Privacy policy

Every time the contents of our websites are accessed, data are stored that may permit identification of data subjects.

The following data are collected:

• date and time of access
• server traffic at time of access
• IP address
• page visited on our website
• message indicating whether page retrieval was successful
• transferred data volume
• information on the device used (mobile device, desktop, etc.), operating system, browser type and versions

The temporary storage of these data is necessary for processing the site visit in order to ensure that the website can be made available. Further data storage in log files takes place to ensure the functionality of the website and the security of the IT systems. These stored data are analyzed exclusively for purposes of analyzing technical malfunctions and possible attacks on our website. In addition, the data can by analyzed anonymously for statistical purposes.

Categories of recipients
Some websites are operated by external hosting services and/or through external agencies. They act on our behalf as external processors and process the data exclusively in accordance with our instructions.

Duration of storage
To be in a position to conduct proper investigations of technical malfunctions or possible attacks on our website and report as needed to regulatory bodies and security authorities, we delete or anonymize the log files within 14 days at the latest.

Legal basis
The legal basis for the related processing of your data is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in maintaining the functionality of our website and performing statistical analysis of the use of our website). 

3.2.1 General information on cookies

Cookies are small files in which certain information is stored either in open or encrypted form. Cookies are sent from the server to your computer and stored there. They initially serve to identify the computer from which our website was accessed. If you log in to our website, cookies serve to notify the server of your login and check the authorizations to retrieve the page.

Cookies can help to improve communications between our server and your computer and therefore make it easier to use our website. Cookies also make it possible to track the path of a user across various pages of the website and possibly across various websites. In addition, cookies can store information of any kind.

Cookies can originate not only with the operator of the website but also with third-party providers. In your browser you can display a list of the cookies stored on your computer, delete some or all of these cookies, or select settings to deactivate or limit the storage of cookies. Please note that some functions (e.g. the login) will not work, or will not be fully functional, if you deactivate the storage of cookies.

Every cookie has an expiry date when it is no longer valid and will be automatically deleted. Details on the expiry dates for certain cookies are described in the sections below.

You can object to the use of cookies that permit the analysis of your user behavior: Tracking Preferences. Details are provided in the following sections. Please note: If you delete the cookies stored in your browser after objecting, you may have to click the links provided here again because the objection to the use of cookies containing personal data will also be documented in the form of anonymous (non-personal) cookies.

Consent management tool 

We have integrated the consent management tool "consentmanager" (www.consentmanager.net) from Jaohawi AB (Håltgelvågen 1b, 72348 Västerås, Sweden, info@consentmanager.net) on our website to obtain consent for data processing and use of cookies or comparable functions. With the help of "consentmanager" you have the possibility to give your consent for certain functionalities of our website, e.g. for the purpose of integrating external elements, integrating streaming content, statistical analysis, measurement and personalized advertising. With the help of “consentmanager” you can grant or reject your consent for all functions or give your consent for individual purposes or individual functions. The settings you have made can also be changed afterwards. The purpose of integrating “consentmanager” is to let the users of our website decide about the above-mentioned things and, as part of the further use of our website, to offer the option of changing settings that have already been made. By using “consentmanager”, personal data and information from the end devices used, such as the IP address, are processed.

The legal basis for processing is Art. 6 Para. 1 S. 1 lit. c) in conjunction with Art. 6 para. 3 sentence 1 lit. a) in conjunction with Art. 7 para. 1 GDPR and, in the alternative, lit. f). By processing the data, we help our customers (according to GDPR this is the responsible party) to fulfill their legal obligations (e.g. obligation to provide evidence). Our legitimate interests in processing lie in the storage of user settings and preferences with regard to the use of cookies and other functionalities. "Consentmanager" stores your data as long as your user settings are active. The log data will be deleted after three years. It may happen that we ask you again for your consent. This query takes place after one year at the latest.

You can object to the processing. You have the right to object to reasons arising from your particular situation. To object, please send an email to info@consentmanager.net.

3.2.2 Analytical cookies used on our websites

3.2.2.1 etracker

On our website, we also use the service “etracker Analytics” from etracker GmbH, Erste Brunnenstrasse 1, 20459 Hamburg, Germany (www.etracker.com). Since the privacy of our visitors is important to us, data that could potentially be linked with a specific individual such as IP addresses, log-in IDs or device IDs is anonymized or pseudonymized at the earliest possible point. It is not used in any other manner, aggregated with other data or shared with third parties.

