Privacy policy

Introduction

Welcome to our website and thank you for your interest in privacy and data protection with regard to our services. We are pleased to provide you with information here on how your personal data are processed on our websites and in connection with the other services described in this Privacy Statement. 

1 Controllers and data protection officers

Unless another controller is expressly indicated for specific services, the controller for the purposes of all data processing covered in this Privacy Statement is:

Flughafen München GmbH
Nordallee 25
85356 Munich
Germany
Tel. +49 89 975 00
Email: info@munich-airport.de

Contact details for Flughafen München GmbH, referred to below as "FMG" or "we" and their subsidiaries with data protection officers:

  • Flughafen München GmbH

    Contact data

    Nordallee 25
    85356 München
    Tel. +49 89 975 00
    Email: info@munich-airport.de

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Directors

    Jost Lammers
    Nathalie Leroy
    Jan-Henrik Andersson

    Head of IT

    Florian Lesch

  • aerogate München Gesellschaft für Luftverkehrsabfertigungen mbH

    Contact data

    Terminal1, Modul D
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 212 00

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Eva Ranki

    Head of IT

    Florian Lesch

  • AeroGround Flughafen München GmbH

    Contact Data

    Postfach 23 17 55
    85326 München
    Tel. +49 89 975 210 01

    Data Protection Officer

    Wolf Janz
    AeroGround Flughafen München GmbH
    Postfach 23 17 55
    85326 München
    Tel. +49 89 975 215 10
    Email: datenschutz@aeroground.de

    Managing Directors

    Helmut Ehrnstraßer

    Head of IT

    Florian Lesch

  • Allresto Flughafen München GmbH - Hotel und Gaststätten GmbH

    Contact data

    Terminalstrasse Mitte 18
    85356 München-Flughafen
    Tel. +49 89 975 9 31 77
    Email: info.allresto@munich-airport.de

    Data Protection Officer

    -Data Protection-
    Allresto Flughafen München GmbH
    Hotel und Gaststätten GmbH
    Terminalstrasse Mitte 18
    85356 München-Flughafen
    Tel. +49 89 975 9 31 77
    Email: datenschutz.allresto@munich-airport.de

    Managing Directors

    Andreas Reichert

    Head of IT

    Allresto Flughafen München GmbH
    Hotel und Gaststätten GmbH

  • Cargogate Munich Airport GmbH

    Contact Data

    Frachtgebäude Modul C
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 92 289

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Claudia Weidenbusch

    Head of IT

    Florian Lesch

  • EFM Gesellschaft für Enteisen und Flugzeugschleppen am Flughafen München

    Contact Data

    RGS 1, Vorfeld West 1
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 977 500 0

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Jörg Abel

    Head of IT

    Michael Springborn

  • eurotrade Flughafen München Handels-GmbH

    Contact Data

    Terminalstraße Mitte 18
    85356 München
    Tel. +49 89 975 936 00

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Directors

    Christian Wallner
    Sven Zahn

    Head of IT

    Andre Dlugos

  • FMSicherheit Flughafen München Sicherheit GmbH

    Contact Data

    Postfach 24 11 37
    München-Flughafen
    Tel. +49 89 975 910 74

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Christian Huber

    Head of IT

    Florian Lesch

  • InfoGate Information Systems GmbH

    Contact Data

    Südallee 1
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 825 00

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Manfred Zötl

    Head of IT

    Manfred Zötl

  • LabCampus GmbH

    Contact Data

    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 65701
    Email: contact@labcampus.de

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Dr. Marc Wagener

    Head of IT

    Florian Lesch

  • MediCare Flughafen München Medizinisches Zentrum GmbH

    Contact Data

    MediCare Flughafen München
    Medizinisches Zentrum GmbH
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 633 28

    Data Protection Officer

    Lukas Mempel
    MediCare Flughafen München
    Medizinisches Zentrum GmbH
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 67 82 04 425
    Email: lukas.mempel@sana.de

    Managing Director

    Elmar Simon

    Head of IT

    Florian Lesch

  • Munich Airport International GmbH

    Contact Data

    Munich Airport International GmbH
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 102 14

    Data Protection Officer

    Petra Eul-Löh
    HEC Harald Eul Consulting GmbH
    Auf der Höhe 34
    50321 Brühl
    Datenschutzbeauftragter-MAI@he-c.de


    Managing Directors

    Dr. Lutz Weisser
    Lorenzo Di Loreto

    Head of IT

    Florian Lesch

  • Flughafen München Realisierungsgesellschaft mbH

    Contact Data

    Visiting address:
    Terminalstraße Mitte 26
    Bürogebäude Nord N2
    85356 München-Flughafen

    Postal address:
    Postfach 231755
    85326 München-Flughafen
    Tel. +49 89 975 54500
    Email: mucreal@munich-airport.de

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter.mr@munich-airport.de

    Managing Director

    Michael Hiss

  • Terminal 2 Gesellschaft mbH & Co oHG

    Contact Data

    Terminalstraße Nord 1, Ebene Z4
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 887 01

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Directors

    Ivonne Kruger
    Matthias Langbehn

    Head of IT

    Uwe Winkler

2 Data processing

2.1 Data processing policy

We process your personal data in accordance with applicable data protection laws – in particular the provisions of the General Data Protection Regulation (GDPR), the German Data Protection Act (Bun-desdatenschutzgesetz) and other applicable laws.

We process personal data exclusively in accordance with the intended purposes. The main purpose is to operate Munich Airport including all ancillary business activities directly or indirectly supporting this purpose. The purposes related to specific services are concretely outlined in the corresponding descriptions.

We process your personal data only when this is permitted or required under legal regulations or with your consent.

You will find additional information on specific services in the descriptions below. Unless those descriptions specify another legal basis, the data processing is carried out in accordance with Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in operating Munich Airport, including all ancillary business activities directly or indirectly related to the purpose of business).

2.2 Recipients

Personal data can be transmitted to the following recipients or categories of recipients:

  • In-house recipients (e.g. specialist departments responsible for dedicated processing)
  • Companies of the Flughafen München Group (Our company profile offers a current overview of the group structure)
  • Cooperation partners with whom we perform our services.
  • External contractors in accordance with Art. 28 EU GDPR, if they are explicitly mentioned in the individual processing operations.
  • Business partners for whom we perform.
  • Courts, authorities or other government bodies in the event of legal obligations.

If there are other recipients, these will be mentioned separately in the individual processing activities.

2.3 Duration of storage

Personal data are stored only as long as necessary for achieving the specified purposes or in accordance with the storage and archiving periods required by law. After the relevant purpose no longer applies or the expiry of these periods, the corresponding data will be deleted routinely in accordance with the statutory regulations.

If possible, specific storage periods for the various services will be stated.

2.4 Scope of the Privacy Statement

This Privacy Statement applies to the websites of Flughafen München GmbH and the subsidiaries specified above and for other services described in this Privacy Statement.

3 Generally applicable information on data processing in relation to online services

  • 3.1 Log files

    Every time the contents of our websites are accessed, data are stored that may permit identification of data subjects.

    The following data are collected:

    • date and time of access
    • server traffic at time of access
    • IP address
    • page visited on our website
    • message indicating whether page retrieval was successful
    • transferred data volume
    • information on the device used (mobile device, desktop, etc.), operating system, browser type and versions

    The temporary storage of these data is necessary for processing the site visit in order to ensure that the website can be made available. Further data storage in log files takes place to ensure the functionality of the website and the security of the IT systems. These stored data are analyzed exclusively for purposes of analyzing technical malfunctions and possible attacks on our website. In addition, the data can by analyzed anonymously for statistical purposes.

    Categories of recipients
    Some websites are operated by external hosting services and/or through external agencies. They act on our behalf as external processors and process the data exclusively in accordance with our instructions.

    Duration of storage
    To be in a position to conduct proper investigations of technical malfunctions or possible attacks on our website and report as needed to regulatory bodies and security authorities, we delete or anonymize the log files within 14 days at the latest.

    Legal basis
    The legal basis for the related processing of your data is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in maintaining the functionality of our website and performing statistical analysis of the use of our website). 

  • 3.2 Cookies and pixels

    3.2.1 General information on cookies

    Cookies are small files in which certain information is stored either in open or encrypted form. Cookies are sent from the server to your computer and stored there. They initially serve to identify the computer from which our website was accessed. If you log in to our website, cookies serve to notify the server of your login and check the authorizations to retrieve the page.

    Cookies can help to improve communications between our server and your computer and therefore make it easier to use our website. Cookies also make it possible to track the path of a user across various pages of the website and possibly across various websites. In addition, cookies can store information of any kind.

    Cookies can originate not only with the operator of the website but also with third-party providers. In your browser you can display a list of the cookies stored on your computer, delete some or all of these cookies, or select settings to deactivate or limit the storage of cookies. Please note that some functions (e.g. the login) will not work, or will not be fully functional, if you deactivate the storage of cookies.

    Every cookie has an expiry date when it is no longer valid and will be automatically deleted. Details on the expiry dates for certain cookies are described in the sections below.

    You can object to the use of cookies that permit the analysis of your user behavior: Tracking Preferences. Details are provided in the following sections. Please note: If you delete the cookies stored in your browser after objecting, you may have to click the links provided here again because the objection to the use of cookies containing personal data will also be documented in the form of anonymous (non-personal) cookies.

    Consent management tool 

    We have integrated the consent management tool "consentmanager" (www.consentmanager.net) from Jaohawi AB (Håltgelvågen 1b, 72348 Västerås, Sweden, info@consentmanager.net) on our website to obtain consent for data processing and use of cookies or comparable functions. With the help of "consentmanager" you have the possibility to give your consent for certain functionalities of our website, e.g. for the purpose of integrating external elements, integrating streaming content, statistical analysis, measurement and personalized advertising. With the help of “consentmanager” you can grant or reject your consent for all functions or give your consent for individual purposes or individual functions. The settings you have made can also be changed afterwards. The purpose of integrating “consentmanager” is to let the users of our website decide about the above-mentioned things and, as part of the further use of our website, to offer the option of changing settings that have already been made. By using “consentmanager”, personal data and information from the end devices used, such as the IP address, are processed.

    The legal basis for processing is Art. 6 Para. 1 S. 1 lit. c) in conjunction with Art. 6 para. 3 sentence 1 lit. a) in conjunction with Art. 7 para. 1 GDPR and, in the alternative, lit. f). By processing the data, we help our customers (according to GDPR this is the responsible party) to fulfill their legal obligations (e.g. obligation to provide evidence). Our legitimate interests in processing lie in the storage of user settings and preferences with regard to the use of cookies and other functionalities. "Consentmanager" stores your data as long as your user settings are active. The log data will be deleted after three years. It may happen that we ask you again for your consent. This query takes place after one year at the latest.

    You can object to the processing. You have the right to object to reasons arising from your particular situation. To object, please send an email to info@consentmanager.net.


    3.2.2 Analytical cookies used on our websites

    3.2.2.1 etracker

    On our website, we also use the service “etracker Analytics” from etracker GmbH, Erste Brunnenstrasse 1, 20459 Hamburg, Germany (www.etracker.com). Since the privacy of our visitors is important to us, data that could potentially be linked with a specific individual such as IP addresses, log-in IDs or device IDs is anonymized or pseudonymized at the earliest possible point. It is not used in any other manner, aggregated with other data or shared with third parties.

    You can find further information on data protection at etracker.

    The etracker is used on our website by means of anonymous web analysis without the use of cookies (cookie-less). If you do not refuse anonymous web analysis, your user behavior on this website will be recorded exclusively without cookies (cookie-less). More detailed information on this can be found at etracker - Cookie-less-etracking.

    In this case, the data processing takes place on the basis of the statutory provisions under Art. 6(1) (f) (legitimate interest) of the General Data Protection Regulation (GDPR). Our concerns within the meaning of the GDPR (legitimate interest) is the optimization of our online services and our web presence. You can object to the anonymous web analysis at any time:

    Recipients
    The recipient of the data is the processor and the responsible departments.

    Transmission to third countries
    The data generated with etracker is processed and stored by etracker exclusively in Germany on behalf of the provider of this website and is thus subject to strict German and European data protection laws and standards. No transmission to third countries takes place.


    3.2.2.2 Matomo - LabCampus

    For the LabCampus website, we use Matomo (formerly Piwik), an open source software for statistical analysis of visitor access. Cookies are used, which are saved on your computer for up to 13 months and enable a statistical analysis of the use of the website.

    In this context, usage information including the shortened IP address of the accessing computer is transmitted and stored for analysis purposes. By shortening the IP address, website users remain anonymous. Only a "session ID" (cookie) is carried and stored as the common key of a page visit. A "session" ends when the web browser is closed.

    The website access information used for usage analyses includes date, time, location (city), browser type, capabilities and language, operating system/device type, length of website visit, visits by server and local time, pages visited, usage history, search engine used and search terms used to access the LabCampus website, URL referencing the LabCampus website.

    By "turning off" the tracking, a so-called opt-out cookie is generated in the web browser. This causes Matomo to no longer collect the usage data of this website visit. Note: If this opt-out cookie is deleted by the user in the web browser settings, the collection of statistical data by Matomo is reactivated.

    The recipient of the data is the commissioned processor (Büro am Draht GmbH) as well as the responsible departments of LabCampus GmbH. The statistical data generated by the website visit is used exclusively by LabCampus GmbH to improve the online offer and the most targeted use of resources. No other use, combination with other data or transfer to third parties takes place.

    The legal basis for the placement of the Matomo cookie on your terminal device is §25 TTDSG (consent).

    The legal basis for the data processing associated with our use of Matomo is Art. 6 para. 1 p. 1 lit. f) DSGVO (balancing of interests, based on our legitimate interest in continuously adapting the design of the website to the interests and needs of users).

    If you do not consent to the placement of the Matomo cookie, no placement will be carried out. Once you have given your consent to the placement, you can revoke this at any time with effect for the future via the data protection settings of the Consent Manager.

    You can object to the described (downstream) data processing at any time, as far as it is person-related. Your opt-out will not have any adverse consequences for you. To do so, please contact: datenschutzbeauftragter@munich-airport.de.

    You can find more information about Matomo here.


    3.2.3 Pixels and advertising cookies used on our websites

    3.2.3.1 Google Ads

    Our website uses Google conversion tracking. If you have reached our website via an advertisement placed by Google, Google Ads will set a cookie on your computer. The cookie for conversion tracking is set when a user clicks on an ad placed by Google. These cookies lose their validity after 30 days and are not used for personal identification. If the user visits certain pages of our website and the cookie has not yet expired, we and Google can recognize that the user clicked on the ad and was redirected to this page. Every Google Ads customer receives a different cookie. Cookies cannot therefore be tracked via the websites of Ads customers.

    The information obtained using the conversion cookie is used to create conversion statistics for ads customers who have opted for conversion tracking. Customers learn the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, you will not receive any information that can be used to personally identify users.

    You can find more information on the handling of user data on Google Ads in Google's data protection declaration.

    In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, Google has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.

    This data processing takes place on the basis of the statutory provisions under Art. 6(1) sentence 1 (a) (consent) of the General Data Protection Regulation (GDPR). You can revoke your consent to Google Ads via the data protection settings in the Consent Manager at any time.

    3.2.3.2 Bing Ads

    On the website we use technologies from Bing Ads (bingads.microsoft.com), which are provided and operated by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA ("Microsoft"). Microsoft places a cookie on your device if you click on a Microsoft Bing ad. Microsoft and we can see in this way that someone clicked on an ad, was redirected to our website and reached a predetermined landing page. These cookies are not used for personal identification, only the total number of users who clicked on a Bing ad and were then forwarded to the target page can be evaluated. The landing pages are typically booking or registration confirmation pages (e.g. when booking a parking space or an event ticket).

    You can prevent the collection of the data generated by the cookie and related to your use of the website as well as the processing of this data by Microsoft by using the following link http://choice.microsoft.com/de-DE/opt-out your Declare contradiction. Further information on data protection and the cookies used by Microsoft and Bing Ads can be found on the Microsoft website.

