 October 2012 laying down technical requirements and administrative procedures related to air operations pursuant to Regulation (EC) No 1139/2018 of the European Parliament and of the Council and
  - in Commission Regulation (EU) No 139/2014 of 12 February 2014 laying down requirements and administrative procedures related to aerodromes pursuant to Regulation (EC) No 2018/1139 of the European Parliament and of the Council.

• The provision and storage of personal data in the context of dangerous goods training in Austria are regulated by the 303rd Ordinance of the Federal Minister of Science and Transport on the Transport of Dangerous Goods (Gefahrgutbeförderungsverordnung - GGBV)
  

Sections 2, 11 and 14 of the Dangerous Goods Transport Act, BGBl. I No. 145/1998, as amended by BGBl. I No. 108/1999, 5th Section - "Training of persons involved in the carriage of dangerous goods by civil aviation"

Failure to provide this information will mean that participants will not be able to register for the required training courses. Proof and certificates for any necessary training courses cannot be issued either.

• The provision of personal data is necessary for the planning, implementation and administration (incl. billing purposes) of training and qualifications and thus for the implementation of pre-contractual measures as well as for the implementation of the contractually booked service. Proof and certificates for any necessary training courses cannot be issued either.
  
  

4.21.9 Source of the data

If the personal data are not collected directly from the person concerned, they come from the data entered by the person making the registration.

4.21.10 Automated decision-making (including profiling) and effects

Automated decision-making is not used. Depending on the type of web-based training (WBT), the issue of the certificate may depend on various factors (e.g. completion of a specific part or the entire WBT, assessment tests, etc.). Compliance with these factors is usually checked automatically by the respective WBT programme.

4.21.11 Cookies training platform

a. Description and scope of data processing

We only use technically necessary cookies on the Airport Academy training platform; details can be found in section b. The cookies used are always activated, as they are necessary for the provision of the training platform. The cookies used guarantee functions without which the training platform cannot be used as intended.

Flughafen München GmbH is responsible for the cookies used; the platform provider acts as a processor. Cookies from third parties are not used.

b. Purposes, legal bases and retention period

The specific purposes of the cookies used and information on the retention period can be found in the following overview:

The use of cookies is in our legitimate interests pursuant to Art. 6 para. 1 (f) GDPR in the provision of a training platform.

c. Option of removal

You have the right to object to the use of Cookies. You can use your browser to display the cookies stored on your computer, delete the existing cookies or set the configuration so that not all or no cookies are stored. Please note that some functions may not work or may not work properly if you deactivate the setting of Cookies.

This information about the processing of your personal data is based on the processing of your personal data as part of the luggage handling and securing of a fast, accurate and correct flight dispatching by Flughafen München GmbH (FMG).

4.22.1 Description and scope of the specific data processing

Based on § 45 LuftVZO, FMG - as the airport operator - is responsible to provide and develop the infrastructure for the reliable execution of the air traffic.

This also includes the administration and the operation of central infrastructure facilities such as the luggage system incl. the associated luggage transportation equipment - starting with the transport from the check-in counters of the airlines including the required sorting and ending with the transport on the destination conveyors as well as the transport of the pieces of luggage that are subject to control to and from the control points.

FMG receives the required personal data of the airlines to fulfill the tasks as the airport operator as part of the provision of the central infrastructure of the luggage system with luggage transport and sorting.

To fulfill the tasks, FMG additionally provides information about the status of the luggage based on a request by your airline.

This includes the following data:

• Salutation, name (last and first)
• Flight data
• Location data about the piece of luggage in the transportation system
  
  

4.22.2 Purposes and legal principles

Purposes:

• Fulfilling the tasks as the airport operator to provide and develop the infrastructure for the reliable execution of the air traffic
• Administration and operation of central infrastructure facilities such as the luggage system incl. the associated luggage transportation equipment
• Fulfilling the tasks as the airport operator to implement the required safety measures
• Defense against legal claims
• Fulfilling the requirements of public safety authorities

Legal principles:

• Fulfillment of legal obligations (art. 6 para. 1 lit. c GDPR a.o. i.c.w. § 45 LuftV-ZO, § 5 para. 3, § 8 and § 9 LuftSiG, VO EU 2015/1998)
• Protection of legitimate interests for an effective and efficient disposition of pieces of luggage, for the clarification of questions (a.o. public authorities, customs), for the delivery of contractual services to FMG customers (e.g. airlines) and for the clarification and defense against legal claims (art. 6 para. 1 lit. f GDPR)
  
  

4.22.3 Recipients of personal data

• FMG internal departments for the execution of the luggage sorting and luggage loading
• Airlines, ground handling services
• Public authorities, courts
  
  

4.22.4 Transfer to recipients in third countries

The a.m. personal data are transmitted via the SITA network to the airline with which you established a transport contract. If the airline has its seat in a third country outside the EU, then this can involve a data transfer to this third country.

Contracting partner of FMG for access to the SITA network is SITA Switzerland Sarl, 26 Chemin de Joinville, 1216 Cointrin, Schweiz. In accordance with Art. 45 GDPR, the EU Commission has decided that Switzerland offers an adequate level of data protection.

4.22.5 Storage duration

• 100 days in the operational system
• 15 months in the archive system
  
  

4.22.6 Source of the data

Data subject/airlines.

The Legal and Compliance (RCC) corporate unit of Flughafen München GmbH (“FMG” or “we”) offers employees and external parties the opportunity to report compliance violations to an internal reporting office. Employees and external parties such as providers, contractors, suppliers and customers can contact the internal reporting office and report violations of legal provisions within the scope of § 2 of the Whistleblower Protection Act (HinSchG), in particular in connection with corruption, fraud, theft, embezzlement, vandalism, property damage, competition offenses. Issues related to the Lieferkettensorgfaltspflichtengesetz (LkSG) [Supply Chain Due Diligence Act], the prevention and handling of sexual harassment, violations of the Code of Conduct and the guidelines of the FMG Corporation such as the “Gifts and Invitations Guideline” and other regulations applicable in the FMG can also be reported.

Name and contact data of the controller

FMG is controller for the internal reporting office under the data protection law. As part of the option provided in the Whistleblower Protection Act (HinSchG) of entrusting a third party with the tasks of an internal reporting office, FMG also assumes the tasks of an internal reporting office for the following corporate companies as joint controller in accordance with art. 26 GDPR:

• AeroGround Flughafen München GmbH
• Allresto Flughafen München Hotel und Gaststätten GmbH
• eurotrade Flughafen München Handels-GmbH
• FMSicherheit Flughafen München Sicherheit GmbH
• FMV - Flughafen München Versicherungsvermittlungsgesellschaft mbH
• LabCampus GmbH
• Flughafen München Realisierungsgesellschaft mbH
• Terminal 2 Gesellschaft mbH & Co oHG

In principle, the data subjects can contact the controller of the internal reporting office (FMG) as well as the controller of the corporate companies, which the FMG entrusted with the tasks of the internal reporting office. As part of the agreement about joint controllership, FMG and the above-mentioned corporate companies also agreed about close coordination when fulfilling requests from data subjects and notifications of data protection violations and possible communications to the data subjects in accordance with art. 34 GDPR. You can reach the internal reporting office of FMG using the following contact data:

Interne Meldestelle
RCC Flughafen München GmbH
Nordallee 25
85356 München
Germany
Phone: +49 89 975 403 40
(Monday to Friday during regular office hours)
Email: hinweise@munich-airport.de

The contact data of the entrusting corporate companies and the contact details of the respective data protection officers can be found under section 1 of this data protection declaration.

Contact data of the FMG data protection officer:

Datenschutzbeauftragter
Flughafen München GmbH
Nordallee 25 85356 München
Germany
Email: datenschutzbeauftragter@munich-airport.de

Categories of personal data

The submission of notices to the reporting office is voluntary, a report can also be made without us processing the data of the person providing the notice.

In particular, we use the online portal "Business Keeper Monitoring System" of the EQS Group AG, Karlstraße 47, 80333 Munich (hereinafter: BKMS® System). In this context, please note that anonymous tips should only be submitted from private devices outside the company network, as this is the only way to ensure the required confidentiality.

As part of the task completion, the following personal or person identifying data are regularly processed by the reporting office:

• Data of persons named as part of reports
• Data of persons processed as part of the exercise of tasks of a reporting office, especially in the area of the procedure and documentation
• Data of persons who are consulted by the reporting office for the exercise of tasks
• Data of persons providing notices that they voluntarily disclose to the reporting office
  
  

Purposes

FMG offers employees and business partners the opportunity to report compliance violations directly to the internal reporting office. This can be provided via various reporting channels, e.g. personal conversation, phone, letter, email or the BKMS® system.

The internal reporting office is responsible to maintain reliable principles of corporate management in day-to-day operations, the possibility of reporting violations via the BKMS® system is designed as an additional mechanism for employees and external parties to also anonymously submit notices and be available for questions.