You can find further information on data protection at etracker.

The etracker is used on our website by means of anonymous web analysis without the use of cookies (cookie-less). If you do not refuse anonymous web analysis, your user behavior on this website will be recorded exclusively without cookies (cookie-less). More detailed information on this can be found at etracker - Cookie-less-etracking.

In this case, the data processing takes place on the basis of the statutory provisions under Art. 6(1) (f) (legitimate interest) of the General Data Protection Regulation (GDPR). Our concerns within the meaning of the GDPR (legitimate interest) is the optimization of our online services and our web presence. You can object to the anonymous web analysis at any time:

Recipients
The recipient of the data is the processor and the responsible departments.

Transmission to third countries
The data generated with etracker is processed and stored by etracker exclusively in Germany on behalf of the provider of this website and is thus subject to strict German and European data protection laws and standards. No transmission to third countries takes place.

3.2.2.2 Matomo - LabCampus

For the LabCampus website, we use Matomo (formerly Piwik), an open source software for statistical analysis of visitor access. Cookies are used, which are saved on your computer for up to 13 months and enable a statistical analysis of the use of the website.

In this context, usage information including the shortened IP address of the accessing computer is transmitted and stored for analysis purposes. By shortening the IP address, website users remain anonymous. Only a "session ID" (cookie) is carried and stored as the common key of a page visit. A "session" ends when the web browser is closed.

The website access information used for usage analyses includes date, time, location (city), browser type, capabilities and language, operating system/device type, length of website visit, visits by server and local time, pages visited, usage history, search engine used and search terms used to access the LabCampus website, URL referencing the LabCampus website.

By "turning off" the tracking, a so-called opt-out cookie is generated in the web browser. This causes Matomo to no longer collect the usage data of this website visit. Note: If this opt-out cookie is deleted by the user in the web browser settings, the collection of statistical data by Matomo is reactivated.

The recipient of the data is the commissioned processor (Büro am Draht GmbH) as well as the responsible departments of LabCampus GmbH. The statistical data generated by the website visit is used exclusively by LabCampus GmbH to improve the online offer and the most targeted use of resources. No other use, combination with other data or transfer to third parties takes place.

The legal basis for the placement of the Matomo cookie on your terminal device is §25 TTDSG (consent).

The legal basis for the data processing associated with our use of Matomo is Art. 6 para. 1 p. 1 lit. f) DSGVO (balancing of interests, based on our legitimate interest in continuously adapting the design of the website to the interests and needs of users).

If you do not consent to the placement of the Matomo cookie, no placement will be carried out. Once you have given your consent to the placement, you can revoke this at any time with effect for the future via the data protection settings of the Consent Manager.

You can object to the described (downstream) data processing at any time, as far as it is person-related. Your opt-out will not have any adverse consequences for you. To do so, please contact: datenschutzbeauftragter@munich-airport.de.

You can find more information about Matomo here.

3.2.3 Pixels and advertising cookies used on our websites

In order to learn more about the interests and demands of our visitors, we use special tools for the efficient performance of surveys that allow us to ask you for your feedback at certain touchpoints and at specific times. The providers of these tools render their services for us as part of data processing and are thus bound by our instructions.

We generally design our surveys so it is not possible to draw conclusions about individual persons during analysis and potential publication (de-facto anonymous data). This means that based on the information you provide and the supplementary knowledge that the party authorized to access it has, it is impossible to trace back to you with reasonable effort. The employees conducting the evaluation do not have access to data that would allow for personal attribution. Please make sure that the information you enter, e.g. in free text fields, does not contain any data that could allow conclusions to be drawn about you or third parties. Participation in user surveys is voluntary.

3.3.1 Purpose of processing

To collect feedback and evaluate the motives and interests of our visitors.

During technical performance of anonymous surveys, the following data is processed via links to our website or printed QR codes:

• Local storage data (e.g. language setting)
• Information about the device used (type of device, including device name, manufacturer, and version), operating system, and browser (including the version of each)
• Error logs
• Answers (open and completed) to the questions asked in the survey

While it is not possible to trace back to individual persons, this cannot be technically ruled out, especially in individual cases depending on the device used or based on the answers you provide in free text fields.