    3.2.3.3 Marketingcookies LabCampus

    3.2.3.3.1 Google Ads - LabCampus

    The LabCampus website uses Google conversion tracking. If you have reached our website via an ad placed by Google, a cookie is set on your computer by Matomo and subsequently forwarded to Google Ads. The conversion tracking cookie is set when a user clicks on an ad placed by Google. These cookies lose their validity after 30 days and are not used for personal identification. If the user visits certain pages of our website and the cookie has not yet expired, we and Google can recognize that the user clicked on the ad and was redirected to this page. Each Google Ads customer (here: LabCampus GmbH) receives a different cookie. Cookies can therefore not be tracked beyond the websites of Ads customers.

    The information collected using the conversion cookie is used to generate conversion statistics for Ads customers who have opted in to conversion tracking. Customers learn the total number of users who clicked on their ad and were redirected to a page tagged with a conversion tracking tag. However, they do not receive information that personally identifies users.

    Processor

    Büro am Draht
    Blücherstr. 22
    10961 Berlin

    Data processing purposes

    Playing out targeted advertising and measuring advertising effectiveness.

    Data collected

    • Information about the operating system
    • Web pages visited
    • Previous website from which you accessed our site
    • Data and contain times, from website or platform accesses from our site
    • Event information (e.g., irregular system crashes)
    • General location information (e.g., city)
    • Conversion tracking
    • IP address
    • Unique ID

    Legal basis

    The following is the required legal basis for the processing of personal data: Art. 6 para. 1 s. 1 lit. a DSGVO (consent).

    The required legal basis for the use of cookies and similar technologies for this tool: Art. 25 TTDSG para. 1 (consent).

    Place of processing

    Germany

    Retention period

    24 months

    Data recipient

    Google Ireland Limited
    Gordon House, Barrow Street
    Dublin 4, Ireland

    For more information on how Google Ads handles user data, see Google's privacy policy.

    Transfer to third countries

    We would like to point out in this context that the processed data is also sent to the Google Group in the USA as a result of the use of cookies. In terms of data protection law, the USA is an insecure third country in which there is no adequate level of data protection within the meaning of the GDPR. In order to nevertheless establish such a level, Google has concluded the so-called standard contractual clauses (SCC). Through the clauses, Google undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here.

    3.2.3.3.2 Taboola - LabCampus

    Cookies from Taboola are used on our website. Using these cookies, we can target visitors to our website with advertising by displaying individualized ads for them. For this purpose, a small file with a sequence of numbers is stored in the browsers of the visitors. This number is used to record visitors to the website as well as anonymized data on the use of the website. Subsequently, you may be shown advertisements that are highly likely to take into account previously accessed product and information areas. In addition, we use the cookies to evaluate and support online marketing measures in order to record the effectiveness of the advertisements for statistical purposes. Thus, we can see how many website visitors have clicked on an ad and completed it. In both retargeting and completion conversion tracking, no personal data is stored. You can find more information here.

    Processor

    Taboola Germany GmbH
    Alt-Moabit 2
    10557 Berlin

    Data processing purposes

    Playing out targeted advertising and measuring advertising effectiveness.

    Collected data (source: Taboola)

    • Information about the operating system
    • Web pages visited
    • Previous website from which you arrived at our site
    • Data and contain times, from website or platform accesses from our site
    • Event information (e.g., irregular system crashes)
    • General location information (e.g., city)
    • Conversion tracking
    • IP address
    • Unique ID

    Legal basis

    The following is the required legal basis for the processing of personal data: Art. 6 para. 1 s. 1 lit. a DSGVO (consent).

    The required legal basis for the use of cookies and similar technologies for this tool: Art. 25 TTDSG para. 1 (consent).

    If you wish to object, you can do so at any time and without adverse consequences for you, here.

    Place of processing

    Germany

    Retention period

    13 months

    Data recipient

    Taboola

    Transfer to third countries

    Taboola also processes data in the USA, among other countries. We therefore point out that there is currently no adequate level of protection for the transfer of your data to the USA according to the ruling of the European Court of Justice and the opinion of the European Data Protection Board. This may entail various risks for the legality and security of data processing.

    Taboola uses the so-called standard contractual clause (Art. 46. para. 2 and 3 DSGVO) as the basis for processing data with recipients located in third countries or a data transfer there. Standard Contractual Clauses (SCC) are mandatory templates provided by the EU Commission to ensure that data complies with European data protection standards even if it is transferred to and stored in third countries (such as the USA).

    Taboola commits through the clauses to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the US. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here.

    For more information on the standard contractual clauses and on the data processed through the use of Taboola, please refer to the Privacy Policy at Privacy Policy | Taboola.com or at Taboola Privacy Addendum | Taboola.com.

    3.2.3.3.3 LinkedIn (Insight-Tag) - LabCampus

    For the website LabCampus, the so-called conversion tracking with LinkedIn Insights Tag is used. For this purpose, the LinkedIn Insight Tag is integrated on our pages and a cookie is set on your end device by LinkedIn. This informs LinkedIn that you have visited our web pages, whereby your IP address is also collected. In addition, timestamps and events such as page views are stored. This enables us to statistically evaluate the use of our website in order to constantly optimize it. In this way, we learn, for example, via which LinkedIn ad or interaction on LinkedIn you came to our website. LinkedIn does not share any personal data with the website owner, but only provides reports and notifications (in which you are not identified) about the website audience and ad performance. LinkedIn also provides retargeting for website visitors so that the website owner can use this data to display targeted ads outside of their website without identifying the member.

    Processor

    LinkedIn Ireland
    Wilton Plaza, Wilton Place
    Dublin 2, Irland

    Data processing purposes

    Playing out targeted advertising and measuring advertising effectiveness.

    Collected data (source: LinkedIn)

    • URL
    • Referrer URL
    • IP address
    • Device and browser properties (user agent)
    • Conversion tracking
    • Retargeting function
    • Timestamp

    Legal basis

    The following is the required legal basis for the processing of personal data: Art. 6 para. 1 s. 1 lit. a DSGVO (consent).

    The required legal basis for the use of cookies and similar technologies for this tool: Art. 25 TTDSG para. 1 (consent).

    Place of processing

    Germany

    Retention period

    90 days

    Data recipient

    LinkedIn

    Disclosure to third countries (source: LinkedIn)

    LinkedIn is aware of the July 16, 2020 decision of the European Court of Justice and the September 8, 2020 opinion of the Swiss Federal Data Protection and Information Commissioner (FDPIC) on the repeal of the EU-US Privacy Shield and the Switzerland-US Privacy Shield. LinkedIn follows the developments and guidelines of the European Commission, the FDPIC and the US government.

    The LinkedIn Services require that data be transferred from the European Union (EU), the European Economic Area (EEA) and Switzerland to the United States of America (USA) and back. To ensure that personal data from the European Union is protected when transferred outside the EU, the General Data Protection Regulation (GDPR) requires that such transfers be made using certain legal instruments, which are described on the European Commission's website.

    LinkedIn relies on standard contractual clauses approved by the European Commission as the legal instrument for data transfers from the European Union. These clauses are contractual obligations that require companies to protect privacy and data security when transferring personal data (e.g., between LinkedIn Ireland Unlimited Company or its customers and LinkedIn Corporation). LinkedIn companies follow standard contractual clauses to ensure that the data flows necessary to provide, maintain, and develop our services are legally secure.

    Note: LinkedIn data centers for storing member information are currently located in the United States.

    For more information on conversion tracking, please click here. Please note that the data may be stored and processed by LinkedIn so that a connection to the respective user profile is possible and LinkedIn may use the data for its own advertising purposes. For more information, please see LinkedIn's privacy policy at LinkedIn Privacy Policy. You can prevent the analysis of your usage behavior by LinkedIn as well as the display of interest-based recommendations here.

    LinkedIn members can control the use of their personal data for advertising purposes in their account settings.

  • 3.3 Survey tools

    3.3.1 Informizely

    To learn more about our visitors' needs and expectations, we use the survey tool by Informizely B.V., WG-plein 425, 1054SH, Amsterdam, Netherlands on our website. This tool enables us to create surveys to request specific feedback from you at defined touch points and at selected times. Informizely B.V. processes the data for us as an external processor.

    Your participation in these user surveys is optional.

    The following data are collected:

    • IP address (anonymized through partial deletion)
    • information on the device used (mobile device, desktop, etc.), operating system, browser type and versions
    • estimated geographical location (based on the IP address)
    • website from which our website is accessed
    • certain cookie information (if user is informed)
    • user behavior, i.e. data related to how a site visitor uses a survey (e.g. number of times a survey is displayed and whether the user completes it)
    • answers (open and closed) to survey questions

    These data are deleted or anonymized no later than one year after the completion of the survey.

    The legal basis for processing is Art. 6 Par. 1 sentence 1 a) (consent) and f) GDPR (balancing of interests based on our legitimate interest in asking visitors to our website for feedback on certain topics).

    More information on data protection at Informizely

    3.3.2 Lamapoll

    To learn more about our visitors' needs and expectations, we also use the survey tool Lamapoll, provided by Lamano GmbH & Co. KG, Prenzlauer Allee 36G, 10405 Berlin, Germany, on our website. This tool enables us to create surveys to request specific feedback from you at defined touch points and at selected times. Lamano GmbH & Co. KG processes the data for us as an external processor.

    Your participation in these user surveys is optional.

    The following data are collected:

    • Name
    • Email address
    • Answers (open and closed) to survey questions

    These data are deleted or anonymized no later than one year after the completion of the survey.

    The legal basis for processing is Art. 6 Par. 1 sentence 1 a) (consent) and f) GDPR (balancing of interests based on our legitimate interest in asking visitors to our website for feedback on certain topics).

    More information on data protection at Lamapoll

  • 3.4 Integrated maps (Google Maps)

    Our website uses Google Maps to represent our location and generate directions. Google Maps is an online map service by the US company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

    When retrieving a page on our website requiring a map, your browser will create a direct link to the Google servers and retrieve a map to display on your screen. To use Google Maps functions, it is necessary to process your IP address and information on your possible use of the map. This information is transmitted by your browser to a Google server in the USA and processed there by Google. At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. 

    In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, Google has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.  

    Further information on the handling of user data is available in the Google privacy statement.

    The legal basis for processing is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in showing visitors to our website their current location and information on directions to the airport).

  • 3.5 Integrated videos (YouTube)

    We embed YouTube videos in our web pages. The operator of the correspondent plugins is YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA ("YouTube"). YouTube is a subsidiary of the US company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

    When retrieving a page on our website containing an embedded video, your browser will create a direct link to the YouTube servers to retrieve and run the video content on your screen. To use this function, it is necessary to process your IP address and information on your possible use of the map. This information is transmitted by your browser to a YouTube server in the USA and processed there by YouTube. At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. 

    In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, Google has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.  

    Further information on data protection at YouTube is available in the Google privacy statement.

  • 3.6 Social media

    The social media channels used by us are described in detail in the sections below. We have a presence on the social media platforms of the following companies:

    • For our presence on this social media platform, we share responsibility with Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

      The data protection officer of Facebook can be contacted via the following link: Facebook data protection officer.

      We have regulated joint responsibility in an agreement covering the respective obligations in accordance with the GDPR. The agreement stipulating the mutual obligations can be accessed via the following link: Facebook information on page insights.

      When you access our page on the Facebook platform, Facebook Ireland Ltd., as the operator of the platform in the EU, will process the user data (e.g. personal information, IP address, etc.). These user data serve in particular to create statistical information on the use of our company page on Facebook. Facebook Ireland Ltd. uses these data for market research and advertising purposes and to create user profiles. Using these profiles, Facebook Ireland Ltd. can direct targeted, interest-based advertising at the user both inside and outside Facebook.

      It is possible that data will be processed either by Facebook Ireland Ltd. or Facebook Inc., 1601 Willow Road, Menlo Park, California 94025 in the USA. In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this Facebook has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.

      Further information on processing activities, how to block them and on the deletion of data processed by Facebook is available in the Facebook Privacy Policy.

    • We are jointly responsible for our presence on this social media platform with Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. In our relationship with Twitter, the user conditions and privacy policy of Twitter (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, Twitter has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.

      Further information is available in the Twitter privacy policy.

    • We are jointly responsible for our presence on this social media platform with YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA ("YouTube"). YouTube is a subsidiary of the US company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). In our relationship with YouTube, the user conditions and privacy policy of YouTube (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, Google has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.  

      Further information on data protection at YouTube is available in the YouTube Privacy Statement.

    • We are jointly responsible for our presence on this social media platform with Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, as the operator of Instagram. In our relationship with Facebook, the user conditions and privacy policy of Instagram (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      It is possible that data will be processed either by Facebook Ireland Ltd. or Facebook Inc., 1601 Willow Road, Menlo Park, California 94025 in the USA. In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, Facebook has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.

      Further information on data protection at Instagram is available in the Instagram privacy statement.

    • We are jointly responsible for our presence on this social media platform with LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland ("LinkedIn"). In our relationship with LinkedIn, the user conditions and privacy policy of LinkedIn (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      It is possible that the processing through LinkedIn Ireland Unlimited Company will also be carried out through LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085 in the USA.In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, LinkedIn has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.

      Further information on data protection at LinkedIn is available in the LinkedIn privacy policy.

    • We are jointly responsible for our presence on this social media platform with New Work SE, Dammtorstrasse 30, 20354 Hamburg, Germany ("XING"). In our relationship with XING, the user conditions and privacy policy of XING (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      Further information on data protection at XING is available in the XING privacy statement.

    • We are jointly responsible for our presence on this social media platform with New Work SE, Dammtorstrasse 30, 20354 Hamburg, Germany ("kununu"). In our relationship with kununu, the user conditions and privacy policy of kununu (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      Further information on data protection at kununu is available in the kununu privacy statement.

    The purpose of these social media channels is to advertise our products and services and communicate with interested parties or customers.

    When you contact us through one of these social media channels, we process the personal data associated with your query in the course of processing the query itself. These data are deleted as soon as the query is fully answered and statutory retention or archiving obligations no longer apply (e.g. in case of subsequent settlement of a contract).

    The legal basis for the related data processing is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in presenting our products and services and communicating with interested parties or customers).

4 Specific processing activities

Specific processing activities by FMG and its subsidiaries are described in greater detail in the following chapters.

  • 4.1 Websites

    The main website of Flughafen München GmbH and its subsidiaries is www.munich-airport.de (in German) and www.munich-airport.com (in English).

    This Privacy Statement also applies to all other websites of Flughafen München GmbH and its subsidiaries that are linked to it, in particular the following websites:

    WebsiteDomainResponsible company
    Gut für Bayern, Gut für Michgutfuerbayern.deFlughafen München GmbH
    InnovationPilotinnovationpilot.deFlughafen München GmbH
    Traveller’s Insighttravellers-insight.comFlughafen München GmbH
    Munich Airport Collaboration Portalacp.munich-airport.deFlughafen München GmbH
    ISH – Information Security Hubish-muc.comFlughafen München GmbH
    Aircraft noise map
    lx-travisrp01.munich-airport.de/data/travis.php
    Flughafen München GmbH
    Book parkingparken.munich-airport.deFlughafen München GmbH
    Airport Academymunich-airport.de/academy
    Flughafen München GmbH
    Passngrpassngr.deInfoGate Information Systems GmbH
    LabCampuslabcampus.deLabCampus GmbH
    FMG & Wohnenmunich-airport.de/fmg-und-wohnenMUC Airport Betriebs GmbH
    AirportClinicmunich-airport.de/airportclinicMunich AirportClinic GmbH
    Municonmunicon.deAllresto Flughafen München - Hotel und Gaststätten GmbH
    AirBräumunich-airport.de/airbraeuAllresto Flughafen München - Hotel und Gaststätten GmbH
  • 4.2 Contact form

    We offer you the option of using a contact form to ask us for information or support on specific questions.

    Categories of personal data
    We collect your first and last names and email address in any case so that we and/or our system partners to which your query is addressed can contact you.