Legal basis

For processing of notices as per HinSchG:

The reporting office processes the personal data of persons providing notices, persons involved in the proceedings and persons who may be accused due to legal obligations (art. 6 para. 1 lit. c GDPR). These obligations are applicable for HinSchG for:

• the establishment and design of the reporting office (§ 10 p. 1 i.c.w. §§ 16 HinSchG)
• the process for internal reports (§ 17 HinSchG)
• the execution of follow-up actions (§ 18 HinSchG)

If special categories of personal data are processed by the reporting office, then this is justified with the necessity for the fulfillment of the task (art. 9 para. 2 lit. g GDPR i.c.w. § 10 sentence 2 HinSchG).

If the HinSchG requires consent as a prerequisite for certain actions by the reporting office (e.g. for the transfer of personal data of the person giving the notices or phone recordings or word logs in case of phone reports), then such consent will be obtained. In these cases, the processing is carried out with art. 6 para. 1 lit. a GDPR.

If the legitimate interests of the controller or a third party require further processing and do not outweigh the interests or fundamental rights and freedoms of the data subjects, processing can also be carried out on the basis of art. 6, para. 1 lit. f GDPR for example to protect against accusations of reprisals.

For the processing of notices outside the application area of HinSchG:

For reports that are assigned to the Lieferkettensorgfaltspflichtengesetz (LkSG) [Supply Chain Due Diligence Act], the legal basis for the processing is based on art. 6 para. 1 lit. c GDPR in conjunction with § 8 LkSG (enabling of and procedural rules for the complaints procedure, confirmation of receipt of notices, discussion of the facts). Data processing when taking remedial measures is based on art. 6 (1) (c) GDPR i.c.w. § 7 LkSG.

The processing of personal data in the context of processing notices that contain violations of regulations outside the scope of the HinSchG is justified with the protection of legitimate interests (art. 6 para. 1 lit. f) GDPR). The legitimate interest lies in uncovering and preventing grievances and thus in averting damage to the FMG corporation, employees and customers. The processing of notices serves primarily to uncover and check abuses and violations of the law, and is embedded in our compliance management system. Based on this regulation and liability scope, the personal data required for processing the notices must also be processed. The interest of data subjects in not processing the data takes second place, since reports can be made voluntarily and anonymously and an appropriate level of protection is guaranteed for the confidentiality and integrity of the data of the whistleblower and any third parties involved through technical and organizational measures.

Type and scope of the data use

The personal data is processed exclusively for the purpose of processing notices and strictly under the stipulation that access to the data is only granted to certain persons and only to the extent that is absolutely necessary for the processing of the notice. Of course, all persons who have access to data are obligated to confidentiality.

Recipients

1. Internal use and possible transfer of that data within the corporation

The specific recipients of data depend on the content of the notice. Incoming notices are received by a small group of expressly authorized and specially trained employees of the compliance organization at FMG (employees of the reporting office) and the notices are always treated confidentially.

The reporting office checks whether an in-depth investigation is required and which internal bodies must be involved in clarifying the facts of a case. The reporting office also regularly informs top management about the content of the notices received, since the resolution of reported violations is one of their areas of responsibility. In addition, the auditing, corporate safety, legal and human resources departments are often called in to process notices or additional contact persons, which are required to execute the follow-up actions, are identified.

If reports for subsidiaries are received by the reporting office within the context of the entrusting relationship, or if notices addressed to the parent company also affect corporate companies, then the management of the subsidiaries and, if necessary, the responsible offices or departments of the corporate companies will be informed and consulted to process the notice, because the respectively affected corporate companies have the original responsibility to resolve and pursue an identified violation.

We ask that you only send the notices to the reporting office that relate to the reporting categories listed in paragraph 1 of this data protection information. We will not forward your request for reasons of confidentiality, but ask you to contact a suitable office if your notice is outside the area of responsibility of the reporting office.

2. Disclosing data to controllers outside the FMG corporation

Investigations may require the involvement of other FMG employees or employees of corporate companies and possibly also external parties such as specialized law firms, auditors or forensic experts. Of course, all internal and external parties involved in the process are obligated to the confidential treatment of disclosed information.

3. Disclosure to government agencies

If necessary, FMG may be legally obligated to provide information on compliance violations to government agencies (e.g. investigating authorities or courts). In case of such obligations, as well as seizures, we are unable to withhold the information you have submitted.

4. Whistleblower system service provider

The BKMS® system is provided by Business Keeper GmbH (member of the EQS Group), Bayreuther Str. 35, 10789 Berlin in Germany as processing on behalf of FMG.

Personal data and information entered into the whistleblower system is stored in the BKMS® system in a high-security computer center. Only FMG can review the data; the processor and third parties have no access to the data. This is ensured in a certified process through comprehensive technical and organizational measures.

Disclosure of data to third countries

As a matter of principle, personal data is not transferred to third countries outside the EU/EEA as part of the fulfillment of the duties of the reporting office.

Depending on the content of the notice, it may be necessary in individual cases to also pass on the data to recipients in third countries. In third countries, the rights of data subjects and the confidential treatment of personal data may not be legally guaranteed to the same extent as in the EU.

If you, as the reporting person, do not want us to transfer your personal data to countries outside the EU, please let us know in your report and we will check whether a transfer is not necessary to protect our legitimate interests. Please note that it may not be possible to fully process your report without passing on your data.

Duration of the storage

After the plausibility check has been carried out, the reporting office will check whether storage is required.

Irrespective of the storage periods listed below, after the notice has been checked and the notice procedure has been completed, measures are taken to make the process documentation as data-efficient as possible, e.g. by means of blacking out or pseudonyms.

The procedural documents are generally deleted after the individual case has been examined 3 years after the conclusion of the notice procedure. The documentation may be kept longer to meet the requirements of the Whistleblower Protection Act or other legislation, as long as this is necessary and proportionate.

Rights of the data subject

As a person providing notices, a person involved in the process and possibly an accused person, you are entitled to the following rights of a data subject based on the GDPR:

• Right to information
• Right to correction or deletion
• Right to the restriction of the processing
• Right to object to processing
• Right to data transferability

To exercise your rights and to revoke your consent, please contact the controller at the contact address given above. Alternatively, you can also assert your data protection rights via the BKMS® system or at the following email address: datenschutzanfrage@munich-airport.de

Please note that the reporting office must also protect the rights of third parties and can therefore only provide information in abridged form or blackened out if this would seriously impair the achievement of the processing goals (art. 14 para. 5 lit. b GDPR) or would disclose information which by its very nature should be kept secret (§ 29 para.1 BDSG).

Right for a complaint to the supervisory authority

You have the right to file a complaint with the supervisory authority if you believe that the processing of your personal data is unlawful. The contact data for the supervisory office responsible for us are: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Post office box 1349, 91504 Ansbach, Germany, Phone: +49 (0) 981 / 53 1228, poststelle@lda.bayern.de, www.lda.bayern.de.

Source of the data

If personal data has not been collected from the data subject and there is an obligation to provide information, we will refer you separately to the information provided here and let you know the source of the personal data in accordance with the circumstances of the individual case.

Please note that the appropriate period for the notification is subject to separate review criteria due to the specific circumstances of the processing of your personal data by the internal reporting office and, in particular, deviations from the period defined in Art. 14 para. 3 lit. a GDPR may also be justified in the confidentiality obligations due to overriding legitimate interests of third parties.

Change in the data protection information

We reserve the right to change our safety and data protection measures if this is required due to legal or technical developments. In these cases, we will also adapt our data protection notices accordingly. Therefore, please note the current version of our data protection information.

Miscellaneous

The communication between your terminal and the BKMS® system takes place via an encrypted connection (SSL). The IP address of your computer will not be saved while using the whistleblower portal. To maintain the connection between your computer and the BKMS® system, a cookie is stored on your computer that only contains the session ID (so-called null cookie). The cookie is only valid until the end of your session and becomes invalid when the browser is closed. As the person providing the notice, you have the option of setting up a protected mailbox in the BKMS® system with a pseudonym/user name and password of your choice. Therefore, you can communicate securely with the reporting office using your name or anonymously.

Version: April 1, 2025

See below for information on why and for how long we process your personal data, the legal basis for this, and your rights with regard to data processing if you use our LabCampus community platform.

Websites of providers to which we link here are subject to the privacy notices or policies published on those sites.

Please take time to read our privacy policy, as it contains important information about how we use your personal data.

4.24.1 Content of this policy

When we use the term “data” in this text, we are referring exclusively to personal data as defined by the GDPR.

4.24.2 Description and extent of data processing

Our platform offers you a wide range of services. For example, you can learn about the latest innovations at LabCampus and about various catering options. You can utilize services via the platform, e.g. contacting LabCampus Community and Facility Management. The community platform also has a forum for exchanging information. The forum is intended to promote interdisciplinary cooperation and thus innovation.

The LabCampus community platform can only be accessed by registered users. For this reason, we provide you with the option of creating a community account and thus registering to use our platform. To do so, enter your details and submit them to us via the form provided here. We store the data transmitted to us and do not disclose them to third parties.