Data may also be stored and retrieved on your devices as part of the technical performance of surveys. The following cookies are implemented during use:

• Session cookie: this is used to recognize participation in an ongoing survey; to assign the correct questions, pages, and provided answers; and to attribute current participation. Cookies are deleted when the browser is closed.
• CSRF token: this is used to protect the participant’s data from cross-site request forgeries. The token is deleted when the browser is closed.

If we proactively e-mailed you about participating in surveys, the following data is also processed as part of such personally addressed surveys, polls, and interviews:

• Name
• E-mail address
• Answers (open and completed) to the questions asked in the survey

3.3.2 Legal basis

For temporary processing of personal use data for the technical performance of surveys, we process your data as part of a balancing of interests pursuant to Article 6(1)(f) GDPR (based on our legitimate interest in asking visitors to our website about certain topics while balancing your interest in having performance designed with as little data as possible).

The legal basis for the performance of personal surveys and e-mail contact is Article 6(1)(a) GDPR. To the extent that anonymous surveys are conducted on internal matters, the legal basis for contact and for technical performance of the survey is established in Article 6(1)(f) GDPR (based on our legitimate interest in asking visitors to our website about certain topics while balancing your interest in having performance designed with as little data as possible).

3.3.3 Categories of recipients:

The surveys are performed by the specialist departments of Flughafen München GmbH that are assigned to do so. Personal data is not transmitted to third parties.

Survey tools provided as part of data processing

• Lamano GmbH & Co. KG, Prenzlauer Allee 36G, 10405 Berlin, Germany. Additional information on data protection at Lamapoll.
• Informizely B.V., WG-plein 425, 1054SH, Amsterdam, Netherlands. Additional information on data protection at Informizely.

3.3.4 Transmission to third countries

3.3.5 Duration of storage

3.3.6 Options for removal or revocation

Our website uses Google Maps to represent our location and generate directions. Google Maps is an online map service by the US company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

When retrieving a page on our website requiring a map, your browser will create a direct link to the Google servers and retrieve a map to display on your screen. To use Google Maps functions, it is necessary to process your IP address and information on your possible use of the map. This information is transmitted by your browser to a Google server in the USA and processed there by Google. At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. 

In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, Google has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.  

Further information on the handling of user data is available in the Google privacy statement.

The legal basis for processing is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in showing visitors to our website their current location and information on directions to the airport).

We embed YouTube videos in our web pages. The operator of the correspondent plugins is YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA ("YouTube"). YouTube is a subsidiary of the US company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

When retrieving a page on our website containing an embedded video, your browser will create a direct link to the YouTube servers to retrieve and run the video content on your screen. To use this function, it is necessary to process your IP address and information on your possible use of the map. This information is transmitted by your browser to a YouTube server in the USA and processed there by YouTube. At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. 

In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, Google has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.  

Further information on data protection at YouTube is available in the Google privacy statement.

The social media channels used by us are described in detail in the sections below. We have a presence on the social media platforms of the following companies:

The purpose of these social media channels is to advertise our products and services and communicate with interested parties or customers.

When you contact us through one of these social media channels, we process the personal data associated with your query in the course of processing the query itself. These data are deleted as soon as the query is fully answered and statutory retention or archiving obligations no longer apply (e.g. in case of subsequent settlement of a contract).

The legal basis for the related data processing is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in presenting our products and services and communicating with interested parties or customers).

The Munich Airport website uses the software application “Eye-Able®” from Web Inclusion GmbH. This tool enables visitors to the website to use a button on the edge of the screen to adjust font sizes, contrasts, and filters and to save their personal settings. The files required for the application, such as JavaScript, style sheets and images, are loaded from a server operated by Flughafen München GmbH. When functions are activated, Eye-Able uses the browser’s local storage to save the settings. All settings are saved locally on your device and are not passed on.

3.7.1 Purpose of processing

With the support of the "Eye-Able®" tool, we want to give users easier access to our information online.

3.7.2 Legal basis

The legal basis for the technically required inclusion of the "Eye-Able®" service is our legitimate interest in ensuring equal participation of all people, which outweighs the data subjects’ interest in particularly data-minimized processing of their data when visiting our website in accordance with Art. 6 Par. 1 f) GDPR.

3.7.3 Recipients

The files required for the "Eye-Able®" software application, such as JavaScript, style sheets and images, are loaded from a server operated by Fluhafen München GmbH. When functions are activated, "Eye-Able®" uses the browser’s local storage to save the settings as adjusted by the user. All settings are only saved locally on your device and are not passed on.