    When you submit the contact form, the current IP address of the sender is saved for security reasons. Your data will be processed and treated confidentially in compliance with the applicable data protection regulations.

    We will store and process your data only to the extent and as long as required for handling your message.

    In order to process your inquiry in a subject-specific manner and to forward it internally to the right contact person, Munich Airport International GmbH, a subsidiary of Flughafen München GmbH, collects the following additional data in addition to the personal data mentioned: company & position.

    Categories of recipients
    In some cases, it will be necessary to forward your data to system partners such as airlines, government authorities or other companies in the FMG group to respond to your feedback. In addition, your data can be transmitted to external service providers for website support.

    Legal basis
    The legal basis for the related processing of your data is Art. 6 Par. 1 sentence 1 b) GDPR (performance of a contract and steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest: in answering queries from our customers and other interested parties).

    Google reCAPTCHA

    Our website uses Google reCAPTCHA to check and prevent automated servers ("bots") from accessing and interacting with our website. This is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (hereinafter: Google).

    Through certification according to the EU-US Privacy Shield https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active Google guarantees that it will follow the EU's data protection regulations when processing data in the United States.

    This service allows Google to determine from which website your request has been sent and from which IP address the reCAPTCHA input box has been used. In addition to your IP address, Google may collect other information necessary to provide and guarantee this service.

    The legal basis is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the security of our website and in the prevention of unwanted, automated access in the form of spam or similar. Google offers detailed information at https://policies.google.com/privacy concerning the general handling of your user data.

  • 4.3 Newsletter

    4.3.1. Newsletter Flughafen München GmbH


    At various locations you can subscribe to one or more email newsletters. By doing so, you give us your consent to use your email address for advertising purposes. The sender of the emails is always Flughafen München GmbH. The emails will contain information and offers on the following topics related to Munich Airport:

    • Promotions & Raffles,
    • Airport facilities and services such as parking, lounge or WLAN,
    • Useful services at the airport, e.g. car repair,
    • Travel to and from the airport, e.g. bus, train, car rental or car sharing,
    • Gastronomy and shopping at the airport,
    • Public events and experiences at the airport,
    • Flights and journeys from Munich Airport,
    • Discount offers for shopping & gastronomy,
    • Helpful tips on service topics,
    • Useful information about flights & airlines,
    • Travel offers,
    • Invitations to events.

    4.3.1.1 Registration for newsletters

    For your registration to take effect, we need a valid email address. To check that the registration is in fact coming from the owner of the email address, we employ the double opt-in process. For that purpose, we log the newsletter order, the dispatch of the confirmation email and the receipt of the requested reply. To log these events, we record the exact time and the IP address of the end device.

    4.3.1.2. Basic newsletters and personalized newsletters

    If you select a basic newsletter, we will not personalize the contents to reflect your interests in detail. We therefore do not request data from you to personalize the newsletter and instead collect only the data necessary for directly providing the newsletter. Typically this means your email address and possibly your name.

    When sending corresponding e-mails to you, we may also consider the following additional information:

    • the information that you are booking or are registered for a specific offer at Munich Airport with your email address, with which you have already signed up for in the newsletter (or might have done so in the past); and
    • which consent(s) you have granted or not granted to Flughafen München GmbH.

    In addition, the newsletter content can be personalized by request to reflect your individual interests. For details on the personalization of newsletters, see personalization and user profiles.

    Subscribers may also be informed by email of circumstances relevant to the service or registration (e.g. changes in the newsletter offers or technical issues).

    4.3.1.3 Duration of storage

    Your data will be stored when you subscribe to the newsletter and retained until you unsubscribe. Your registration will be successfully completed when you click the appropriate link in the confirmation email addressed to you.

    If you do not confirm the subscription link in the email, we will store your data for two weeks. The link will then expire and it will no longer be possible to use it to confirm your subscription. After this two-week period expires, your data will be immediately deleted. Of course you can register again by repeating the subscription process.

    When you cancel your consent to one of our newsletters, the unsubscribe process will be completed within 24 hours. Your data will be anonymized one year after you unsubscribe and the transaction will be fully deleted three years after your data are anonymized.

    4.3.1.4 Unsubscribing from newsletters

    Your consent for us to save your data and to use that information to send you the newsletter can be with-drawn at any time. Every newsletter contains a link for that purpose. In addition, you can unsubscribe at any time using the following email address, for example: newsletter.abmeldung@munich-airport.de. The withdrawal of your consent has no effect on the legality of the processing up to the time of withdrawal. Due to the lead times of the technical and organizational processes, in exceptional cases you may receive another newsletter after unsubscribing.

    Please note that a non-automated unsubscribe or data deletion request may take up to 14 days to implement depending on internal processes.

    4.3.1.5 Legal basis

    The legal basis for the data processing described in this subsection 4.3.1 is 

    • Art. 6 Para. 1 S. 1 Letter a) GDPR for the actual sending of the e-mails in conjunction with your respective statement of consent as well as
    • for the decision as to when we send which e-mail to which addressee, Art. 6 Para. 1 Clause 1 Letter f) GDPR in connection with our legitimate interest in sending as few irrelevant e-mails as possible to the recipients of our newsletter.


    4.3.2 Newsletter LabCampus GmbH

    At various points you can register for a LabCampus e-mail newsletter. By doing so, you give us permission to use your e-mail address for advertising purposes. The sender of the e-mails and controller of the processing is always LabCampus GmbH. 

    4.3.2.1 Registration for a newsletter, data, purposes, recipients

    For an effective registration we need a valid e-mail address. In order to verify that a registration is actually made by the owner of an e-mail address, we use the "double opt-in" procedure. For this purpose, we log the order of the newsletter, the sending of a confirmation e-mail and the receipt of the response requested therein. For the logging of the respective process, we record the exact time and the IP address of your end device.

    The following categories of personal data are processed: Gender (optional), title (optional), name, company name, e-mail address.

    The content of the emails is information and offers on the following topics related to LabCampus; your data will be processed exclusively for these purposes:

    • Information and updates about LabCampus
    • Event invitations
    • Interesting facts on the topics of innovation, collaboration, new work

    Your data will be transferred to the following recipients or categories of recipients:

    • Internal company recipients (e.g., departments responsible for processing for a specific purpose)
    • Cooperation partners with whom we provide our services
    • External contractors, such as online marketing service providers in accordance with Art. 28 EU-FGDPR
    • Courts, authorities or other state institutions in the event of legal obligations.

    A transfer to a third country outside the European Union is intended. Specifically, the following transfer is intended: Transfer of data to United Kingdom of England (safe third country according to the adequacy decision issued by the EU Commission pursuant to Article 45 (3) of the GDPR). 

    4.3.2.2 Legal basis

    The legal basis for the data processing described in this section 4.3 is Art. 6 para. 1 sentence 1 letter a) DSGVO in conjunction with your respective consent.

    4.3.2.3 Storage period

    Your data will be stored upon registration for the newsletter until revoked. Successful registration takes place when you click on the confirmation link in the e-mail addressed to you.

    If you do not confirm the newsletter registration link in your e-mail, we will store your data for two weeks. After that, the link becomes invalid and registration via the link is no longer possible. Your data will then be deleted immediately after this two-week period has elapsed. A new registration is of course possible via a new registration.

    As soon as you cancel our newsletter, you will be completely unsubscribed from our newsletter with immediate effect. The complete deletion of your transaction and your data will also take place with immediate effect. Please note that a non-automated unsubscription or deletion may take up to 14 business days due to internal processes.

    4.3.2.4 Newsletter withdrawal

    You can withdraw your consent to the storage of your personal data and its use for the newsletter dispatch at any time. There is a corresponding link in each newsletter for this purpose. You can also unsubscribe at any time via the following e-mail address: contact@labcampus.de. The withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. Due to technical and organizational process runtimes, it may happen in exceptional cases that you receive another newsletter after you have unsubscribed. The legality of the data processing operations carried out until the withdrawal remains unaffected by the withdrawal.

  • 4.4 Personalization and user profiles

    If you primarily wish to receive contents relevant to you, then select personalized information.

    4.4.1 User profile

    To present content that is relevant to you, we need an optimal understanding of your interests. For this per-sonalized information, we therefore create a personalized user profile for you.

    In this personalized user profile, we save identifying characteristics such as your name and email address together with your contractual and usage data. This ensures that we can personalize our services for you. For example, in the newsletter you will only receive content provided on countries that are likely to interest you or special tips for business travelers – depending on the aspects that apply to you.

    4.4.2 Data sources

    In the user profiles, we collect data from various sources within the Munich Airport group of companies to arrive at the best possible overview of your interests. These sources are based on the declarations of consent submitted by you and may include the following data:

    • the airport website
    • the airport newsletter
    • the PASSNGR app
    • online parking reservations
    • WLAN registration at the airport
    • booking/reserving airport tours, lounges, events and other offers
    • input in contact and feedback forms
    • participation in contests offering prizes
    • bonus and customer loyalty programs
    • suggestions for improvements submitted through electronic channels

    4.4.3 Contractual and usage data for personalization

    • cookies, and in particular long-term cookies
    • start and end time of use
    • opening the newsletter, app or other services
    • functions and pages accessed over time
    • clicking on newsletter content
    • origin of use, e.g. whether a search engine was used first
    • duration of page views
    • salutation
    • first name
    • last name
    • address
    • Email address
    • consents, e.g. to receive a newsletter or for the use of mobile apps
    • date of birth
    • payment and transaction data
    • telephone number
    • other contractual data

    4.4.4 Withdrawal of user profile

    You can withdraw your consent for the storage of your personal data at any time. In addition, you can un-subscribe at any time using the following email address, for example: newsletter.abmeldung@munich-airport.de. Revoking your consent has no effect on the legality of the processing up to the time of revocation. Due to the lead times of the technical and organizational processes, it is possible in exceptional cases that the personalization of content as described in this section will continue for up to 48 hours after your with-drawal of consent.

  • 4.5 WLAN/Wifi

    The free wifi coverage at Munich Airport is provided by Telekom Deutschland GmbH. Consequently, the separate terms and conditions for the HotSpot and the privacy statement of Telekom Deutschland GmbH shall apply. Flughafen München GmbH grants access to the WLAN of Telekom Deutschland GmbH.

    Purpose of processing and categories of personal data
    If you wish to use the free wifi, you must identify yourself as a user with your email address. In addition to your email address, we collect the following data:

    • the exact time of access,
    • your browser version,
    • IP address of your end device,
    • number of times free wifi is accessed and
    • your consent to our terms and conditions for free wifi

    We collect this data for the following purposes:

    • Contacting if necessary for the purpose of contract fulfilment (in accordance with the General Terms and Conditions (GT&C) for wifi) or processing (e.g. in connection with a possible violation of the contractual terms and conditions of use)
    • Provision of a free wifi for an additional passenger and visitor service

    When you register to subscribe to our email newsletter, the data provided by you are also used for that purpose: privacy statement for the newsletter.

    Legal basis
    As part of our contractually agreed terms of use (GT&C), personal data is used for the purpose of executing the contract. In this case, Art. 6 Par. 1 sentence 1 b) GDPR is the basis for permission under data protection law. Individual users can be temporarily or permanently blocked, e.g. in particular if the terms of use are violated.

    In addition, the data processing is based on Art. 6 Par. 1 sentence 1 f) GDPR balancing of interests, based on our legitimate interest in providing the user with free wifi and thus offering an additional service, e.g. for better orientation at the airport.

    Categories of recipients
    When you are transferred to the wifi access page of Telekom Deutschland GmbH, we also transfer the email address provided by you to that company.

    We may transmit data relating to you that we have stored to courts, authorities or other governmental bodies if this is necessary to prosecute statutory violations or if we are under the obligation to render information to the respective public body for other reasons.

    Apart from the foregoing, we do not transmit your data to third parties.

    Duration of storage
    We delete the data collected in connection with your access to wifi no later than six months after you use the wifi service.

    The indicated storage periods may be exceeded in exceptional cases if and to the extent that the data in question are needed for a longer period (e.g. for purposes of the required investigation and/or prosecution of a possible violation of the terms and conditions of the contract for use of the service).

    Revocation / objection / elimination options
    Your processed personal data are, provided they are based on the lawfulness of the processing according to Art. 6 Par. 1 sentence 1 b) GDPR, required to ensure the implementation of the terms of use. There is consequently no possibility of objection to personal data processing in this regard.

    For all processing activities that we base on our legitimate interests, you have acc. Art. 21 (1) GDPR, you have the right to object to the processing at any time for reasons that arise from your particular situation.

    Cookies

    Only technically necessary cookies are used on the wifi websites. These are specifically the following functional cookies:

    • f5_cspm
    • f5avr2042896050aaaaaaaaaaaaaaaa
    • TS01*

    The purpose of the data processing is the technically perfect provision of the site.

    Categories of recipients
    There are no data available to third parties.

    Duration of storage
    The cookies are deleted after each session of the visitor. The data will not be passed on to third parties.

    Legal basis
    The legal basis for the corresponding processing of your data is Art. 6 Par. 1 sentence 1 f) GDPR, with the legitimate interest to be able to provide the site and its content.

  • 4.6 Photography, video and sound recordings

    This privacy policy applies to photography, video and sound recordings (referred to below as "images and recordings") created by Flughafen München GmbH on various occasions (e.g. photo shoots, events). This privacy policy does not apply to data processing in connection with surveillance measures (e.g. video monitoring).

    The images or recordings may be made in connection with photo shoots or events, for example. For this purpose, we will either obtain your consent in advance or at least inform you in your personal invitation or on location (e.g. in case of public events without personal invitations) that such images or recordings will be made. We do not secretly produce images or recordings.

    Categories of personal data
    In addition to the photos, video and sound recordings, we may process other personal data that we collect from you (such as your name and email address) in connection with the recording.

    Flughafen München GmbH may use the images and recordings for print publications, in broadcasting or in electronic media for corporate communications (e.g. reports, flyers, posters, brochures, presentations, websites, intranet, press releases) and for documentation purposes (e.g. archives). The images and recordings may be shared with third parties (e.g. journalists) and disseminated in social media (e.g. Facebook, Twitter). The possible uses of the images or recordings includes all known and unknown uses as well as the editing and modification of the images or recordings. Flughafen München GmbH may grant the same utilization rights to its subsidiaries and participating interests. However, images and recordings will be utilized as de-scribed here only to the extent that this is covered by a basis for authorization (e.g. consent, contract, law).

    Duration of storage
    If you have granted us your consent or if we have entered into a contract with you, the data will be deleted with the expiry of the consent or contract. If we are processing the data on the basis of a legitimate interest pursuant to Art. 6 Par. 1 f) GDPR, the data will be deleted when the legitimate interest no longer applies.

    For FMG employees only: If the recordings are made for purposes of establishing and implementing an employment relationship, we will delete them when the corresponding purpose is fulfilled. If the processing is regulated in a works agreement, the storage periods may be stipulated in that agreement.

    Statutory archiving periods may require us to store the data for a longer period on the basis of Art. 6 Par. 1 c) GDPR.

    Categories of recipients
    If we have obtained the necessary utilization rights for the recordings, we will transfer the recordings to our subsidiaries and participating interests as required so that they can also use them. In all other respects, we will forward your data to our service providers only in compliance with the applicable data protection laws. Our service providers who may be granted access to the recordings and data include IT service providers, printers and advertising agencies.

    For our image database we use a solution provided by CELUM GmbH, Passaustrasse 26-28, 4030 Linz, Austria ("CELUM"). The image database is maintained on our servers. CELUM may access the images when providing support. We have entered into an external processing agreement with CELUM under which CELUM has undertaken to process personal data only in accordance with our instructions. Further information on data protection at CELUM is available at: https://www.celum.com/en/privacy-cookie-policy/.

    To the extent that we are permitted to use your recordings in social media channels, we cannot preclude the possibility that they will be transmitted into a country outside the EU. The US social media servers used by us are certified under the EU/US Privacy Shield Framework and are obliged to comply with the provisions of the GDPR.