4.24.2.1 Creation of a community account

To create your account, we process your work e-mail address and the password chosen by you. The password must fulfill the minimum criteria described in the terms of use. We process it only as a hash value and cannot read your password in plain text but can recognize whether a correct or incorrect password is used for further log-in attempts.

4.24.2.2 Completion of registration

Once you have registered, we first check whether your e-mail domain, i.e. the part of the address that comes after the @ symbol, is enabled for use of our platform. If this check comes back positive, your account is created and we send you a link with a request to confirm your e-mail address as part of a double opt-in procedure. In this way, we make certain that you have access to the e-mail account indicated and that you entered your e-mail address correctly. Otherwise, you receive an error message and are informed that your e-mail address has not been validated for use of the platform.

Your community account is only activated once you click on the verification link, and only then can you log in to the community platform and complete your registration. To do so, you must enter your position at the company and a nickname, which must comprise at least two letters. In addition to the information provided, we save the date and time at which you created your community account in order to log your registration with the portal and as proof of your e-mail verification if necessary. We also save the date and time of your most recent login.

Provision of the data requested is essential for the creation of your community account. Without these data, we cannot create a community account. We use the data to provide your community platform account. The data are saved in your personal central account, where you can view them at any time and change your password.

When your account is created, your traffic data as described under “3.1 Log files" above are also processed.

4.24.2.3 Communication within the platform

A contact form is provided for communication within our platform. The entries made in the form are forwarded to the e-mail account of the LabCampus team responsible for the particular inquiry. Further communication takes place by e-mail. When the information is forwarded, the text of the message and the following data are processed: the e-mail address connected to your account as the sender of the message, the date and time at which the message was sent, the information that the message came from the platform as the subject of the message, the language setting you have chosen for the platform, and the identification number assigned by the system to your account.

4.24.2.4 Interaction within the platform

You can like posts that we publish in the community. These likes, like views, are anonymous, which means that neither we nor the community members can see which posts you have viewed and which you have liked.

4.24.2.5 Videos and web analysis services integrated into the platform

When we embed videos on our platform, these are saved on YouTube. YouTube is a platform provided by YouTube LLC, with its registered office at 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube is a subsidiary of Google. We embed our videos via YouTube because local hosting is not sufficiently powerful for the presentation of the videos. For more information, see "3.5 Integrated videos (YouTube)."

If you have given us consent to place cookies for the statistical analysis of visitor access, i.e. reach measurement, via the consent management tool from "consentmanager" integrated into our website, we use these cookies to improve the quality of our platform and its content. These cookies tell us how the platform is used by the community, enabling us to continuously optimize our offering and our posts. For more information, see "3.2 Cookies and pixels." Information on the consent management tool is provided under "3.2.1 General information on cookies" and on reach measurement under "3.2.2.2 Matomo – LabCampus."

4.24.3 Purpose/legal basis

Your data are processed in order to make it possible to register on and login to our community platform as well as to communicate with you.

Registration on the platform is voluntary and based on your consent in accordance with Art. 6 Para. 1 (a), Art. 4 (11) in conjunction with Art. 7 Para. 4 GDPR.

In connection with the use of the platform, your data are processed in accordance with the applicable terms of use. The legal basis for this is Art. 6 Para. 1 (b) GDPR.

We process the e-mail address provided for the purpose of efficient and effective communication. This purpose also constitutes our legitimate interest. The legal basis for this is Art. 6 Para. 1 (f) GDPR.

4.24.4 Recipients/transmission to third countries

Our community platform is maintained and operated by our partner, Das Büro am Draht Software-Entwicklung GmbH, located at Blücherstrasse 22, 10961 Berlin (hereinafter "BaD"). It is hosted by our partner Hetzner Online GmbH, located at Industriestrasse 25, 91710 Gunzenhausen (hereinafter Hetzner). We use AWS Cognito for control of access and AWS Secret Manager for account management. AWS Cognito and AWS Secret Manager are offerings of Amazon Web Services EMEA SARL, located at 38 Avenue John F. Kennedy, 1855 Luxembourg (hereinafter AWS). Likewise, we use AWS for the forwarding of inquiries submitted via the contact form.

BaD, Hetzner and AWS all process your data, unless we have explicitly stated otherwise here, on our behalf and according to our instructions within the European Union (EU). This means that BaD, Hetzner and AWS do not and are not permitted to use your data for themselves, particularly not for their own purposes or their own promotions.

Please note that AWS complies with the data protection code of conduct for cloud infrastructure services providers (CISPE), i.e. the code of conduct ratified by the European Data Protection Board (EDPB) and adopted by the French data protection authority CNIL in accordance with Article 40 GDPR, and therefore undertakes to comply with the EU’s data protection standards, even when data are transmitted outside of the EU, so that your personal data are adequately protected under data protection law.

4.24.5 Retention/deletion

You can delete your own account via the platform at any time by clicking "Delete account" in your account settings and telling us your reason for doing so. Your data will then be deleted. You can also send an e-mail to community@labcampus.de or request deletion via the contact form available here. Your account will then also be deleted.

Status: September 2023

The Business-to-Business (B2B) portal is available to airport users, airlines, airline associations, representatives of the licensing authority or service providers operating at the Munich site to gain access to personalised information of various kinds. To ensure that the information published on the portal is only accessible to authorised persons, you must create a personalised user profile. The portal is also used to register for newsletters, events or expedited parking or to order publications and make specific enquiries.

4.25.1 Purpose of processing

Your data will only be processed for the following purposes:

• Provide personalised information to users
• Prevent abuse of benefits (expedient parking)
• Indicator to subscribe to newsletters
• Registration/deregistration for events
• Allocation of event topics
• Avoidance of no-shows

Categories of personal data

Profile data depending on use case.

• Salutation, title, first name, last name, e-mail, company, function, street, postcode, city, country, identification documents
• Parking start, parking end, flight number departure, flight number arrival

IT usage data (system-related)

• IP address, website visited, and functions used, timestamp
• Information about the device used (mobile device, desktop, etc.), operating system, browser type and versions used
  
  

4.25.2 Legal basis

• For sending the newsletter or for passing on contact data to the Bavarian Ministry of Housing, Construction and Transport (responsible authority), consent is required (Art. 6 Para. 1 Sentence 1 Letter a GDPR).
• For contacts with business and system partners, as well as for the security of the information technology systems (log data), legitimate interest applies (Art. 6 para. 1 sentence 1 letter f GDPR).
• For event management (invitation, implementation, follow-up) of mandatory annual consultations with airport users as well as for the implementation of the approval process in the event of a fee adjustment (legal basis: Art. 6 para. 1 lit. c GDPR in conjunction with § 19b LuftVG).
  
  

4.25.3 Categories of recipients

Depending on the intended use of the portal:

• The respective competent department
• Parking control center
• Company that develops the system further (order processing contract)
• Authorities, but only if consent has been given
  
  

4.25.4 Transfer to third countries

Personal data is not transferred to third countries.

4.25.5 Duration of storage

• Deletion of the indicator that a data subject is invited to events if there is a corresponding number of no-shows.
• The deletion of the stored personal data for travel agencies takes place in rotation no later than 5 years after no further contact has taken place.
• Deletion by users themselves
  
  

4.25.6 Possibility of removal or revocation

In order to exercise his or her rights concerning the B2B portal, the person concerned may contact the B2B portal, preferably by e-mail, at the following address:

datenschutzanfrage@munich-airport.de

Status: 6.9.2023

As a transport business, the airport is required under Sections 978 et seq. of the Bürgerliches Gesetzbuch (BGB – German Civil Code) and state lost property laws to maintain a Lost & Found office In order to comply with the legal requirements, it is necessary to process personal data of finders, owners, proprietors, and employees.

Categories of personal data

The following data are collected in order to properly process the lost property, comply with legal obligations, and protect legal interests:

• First name
• Last name
• Address and country
• E-mail and telephone number
• ID card number (or alternative identification numbers)
• Billing data
  
  

Recipients

In addition to the Lost & Found employees (specialist department), the following external recipients receive your personal data:

• Finder: In the case of entitlement to a finder’s reward, the finder receives the address of the authorized recipient if the item of lost property or the auction proceeds are collected by the rightful owner within the first three years after the item of lost property is auctioned (Section 978 (2) sentence 5).
• Public authorities that are authorized recipients, such as the responsible/issuing authority for identity documents or law enforcement authorities in the case of a criminal offense
  
  

Duration of storage

The data are pseudonymized three years after the date of the auction.

Billing data are pseudonymized and stored for 10 years in accordance with the tax regulations.

Legal basis

The legal basis for the processing of your data as described in this section is Article 6 (1) sentence 1c) of the GDPR in conjunction with Sections 978 et seq. of the BGB, Section 10 of the bayerische Fundverordnung (BayFundV – Bavarian Lost Property Regulation) and Article 6 (1) sentence 1f) of the GDPR (legitimate interest).

In the Service Center at Munich Airport, you can find a wide range of services to make your stay at Munich Airport as enjoyable as possible:

• Cleaning service (only in Terminal 1)
• Depositing items (only in Terminal 1)
• Left luggage
• Coat Check
• Keys to the showers
• Keys to the Changing Places Toilet
  
  

Categories of personal data

The following data are collected to identify customers and allocate items or property and for billing:

• First name
• Last name
• Address
• Payment data

If the person picking up the item is not the customer:

• Name and address of the depositor
• Name and address of the person picking up the item (with authorization)
• ID card number (in special cases such as loss of the storage document)
  
  

Recipients

Personal data are sent to the following categories of recipients:

• Recipients within the company (specialist department, billing department)
• Suppliers (e.g. for cleaning, luggage transport)
  
  

Duration of storage

Delivery notes are stored for up to 13 months.

Billing data are stored until the end of the respective statutory retention periods of six or ten years.

Legal basis

The legal basis for the processing described in this section is Article 6 (1) sentence 1b) of the GDPR (performance of a contract or steps prior to entering into a contract) and Article 6 (1) sentence 1f) of the GDPR (legitimate interest).

Privacy Policy regarding the conduct of telephone and video conferences via MS Team

4.28.1 Introduction / scope of application

This privacy policy contains information on the processing of personal data in connection with the use of Microsoft Teams in order to conduct telephone and video conferences (online meetings) and other communication involving persons who are not present locally.

4.28.2 Data controller & contact

Unless another controller is expressly named for individual services, the controller for all processing operations covered by this privacy policy is:

Flughafen München GmbH
Nordallee 25
85356 Munich
Germany
Tel. +49 89 975 00
E-mail: info@munich-airport.de

Contact details for Flughafen München GmbH, hereinafter also referred to as "FMG" or "we", and its subsidiaries can be found here.

4.28.3 Data protection officer & contact

Data protection officer of Flughafen München GmbH, Nordallee 25, 85356 München-Flughafen, e-mail: datenschutzbeauftragter@munich-airport.de

The contact details for data protection officers at our subsidiaries can be found here.

4.28.4 Purpose and scope of the processing of personal data

For conducting telephone and video conferences (online meetings) and other communication involving people who are not present locally.

Microsoft Teams is a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter referred to as "Microsoft").

When using Microsoft Teams, various types of personal data are processed. The scope of data processing depends on the information provided and settings made by the data subject and whether Microsoft Teams is used via the app or the browser.

Depending on the type and scope of participation and the individual settings of the data subject, the following personal data may be processed:

• User data (first name, last name, display name, e-mail address, profile picture, language settings, IP address, device/hardware information)
• Meeting data (date, time, meeting ID)
• Text, audio, or video data (depending on the configuration of the online meeting and the individual settings of the data subject, text entries in the chat window as well as the data collected via the microphone and video camera of the device used may be processed)
• Recordings (MP4 file of the video, audio and presentation recordings, M4A file of the audio recordings, text file of the online meeting chat)
• Telephone connection data

If the online meeting is recorded, this fact will be communicated to the data subjects in advance, and – if necessary – consent will be obtained. The fact that an online meeting is being recorded is also indicated by a banner during the meeting.

4.28.5 Legal basis for the processing of personal data

• Art. 6 (1) (1) (a) GDPR is the legal basis if the processing of personal data is based on the (implied) consent of the data subject.
• Art. 6 (1) (1) (b) GDPR is the legal basis if the processing of personal data is necessary for the performance of a contract or to implementa-tion of pre-contractual measures taken at the data subject’s request.
• Art. 6 (1) (1) (f) GDPR is the legal basis if the processing of personal data is necessary to safeguard our legitimate interests.
  
  

4.28.6 Recipients

Personal data is transmitted to the following recipients or categories of recipi-ents:

• Internal company recipients (e.g. departments responsible for pro-cessing for specific purposes, in particular the participating employees)
• Munich Airport Group companies (an up-to-date overview of the Group structure can be found at https://www.munich-airport.com/company-profile-263193)
• As a provider of Microsoft Teams, Microsoft receives knowledge of the above-mentioned personal data within the framework of the provisions of the concluded data processing agreement; this does not include the content of end-to-end encrypted communication.
  
  

4.28.7 Transmission to third countries

A transfer to a third country outside the European Union is not intended, but cannot be ruled out in the context of the use of MS Teams. The transfer is justified under data protection law, as the following instruments are used under Art. 44 et seq. GDPR:

• Adequacy decision (EU-U.S. Data Privacy Framework)
• Standard data protection clauses
  
  

4.28.8 Duration of storage

Personal data will only be stored for as long as is necessary to achieve the stat-ed purposes or as required by the statutory storage and retention periods. After the respective purpose has ceased to exist or these periods have expired, the corresponding data will be routinely deleted following the statutory provisions.

4.28.9 Data protection requests / rights of data subjects

Every data subject has the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to object to processing, and the right to data portability within the scope of the statutory provisions.

Contact details for exercising your rights as a data subject:

Flughafen München GmbH
Data protection request
Nordallee 25
85356 Munich
E-mail: datenschutzanfrage@munich-airport.de

4.28.10 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if they consider that the processing of personal data relating to them infringes applicable law. The competent supervisory authority in Bavaria for the non-public sector is Bavaria DPA (Bayerisches Landesamt für Datenschutzaufsicht), Ansbach.

4.28.11 Obligation to provide personal data

As a rule, the data subject is not obliged to provide the personal data. Likewise, there is generally no legal requirement for provision, nor is provision necessary for the conclusion of a contract.

However, participation in online meetings is not possible without providing the minimum required personal data.

4.28.12 Automated decision-making (including profiling) and effects

Automated decision-making does not take place.

4.28.13 Reference to further information

Further supplementary information on data protection can be found in the general privacy policy.

4.28.14 Status of the information

Date: October 25, 2023

Privacy Policy regarding the conduct of applicant interviews with video via MS Teams

4.29.1 Introduction / scope of application

This privacy policy contains information on the processing of personal data in connection with the use of Microsoft Teams in order to conduct telephone and video conferences (online meetings) and other communication involving persons who are not present locally.

4.29.2 Data controller & contact

Controller of the processing activities is the respective company of Munich Airport Group to which you sent your application. Contact details for Flughafen München GmbH and its subsidiaries can be found here. 

4.29.3 Data protection officer & contact

Data protection officer of Flughafen München GmbH, Nordallee 25, 85356 München-Flughafen, e-mail: datenschutzbeauftragter@munich-airport.de

The contact details for data protection officers at our subsidiaries can be found here.

4.29.4 Purpose and scope of the processing of personal data

The Microsoft Teams application is used to conduct video interviews with applicants and online meetings.

Microsoft Teams is a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter referred to as "Microsoft").

When using Microsoft Teams, various types of personal data are processed. The scope of data processing depends on the information provided and settings made by the data subject and whether Microsoft Teams is used via the app or the browser.

Depending on the type and scope of participation and the individual settings of the data subject, the following personal data may be processed:

• User data (first name, last name, display name, e-mail address, profile picture, language settings, IP address, device/hardware information)
• Meeting data (date, time, meeting ID)
• Text, audio, or video data (depending on the configuration of the online meeting and the individual settings of the data subject, text entries in the chat window as well as the data collected via the microphone and video camera of the device used may be processed)

Video interviews are not recorded. As an applicant, by acknowledging the data protection information, you guarantee that you will also not make any recordings.

Communication between FMG and you as an applicant is encrypted throughout the entire video interview.

Confidentiality: As an applicant, you also guarantee that you will maintain confidentiality about presentations and all internal company information that may be shared with you by the specialist departments during a video interview. This rule also applies to screenshots, which are also prohibited.

Transparency during the MS Teams conference

You will be informed in advance by the recruiting team about all participants in the MS Teams conference (name, department) when you are invited to the interview. The attendance data required for participation will be made available to the interview participants announced in advance only. Transparency is ensured during the MS Teams conference through communication and visibility of all discussion partners and attendees. By taking note of the data protection information or participating in the video interview, you guarantee that you will not pass on the participation data to unauthorized persons.

Before the video interview begins, you should make sure that the people present in your room are aware that audio and/or video will be transmitted as part of the video interview and that their image and words can be transmitted to the other participants in the interview. If necessary, you should inform the persons present in the room accordingly and, if applicable, name the recipients of the voice and video transmission. If there are people in the room who are not participants in the video interview or who do not agree to a corresponding transmission, they must be given the opportunity to leave the room before the interview begins.

4.29.5 Legal basis for the processing of personal data

The processing of personal data is based on your consent pursuant to Article 6(1) letter a of the GDPR in conjunction with Section 26(2) of the BDSG (German Federal Data Protection Act) and, with regard to the content of the job interview, on the basis of Section 26(1) sentence 1 of the BDSG.