    It is also conceivable that, as part of our international media relations and corporate communications, we will transfer some recordings or images in compliance with the applicable data protection regulations to media, press representatives or agencies outside the EU and the European Economic Area so that the recordings or images can be published there.

    Legal basis
    If you have granted us consent, the legal basis for processing is Art. 6 Par. 1 a) GDPR. If consent is granted by employees of FMG, the legal basis of processing under data protection laws in this case is Art. 6 Par. 1 a) GDPR in conjunction with Section 26 Par. 2 of the German Data Protection Act (BDSG).

    If we conclude a contract with you (e.g. for a photo shoot), then the use of the recordings and other personal data will serve the purposes of executing the contract and will take place in accordance with our contractually agreed utilization and exploitation rights. In that case, the legal basis for processing under data protection laws is Art. 6 Par. 1 b) GDPR.

    If the recordings are made for purposes of establishing and implementing an employment relationship with FMG, the primary legal basis for processing is Section 26 Par. 1 BDSG.

    We will produce photos, video or audio recordings at events etc. without your consent and without a contractual agreement only if a legitimate interest applies in accordance with Art. 6 Par. 1 f) GDPR. Such a legitimate interest may result from the provisions of Section 23 of the German Art Copyright Act (KUG). This is conceivable, for example, in case of:

    • images of historical interest in which you appear;
    • images in which you can be seen incidentally near a specific location or
    • images of gatherings or public events in which you participated.

    In addition to the original purpose for producing the recordings, we may also store recordings and the related data for documentation or archiving purposes unless this is prohibited under contractual or statutory regulations. In this case, our legitimate interest in accordance with Art. 6 Par. 1 f) GDPR is the use of the recordings for publications on our company's history.

    To the extent that we process data in accordance with Art. 6 Par. 1 f) GDPR, we always give due consideration to the question of whether you have overriding interests in the specific case at hand that outweigh our legitimate interests in using the data.

  • 4.7 Passngr app website

    Passngr is the app shared by a number of German airports. With this app, you always have all of your travel information on hand: your flight data, important information for finding your way in your departure and arrival airports, and the most convenient way of getting to and from the airport. The Passngr app is offered and operated by InfoGate Information Systems GmbH, a subsidiary of Flughafen München GmbH.

    For the Passngr app website (https://www.passngr.de), the general privacy information for websites provid-ed in this Privacy Statement applies. In addition, you can enter your mobile phone number on this website to ask for a link to be sent to the Passngr app on your phone. We will use your mobile phone number for this purpose only and will then delete it.

    The privacy policy for the Passngr app can be accessed directly from the app under "Settings" – "About the Passngr app".

  • 4.8 Parking reservations

    1. Description and scope of the specific data processing
    You can quickly and easily make advance parking reservations on our website at parken.munich-airport.de. The provider and contractual partner is Flughafen München GmbH.

    During the booking process for your parking space, the following data are collected:

    • company
    • salutation
    • first name
    • surname
    • address
    • e-mail address
    • telephone number
    • other contract data (planned and actual start of parking, planned and actual end of parking, product, parking area / parking garage, price, possible promotions or promotion codes)
    • time of booking
    • payment details
    • affiliate network

    If you register with us or book without a customer account, we will collect, save and process the above data to make the booking process easier for you. We use your data, among other things, to confirm and provide the booked services (including additional services), invoice processing, reimbursement in the event of cancellation, quality assurance, contact if necessary, e.g. in the case of rebooking, car park or product changes or air traffic restrictions. You can have your customer account deleted by sending an email to our Customer Service Center (info.parken@munich-airport.de). A deletion only takes place after the completion of any ongoing or future parking processes and the associated payment processing.

    In addition to booking your parking space, we offer you optional additional services during the booking process, so-called premium services such as a car wash, interior cleaning, etc. In addition to the data mentioned, we also collect the following data:

    • license plate
    • vehicle manufacturer
    • vehicle model
    • vehicle color

    The additional services are carried out and carried out by our service provider. If the additional services are booked, a copy of the booking confirmation will be sent to the service provider's scheduling department. The service provider can thus plan the corresponding resources for the implementation of the service more efficiently and better allocate the vehicle for the implementation of the service. This also facilitates customer communication, especially when booking additional services.

    2. Purposes of processing
    1) Booking of parking spaces
    2) Booking of additional services such as car wash and interior cleaning

    3. Legal bases
    The legal basis for the appropriate data processing are

    • article 6 Par. 1 sentence b) GDPR, fulfillment of the contract for the online booking of parking spaces and the booking of any additional services including online booking conditions, airport usage regulations
    • article 6 Par. 1 sentence c) GDPR: fulfillment of the legal obligation to comply with statutory retention periods with regard to the storage of invoices for the services provided

    4. Storage period
    After your booking, the data will be stored until the respective statutory retention period of ten years has expired. Data that you have additionally provided for booking an optional additional service will be stored for two years.

    5. Recipient
    The personal data you provide will be collected, stored and processed by us, our system provider as contract processors and the credit card acquirers or payment service providers involved to process your booking and the parking and payment process. In the event that additional services are booked, these will be transmitted to our service provider, who will save and process them.

    6. Transmission to third countries
    There is a transfer to the United Kingdom (processor location).

    7. Options for elimination / revocation
    Your processed personal data are, if they are based on the lawfulness of the processing according to Art. 6 Par. 1 sentence b) or c) GDPR, necessary in order to conclude / carry out the contract with Flughafen München GmbH as part of your parking process or the additional service you have booked guarantee. There is consequently no possibility of objection in this regard.

  • 4.9 Automatic number plate detection at parking entrances

    4.9.1 Description and scope of data processing

    The number plate of your vehicle is read by an infrared camera when entering the parking area. After successful entry, the parking system stores the identified number plate along with the entry time and the entry post.

    The number plate is also stored in the system for parking facility management purposes until the vehicle has exited the facility. 

    The data are used exclusively for the purposes stated under 4.9.2 and will not be passed on to third parties.

    In the automatic capture of number plates and the related processing of parking transactions, the following personal data are processed:

    • The captured infrared image of the vehicle number plate in clear text, the parking facility used, the entry and exit device, the entry and exit times (date, time), the card number on the ticket or the medium used for long-term parking access.
    • In case of short-term parking tickets and online reservations, the parking charge.
    • In case of long-term parking tickets, the data of the contractual partner (last name, first name, company).
    • In case of online reservations, the email and postal address.

    4.9.2 Purposes of the data processing

    Personal data are processed for the following purposes

    1. Processing the parking transaction
    2. Improved traffic flow
    3. Opening barriers
    4. Proof of parking times in case of improper reimbursement claims
    5. Issuing receipts at a later date
    6. Avoiding and prosecuting criminal offenses and property damage
    7. Identifying and taking action against violations of parking facility regulations
    8. Blocking number plates in the system

    4.9.3 Legal basis for data processing

    The legal grounds for the data processing are as follows:

    • For the purposes stated in 1, 2, 3, 4, 5, 7: Art. 6 (1)(b) GDPR
      Performance of contracts, e.g. contract for parking space rental / terms of use agreement, terms and conditions for parking, special terms and conditions for online bookings, Airport Rules and Regulations.
    • For purposes 6 and 8: Art. 6 (1)(f) GDPR
      Safeguarding our legitimate interests (e.g. damage claims, controlling access to our premises, preventing the fraudulent evasion of parking charges).

    4.9.4 Legitimate interests

    The purposes listed under 6 and 8 enable us to pursue our legitimate interests in preventing the fraudulent evasion of parking charges, pursuing possible claims to damages and asserting our right to control access to our premises. The processing is also necessary and appropriate for fulfilling those purposes.

    4.9.5 Duration of storage

    The number plate images are deleted from the parking system one day after the successful exit from the parking facility and the completion of the parking transaction. In the system that manages the parking facilities and stores the relevant data records, the record is deleted after 92 days.

    4.9.6 Right to object / right to erasure

    To the extent that the legal basis for processing your personal data is based on Art. 6 (1)(b) or (c) GDPR, this processing is required in order to enter into or fulfill a contractual relationship with Flughafen München GmbH in connection with your parking transaction. Consequently, there is no right to object in that regard.

    For all processing activities carried out by us on the basis of our legitimate interests, you have the right, on grounds related to your particular situation, to object to such processing at any time pursuant to Art. 21 (1) GDPR.

  • 4.10 Bookings/reservations

    4.10.1 Airport tours

    On our website at munich-airport.de/airport-tours you can find a selection of seasonal and year-round tours for adults and children where you can obtain in-depth insights into Munich Airport's operations.

    The provider of the products and services is Flughafen München GmbH. The bookings and payment transactions are implemented by Regiondo GmbH with headquarters in Munich, Germany.

    Categories of personal data
    The following data are collected when tours are booked:

    • first name
    • last name
    • email address
    • telephone number
    • tour data

    Recipients
    The personal data provided by you will be collected, stored and processed by us, Regiondo GmbH, and by the credit card acquirer or payment services provider involved in the processing of your booking and the tour and payment transaction.

    Duration of storage
    After your booking, the data collected will be stored until the end of the applicable statutory retention periods of six and/or ten years.

    Legal basis
    The legal basis for the processing of your data described in this section is Art. 6 Par. 1 sentence 1 b) GDPR (contractual performance and steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 c) GDPR (compliance with legal obligation to comply with statutory retention periods).

    4.10.2 Lounge bookings

    You can find a list of lounges available at the airport on our website at munich-airport.de/lounges. For some of these lounges you can book tickets or vouchers through our website. The provider of the lounges that can be booked is Flughafen München GmbH. The bookings and payment transactions are implemented by Regiondo GmbH with headquarters in Munich, Germany.

    Categories of personal data
    The following data are collected when bookings are made:

    • first name
    • last name
    • email address
    • telephone number
    • booking details
    • payment data

    Recipients
    The personal data provided by you will be collected, stored and processed by us, by Regiondo GmbH and by the credit card acquirer or payment services provider involved in the processing of your booking and the lounge use and payment transaction.

    Duration of storage
    After your booking, the data collected will be stored until the end of the applicable statutory retention periods of six and/or ten years.

    Legal basis
    The legal basis for the processing of your data described in this section is Art. 6 Par. 1 sentence 1 b) GDPR (contract performance and steps prior to entering into a contract) and Art. 6 Par. 1 sen-tence 1 c) GDPR (compliance with legal obligation to comply with statutory retention periods).

    4.10.3 Events

    On our website at munich-airport-camarketing.regiondo.de and allresto.regiondo.de you can find events hosted by Flughafen München GmbH and Allresto Flughafen München Hotel und Gaststätten GmbH. For some of these events you can book tickets or vouchers through our website. The event providers are Flughafen München GmbH and/or Allresto Flughafen München Hotel und Gaststätten GmbH. The bookings and payment transactions are implemented by Regiondo GmbH with headquarters in Munich, Germany.

    Categories of personal data
    The following data may be collected when bookings are made:

    • first name
    • last name
    • email address
    • telephone number
    • booking details
    • payment data
    • recipients

    The personal data provided by you will be collected, stored and processed by us, by Regiondo GmbH and by the credit card acquirer or payment services provider involved in the processing of your booking and the event and payment transaction.

    Duration of storage
    After your booking, the data collected will be stored until the end of the applicable statutory retention periods of six and/or ten years.

    Legal basis
    The legal basis for the processing of your data described in this section is Art. 6 Par. 1 sentence 1 b) GDPR (contract performance and steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 c) GDPR (compliance with legal obligation to comply with statutory retention periods).


    4.10.4 Events LabCampus

    On our website labcampus.de you will find events organized by LabCampus GmbH. You can register online for some of these events via our website. The provider of the events and the person responsible under data protection law is LabCampus GmbH.

    Contact the data protection officer: datenschutzbeauftragter@munich-airport.de.

    Categories of personal data

    The following data will be collected during registration:

    • First name
    • Surname
    • Company
    • Position (optional)
    • E-mail address

    Purpose of processing

    Your data will be processed for event invitation, implementation and communication based on relevant legitimate interests. Without providing the required data, you will not be able to participate in the event. Following the event, we will send you a one-time email, together with a note on our services, with the most important information at the event.

    Legal basis

    The legal basis of the corresponding processing of your data is Art. 6 para. 1 lit. f DSGVO (legitimate interest of the responsible party).

    Duration of storage

    Your data that we process as part of the event will be deleted by LabCampus GmbH after the event has been held and the follow-up has been completed.

    Categories of recipients & transfer to third countries

    Your data will only be processed by LabCampus GmbH. A transfer to third parties or third countries is not intended.

    Revocation/removal options

    In the event of your objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. We would like to point out that in the event of an objection, participation in an event may not be possible. To exercise your rights of access, rectification, erasure, restriction of or objection to the processing and transfer of personal data, to lodge a complaint with the supervisory authority and for further information, please contact: LabCampus GmbH, P.O. Box 23 17 55, 85326 Munich Airport or by e-mail: events@labcampus.de,

  • 4.11 Contests, prize draws, and campaigns in general

    The section of the Privacy Statement applies to our processing of personal data of participants in contests, prize draws or campaigns run by Flughafen München GmbH. If you subscribe to a newsletter when taking part in a contest, please note the privacy information regarding newsletters.

    4.11.1 Implementation

    For purposes of implementing the prize draw, we process the personal data of the participants – in particular the email address and, at the appropriate time, the address of the winner – which we need for recording the participants' details, notifying the winner and presenting the prize.

    For purposes of implementing the prize draw, we store the participants' personal data until the draw is completed and the winner is notified and for a further period in case the winner does not reply when notified so that a new winner must be drawn.

    In addition, we store the winner's personal data – including the address obtained when the winner is notified – to complete the necessary steps for awarding the prize and, if applicable, for the duration of any additional statutory retention periods.

    Contest participants are not required by law or contractual provisions to provide the above-mentioned personal data. However, for purposes of entering into the contract, i.e. participation in the prize draw, it is necessary to provide the data in our registration form marked as mandatory (as opposed to optional input). The address of the winner obtained after the draw is necessary for sending the prize.

    4.11.2 Forwarding data to other recipients

    Unless otherwise indicated elsewhere in this Privacy Statement, we transfer your personal data to the following additional recipients or categories of recipients:

    • Newsletter mailing and customer relationship management service providers
    • Cooperation partners used by us to deliver our services


    4.11.3 Legal basis

    Legal basis for the data processing described in the section "Contests, prize draws, campaigns":

    • consent of the data subject (Art. 6 Par. 1 sentence 1 a) GDPR
    • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6 Par. 1 sentence 1 b) GDPR).
    • legitimate interests (Art. 6 Par. 1 sentence 1 f) GDPR) Defense of legal claims
  • 4.12 Express Queue

    “Express Queue” at Munich Airport

    1. Introduction / Scope

      This Privacy Statement contains information about the processing of personal data in conjunction with the use of the “Express Queue,” a service offered by Flu-ghafen München GmbH (FMG) to book a time slot at the security and passport control checkpoints in Terminal 1 in Module B and C.
      Web pages of other providers, for instance those referenced via links, are subject to the privacy notices and statements provided therein.
      The information in this Privacy Statement is intended to help fulfill our informa-tional duties under data protection law – particularly the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). This Privacy Statement uses terms that are defined in the GDPR.

    2. Controller & Contact

      The controller (within the applicable scope) is:
      Flughafen München GmbH
      Nordallee 25
      85356 München-Flughafen
      Email: support-express.queue@munich-airport.de

      Further details in the Legal Notice

    3. Contact for the Data Protection Officer

      Data Protection Officer for Flughafen München GmbH, email: datenschutz-beauftragter@munich-airport.de

    4. Categories of Personal Data

      The following categories of personal data are processed:
      - Email address
      - Flight number, flight destination and airline
      - Number of passengers in the booking transaction (group size)
      - Data that is collected automatically for technical reasons when you visit the Munich Airport information page for the “Express Queue.” Detailed in-formation about the data processed in this context can be found under 3.1 of the Privacy Statement for Munich Airport.
      - The Munich Airport information page for the “Express Queue” performs an anonymous (cookie-less) web analysis. Detailed information about this can be found under 3.2.2.1 of the Privacy Statement for Munich Airport.
      - Data that is collected automatically for technical reasons when you visit the booking page operated by our external implementation partner, for instance your browser type and version, your operating system, the date and time of access, your anonymized IP address, internet service provider, and similar data (“Usage Data”).