Voluntary nature of participation in video interviews and right of withdrawal

We have already informed you in advance that the video interview is only one of several options. Your participation is voluntary. Alternatively, the following options are also possible: telephone interview, on-site interview, etc.

Please contact the recruiting team if you would like to choose another option.

You have the right to revoke your consent at any time with effect for the future without giving reasons for doing so. To do this, please contact: jobs@munich-airport.de.

4.29.6 Recipients

Personal data is transmitted to the following recipients or categories of recipi-ents:

• Internal company recipients (e.g. departments responsible for pro-cessing for specific purposes, in particular the participating employees)
• Munich Airport Group companies (an up-to-date overview of the Group structure can be found at https://www.munich-airport.com/company-profile-263193)
• As a provider of Microsoft Teams, Microsoft receives knowledge of the above-mentioned personal data within the framework of the provisions of the concluded data processing agreement; this does not include the content of end-to-end encrypted communication.
  
  

4.28.7 Transmission to third countries

A transfer to a third country outside the European Union is not intended, but cannot be ruled out in the context of the use of MS Teams. The transfer is justified under data protection law, as the following instruments are used under Art. 44 et seq. GDPR:

• Adequacy decision (EU-U.S. Data Privacy Framework)
• Standard data protection clauses
  
  

4.29.8 Duration of storage

Personal data will only be stored for as long as is necessary to achieve the stat-ed purposes or as required by the statutory storage and retention periods. After the respective purpose has ceased to exist or these periods have expired, the corresponding data will be routinely deleted following the statutory provisions.

4.29.9 Data protection requests / rights of data subjects

Every data subject has the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to object to processing, and the right to data portability within the scope of the statutory provisions.

Contact details for exercising your rights as a data subject:

Flughafen München GmbH
Data protection request
Nordallee 25
85356 Munich
E-mail: datenschutzanfrage@munich-airport.de

Contact details for subsidiaries of Flughafen München GmbH can be found here.

4.29.10 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if they consider that the processing of personal data relating to them infringes applicable law. The competent supervisory authority in Bavaria for the non-public sector is Bavaria DPA (Bayerisches Landesamt für Datenschutzaufsicht), Ansbach.

4.29.11 Obligation to provide personal data

As a rule, the data subject is not obliged to provide the personal data. Likewise, there is generally no legal requirement for provision, nor is provision necessary for the conclusion of a contract.

However, participation in online meetings is not possible without providing the minimum required personal data.

4.29.12 Automated decision-making (including profiling) and effects

Automated decision-making does not take place.

4.29.13 Reference to further information

Further supplementary information on data protection can be found in the general privacy policy.

4.29.14 Status of the information

Date: November 23, 2023

FMG offers a contact form on its website at https://www.munich-airport.de/kontaktanfrage-parken-4624305, which parking customers, interested parties and website visitors can use to contact FMG about various topics relating to parking at Munich Airport.

Description and scope of data processing

As part of your contact request, the data you enter via the input form will be processed. This includes your contact details, the information you provide, and any supporting documents you may have provided with your message.

Contact data:

• Salutation, title, surname, first name
• Postal address
• E-Mail-address, telephone number

Information and facts:

• Booking-ID, online booking
• Your message: Reason for inquiry

Any uploaded attachments:

• e.g. proof of eligibility for discounted parking
  
  

Purpose of processing

The data or data categories referring to your person will be processed to process your request, which you have communicated to us via the free text field under "Your Message." The "Parking Contact Request" contact form generally serves the purpose of enabling interested parties, website visitors, and especially parking customers to address their concerns and inquiries regarding parking at Munich Airport to Flughafen München GmbH. This applies in particular to the following topics:

• Technical problem
• Receipt
• Complaint
• Payment dispute
• Barrier-free parking
• Registration for travel agency parking
• General inquiries, e.g. regarding rates, online reservations, parking garages, etc.
  
  

Legal Basis for processing of personal data

The processing of personal data is based on the following legal bases:

• Art. 6 (1) (b) GDPR
  If your request concerns services already provided on a contractual basis, processing your request is necessary for the performance of a contract.
  
  
• Art. 6 (1) (f) GDPR
  Necessity to safeguard the legitimate interests of Flughafen München GmbH: FMG has a legitimate interest in enabling parking customers, website visitors and interested parties to communicate barrier-free and uncomplicatedly with regard to topics relevant to these groups of people and to make appropriate contact.
  
  
• Art. 9 (2) (a) GDPR
  If special categories of personal data according to Art. 9 (1) GDPR (e.g. health data) are processed to check eligibility for reduced rates in barrier-free parking, this is done with express consent according to Art. 9 (2) (a) GDPR.
  
  

Recipients/Categories of recipients

In general, service providers employed and contracted by FMG to manage our IT systems may receive your personal data. Operators of data centers that host the applications we use may also have access to your personal data.

To offer the parking contact request service, FMG uses a customer experience management IT system from a Berlin-based provider and dialogue management software from a Munich-based provider. Corresponding data processing agreements have been concluded with the software solution providers, which oblige them, in particular, to comply with all data protection requirements and to act only within the framework of the instructions of Flughafen München GmbH.

Transmission to third countries

Transfer to a third country outside the European Union is not intended but cannot be ruled out in the context of possible email correspondence. The transfer is justified under data protection law, as the following instruments are used in accordance with Articles 44 et seq. of the GDPR:

• Adequacy decision (EU-U.S. Data Privacy Framework)
• Standard data protection clauses.
  
  

Duration of storage

Your data will be deleted no later than one year after the process is completed. If the regular limitation period pursuant to Section 195 of the German Civil Code (BGB) applies, the data will be deleted no later than four years after the process is completed.

Necessity of data and consequences of non-provision

Personal data are provided on a voluntary basis. If you do not provide these data, we may as a consequence not be able to process your inquiry.

Possibility of objection and removal

For all processing activities that we base on our legitimate interests, you have the right to object to processing at any time for reasons arising from your particular situation, in accordance with Art. 21 (1) GDPR.

Please do send your objection to Kontakt.parken@munich-airport.de. We reserve the right to review your request individually before implementing a restriction or cessation of processing or deletion.

We do offer various options for charging your electric vehicle while parking.

The charging and payment process is performed by using the bar code on the parking ticket and is linked to the parking transaction. Please scan the bar code of your parking ticket at the scanner of the eSelector and start the charging process by selecting the charging point.

Please note: If you are using a parking garage with automatic number plate detection, your vehicle license plate may also be linked with the parking ticket as part of the entire parking process. (Please cf. paragraph 4.9 Privacy Policy Privacy Policy - Munich Airport (munich-airport.com)).

Payment for the electricity charged and if applicable for the parking charges is made before the exit at automatic pay stations. Further information concerning charging of your electric vehicle can be found here: Charging electric vehicles - Munich Airport (munich-airport.com).

4.31.1 Scope of processing

In addition to the data collected during the parking process and if applicable for an online reservation, following data are processed:

• Amount of energy charged (Kilowatt hours (kWh))
• Amount to be paid for charging
• eSelector used
• Charge point used
• Date, time, duration of charging process

Further information regarding the scope of data processing during the parking process and for online reservations can be found in this data privacy statement under paragraph 4.8 Park-ing reservations and paragraph 4.9 Automatic number plate detection at parking entrances.

4.31.2 Purpose of processing

Data are processed for following purposes:

• Handling of charging and payment process
  
  

4.31.3 Legal basis

The processing of personal data is based on following legal basis:

• Necessary for the fulfillment of a contract to which the data subject is party (cf. Art. 6(1) sentence 1 lit. b) 1st variant GDPR): Allgemeine Einstellbedingungen Parken (General Conditions Parking).
  
  

4.31.4 Recipients

Personal data are transmitted to following recipients resp. categories of recipients:

• Producer of a software for the operation of charging points as well as maintenance and support of the software with headquarters in Germany.
  
  

4.31.5 Transmission to third countries

A transfer to a third country outside the European Union is not intended.

4.31.6 Duration of storage and criteria for defining the duration

The data record is stored for up to 92 days in the system for controlling the parking facilities and storing the relevant data records.

4.31.7 Necessity of the data and consequences of non-provision

• The provision of personal data is contractually required. If you do not provide your da-ta, this may mean that we cannot fulfill the contract concluded for the use of the parking garage including the use of the charging points.
  
  

4.31.8 Possibility of removal or revocation

Your processed personal data are required, insofar as they are based on the lawfulness of processing in accordance with Art. 6 para. 1 lit. b or c GDPR, to ensure the conclu-sion/execution of the contract with Flughafen München GmbH as part of your parking process. Consequently, there is no possibility of objection in this regard.

Special security precautions apply at airports. Only authorized persons may be granted access to the airside security area.

Controller and data protection officer

Flughafen München GmbH

Data protection officer
Flughafen München GmbH
Nordallee 25
85356 Munich
Germany
e-mail datenschutzbeauftragter@munich-airport.de

Scope of processing

When accessing the airside security area, the following categories of data are collected by scanning the boarding pass:

• Last name, first name
• Boarding pass data (including sequence number, flight data, booking class, seat number)
• Boarding pass scanner number, scan time
• The boarding pass data is derived from your booking data with your airline, which you confirmed when you checked in with your airline.
  
  

Purpose of processing

Processing is used to ensure authorization for access to the airside security area (access control).

Legal basis

Necessity for compliance with a legal obligation to which the controller is subject as an airport operator [see Article 6, paragraph 1, sentence 1, letter c) GDPR]. The legal obligation arises from Section 8 of the German Aviation Security Act (LuftSiG).

Categories of recipients

Personal data is transmitted to the following recipients or categories of recipients:

Group companies: FMSicherheit Flughafen München Sicherheit GmbH

Some of the data is also available to airline employees at the gate for individual queries as part of the process for optimizing the punctuality of check-in (see "Optimization of punctuality during check-in and departure").

Transmission to third countries

Transmission to a third country outside of the European Union is not planned.

Term of storage and criteria for determining the effective period

The data on your boarding pass will be stored for 30 days in the boarding pass control system in order to be able to trace any faults and comply with official requests. After 30 days, the data is pseudonymised and used for statistical purposes (aggregated figures) for operational analysis. The pseudonymous data will be deleted after 18 months.

Data source

The data is collected as part of boarding pass scans during boarding pass checks.

Necessity of the data and consequences of failure to provide data

The provision of personal data is voluntary. However, it is not permissible to grant you access to the airside part of Munich Airport if you do not provide this data.

Status of the information

Date: March 25, 2024

If any passengers have failed to appear at the gate of their flight during the boarding process, a decision must be made as to whether the gate will be closed and the baggage of these passengers will be unloaded to ensure punctual departure. Airlines' gate staff can search for the last contact point of a boarding pass scan by seat number or boarding sequence number, so that they can better assess whether the missing passengers can still be expected soon.

Controller and data protection officer

Flughafen München GmbH

Data protection officer
Flughafen München GmbH
Nordallee 25
85356 Munich
Germany
E-mail: datenschutzbeauftragter@munich-airport.de

Scope of processing

• Flight and seat number
• Boarding sequence number
• Boarding pass scanner number (location), scan time
  
  

Purpose of processing

Optimization of punctuality of check-in and departure.

Legal basis

Required for the purposes of pursuing the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject [see Article 6, paragraph 1, sentence 1, letter f) GDPR]. The legitimate interests consist of punctual handling and adherence to the flight schedule and thus serve all of the data subjects.

Categories of recipients

Boarding pass scanner number (location) and scan time are transmitted to the following recipients on the basis of the flight and seat number or boarding sequence number:

Airlines or their employees, or authorized employees at the gate

Group company: aerogate München Gesellschaft für Luftverkehrsabfertigungen mbH

Transmission to third countries

Transmission to a third country outside of the European Union is not planned.

Term of storage and criteria for determining the effective period

Retrieval via the seat number or boarding sequence number is possible only until the flight is closed.

Data source

The scan time and location are recorded as part of boarding pass scans during boarding pass checks (see 4.36).

Necessity of the data and consequences of failure to provide data

The provision of personal data is voluntary. However, it is not permissible to grant you access to the airside part of Munich Airport if you do not provide this data.

Status of the information

Date: March 25, 2024

4.34.1 Scope of processing

For customer communication with partners and service providers, the following data is processed by the FMG departments and subsidiaries with which the customers are in contact:
First name/last name, business e-mail address, telephone number and, if applicable, fax number, company (employer) incl. address, communication content

4.34.2 Purpose of processing

Customer relationship management
(maintaining contact directories and lists, processing of offers and orders, communication with contact persons)

4.34.3 Legal basis

Art. 6 (1) sentence 1 lit. f GDPR: Legitimate interest (efficient processing of quotations and orders as well as corresponding business correspondence)
Art. 6 (1) sentence 1 lit. b GDPR: if the data subject becomes or is a party to the contract.
Art. 6 (1) sentence 1 lit. c GDPR: if required by law, e.g. for validation of supplier relationships.

4.34.4 Recipients

In the course of communication with data subjects and the processing of contracts, the providers of the applications and IT systems used by FMG may also receive your personal data, e.g. operators of data centers that host applications used by us may have access to your personal data. In the case of any third country transfers of personal data outside the EEA, the requirements of Chapter V of the GDPR are met by us as the controller and by the processors involved.

4.34.5 Duration of storage and criteria for defining the duration

Your data will generally be stored for as long as is necessary to achieve the above-mentioned purpose and will be deleted once the purpose no longer applies. This is usually the case when the business relationship has ended and there are no statutory retention periods to the contrary.

4.34.6 Possibility of removal or revocation

If your data is processed on the legal basis of legitimate interest, you have the right to object to the processing of your data at any time. In the event of changes to contacts (contact persons) and contact details, please get in touch with your direct contact person.

If you published a review about Munich Airport on Google Maps, we evaluate this review in order to learn from it and improve the services at Munich Airport. For suitable reviews, we can also publish an answer, e.g. to answer a question contained in the review.

4.35.1 Responsible person and contact

Google is responsible for Google Maps and the reviews published there. Further information on this can be found in Google's privacy policy.

Flughafen München GmbH is responsible for the evaluation of the reviews published on Munich Airport as described here. Their contact details and the contact details of the data protection officer can be found above in section 1.

4.35.2 Scope of processing

We process the following data categories of the published reviews:

• Social media platform on which the review was published
• Date/time of the review (and possibly the last edit)
• Number of stars awarded
• Review text
• If applicable, the answer we published to the review
• If applicable, the name of the reviewer published by Google

We use techniques from the field of "artificial intelligence" to automatically discover structures and patterns in the published reviews and gain insights from them. We also use such techniques to automatically prepare possible answers to new reviews from previous reviews and our responses to them. The publication of an answer (and the answer text) is always based on the decision of a human employee.

4.35.3 Purposes of processing

• Improvement of services at Munich Airport
• Communication with the reviewers about the points they have addressed
  
  

4.35.4 Duration of storage

The data of individual reviews are stored and evaluated by us for up to 10 years, so that we can track and evaluate trends and developments in the quality of our services over longer periods of time.

4.35.5 Legal basis

The legal basis for the processing described in this section is Art. 6 (1) sentence 1 (f) GDPR (balance of interests, based on our legitimate interest in improving the services at Munich Airport and communicating with our reviewers about it).

4.35.6 Right to object

You can object to the processing of your data described here at any time, e.g. by e-mail to datenschutzanfrage@munich-airport.de. In the event of your objection, we will no longer process the data of your review(s), unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of asserting, exercising or defending legal claims.

4.35.7 Categories of recipients & transmission to third countries

The recipients of the review data processed by us are our responsible specialist department and the contract processors for IT services that we use. A transfer to third countries is not intended.

4.35.1 Scope

This privacy policy contains information on the processing of your personal data in con-nection with participation in the Munich Airport Advent Calendar competition, visiting this website and participating in the voluntary survey in the Munich Airport Advent Calendar competition.

To participate in the Advent calendar competition, interested participants sign up on the Advent calendar platform and access a protected area with their own password.

If you have signed up for the newsletter as part of participating in the Advent calendar competition, please refer to the information in section 4.3 Newsletter of the privacy policy on the Munich Airport website.

For websites of other providers, to which, for example, links are referred, the data protection information and declarations there apply.

4.35.2 Data protection officer & contact to the data protection officer

The person responsible for data protection law is:

Flughafen München GmbH
Route and Passenger Development
Nordallee 25, 85356 München-Flughafen
E-Mail: digital@munich-airport.de

Data protection officer contact details
datenschutzbeauftragter@munich-airport.de

4.35.3 Categories of personal data

The following categories of personal data are processed from the registered participants:

Processing in the context of the Advent calendar competition:

• Title

• Name
• E-mail address
• Password (for login)

Processing in the context of the voluntary survey:

• Frequency of participation in the competition

• Country of origin and postal code
• Travel frequency
• Year of birth + - 15 years
• Travel behavior
• Feedback on user-friendliness
• Recording of the airport visit
• IT usage data (IP address, time stamp)

4.35.4 Purposes of processing

The personal data is processed exclusively for the following purposes:

Advent calendar competition:

• Identification and notification of the winners after the draw of the daily prizes and the main prize

• Personal address of the logged-in users: on the Advent calendar platform and in the email communication required within the scope of the competition during the competition period
• Identification of participants to exclude multiple participation
• Transmission of the winner's data to the sponsor partner of the competition for contacting and providing the winnings (e.g. to airline partners for personalized flight tickets)
  
  

• The aggregated, non-personally identifiable data of the participants generated from the surveys will be further processed for the purposes of optimizing the user experience within the competition, as well as optimizing advertising measures.
  
  

4.35.5 Legal basis for the processing of personal data

Advent calendar competition:

The processing of personal data for participation in the competition is based on the follo-wing legal basis: fulfillment of a contract (terms and conditions of participation in the competition) concluded between the competition participants and the person responsible [cf. Art. 6 (1) b) GDPR].