    5. Purposes of Processing Personal Data

      Your data will be processed exclusively for the following purposes:
      - Booking the time slot for the security checkpoint at Munich Airport
      - Reviewing of the booking at Munich Airport by airport employees (QR code)

    6. Legal Basis for Processing Personal Data & Legitimate Interests

      The processing of personal data takes place on the following legal basis:
      - Usage Data when the website is called up (information page and booking page for the “Express Queue”) Purpose: operating the website Legal basis: our legitimate interest (Art. 6 Para. 1 lt. f GDPR)
      - Email address, flight number, flight destination and airline, number of passengers Purpose: providing the “Express Queue” service (i.e. creating and sending the booking barcode) Legal basis: consent for processing (Art. 6 Para. 1 lt. a GDPR)
      - Purpose: following and implementing the applicable legal provisions, fulfilling our rights and duties Legal basis: statutory obligations (Art. 6 Para. 1 lt. c GDPR), our legitimate interest (Art. 6 Para. 1 lt. f GDPR)
      - Tracking data Purpose: website analyses The Munich Airport information page for the “Express Queue” performs an anonymous (cookie-less) web analysis. The booking page itself also does not contain any cookies. However, if you call up other areas of the Munich Airport website after that, cookies may be used; you will need to provide your consent for these. Legal basis: Art. 6 Para. 1 lt. a GDPR (further details can be found in the general Privacy Statement for Munich Airport.)

    7. Recipients

      Personal data is transmitted to the following recipients and/or categories of recipients:
      - The cooperation partner (with registered offices in the EU) and any sub-contracted processors (with registered offices in the US) that we use to provide our services. With the cooperation partner, we have established the necessary agreement for contracted data processing pursuant to Art. 28 GDPR; with the subcontracted processor, the cooperation partner has in turn created the necessary basis for transfers in compliance with data protection law (conclusion of the standard EU contractual clauses pursuant to Art. 46 GDPR).

    8. Transfers to Third Countries

      Any transfer to a third country outside the European Union requires involving the subcontractor (with registered offices in the US) of our cooperation partner. Such transfer is subject to the provision of suitable guarantees. These are provided in the standard EU contractual clauses concluded between the partners (pursuant to Art. 46 GDPR).

    9. Length of Storage

      Personal data shall be stored only for as long as necessary to achieve the above-mentioned purposes, or as long as required by the statutory storage and retention periods. Once the respective purpose no longer applies and/or these periods have ended, the corresponding data is routinely erased according to the statutory provisions.

      Specifically, the following storage periods apply:
      - Email addresses are stored for 72 hours.

    10. Data Protection Requests / Data Subject Rights

      Data protection law grants various rights to data subjects with regard to their personal data, particularly the right to obtain information about the relevant personal data; to obtain rectification, erasure, or restriction of processing; to object to processing; to data portability; and to revoke consent at any time.

      - Information: You have the right to request information from the controller pursuant to Art. 15 GDPR regarding your processed personal data. Please note that in certain circumstances, the right to information may be restricted by statutory provisions (particularly § 34 BDSG).
      - Rectification: You have the right to request immediate rectification from the controller pursuant to Art. 16 GDPR of inaccurate personal data concerning you. With consideration for the purposes of processing, you have the right to request the completion of incomplete personal data.
      - Erasure: You have the right to request that the controller erase your per-sonal data under the provisions of Art. 17 GDPR.
      - Restriction of processing: You have the right to request that the controller restrict processing of personal data concerning you, as defined in Art. 18 GDPR.

      As a precaution, the following is hereby noted: as a rule, so that data can be blocked at any time, certain personal data concerning the data subject must be kept in a lock file.
      - Data portability: Under the provisions of Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format, and you have the right to transmit this data to another controller or to have it transmitted directly from one controller to another.
      - Objection: Under the provisions of Art. 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you.
      - Revoking consent: You have the right to revoke your consent at any time with effect for the future. The processing of personal data on the basis of such consent shall remain legal until the time when it is revoked.
      - Contact information for exercising your rights as a data subject:
      Flughafen München GmbH
      Data Protection Inquiry
      Nordallee 25
      85356 Munich
      Email: datenschutzanfrage@munich-airport.de

    11. Right to Lodge a Complaint with a Supervisory Authority

      Regardless of any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of personal data concerning you is illegal. The responsible supervisory authority for the private sector is the Bavarian Data Pro-tection Supervisory Authority (Bayerisches Landesamt für Datenschutzaufsicht), Ansbach.

    12. Obligation to Provide Personal Data

      - The provision of personal data is not required by law.
      - The provision of personal data is necessary in order to use the “Express Queue.”
      - If you do not provide this data, you will not be able to use the FMG service “Express Queue.”

    13. Source of the Data

      The personal data is gathered directly from you.

    14. Automated Decision-Making (Including Profiling) and Consequences

      Automated decision-making does not take place.

    15. Explanation of Processing of Special Categories of Personal Data

      The Munich Airport information page for the “Express Queue” does not use cookies. The booking page also does not use cookies. Further information can also be found in the Privacy Statement on the booking page. Other areas of the Munich Airport website are subject to the general Privacy Statement.

    16. Reference to Further Information

      Additional information about data protection can be found in the general Privacy Statement of Flughafen München GmbH, which is linked below: https://www.munich-airport.de/scrivito/privacy-policy-376755.

    17. Version

      Date: October 4th, 2022
  • 4.13 MuniCon conference center

    The municon conference center is operated by Allresto Flughafen München GmbH - Hotel und Gaststätten GmbH. The municon conference center is located at the heart of Munich Airport in the north building of the Munich Airport Center, thus providing a professional setting for meetings, training seminars, presentations or major events.

    The website of the municon conference center offers the opportunity to complete a contact form to submit a callback request. Further information is available under Contact form.

    Categories of personal data
    The following data are collected when the request is submitted:

    • salutation
    • first name
    • last name
    • telephone number
    • email address

    Recipients
    The data will be used exclusively to make the requested call and, if applicable, to book a conference room. The data will not be shared with third parties.

    Legal basis
    The legal basis for the data processing described in this paragraph is Art. 6 Par. 1 sentence 1 b) GDPR (contractual performance and steps prior to entering into a contract).

  • 4.14 Aircraft noise complaints

    We offer you the possibility of using a contact form to contact us directly regarding aircraft noise. Relevant data collected in this case can be found under Contact form.

    Categories of personal data

    • name and contact data (e.g. telephone number, email address and postal address)
    • location data to concretely specify the cause of the complaint and the underlying event

    Special categories of personal data will be noted only to the extent that complainants provide such infor-mation on their own initiative. As they are not needed for the processing of complaints, no further processing will take place. Your data will be processed solely for the following purposes: Processing aircraft noise complaints, including reporting on the number and geographical distribution of aircraft noise complaints at the meetings of the Aircraft Noise Commission and in the Integrated Report of FMG (only the number of com-plaints).

    Recipients
    Personal data are sent to the following recipients or categories of recipients:

    • recipients within the FMG Group (e.g. departments with a role in the processing of noise complaints)
    • aircraft Noise Commission of Munich Airport (only information on the number and geographical distribution of noise complaints)
    • interested members of the public through the Integrated Report (only the number of aircraft noise complaints)
    • airport associations (only information on the number and geographical distribution of noise complaints)
    • courts, public authorities or other government bodies in case legal obligations apply

    Legal basis
    Legal basis for the processing of personal data: Necessity to safeguard the legitimate interests of the controller or a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. (see Art. 6 Par. 1 sentence 1 f) GDPR). FMG has a legitimate interest in limiting the impact of airport operations on the surrounding residents in the interests of good relations with its neighbors and maintaining transparency with regard to environmental issues. In addition, legitimate interests result from the responsibilities of the Aircraft Noise Commission (Section 32b of the Aviation Act (LuftVG), Rules of Procedure of the Aircraft Noise Commission). The Aircraft Noise Commission is formed to engage in consultations with the approval authority, the Federal Supervisory Authority for Air Navigation Services (BAF) and the air traffic management organization. It is notified of measures taken to reduce aircraft noise to protect residents, but can also propose measures on its own initiative. To be able to discharge this responsibility, it is necessary to have knowledge of certain personal data, in particular geographical data and the related geographical distribution and number of aircraft noise complaints.

    In case of inquiries under the Environmental Information Act (UIG) regarding the number and geographical distribution of complaints and the reason for the complaint, a special legal basis applies: the UIG.

  • 4.15 Applicant portal

    We are pleased to provide you with the following information on how your personal data will be processed if you apply with Flughafen München GmbH and its subsidiaries, and what rights you have under data protection law. You can apply online through the applicant portal, by email or by regular mail. Your data will then be entered in the applicant portal and processed by the appropriate entity. The company within the Flughafen München GmbH Group that is responsible for your application and the processing of your personal applicant data is the company advertising the position or receiving your unsolicited application. Your data will be passed on to other companies within the Group or stored in the applicant pool only with your direct consent.

    If you consent to your application being shared within the Group, your data may be passed on to the companies listed under section 1, "Controllers and data protection officers". This will increase your visibility and the possibility of being considered for a position.

    If we find your application compelling but do not currently have a vacancy for you, we will be happy to include you in an applicant pool for the companies listed under section 1 once you have given your consent. That means you give us permission to store your application for a specified period of time and consider it for vacancies where applicable.

    You can also apply for jobs with us through our social media recruiting partner’s platform and your personal account on this platform. The platform provider is responsible for processing data on the platform and within your personal account. Information on data processing can be found here:

    https://hire.heyjobs.co/en-us/privacy-policy/

    If you decide to apply to Flughafen München GmbH from your personal account on the platform after seeing a vacancy, we process the following data in our Flughafen München GmbH account on the platform:

    • First name and surname
    • Cover letter for the specific position at Flughafen München GmbH
    • Telephone number
    • E-mail address
    • Other data that may also be requested depending on the job profile (e.g. qualifications, work experience)

    When you send your application, these data are stored in the Flughafen München GmbH account on the platform, e-mailed to the employees in the HR department responsible for recruitment and (manually) sent to the Flughafen München GmbH applicant portal so that we can continue to process your application. The further information on the subsequent flow of data and how your data is handled is the same as when data is processed directly via the applicant portal. Please see the explanations below for related information on the purpose, legal basis, recipient, duration of storage etc.

    Recipients of your data in the Flughafen München account at our platform partner may include the Flughafen München human resources department and the platform partner’s IT administrator. Applicant information stored in the Flughafen München GmbH account at our social media recruiting partner is automatically deleted no more than six months after it is received. Applicant information sent by e-mail is also deleted after no more than six months.

    4.15.1 Purposes of data processing

    We and the service providers acting on our behalf process personal data for the following purposes:

    1. Filling posted positions and vacancies

    2. Filling future vacancies (unsolicited applications)

    3. Sharing within the Group

    4. Reviewing or identifying previous applications (multiple applications by the same candidate)

    5. Protecting children (applicants under 16 years of age)

    6. Ensuring the consent of legal guardians (applicants under 16 years of age)

    Without the declarations of consent from the legal guardians, applications from applicants under 16 years of age cannot be accepted or can only be partially processed. This also applies when consent is revoked.

    7. Safeguarding and protecting our rights

    Changes in purpose:

    8. In case you are hired, some of your personal data will also be used for purposes related to your employment relationship (e.g. to prepare your contract). The processing is carried out on the basis of the following legal provisions: Art. 6 Par. 1 b) GDPR in conjunction with Art. 88 GDPR in conjunction with Section 26 Par. 1 of the German Data Protection Act (BDSG).

    9. If you consent to the inclusion of your data in the applicant pool, we reserve the right to consider your application for other current or future vacancies and (if you consent to "sharing within the Group") forward your application to the companies specified in section 1 as needed. For information on the storage and deletion of data, refer to the section "Duration of storage and possibilities to have data erased" below.

    4.15.2 Legal basis

    • Purpose 3 and 9: Your consent (Art. 6 Par. 1 a) GDPR in conjunction with Section 26 Par. 2 BDSG)
    • Purpose 5 and 6: Consent of your parents for the processing of your application data (Art. 6 Par. 1 a) GDPR in conjunction with Art. 8 GDPR in conjunction with Art. 88 GDPR in conjunction with Section 26 BDSG)
    • Purpose 1, 2 and 4: Taking steps prior to entering into a contract in response to your inquiry for potentially establishing an employment relationship (Art. 88 GDPR in conjunction with Section 26 Par. 1 BDSG)
    • Purpose 8: Decision on the establishment of an employment relationship (Art. 88 GDPR in conjunction with Section 26 Par. 1 BDSG)
    • Purpose 7: Safeguarding our legitimate interests (Art. 6 Par. 1 f) GDPR): Legitimate interests on our part relate to the assertion and protection of our rights.

    Please note that more than one of the above legal grounds for processing may apply.

    4.15.3 Categories of personal data

    The following categories of personal data are processed:

    1) Applicant data that you enter in the application form. This generally involves the following data:

    • Salutation*
    • Title
    • First name*
    • Last name*
    • Date of birth
    • Country*
    • E-mail address*
    • Telephone*
    • Highest level of education completed / currently being pursued*
    • Native language
    • Foreign language

    Fields marked with an asterisk (*) are required

    In addition, depending on the specific job posting and target group, personal data may be required and processed in other input fields.

    In case of applicants under 16 years of age (in particular for high school students' internships, other internships, vocational training and, in exceptional cases, also for other positions), the following additional data:

    • Name and signature of the legal guardians
    • Declarations of consent from the legal guardians

    2) Applicant data which you provide by attaching documents (application documents, application photo, etc).

    If you use the "Upload CV" function, the selected documents will be automatically extracted and analyzed. This is done by a subcontractor of the applicant portal operator.

    3) Applicant data from other platforms (Xing, LinkedIn, Dropbox, etc.) that you allow to be transferred and processed by granting a release. This is done through automated extraction/analysis by the subcontractor of the applicant portal provider. Depending on the platform, a CV may be generated from the available profile data and attached to your application in addition to having your data imported into the application form. You may remove this attachment where appropriate.

    That information includes – among other items – the following personal data if entered in the profile or document:

    • Name and address data (title, salutation, last name, first name, street, postal code, city, country, etc.)
    • Contact data (e-mail address, telephone number, etc.)
    • Profile photo
    • Current position
    • Date of birth
    • If applicable, other data categories contained in the document or displayed before obtaining your permission to access them.

    4) Log data collected by the applicant portal provider to ensure proper system operation, error correction and defense against attacks.

    This includes the following personal data, which is erased after 180 days:

    • User name
    • Applicant name (first and last name)
    • IP address

    5) We reserve the right to record applicant information (see 1) and documents in the system manually. For this purpose, a subcontractor of the applicant portal provider can use the “parsing” function. This automatically extracts/analyzes the selected documents.

    4.15.4 Categories of recipients

    1) Use / sharing of data within the Group

    Your data can be accessed only by employees of Flughafen München GmbH and the Group companies for which the vacancy is being filled. If you consented to having your application shared within the Group, your data may also be shared with the companies specified under section 1, "Controllers and data protection officers".

    If we find your application compelling but do not currently have a vacancy for you, we will be happy to include you in an applicant pool for the companies specified under section 1. In this case, you will receive an e-mail from us requesting your permission to include you in the applicant pool. Please see section 14.6.5 for the retention period.

    2) Applicant portal service provider

    Your personal data will be transferred by the applicant portal provider to an external data center (a subcontractor of the applicant portal provider) for processing. A contract has been signed with the applicant portal provider under which the provider is required, without limitation, to comply with all the requirements of data protection laws and to act solely as instructed by Flughafen München GmbH.