Survey:

The processing of personal data for participation in the survey is based on the following legal basis: Consent [cf. Art. 6 (1) a) GDPR].

You have the option to revoke your consent at any time without giving reasons by sending an e-mail to digital@munich-airport.de. The processing of personal data based on consent remains lawful until the time of revocation.

4.35.6 Recipients:

Personal data is transmitted to the following recipients or categories of recipients:

• Internal: Employees of the participating specialist departments

• External:
  

  - Employees of the commissioned agency, which is used on the basis of a contract for order processing for hosting and administrative support.
  - For data of the winners: respective sponsor partners of the competition
  

4.35.7 Transmission to third countries

Transmission to a third country outside of the European Union is not planned.

4.35.8 Duration of storage

The deletion of the personal data of all registered participants in the survey will take place after the survey and the associated organizational processes have been evaluated, no later than 28.02.2025.

The data of the winners can be stored until the expiry of statutory limitation periods. This period corresponds to the standard limitation period for claims under Section 195 of the Bürgerliches Gesetzbuch (BGB – German Civil Code). Unless another starting point for the limitation period is determined, the period begins at the end of the year in which the claim arose (Section 199 (1) BGB). The data are erased if they are no longer required and this is not precluded by legal retention periods.

4.35.9 Obligation to provide personal data

The Advent calendar competition is a contract-like legal relationship. The provision of the data is contractually required for participation and execution of the competition. Failure to provide the data means that participation in the Advent calendar competition is not possible.

The survey on the Advent calendar competition is a voluntary participation based on informed consent in accordance with Art. 6 (1) a) GDPR. The provision of the data is neither contractually nor legally required. Failure to provide the data means that participation in the survey is not possible.

4.35.10 Data source

Independent data entry by the participants.

4.35.11 Automated decision-making (including profiling) and effects

Automated decision-making does not take place.

4.35.12 Explanations on special processing of personal data

• Log data / log files

  Every time you access content on our websites, data is stored that may allow identification.

• Date and time of access

• Server load at the time of the request
• IP address
• Visited page on our website
• Notification of whether the call was successful
• Amount of data transferred
• Information about the device used (mobile device, desktop, etc.), operating system, browser type and versions used

4.35.13 Purposes of processing

The temporary storage of this data is necessary for the execution of a website visit to ena-ble the delivery of the website. Further storage in log files takes place to ensure the functionality of the website and the security of the information technology systems. This stored data is evaluated exclusively for the analysis of technical malfunctions and possible attacks on our website. In addition, the data can be analyzed anonymously for statistical purposes.

4.35.14 Legal basis

The legal basis for the corresponding processing of your data is Art. 6 (1) sentence 1 (f) GDPR (balance of interests, based on our legitimate interest in maintaining the functionality of the website and statistically evaluating the use of our website).

4.35.15 Categories of recipients

Individual websites are operated by external hosting service providers and/or managed by external agencies. These will each act on our behalf as a data processor and process the data exclusively in accordance with our instructions.

4.35.16 Transmission to third countries

Transmission to a third country outside of the European Union is not planned.

4.35.17 Duration of storage

In order to be able to research appropriately in the event of technical malfunctions or possible attacks on our website and report to supervisory authorities and security bodies if necessary, we delete or anonymize the log data no later than one month.

4.35.18 Automated decision-making (including profiling) and effects

Automated decision-making does not take place.

4.35.19 Website tracking: eTracker

On the website of the Advent calendar competition, we use the service "etracker Analytics" of etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany (www.etracker.com). Because the privacy of our visitors is important to us, the data that may allow a reference to an individual person, such as the IP address, login or device identifiers, are anonymized or pseudonymized as early as possible. It is not used in any other manner, aggregated with other data or shared with third parties.

Here you can find more information on data protection at etracker.

The etracker is used on our website by anonymous web analysis without the use of Cookies (cookie-less). If you do not object to anonymous web analysis, your usage behavior on this website will be recorded exclusively without Cookies (cookie-less). Further information on this can be found under etracker -Cookie-less-etracking.

Data processing in this case is based on the legal provisions of Art. 6 (1) f) GDPR (legiti-mate interest). Our aim is to optimize the Advent calendar competition for the benefit of the participants, which is also our purpose.

4.35.20 Recipients of the data

internally: Employees of the participating specialist departments
External: Employees of the commissioned agency and the service provider used for web analysis.

4.35.21 Transmission to third countries

The data generated by etracker is processed and stored exclusively in Germany on behalf of the provider of this website by etracker and is therefore subject to the strict German and European data protection laws and standards. No transmission to third countries takes place.

4.35.22 Data protection requests / rights of data subjects

Data protection law grants you various rights with regard to your personal data, including, without limitation, the right of access to personal data concerning you, the right to rectification, erasure, restriction of processing, objection to processing, data portability, and to withdraw consent at any time. Unless otherwise indicated for the individual processing operations, you may contact datenschutzanfrage@munich-airport.de to establish your rights.

4.35.23 Right of access

You have the right to request information from the controller pursuant to Art. 15 GDPR about your personal data processed by the controller. Please note that the right of access may be restricted under certain circumstances in accordance with legal provisions (in-cluding, without limitation, Section 34 of the German Federal Data Protection Act (BDSG)).

4.35.24 Rectification

You have the right to request from the controller without undue delay the rectification of inaccurate personal data concerning you in accordance with Art. 16 GDPR. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed.

4.35.25 Restriction/blocking

You have the right to request from the controller, within the framework of the provisions of Art. 18 GDPR, the restriction of the processing of personal data concerning you.

As a precaution, we note the following: Certain personal data of the data subject must usually be kept in a blocked data file to ensure that data is properly blocked at all times.

4.35.26 Erasure

You have the right to request from the controller the erasure of your personal data under the conditions of Art. 17 GDPR.

4.35.27 Objection

Under the conditions of Art. 21 GDPR, you have the right to object to the processing of personal data concerning you at any time for reasons arising from your particular situation. In this case, we will only process your data if we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is done for the establishment, exercise or defense of legal claims.

4.35.28 Revocation

You have the right to revoke your consent at any time with effect for the future. The processing of personal data based on consent remains lawful until the time of revocation.

4.35.29 Data portability

Under the conditions of Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format, to transmit it to another controller and to request that the personal data be transmitted directly from one controller to another.

4.35.30 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes applicable law. The competent supervisory authority in Bavaria for the non-public sector is Bavaria DPA (Bayerisches Landesamt für Datenschutzaufsicht), Ansbach.

Comprehensive information on your data subject rights can also be found in the data protection declaration on the Munich Airport website in sections 6 and 7.

4.35.31 Status of the information

27.11.2024

Introduction / scope of application

This data protection declaration contains information on the processing of personal data in connection with boarding pass scanning at the self-checkout counters in the shops of eurotrade Flughafen München Handels-GmbH (eurotrade).

In order to optimize our sales processes at the cash registers of the eurotrade shops in the security area at Munich Airport, we are currently introducing self-checkout cash registers. In order to test customers' acceptance of scanning their own boarding passes independently, we are planning the temporary, voluntary scanning of specified boarding pass data for all sales at the self-checkout tills, including sales that do not fall under the legal requirements for the sale of tobacco or alcohol products or sales exempt from value-added tax.

Information on the required scanning of boarding passes to fulfill the requirements of the excise tax regulations for the sale of tobacco and alcohol products or for VAT exemptions according to the German Value-Added Tax Act can be found under section 4.39 of the Privacy Policy on the FMG website.

Unless the requirements according to the processing in clause 4.39 are met, no personal data will be processed during the scanning process. The only information collected from the boarding pass is the flight number, flight time, and destination.

The information contained in this notice is intended to contribute to ensuring the necessary transparency in accordance with data protection obligations – in particular under the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). This notice uses terminology from the GDPR.

Data controller & contact

The person responsible for data protection law is:
eurotrade Flughafen München Handels-GmbH (eurotrade)
Terminalstraße Mitte 18, 85356 München-Flughafen, cs.eurotrade@munich-airport.de

Data protection officer & contact

Data Protection Officer at eurotrade:
datenschutzbeauftragter@munich-airport.de

Scope of processing

• Flight number, flight time, destination

There is no linking of any payment information through the use of payment cards (e.g. debit or credit cards). Similarly, there is no processing of special categories of personal data.

Purpose of processing

• Optimization of our sales processes at the cash registers of the eurotrade shops in the security area at Munich Airport
• Assessment of customer acceptance for independently scanning their own boarding passes during the payment process
  
  

Legal basis

The processing of the data is carried out on the following legal bases:

• Necessity of protecting the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject prevail [cf. Art. 6 (1) sentence 1 (f) GDPR].
  The legitimate interests are based on the purposes of the processing.
  