    In the event of applications for the subsidiary MAI (Munich Airport International GmbH), we forward the data to an external personnel service provider. A data processing agreement has been entered into with this service provider as well that requires the service provider, in particular, to comply with all requirements of data protection law and to act solely as instructed by Flughafen München GmbH.

    3) Online test service provider (for vocational training positions)

    Your personal data will be processed and stored by the provider of an online test. The online test is used only in the late selection stages for vocational training positions and cooperative degree programs offered by Flughafen München GmbH. To take the online test, you will receive an email with further information. A contract has been signed with the online test provider under which the provider is required, without limitation, to comply with all the requirements of data protection laws and to act solely as instructed by Flughafen München GmbH.

    4) Service providers (general)

    We engage external service providers to perform tasks such as programming or data hosting. We have selected these service providers with care and monitor them regularly, particularly with regard to their careful handling and protection of the data that they process. We require all service providers to sign a contract to maintain confidentiality and comply with the data protection requirements of the General Data Protection Regulation (GDPR) and German Federal Data Protection Act (BDSG).

    5) Platforms

    The platforms of the following providers can be used to complete the application form quickly and easily during the application process:

    • Dropbox International Unlimited Company (One Park Place - Floor 5 - Upper Hatch Street - Dublin 2 – Ireland)
    • XING AG (Gänsemarkt 43 - 20354 Hamburg - Germany)
    • LinkedIn Corporation (2029 Stierlin Court - Mountain View - CA 94043 - USA)

    Please note that these providers and/or their servers may operate at locations outside the EU or the EEA (e.g. in the USA). When an applicant uses a platform, information – which may include personal data – may be sent to and possibly utilized by the platform provider. Please refer to the data protection statement of each platform provider for information on which specific data is stored by the provider in such cases and how it is used.

    The applicant portal does not use platform providers' social plugins; these are only links to the platforms. Nor do we use the platforms to capture any personal data or how it is used.

    After clicking on the button, you will be transferred to the platform provider's login screen. After logging in and releasing the data, the data will be automatically extracted and analyzed by the subcontractor for the applicant portal.

    If you wish to ensure that no data of any kind is processed by the platform providers, enter your data manually in the application form and refrain from using the platforms.

    6) Other third parties

    We will transfer your personal data to other parties only to the extent that this is required to take steps prior to entering into a contract, if we or another party have a legitimate interest in the data transfer, or if you grant us your permission. In addition, data can be transferred to other parties if we are required to do so by law or under an administrative or court order. Your data will not be used for advertising purposes.

    4.15.5 Duration of data storage and possibility of erasure

    Applicant data

    1) Your data will generally be deleted six months after your hiring date, your notification that your application was unsuccessful, or your decision to turn down an offer of employment.

    In case of an application for a vocational training position or a cooperative degree program, all your data will be stored for six months after your application is rejected, you refuse an offer, or your are invited to your first day of work. In case of a rejection on our part or your refusal of an offer, the data will be stored on the basis of legitimate interests (legal concerns).

    In case of an application for a high school student's internship, all your data will be stored for six months after your application is rejected, you refuse an offer, or the internship has ended. In case of a rejection on our part or your refusal of an offer, the data will be stored on the basis of legitimate interests (legal concerns).

    2) If you have consented to be included in our applicant pool, you will receive a notification about your continued inclusion in the pool after five months. If you consent to remain included in the pool, you will be notified again after a further five-month period. If you do not contact us after this notification, all your data will be erased within three months.

    3) If you wish to have your data erased early or withdraw one of your permissions, please send an e-mail with your name, the e-mail address you provided when applying, the job title and company and, for unambiguous identification, your date of birth to jobs@munich-airport.de or contact the person in charge of the advertisement.

    4) Please note that when the data is erased, all data associated with the application in question will be removed, making it impossible to obtain information on the application.

    Log data

    Log data – collected by the applicant portal provider – is erased after 180 days. Log data that has to remain on file for evidentiary purposes will not be erased until the final disposition of the matter and may, in specific cases, be forwarded to the investigating authorities.

    Use of cookies

    The applicant management system provider only uses temporary (session) cookies. These cookies are automatically deleted as soon as the user closes the browser.

    CookiePurposeStored dataDuration of storage
    JSESSIONIDThe purpose of this cookie is to identify your computer during your visit to the application portal pages.Session IDSession
    dvinciSessionIdThe purpose of this cookie is to identify your computer during your visit across all products.Session  IDSession

    The use of technically necessary (session) cookies is based on our legitimate interests under Art. 6 Par. 1 f) GDPR. Technically necessary cookies must be included to ensure that the applicant management system works correctly.

    4.15.6 Transfer to third countries

    Data is not transmitted to third countries as defined by data protection law.

    4.15.7 Objection to processing

    See chapter 6.5 of the privacy policy on how to object to the processing of your personal data on the basis of our legitimate interests (Art. 6 Par. 1 f) GDPR).

    You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point Art. 6 Par. 1 f) GDPR. In this case, we will no longer process your personal data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is done for the establishment, exercise or defense of legal claims.

  • 4.16 Airport Collaboration Portal

    The Airport Collaboration Portal (ACP) serves as the entry point for several applications that fall under various areas of responsibilities and serve various purposes. The portal is operated by Flughafen München GmbH.

    Purpose of data processing
    Your data will be processed solely for the following purposes:

    • registration in the ACP system and
    • granting user privileges for applications
    • registration enables the user to be granted access to applications within the ACP. These include: AIS Airport Information System, Delaycodeclearing, night flight requests, LGS-Baggage.

    Categories of personal data
    Participation in the Airport Collaboration Portal (ACP) is a quasi-contractual legal relationship; the data not marked as optional must be submitted for user management purposes.

    The following categories of personal data are collected:

    • first name
    • name
    • organization
    • company
    • department
    • email address
    • telephone number
    • airport ID number

    Recipients
    The specialized department has access to the personal data.

    Duration of storage
    Access data (login) are deleted when the individual leaves the company or when the access privileges are revoked.

    Legal basis
    The legal basis for the data processing described in this paragraph is Art. 6 Par. 1 sentence 1 b) GDPR (contractual performance and steps prior to entering into a contract).

    Data protection inquiries
    To exercise rights pertaining to the Airport Collaboration Portal (ACP), the data subject can contact us, preferably by email, at: acp@munich-airport.de.

  • 4.17 FMG und Wohnen

    To offer accommodation to our future employees, existing staff, and partners in the vicinity of the airport, we cooperate with MUC Airport Betriebs GmbH.

    Housing inquiries can be submitted to Flughafen München GmbH at: munich-airport.de/fmg-und-wohnen. After an initial review, inquiries are forwarded to MUC Airport Betriebs GmbH via that company's booking software. The data transmitted in this online form are exported in an email that is transferred only within the protected airport network to a special email account that can be accessed only by the responsible employees.

    Purpose of processing
    We process your personal data solely for purposes of processing and handling your booking inquiry, checking your authorization to access the "FMG und Wohnen" service, entering into a contract, executing a contract, processing your booking and to communicate with you to offer and deliver the "FMG und Wohnen" service. A further purpose is to execute and defend our rights.

    Categories of personal data

    • salutation
    • first name
    • last name
    • address
    • telephone number
    • email address
    • airport company
    • personnel number (if available)
    • booking date

    Legal basis
    The legal basis for the related processing of your data is Art. 6 Par. 1 sentence 1 b) GDPR (performance of a contract and steps prior to entering into a contract) and Art. 6 Par. 1 f) GDPR (balancing of interests based on our legitimate interest in checking access authorizations, asserting and defending our rights and forwarding inquiries from our customers).

    Recipients
    We collect, store and process the personal data provided by you exclusively for the purposes stated above (in particular the processing of your booking). For this purpose, however, we must forward the data. As a result, the data are forwarded to the booking tool apaleo GmbH operated by MUC Airport Betriebs GmbH.

    The required transfer of personal data to MUC Airport Betriebs GmbH takes place as required to achieve the stated purposes. After the transfer of the data, the hotel is the sole controller responsible for the processing carried out there under data protection laws. Consequently, Flughafen München GmbH assumes no responsibility for data processing in the hotel operations.

    Duration of storage
    Your personal data will be stored for a maximum of 12 months after the contract is fully executed. The data will be deleted after that period ends. Please note that statutory retention periods, for example under the German Fiscal Code (AO) or the German Commercial Code (HGB), as legitimate purpose limitations, represent an exception and are handled according to the applicable requirements.

  • 4.18 Processing damage events and claims 

    The following text contains information on the processing of your personal data in connection with damages of all kinds, including insurance claims and other ways of settling damages.

    Purpose of processing
    The purpose of the data processing is the comprehensive handling of the damage event, which is not possible without processing your personal data. We process your data in accordance with the relevant data protection regulations, in particular the Insurance Policy Act (Versicherungsvertragsgesetz – VVG) and all other applicable laws.

    Categories of personal data
    To process the damage event, we store and process the personal data of the concerned parties (e.g. first name, last name, date of birth, address, telephone number) as well as data regarding the events (e.g. the damage event) and material facts (e.g. vehicle identification data) that may relate to natural persons.

    Recipients
    Personal data are sent to the following recipients or categories of recipients:

    • Recipients within the FMG Group (e.g. departments responsible for the relevant processing of the data)
    • Companies in the FMG Group
    • Cooperation partners used by us to deliver our services
    • External contractors as defined in Section 28 of the EU-GDPR; at present, these are: FMV – Flughafen München Versicherungsvermittlungsgesellschaft mbH / Marsh GmbH
    • Insurance companies involved in the handling of the damage event

    Duration of storage
    We process and store your personal data as long as necessary to meet our legal obligations. The damage reports and files are retained in accordance with the statutory retention periods.

    Legal basis
    The legal basis for the processing of personal data is as follows:

    • Consent [see Art. 6 Par. 1 sentence 1 a) GDPR] (in cases where we request consent)
    • Necessity for the performance of a contract to which the data subject is a party [see Art. 6 Par. 1 sentence 1 b) GDPR, first option] or to complete steps prior to entering into a contract.
    • In addition, we process your personal data to meet legal obligations. The need to comply with a legal obligation to which the data controller is subject [see Art. 6 Par. 1 sentence 1 c) GDPR].
      • Insurance Policy Act and other relevant laws
      • Fulfillment of obligations to our insurer.
    • We also process your data to safeguard legitimate interests pursued by us or third parties (Art. 6 Par. 1 f) GDPR), i.e. where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. [see Art. 6 Par. 1 sentence 1 f) GDPR].
      • Asserting our own damage claims
      • Fulfillment of obligations to our insurer
      • Defending damage claims pursued against our company
      • Defense and cooperation in case of criminal and administrative proceedings

    In exceptional cases, special categories of personal data are processed (e.g. health-related data). In such cases, the data are generally processed on the basis of Art. 9 GDPR e.g. Art. 9 Par. 2 e) GDPR if these data are manifestly made public by you.

    Source of the data
    If the personal data are not obtained directly from the data subject, they are obtained from

    • Vehicle inquiries, e.g. the "Green Card Office" in Hamburg
    • Witnesses, persons involved in an accident and other third parties
    • Generally accessible sources
  • 4.19 Star Alliance Biometrics

    Star Alliance Biometrics is a product of Star Alliance Service GmbH (hereinafter referred to as "Star Alliance") and enables the voluntary biometric identification (facial recognition) of passengers at the airport. Terminal 2 Gesellschaft mbH & Co oHG (hereinafter referred to as "Terminal 2 Gesellschaft" respectively “we”) currently supports the use of the biometric identification service offered by Star Alliance Biometrics at the following access points: boarding pass control.

    At the airport access points managed by Terminal 2 Gesellschaft, which have integrated the Star Alliance Biometrics’ identification service, a short video sequence will be recorded of you if you wish to use the biometric identification service. A photo is extracted from the video sequence and sent to Star Alliance for biometric matching with your biometric profile stored in Star Alliance Biometrics.

    Scope of application

    This data protection notice refers exclusively to the recording of the short video sequence/photo of your face by the camera at the access point in the Terminal 2 Gesellschaft's area of responsibility.

    For the subsequent data processing in connection with the biometric matching in the area of responsibility of Star Alliance as well as for the enrolment for Star Alliance Biometrics and the use of the corresponding Star Alliance Navigator App, the Star Alliance Privacy Notice applies.

    Data controller

    Controller for data processing within the scope of this data protection notice is

    Terminal 2 Gesellschaft mbH & Co oHG
    Terminal Street North 1, Level Z4
    P.O. Box 23 17 55
    85326 Munich-Airport

    You can reach our data protection officer at datenschutzbeauftragter@munich-airport.de.

    Processed personal data

    A short video sequence and an extracted photo of your face are processed.

    Purpose and legal basis of the data processing

    Processing is necessary to enable the use of the biometric identification service at the boarding pass control, i.e. for Star Alliance to biometrically match the photo taken with your biometric profile stored in Star Alliance Biometrics.

    The legal basis for this processing is your consent given in Star Alliance Biometrics to be identified at Munich Airport via the Star Alliance Biometrics’ identification service (Art. 6 para. 1 p. 1 lit. a) DSGVO).

    You can withdraw your consent at any time in the profile management of the Star Alliance Navigator App. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. 

    Please note:

    Unless you have given your consent or withdrawn it, you are neither permitted nor able to (successfully) use the biometric identification service. Alternative means of boarding pass control (e.g. boarding pass scan) are available to you. You are neither contractually nor legally obliged to use the biometric identification service.

    Should you - contrary to the express notice at the access point - attempt to use the biometric identification service without being enrolled for Star Alliance Biometrics or without having given your consent to be identified at Munich Airport, a video sequence/photo will nevertheless be taken of you and sent to Star Alliance for biometric matching. However, the identification will then fail and the identification process will be completed with an error message.  

    Storage period

    Your personal data will be deleted as soon as the identification process at the boarding pass control is completed.

    Categories of recipients

    Your personal data will be transmitted to the following (categories of) recipients:

    • The Star Alliance to perform the biometric matching and
    • IT service providers who provide the system(s) / software used and who have been contractually committed as processors in accordance with the GDPR.


    Your rights of data subjects

    You have the following rights:

    • Right of access, Art. 15 GDPR
    • Right of rectification, Art. 16 GDPR
    • Right to erasure ("right to be forgotten"), Art. 17 GDPR
    • Right to restrict processing, Art. 18 GDPR
    • Right to data portability, Art. 20 GDPR
    • Right to object, Art. 21 GDPR

    To exercise your rights, you can contact us by e-mail at datenschutzanfrage@munich-airport.de.

    In order to be able to process your request, we would like to point out that we process your personal data collected within the scope of the data protection request in accordance with Art. 6 Para. 1 S. 1 lit. f) DSGVO (for documentation and discharge purposes) and delete it after 3 years.

    Furthermore, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

    No automated decision making including profiling takes place.

    Important note:

    However, we would like to point out once again that we only record a short video sequence as part of the biometric identification process and use a photo from this and delete both from our systems immediately after the identification process is complete. The above-mentioned rights can therefore generally not be implemented, if only because no more personal data is available from you.

  • 4.20 Privacy notice cctv

    Contact details controller (cctv responsible officer)

    »CCTV Videoverantwortliche/r« der Flughafen München GmbH
    Nordallee 25, 85356 München-Flughafen, Deutschland
    E-Mail: cctv@munich-airport.de

    Contact details data protection officer

    For contact information, please refer to Controllers and data protection officers.

    Description and scope of data processing

    Flughafen München GmbH collects, stores and processes personal data in the context of video surveillance only to the extent required by law, for the necessary purposes or in the legitimate interest of the company (see 1.4).

    Purpose and lawfulness of processing

    Data processing is required because of:

    • Legal obligation to which the controller is subject (in particular aviation security law / § 8 LuftSiG).
    • Vital interests of the data subject or another natural person.
    • Public interest or in the exercise of official authority vested in the controller.
    • Legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail.
    • Corpus of legislation (General Data Protection Regulation »DSGVO«).

    Purpose of data processing and legitimate interest of the controller:

    • Aviation Security (e. g. protection of life and limb of persons, protection of protection, etc.)
    • Execution of property rights
    • Safety (e. g. firefighter control, safeguarding employees, guests and equipment, etc.)
    • Operational processes related to airport and aviation procedures to ensure functioning infrastructure procedures (u. a. baggage handling, passenger flow control, apron monitoring
    • Miscellaneous provision

    Legitimate interests of the controller

    • Exercise property rights and property protection
    • Operational requirements and procedures
    • Aviation security
    • Enforcement of law and order

    Duration of data storage and criteria for storage

    Data is will take place in individual cases. Storage in general of the duration of data storage depend on the individual situation, camera location, surveillance purpose and user. Details regarding storage are defined in the controller’s CCTV user manual.

    Recipients of data

    Individuals or user groups with access rights in accordance with the CCTV Access Control process. User access in controlled by a detailed access control process, which grants access to live video footage or stored video data depending on the role of user. Users are public authorities, public agencies, affiliated companies and/or subsidiaries and airlines.

    Data transfer to third countries

    A transfer of personal data to third countries is not intended.

    Possibilities for removal/revocation

    You have the right to have your personal data removed and revoked in case of processing based on our legitimate interests according to Art. 6 para. 1 lit. f) DSGVO. In addition, you have the right to claim a complaint with the supervisory authority, specifically in the member state of your residence, your work place or the place of the alleged violation if you consider the processing of your personal data shall constitute a breach of the respective EU legislation General Data Protection Regulation.

    Rights of data subjects / rights of affected / your rights

    For more information on your rights to information, correction, deletion, restriction of processing, objection and data portability, please refer to Your rights.

  • 4.21 Customer Acquisition of LabCampus

    4.21.1 Events and Lead Generation Campaigns

    For the purpose of customer acquisition and network building, LabCampus conducts (promotional) events and lead generation campaigns. Contact data provided to LabCampus in this context will be processed by LabCampus as follows:

    Categories of personal data

    The following categories of personal data are processed:

    • first name
    • surname
    • company name
    • e-mail adress (if necessary)
    • telephone- / mobile number (if necessary)
    • position (if necessary)

    Purpose of processing

    Your Data will be processed for the purpose of arranging appointments, sending information about our products and services, news and event notices from LabCampus.

    After providing your telephone/mobile number or if you ask us on the phone to send you information electronically by e-mail, we will also use this data with your consent to contact you individually and send you information. Without providing the required data, we cannot send you this information.

    If, in the context of telemarketing campaigns, we receive personal data from publicly accessible sources or from information provided by your colleagues and process this data for the above-mentioned purposes, we will inform you of this within one month or at the latest at the time of the first contact.

    For registration to our newsletter, we refer to section 4.3.2 of this privacy policy, which also applies to registration via business cards as part of promotional campaigns and events.

    Legal basis

    The legal basis for the processing of your personal data given to us is Art. 6 para. 1 sentence 1 letter f) GDPR (legitimate interest). The legal basis for the processing of personal data based on the handover of your business cards is Art. 6 para. sentence 1 letter a) GDPR (your consent by handing over the business card).

    Storage period

    We store your data for the purpose of contacting you until we receive your objection, but at the longest for a period of two years to the end of the year after the last communication, provided that no contractual relationship has been established.

    Categories of recipients & transfer to third countries

    Your data will be processed by LabCampus GmbH. A transfer to third countries is not intended. Recipients of the data are the responsible departments at LabCampus GmbH, as well as processors for marketing services and for the provision of IT services and those for the improvement, maintenance and support of these services.

    Objection

    You can object to the processing of your data at any time by sending an e-mail to: contact@labcampus.de. In the event of your revocation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. We would like to point out that in the event of your objection, no further contact can be established by LabCampus.

    Withdrawal of your given consent

    If we process personal data on the basis of your consent, you can withdraw this at any time via the following e-mail address: contact@labcampus.de. The withdrawal of your consent doesn´t affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal. The lawfulness of the data processing operations carried out until the withdrawal remains unaffected by the withdrawal.

    4.21.2 LabCampus LinkedIn Lead Ads

    This data protection information applies to the following LinkedIn profiles: https://www.linkedin.com/company/labcampus/

    LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter "LinkedIn") is responsible for the processing of personal data entered by visitors while visiting our LinkedIn profile.

    We use LinkedIn Lead Ads to generate contacts and addresses. Lead Ads are an ad format that is displayed to registered LinkedIn users. They contain form functions that enable the simple and rapid generation of leads. After the user actively consents (opt-in), contact information the user has stored with LinkedIn is entered into forms:

    • Name
    • Email address
    • Company

    Once the data in the form has been sent successfully, the user is shown a thank-you page where we can integrate a call to action (e.g. a referral to the LC landing page). We do not send your personal data to third-party advertisers or advertising networks.

    The processing of this data serves the purpose specified above and takes place on the basis of Art. 6 Par. 1 a) GDPR on the basis of your voluntary consent upon registering and logging in to LinkedIn. We store your data until your consent is revoked. You can revoke your consent with future effect at any time by sending an email to contact@labcampus.de

    We do not know the full extent of data collection, i.e. which of a visitor's data is collected by LinkedIn overall and the purposes for which it is processed by LinkedIn. The necessary information has not been provided to us by LinkedIn. Please understand that we can only provide information to the extent allowed for by our knowledge of the data processing within our area of responsibility and our influence on this data processing.

    We would also like to point out that your data may also be processed outside the European Union and the European Economic Area. This could result in risks, e.g. because it could complicate the enforcement of user rights. Further details can be found in the privacy policies of the individual providers.

    The Data Protection Officer of LinkedIn can be contacted through the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO

    Further information on data processing by LinkedIn can be found at: https://privacy.linkedin.com/

  • 4.22 Airport Academy

    4.22.1 Introduction/application


    This data protection declaration includes information for the processing of personal data in connection with the inquiry, registration, processing, organization and administration of trainings and advanced training for external persons. The inquiry or the registration can be completed via our Online Learning Portal, other digital registration media, by phone, by email or form. The further processing and administration is performed in our event management systems, for example, for the proof of participation (e.g. aviation security training) or for the processing of the payment procedure in our accounting system.

    The data will be stored and processed confidential and only in accordance with the legal regulations or the data security and the data protection. You should know which data we store and how we process them.

    The data protection information and declarations stated there are applicable to Internet pages of other providers that may be linked.

    4.22.2 Categories of personal data

    The following categories of personal data is processed:

    1. The following personal data (data identified with a * are mandatory) are handled during the registration for presence and web-based trainings (via the “Online Learning Portal”, “Event Manager”, forms and by phone or email):

    Contact data of the participant, such as,

    • Salutation*
    • Firstname*
    • Lastname*
    • Phone/ mobile number*
    • Fax number
    • Email*

    The following data will be recorded additionally in the Online Learning Portal for certain courses and for the creation of a user account:

    • Birthdate*
    • Birthplace*

    Address data of the participant

    • Street*
    • Zip code, City*
    • Country*

    Possibly contact data of the person who books, such as:

    • Salutation
    • Firstname
    • Lastname
    • Phone number
    • Fax number
    • Email*

    Invoice data

    • Invoice address*
    • Order number
    • Customer number

    2. Storage in the event management system (e.g. for the administration of the completed trainings and advanced trainings as well as the traceability of the qualification)

    This includes, among others, the following personal data:

    Contact data of the participant, such as:

    • Salutation*
    • Firstname*
    • Lastname*
    • Phone/ mobile number*
    • Fax number
    • Email*
    • Address data of the participant
    • Street*
    • Zip code, City*
    • Country*

    Possibly contact data of the person who books, such as:

    • Salutation
    • Firstname
    • Lastname
    • Phone number
    • Fax number
    • Email

    In addition, the following data is stored and processed for certain courses (for example, legally mandated):

    • Birthdate*
    • Birthplace*

    3. Storage in the accounting system (for example, for the settlement and invoicing of trainings and qualifications)

    This includes, among others, the following personal data:

    • Salutation*
    • Firstname*
    • Lastname*
    • Phone/ mobile number
    • Fax number
    • Email

    Address data of the invoiced person or the participant

    • Street*
    • Zip code, City*
    • Country*

    Possibly contact data of the person who books, such as:

    • Salutation
    • Firstname*
    • Lastname*
    • Phone number*
    • Fax number
    • Email*
    • Invoice data
    • Invoice address*
    • Order number
    • Customer number

    4. Transfer to the central access control system (for the access authorization to the safety area)

    This includes, among others, the following personal data:

    The following data will be transfered:

    • Salutation*
    • Firstname*
    • Lastname*
    • Birthdate*
    • Birthplace*
    • Company name*
    • Personal identification number (internal 6-digit number)
    • Training result and training date*

    5. Log data that is recorded to secure the operation - Online Learning Portal

    Log data is recorded in the Online Learning Portal. The data is used to address failures and security incident (e.g. for the resolution of attack attempts). Log files whose further storage is required for evidence purposes are excluded from the deletion until the final clarification of the respective incident and can in individual cases be transfered to the investigative authorities.

    4.22.3  Purposes of the processing of person related data

    Your data is exclusively processed for the following purposes:

    1. For the processing of registration, organization and administration of the trainings and advanced trainings
    2. For proof of a seminar or WBT participation
    3. For the obtainment and the proof of a certain qualification
    4. For the transfer to the ID card office (aviation safety training - to obtain an airport ID or access right to the safety area)
    5. For the provision of a certificate (for example, EASA proof)
    6. For invoicing
    7. To establish a contact or to answer questions
    8. To maintain and defend our rights

    4.22.4 Legal principles for the processing of personal data and justified interests

    The processing of personal data is based on the following legal principle:

    • Purpose 1, 2, 3, 4, 5, 6 - Requirement for the fulfillment of a contract whose contract party is the affected person [see art. 6 para. 1 p. 1 lit. b) 1st variant GDPR]
    • Purpose 1, 3, 7 - Requirement for the execution of pre-contract actions that are performed on the request of the affected person [see art. 6 para. 1 p. 1 lit. b) 2nd variant GDPR]
    • Purpose 2, 3, 4, 5, 6, 8 - Requirement for the fulfillment of a legal obligation, which the responsible person is subject to [see art. 6 para. 1 p. 1 lit. c) GDPR]. The legal obligation is based on the implementation regulation DVO(EU)2015/1998 (all trainings as per section 11) as well as the EASA requirements VO (EU) 139/2014 and VO (EU) 139/2014. This applies to all trainings in accordance with the rules ADR.OR.D.035 and ADR.OR.F.080 as well as section ADR.OR.D.017.
    • Purpose 1, 2, 3, 4, 5, 6, 8 - Requirement for the protection of justified interest of the responsible person or a third party, assumed that the interests or basic rights and fundamental freedoms of the affected person are not higher ranking [see art. 6 para. 1 p. 1 lit. f) GDPR]. The justified interests include the information, sensitization and qualification for persons active on the airport facilities via an Online Learning Portal and presence seminars (e.g. sensitization for security subjects, occupational safety, etc.) and for the execution of trainings between FMG and the employer of the affected person.

    4.22.5 Recipients

    Personal data will be transfered to the following recipients or categories of recipients and the data will be processed there:

    • Internal company recipients (e.g. departments responsible for purpose-based processing): Only employees of Flughafen München GmbH, whose contribution to the organization and administration of the trainings and advanced trainings as well as for answering inquiries is required, have access to your data. This includes, among others, employees of the AirportAcademy. In addition, a limited number of IT persons have access to the data due to their administrative activities. Your personal data - among others, for the aviation safety training, the “Flughafen Lieferungen” (airport delivery) training and the Safety Management training - will be transfered to the corporate safety department of Flughafen München GmbH. The access control system is hosted internally and has no connection to the outside. Your personal data will be transfered for invoicing to the account department of Flughafen München GmbH.
    • Companies of the Flughafen München corporation, see Overview of the corporate structure of the Flughafen München Corporation
    • External employees as per art 28 GDPR, these include currently: If required, trainers that are assigned to provide a training and an advanced training, as well as meeting hotels for the handling of workshops.
    • Courts, public authorities or other government bodies in case of legal obligations such as reliability review to the Luftamt Süd (aviation authority south).

    4.22.6 Transfer to third countries

    A transfer to a third county outside the European Union is not intended.

    4.22.7 Duration of the storage

    Personal data will only be stored as long as this is required to achieve the listed purposes or as long as it is required to satisfy the legal storage and record retention time periods. The respective data will be deleted as a matter of routine and in accordance with the legal regulations after the discontinuance of the respective purpose or after the above time periods expire.

    The following storage deadlines specifically apply:

    1. Online Learning Portal: The personal data will be deleted completely after the expiration of all certification validities and after a follow-up time of 6 months.
    2. Event-Manager (registration forms): The personal data will be deleted after 6 years.
    3. Event management system and accounting system: Personal data of persons that completed an aviation safety training will be deleted from the event management system 6 years after the end of the validity of the aviation training. The personal data of all other persons will be deleted 6 years after the last seminar participation. As per § 147 AO / § 257 HGB, invoices will be deleted 10 years after the end of the calendar year, while proposals will be deleted 6 years after the end of the calendar year.

    Please note, that the entire data are removed after the deletion is completed and conclusions can no longer be made.

    4.22.8 Obligation for the provision of personal data

    • The provision of the personal data is legally mandated for the execution of trainings in accordance with section 11 of DVO(EU)2015/1998, among others, aviation safety training. A non-provision means that airport IDs or work permits for the activity at the Munich airport cannot be issued.
    • The provision and storage of personal data as part of the relevant EASA trainings are regulated in the EASA requirements VO (EU) 139/2014 and VO (EU) 139/2014. The rules ADR.OR.D.035 and ADR.OR.F.080 as well as section ADR.OR.D.017 are applicable. A non-provision means that airport IDs or work permits for the activity at the Munich airport cannot be issued.
    • The provision and storage of personal data as part of the hazardous product training are regulated in annex 18 of the Convention on International Civil Aviation including the “Technical Instructions for the Safe Transport of Dangerous Goods by Air” (ICAO T.I.) issued by the International Civil Aviation Organization (ICAO) Doc 9284-AN/905, as well as DOC 10147 whose application is, among others, specified:
      - in the regulation (EC) No 965/2012 of the Council dated October 05, 2012 for the specification of technical regulations and administrative processes with respect to the aviation in accordance with the regulation (EC) No 1139/2018 of the European Parliament and of the Council as well as
      -  in the regulation (EC) No 139/2014 of the Council dated February 12, 2014 for the specification of requirements and administrative processes with respect to the aviation in accordance with the regulation (EC) No 2018/1139 of the European Parliament and the Council.

    A non-provision results in the fact that a registration for required trainings cannot be made. Proofs and certificates for possibly required trainings can also not be issued.

    • The provision and storage of personal data as part of the hazardous product trainings in Austria are regulated in the 303rd regulation of the Federal Minister for Science and Transport about the transport of hazardous materials (Dangerous Goods Transport Ordinance - GGBV)
    • § 2, 11 and 14 of the Dangerous Goods Transport Law, BGBI. I No. 145/1998, in its BGBl version. I No. 108/1999, 5th section - “Training of persons involved in the transport of hazardous materials as part of the civil aviation”
    • A non-provision results in the fact that a registration for required trainings cannot be made. Proofs and certificates for possibly required trainings can also not be issued.
    • The provision of personal data is required for the planning, execution and administration (incl. settlement purposes) of trainings and qualifications and therefore for the execution of pre-contractual actions as well as for the execution of the contractually booked service. A non-provision results in the fact that a registration for required trainings cannot be made. Proofs and certificates for possibly required trainings can also not be issued.
    • In addition, a legal or contractual obligation for the provision of personal data may exist.