  

Categories of recipients

Personal data is transmitted to the following recipients or categories of recipients:

• External contractors in accordance with Art. 28 GDPR, currently these are:
  o Infrastructure service provider for the cash register system
• If necessary, other responsible parties such as persons with a duty of professional secrecy, e.g. auditors, tax consultants or lawyers, banks or insurance companies.
  
  

Transmission to third countries

There is no transfer of data to third countries outside the European Union.

Term of storage and criteria for determining the effective period

Your data will only be stored temporarily for the duration of the optimization project (up to 30 days).

Necessity of the data and consequences of failure to provide data

• Unless the sale falls under the requirements of clause 4.39, the provision of the scanned data is neither contractually nor legally required and is carried out voluntarily. If you do not provide your data, you can still make the purchase.
  
  

Possibility of erasure or withdrawal

For legal basis legitimate interest:

You have the right to object to the processing of personal data concerning you at any time for reasons arising from your particular situation.

Please address your objection to eurotrade Customer Service at cs.eurotrade@munich-airport.de. We reserve the right to examine your request individually before implementing a restriction or cancellation of processing and deletion.

Alternatively, you can also skip the scanning process on the display at the self-checkout counter.

Data protection requests / rights of data subjects

Data protection law grants data subjects various rights with regard to their personal data, in particular rights to information about the personal data concerned, to rectification, to erasure, to restriction of processing, to object to processing, to data portability and to withdraw consent at any time.

Contact details for exercising your data subject rights in relation to this specific processing activity:

eurotrade Flughafen München Handels-GmbH
Terminalstraße Mitte 18, 85356 Munich
E-Mail datenschutz.eurotrade@munich-airport.de

Detailed information

• You can find information on your rights as a data subject under Articles 15–21 of the GDPR in Section 6 and
• For information on exercising data subject rights, please refer to Section 7 of this data protection declaration.

Status of the information

Date: 03.11.2025

1. Introduction / scope of application

This data protection declaration contains information on the processing of personal data with regard to security control in connection with the legally required safeguarding of security areas against unauthorized access by climbing over the balustrade ("balustrade monitoring") as well as by using a boarding pass multiple times at the boarding pass checkpoint (known as 'tailgating'). In addition, we will provide information on measures for assessing passenger occupancy rates and avoiding queues at the checkpoints.

For processing purposes related to the monitoring of balustrades, the prevention of tailgating, and assessing passenger occupancy in the control area of Terminal 2, a local camera and video sensor system is used. This system uses AI to recognize objects within the required and defined viewing area as persons. It then immediately blurs the objects that have been recognized as persons, before converting them into data points and generating an alarm message for the control room staff. Person-related image data is only processed locally, is immediately anonymized, and is not stored at any time. In the event of an alarm, a temporary video sequence image of the trigger event is displayed on the alarm screen, thereby allowing security personnel to identify and address the person in question.

The information contained in this privacy policy is intended to help fulfill the information obligations under data protection law, especially under the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). This privacy policy uses terms defined in the GDPR.

2. Data controller & contact

The party responsible for data protection is:

Terminal 2 Gesellschaft mbH & Co oHG (T2 GmbH)
P.O. Box 23 17 55
85326 Munich Airport
Tel. +49 89 975 887 01, Email: cctv@munich-airport.de

3. Data protection officer & contact

Data protection officer of Terminal 2 GmbH: datenschutzbeauftragter@munich-airport.de

4. Scope of processing

The following categories of personal data are processed:

• Video stream in the recording area in front of the check-in area Terminal 2 center, along the balustrade around the queue in front of the security check, and at the Sector A to Sector D eGates for AI-based object recognition to take place
  
  

5. Purposes of processing

We process personal data for the following purposes:

Purpose 1

• Effective detection and identification of unauthorized crossings over the balustrade after the boarding pass check and before the security check in Terminal 2, as well as subsequent triggering of an alarm to enable the security personnel to carry out a subsequent check and, if necessary, to perform detection ("balustrade monitoring").

Purpose 2

• Effective detection and identification of the unauthorized passing-through of more than one person per boarding pass at the boarding pass checkpoint in Terminal 2, and subsequent triggering of an alarm to enable security personnel to carry out subsequent checks and, if necessary, to perform detection ("tailgating").

Purpose 3

• The system will be further developed to optimize the valid detection of incidents where people step over the barriers without authorization, and of tailgating incidents, as well as how many people are in passenger areas, passenger occupancy, and queue formation.

Purpose 4

• Detection of how full areas are, passenger occupancy levels, and queue formation in the areas in front of the check-in area and the boarding pass checkpoint, in addition to taking measures to resolve queues and bottlenecks.
  
  

6. Legal basis

The processing of personal data is carried out on the following legal bases:

Purposes 1, 2:

• Necessary in order to safeguard the legitimate interests of Terminal 2 GmbH, unless the interests or fundamental rights and freedoms of the data subject prevail [cf. Art. 6 para. 1 p. 1 lit. f GDPR]
• In accordance with § 8 (1) No. 1 and No. 4 of the Aviation Security Act (LuftSiG)

In particular, No. 4:

"to secure the airside areas against unauthorized access and, insofar as these are security areas or sensitive parts of security areas, to only permit access to persons who hold special authorization"

• In accordance with the Annex to Implementing Regulation (EU) 2015/1998 laying down detailed measures for the implementation of the common basic standards on aviation security
• In accordance with Articles 4 and 12 of Regulation (EC) No 300/2008 on common rules in the field of civil aviation security
• In connection with clause 4.2.1 National Aviation Security Programme

Our legitimate interests lie in the business interest of Terminal 2 GmbH in maintaining air traffic safety. In addition, we have a legitimate interest in fulfilling our obligations under Section 8 of the LuftSiG (security measures of airport operators) and under point 1 of the Annex to Directive (EU) 2015/1998 (access to security areas, monitoring for the purpose of supervision between the landside, airside, security areas, sensitive areas and, if necessary, demarcated areas) by means of efficient and effective detection of unauthorized crossings of balustrades between the boarding card checkpoint and the security checkpoint, as well as the unauthorized use of the same boarding pass multiple times at the boarding card checkpoint by more than one person.

Purpose 3, 4:

• Necessary in order to safeguard the legitimate interests of Terminal 2 GmbH, unless the interests or fundamental rights and freedoms of the data subject prevail [cf. Art. 6 para. 1 p. 1 lit. f GDPR]

Our legitimate interests lie in the business interest of Terminal 2 GmbH in maintaining the safety of air traffic, the efficient and passenger-friendly handling of passengers, and the proper implementation of personnel security and protection measures. In addition, we have a legitimate interest in ensuring that the detection of unauthorized balustrade crossings and tailgating is carried out efficiently and effectively.

Purpose 4:

• Necessary in order to safeguard the legitimate interests of Terminal 2 GmbH, unless the interests or fundamental rights and freedoms of the data subject prevail [cf. Art. 6 para. 1 p. 1 lit. f GDPR]
• pursuant to § 8 (1) No. 1 of the LuftSiG

Our legitimate interests lie in the business interest of Terminal 2 Gesellschaft in maintaining the safety of air traffic. Furthermore, we have a legitimate interest in designing and maintaining the airport facilities, rooms, and equipment in such a way that the necessary structural and technical security, the transportation of passengers and luggage, and the proper implementation of personnel security and protection measures, as well as the control of airside areas, are as efficient as possible for passengers.

7. Categories of recipients

Personal data is transmitted to the following recipients or categories of recipients:

• External contractors in accordance with Art. 28 GDPR, with whom the necessary agreements have been concluded. Currently, these are:
  o the provider of the video analysis system
  o the IT service provider that has been engaged
  
  

8. Transmission to third countries

Transmission to a third country outside of the European Union is not planned.

9. Term of storage and criteria for determining the effective period

Your personal data is only collected and processed in real time. No storage of this data takes place.

10. Necessity of the data and consequences of failure to provide data

The provision of personal data is voluntary. However, if you do not provide this data, it may result in you not being allowed to pass through the necessary checkpoints.

11. Possibility of erasure or withdrawal

You have the right to object to the processing of personal data concerning you at any time for reasons arising from your particular situation.

Please send your objection to [cctv@munich-airport.de]. We reserve the right to examine your request on an individual basis before implementing a restriction or cancellation of processing and deletion.

12. Data protection requests / rights of data subjects

Data protection law grants data subjects various rights with regard to their personal data, in particular rights to information about the personal data concerned, to rectification, to erasure, to restriction of processing, to object to processing, to data portability and to withdraw consent at any time.

Contact details for exercising your data subject rights in relation to this specific processing activity:

Contact details for exercising your rights as a data subject:

Terminal 2 Gesellschaft mbH & Co oHG (T2 GmbH)
Terminalstraße Nord 1, Ebene Z4, Postfach 23 17 55, 85326 Munich Airport
E-Mail: datenschutzanfrage@munich-airport.de

Detailed information

• You can find information on your rights as a data subject under Articles 15–21 of the GDPR in Section 6 and
• For information on exercising data subject rights, please refer to Section 7 of this data protection declaration.

Status of the information

Date: 03.06.2025