    4.22.9 Data source

    If the personal data was not obtained from the affected person, then they are obtained from

    1. Generally accessible sources
    2. Though self-delivery of the person that inquires or books
    3. From the access control system, personal data such as:
      - Salutation
      - Lastname
      - Firstname
      - Birthdate/ birthplace
      - Residence address
      - Company name incl. invoice address
      - Personal identification number
      - Status of the reliability review

    4.22.10 Automated decision making (also profiling) and impacts

    As a matter of principle, an automated decision making does not take place. Only the issue of the certificate can depend on a variety of factors (e.g. participating in a certain part or the entire WBT, examination tests, etc.) depending on the type of the WebBasedTrainings (WBT). The existence of these factors is normally checked automated by the respective WBT program.

    4.22.11 Explanations about special processing of personal data

    Use of cookies

    Online Learning Portal

    1. Description and scope of the data processing

    On the Online Learning Portal of the Airport Academy, we only use technically required cookies - they can be found under 2. (List and description of the cookies). These so-called function cookies are always activated because they are required for the basic functions of the website. The use of the applied cookies guarantees functions. This website cannot be used as intended without these cookies. The purposeful use of the Online Learning Portals of the Airport Academy is not possible without these cookies.

    The path of a user across different pages of the website can be traced by using the applied cookies. It permits an effective navigation during the visit on the Online Learning Portal. Only the information required for the specific processing purpose will be stored in the cookies. These are neither personal nor do they provide information about the user. The Flughafen München GmbH is responsible for the applied cookies (= First Party Cookie). Third party cookies are not used.

    The applied cookies are also used for the identification of the computer from which our website was contacted. If you login to our website, then the cookies are used to communicate the login to the server and to check the authorization for the call-up of the website. The cookie marks the logged-in user as a valid user and permits the call-up of secured data.

    In addition, your safety is increased because the used cookies protect against Cross-Site-Request-Forgery.

    2. Purposes, legal principles and duration of the storage

    The specific purposes of the applied cookies, the associated legal principles as well as the information about the storage duration can be found in the following overview:

    CookienamePurposeLegal PrincipleStorage Duration
    __Host-fmg_online_learning_portal_sessionThis cookie includes an encrypted session ID which refers to a session file with data about the currently logged-in user. This cookie permits the authentication of follow-on inquiries after a successful initial login.Art. 6 para. 1 lit. f GDPR2 hours in case of inactivity; a continuous extension by 2 hours is granted in case of an activity; a transfer to the server does not take place after the expiration date. The deletion depends on the browser settings.
    __Host-XSRF-TOKENThis cookie is used for the protection against Cross-Site-Request-Forgery (CSRF). It includes an encrypted CSRF-TOKEN, which is queried in each form used by the applicationArt. 6 para. 1 lit. f GDPR2 hours in case of inactivity; a continuous extension by 2 hours is granted in case of an activity; a transfer to the server does not take place after the expiration date. The deletion depends on the browser settings.
    __Host-user_logged_inThis cookie is used at the time of login, it marks the logged-in user as a valid user and it permits the call-up of secured data.Art. 6 para. 1 lit. f GDPR2 hours in case of inactivity; a continuous extension by 2 hours is granted in case of an activity; a transfer to the server does not take place after the expiration date. The deletion depends on the browser settings.
    __Host-lara-vel_cookie_consentThis cookie stores the notice of the information through a click by the user on the OK button of the cookie banner on the start page. After a first information confirmation it will not be queried again until the expiration of the service life.Art. 6 para. 1 lit. f GDPR365 days of a fixed service life; a transfer to the server does not take place after the expiration date. The deletion depends on the browser settings. A new valid cookie will be set via a new agreement query.


    The use of the technically required (session) cookies is based on our justified interests as per art. 6 para. 1 lit. f DSG-VO. The integration of the technically required cookies is needed to guarantee a flawless use of the Online Learning Portal.

    3. Option for removal

    You have the right to object against the use of cookies. Using your browser, you have the option to get the cookies displayed that exist on your computer, to delete the existing cookies or to establish the configuration in such a way that not all or no cookies can be stored. Please note that some functions (for example the login) do no longer work or do not correctly work if you deactivate the cookies settings.

  • 4.23 Luggage handling

    This information about the processing of your personal data is based on the processing of your personal data as part of the luggage handling and securing of a fast, accurate and correct flight dispatching by Flughafen München GmbH (FMG).

    4.23.1 Description and scope of the specific data processing

    Based on § 45 LuftVZO, FMG - as the airport operator - is responsible to provide and develop the infrastructure for the reliable execution of the air traffic.

    This also includes the administration and the operation of central infrastructure facilities such as the luggage system incl. the associated luggage transportation equipment - starting with the transport from the check-in counters of the airlines including the required sorting and ending with the transport on the destination conveyors as well as the transport of the pieces of luggage that are subject to control to and from the control points.

    FMG receives the required personal data of the airlines to fulfill the tasks as the airport operator as part of the provision of the central infrastructure of the luggage system with luggage transport and sorting.

    To fulfill the tasks, FMG additionally provides information about the status of the luggage based on a request by your airline.

    This includes the following data:

    • Salutation, name (last and first)
    • Flight data
    • Location data about the piece of luggage in the transportation system

    4.23.2 Purposes and legal principles

    Purposes:

    • Fulfilling the tasks as the airport operator to provide and develop the infrastructure for the reliable execution of the air traffic
    • Administration and operation of central infrastructure facilities such as the luggage system incl. the associated luggage transportation equipment
    • Fulfilling the tasks as the airport operator to implement the required safety measures
    • Defense against legal claims
    • Fulfilling the requirements of public safety authorities

    Legal principles:

    • Fulfillment of legal obligations (art. 6 para. 1 lit. c GDPR a.o. i.c.w. § 45 LuftV-ZO, § 5 para. 3, § 8 and § 9 LuftSiG, VO EU 2015/1998)
    • Protection of legitimate interests for an effective and efficient disposition of pieces of luggage, for the clarification of questions (a.o. public authorities, customs), for the delivery of contractual services to FMG customers (e.g. airlines) and for the clarification and defense against legal claims (art. 6 para. 1 lit. f GDPR)

    4.23.3 Recipients of personal data

    • FMG internal departments for the execution of the luggage sorting and luggage loading
    • Airlines, ground handling services
    • Public authorities, courts

    4.23.4 Transfer to recipients in third countries

    The a.m. personal data are transmitted via the SITA network to the airline with which you established a transport contract. If the airline has its seat in a third country outside the EU, then this can involve a data transfer to this third country.

    Contracting partner of FMG for access to the SITA network is SITA Switzerland Sarl, 26 Chemin de Joinville, 1216 Cointrin, Schweiz. In accordance with Art. 45 GDPR, the EU Commission has decided that Switzerland offers an adequate level of data protection.

    4.23.5 Storage duration

    • 100 days in the operational system
    • 15 months in the archive system

    4.23.6 Source of the data

    Data subject/airlines.

5 External booking requirements

On our website you will be redirected to the external booking platforms described below. The bookings are processed independently of Flughafen München GmbH. The privacy policy of the provider in question will apply.

5.1 Package travel arrangements

The booking process "Package holidays" is operated by travianet GmbH, a company in the FTI Group, with headquarters in Deggendorf, Germany. The process is subject to the privacy policy of travianet GmbH.

5.2 Car rentals

The booking process "Car rentals" is operated by TravelJigsaw Limited with headquarters in London, UK. The trade name of the rental car booking platform is Rentalcars.com. The process is subject to the terms of the privacy policy of Rentalcars.com.

6 Your rights

Under data protection laws, data subjects have various rights with regard to their personal data, in particular a right to information on the personal data in question, the rectification and erasure of data, the restriction of processing, objection to processing, data portability and the right to withdraw consent at any time. Unless otherwise indicated in the various processing steps, you can exercise your rights by contacting datenschutzanfrage@munich-airport.de. Further information on the processing of your personal data when asserting your rights or other data protection inquiries can be found in Individual processing activities in the appropriate section.

6.1 Information

The data subject has the right pursuant to Art. 15 GDPR to obtain information from the controller on the processing of his/her personal data by the controller. Please note that this right may be restricted under certain circumstances in accordance with statutory regulations (in particular Section 34 of the German Data Protection Act (BDSG)).

6.2 Rectification

The data subject has the right pursuant to Art. 16 GDPR to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Depending on the purposes of the pro-cessing, the data subject has the right to have incomplete personal data completed.

6.3 Right to restriction / blocking of processing

The data subject has the right pursuant to Art. 18 GDPR to obtain from the controller restriction of processing of personal data pertaining to him/her.

By way of clarification, please note: To ensure that a data block can be complied with at all times, it is generally necessary to keep certain personal data of the data subject in a restricted data file.

6.4 Erasure

The data subject has the right, pursuant to the criteria set out in Art. 17 GDPR, to obtain from the controller the erasure of personal data pertaining to him/her.

6.5 Objection

The data subject has the right, pursuant to the criteria set out in Art. 21 GDPR, to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds warranting protection for the processing which override your interests, rights and freedoms or which serve to establish, exercise or defend against legal claims.

6.6 Withdrawal

The data subject has the right to withdraw his/her consent with future effect at any time. The withdrawal of consent shall not affect the lawfulness of processing of personal data based on consent granted prior to the withdrawal.

6.7 Data portability

The data subject has the right, pursuant to Art. 20 GDPR, to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and to transmit the data to another controller or to have the data transmitted directly from one controller to another.

6.8 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if they believe that the processing of personal data relating to them violates the law. The supervisory authority in the state of Bavaria responsible for the non-public area of the airport is the Bavarian State Office for Data Protection Supervision, Ansbach.

7. Exercising the rights of the data subject

This information about the processing of your personal data refers to the processing and answering of your inquiries in accordance with art. 15-21 of the General Data Protection Regulation (GDPR).

Flughafen München GmbH (in the following: FMG) or the subsidiary/affiliated company to which your data protection inquiry refers or to which you addressed your inquiry are responsible with respect to legal data protection.

The contact data can be found in section 1 of this data protection declaration. The contact data of the identified data protection officer can also be found here.

Note: Inquiries that affect subsidiaries/affiliated companies of FMG must be addressed directly to the subsidiary/affiliated company of FMG. A current overview of the corporate structure can be found on the website under https://www.munich-airport.com/company-profile-263193.

Please note that many other companies are also active on the premises of the Munich airport and these companies may - on their own responsibility - process data about you. This refers, for example, to airlines that start and land on the Munich airport. The respective inquiries should be addressed directly to the data protection officers of the respective airline. An overview of the airlines can be found here.

7.1 Description and scope of the specific data processing

7.1.1  Coordination/processing/answering of your inquiry

On one hand, we process your personal data for the on-time, content-correct and complete processing and the answering of your inquiry. For this purpose it is required to hand your inquiry to selected internal FMG departments that can normally process your personal data and therefore can research for applicable personal data.

In close cooperation with the data protection officer of FMG, the corporate Compliance unit reviews your inquiry, performs an identification with the affected departments, coordinates the obtaining of the required information, prepares the answer to your inquiry and answers it centrally addressed to you. An external legal advice is obtained if this is required.

The department selection is made individually and depends on your relationship with FMG (whether you are, for example, a passenger, a subscriber of a newsletter, participant in contests, user of the free WIFI, user of the contact form of the website, user of the online parking lot booking, supplier or other contract partner, etc.).

The personal data that you transmitted to us directly through your inquiry and those that we process based on the FMG services that you used are processed.

This can, for example, include the following data:

  • Salutation, name (last and first)
  • Address
  • Email address, phone, fax number
  • IP address, log files,
  • Time stamps (day, date, time)

A complete, final listing of all data is not possible, because it depends on your specific inquiry and the services used by you.

The processing activity does not generally include special categories of personal data (e.g. health data, data about religious or ideological beliefs, data about the racist or ethnic family background). However, this may be possible in individual cases if it is necessary for the processing of the specific inquiry.

7.1.2 Answer and documentation of completed inquiries

After we answered your inquiry, we store our answer delivered through the respec-tive communication channels as well as the associated documentation.

Stored are through this process:

  • Your inquiry
  • The internal compilation of the provided documentation
  • The provided documentation
  • A digital copy of the answer (e.g. by email or the fax/letter answer stored in a PDF format)

This also affects inquiries that were answered by us with a required identification question about your person and which could not be further processed due to the lack of an identification confirmation by you.

7.2 Purposes and legal principles

7.2.1 Processing/answering of your inquiry

We process your personal data for the purpose of the on-time processing and answering of your inquiry. The obligation for answering is based on our own commitment to the transparency against the affected persons as well as the GDPR-conforming processing of personal data. The processing and answering of your inquiry is also based on the requirements in section III GDPR, especially art. 12-21 GDPR (legal basis art. 6 para. 1 lit. c GDPR).

Our justified interests to correctly and completely answer your inquiry with regards to content in a timely manner are also based on the above (legal basis art. 6 para. 1 lit. f GDPR). The processing of your personal data as described here is required for this purpose. Basic rights and freedoms of third parties must be incorporated accordingly.

7.2.2 Answer and documentation of completed inquiries, legal defense

We store the required documents for completed and answered inquiries by affected persons for a specified time to counteract possible later legal disputes (especially for the defense against claims) and to be able to address accountabilities (especial-ly against the regulating authority). Our justified interests are also based on the above (legal basis art. 6 para. lit. f GDPR). The processing of your personal data as described here is required for this purpose.

7.3 Recipients of personal data

7.3.1 Processing/answering of your inquiry

  • Internal FMG departments that can potentially process your personal data 
  • Corporate area Compliance by FMG
  • Data protection officer of FMG
  • Possible IT service providers as processors
  • In an individual case: External partners for the processing/answering of the inquiry or the defense of legal claims (e.g. external lawyer's offices)
  • Courts, public authorities or other government bodies in case of legal obligations

7.3.2 Answer and documentation of completed inquiries

  • Corporate area Compliance by FMG
  • Data protection officer of FMG
  • Possible IT service providers as processors
  • In an individual case: External partners for the processing/answering of the inquiry or the defense of legal claims (e.g. external lawyer's offices)
  • Courts, public authorities or other government bodies in case of legal obligations

7.4 Transmissions to third countries

A transfer of your above mentioned personal data to third countries does not take place.

7.5 Storage duration

The data is archived for up to three years. This period is in accordance with the regular period of limitation for claims as per § 195 BGB. The period starts with the end of the year in which the first claim was generated (§ 199 para. 1 BGB) if a different start of the period of limitation has not been determined.

The data is deleted if the data is no longer needed and if the legal archiving obliga-tions do not oppose this.

7.6 Source of the data

Your personal data that we handle as part of the processing and answering of your inquiry are regularly provided by you. We either received the data from you as part of the inquiry, or the personal data are the result of the service booked by you, or the service used by you. We do not use any other source for the data acquisition. In individual cases, however, it is possible that third parties have transmitted certain data about you to us (e.g. an airline you use, with which you take off or land at Munich Airport).

7.7 Requirement of the provision of personal data

The provision of your personal data is not legally or contractually required, or re-quired for the establishment of a contract. You are not obligated to provide your da-ta.

However, the non-provision of your data may result in the fact that we cannot allo-cate certain data that is stored in our devices to your person and therefore cannot process and answer your inquiry or can only partly process and answer your inquiry.

7.8 Automated decisions, profiling

An automated decision making in accordance with art. 22 GDPR that causes a legal effect against you or a profile generation do not take place.

7.9 Option for removal/for revocation

By addressing datenschutzanfrage@munich-airport.de, you have the option to object to the processing of your personal data. However, a revocation may result in the fact that we cannot process and answer your inquiry or we cannot completely process and answer your inquiry.

Additional information about your rights in accordance with art. 15-21 GDPR can be found under item 6 of the data protection declaration.


8 Changes to the Privacy Statement

We reserve the right to amend this Privacy Statement to ensure that it is always in compliance with the current legal requirements or to implement changes in our services in the Privacy Statement, e.g. when introducing new services. For your next visit to our website the new Privacy Statement will then apply.

9 Status

Jan. 2023