3.7.4 Transmission to third countries

There is no transmission to third countries.

3.7.5 Possibility for removal

The locally saved files and settings can be removed by clearing the browser cache.

The main website of Flughafen München GmbH and its subsidiaries is www.munich-airport.de (in German) and www.munich-airport.com (in English).

This Privacy Statement also applies to all other websites of Flughafen München GmbH and its subsidiaries that are linked to it, in particular the following websites:

We offer you the option of using a contact form to ask us for information or support on specific questions.

Categories of personal data
We collect your first and last names and email address in any case so that we and/or our system partners to which your query is addressed can contact you.

When you submit the contact form, the current IP address of the sender is saved for security reasons. Your data will be processed and treated confidentially in compliance with the applicable data protection regulations.

We will store and process your data only to the extent and as long as required for handling your message.

In order to process your inquiry in a subject-specific manner and to forward it internally to the right contact person, Munich Airport International GmbH, a subsidiary of Flughafen München GmbH, collects the following additional data in addition to the personal data mentioned: company & position.

Categories of recipients
In some cases, it will be necessary to forward your data to system partners such as airlines, government authorities or other companies in the FMG group to respond to your feedback. In addition, your data can be transmitted to external service providers for website support.

Legal basis
The legal basis for the related processing of your data is Art. 6 Par. 1 sentence 1 b) GDPR (performance of a contract and steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest: in answering queries from our customers and other interested parties).

Google reCAPTCHA

Our website uses Google reCAPTCHA to check and prevent automated servers ("bots") from accessing and interacting with our website. This is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (hereinafter: Google).

Through certification according to the EU-US Privacy Shield https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active Google guarantees that it will follow the EU's data protection regulations when processing data in the United States.

This service allows Google to determine from which website your request has been sent and from which IP address the reCAPTCHA input box has been used. In addition to your IP address, Google may collect other information necessary to provide and guarantee this service.

The legal basis is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the security of our website and in the prevention of unwanted, automated access in the form of spam or similar. Google offers detailed information at https://policies.google.com/privacy concerning the general handling of your user data.

4.3.1. Newsletter Flughafen München GmbH

If you primarily wish to receive contents relevant to you, then select personalized information.

4.4.1 User profile

To present content that is relevant to you, we need an optimal understanding of your interests. For this per-sonalized information, we therefore create a personalized user profile for you.

In this personalized user profile, we save identifying characteristics such as your name and email address together with your contractual and usage data. This ensures that we can personalize our services for you. For example, in the newsletter you will only receive content provided on countries that are likely to interest you or special tips for business travelers – depending on the aspects that apply to you.

4.4.2 Data sources

In the user profiles, we collect data from various sources within the Munich Airport group of companies to arrive at the best possible overview of your interests. These sources are based on the declarations of consent submitted by you and may include the following data:

• the airport website
• the airport newsletter
• the PASSNGR app
• online parking reservations
• WLAN registration at the airport
• booking/reserving airport tours, lounges, events and other offers
• input in contact and feedback forms
• participation in contests offering prizes
• bonus and customer loyalty programs
• suggestions for improvements submitted through electronic channels
  
  

4.4.3 Contractual and usage data for personalization

• cookies, and in particular long-term cookies
• start and end time of use
• opening the newsletter, app or other services
• functions and pages accessed over time
• clicking on newsletter content
• origin of use, e.g. whether a search engine was used first
• duration of page views
• salutation
• first name
• last name
• address
• Email address
• consents, e.g. to receive a newsletter or for the use of mobile apps
• date of birth
• payment and transaction data
• telephone number
• other contractual data
  

4.4.4 Withdrawal of user profile

You can withdraw your consent for the storage of your personal data at any time. In addition, you can un-subscribe at any time using the following email address, for example: newsletter.abmeldung@munich-airport.de. Revoking your consent has no effect on the legality of the processing up to the time of revocation. Due to the lead times of the technical and organizational processes, it is possible in exceptional cases that the personalization of content as described in this section will continue for up to 48 hours after your with-drawal of consent.

The free wifi coverage at Munich Airport is provided by Telekom Deutschland GmbH. Consequently, the separate terms and conditions for the HotSpot and the privacy statement of Telekom Deutschland GmbH shall apply. Flughafen München GmbH grants access to the WLAN of Telekom Deutschland GmbH.

Purpose of processing and categories of personal data
If you wish to use the free wifi, you must identify yourself as a user with your email address. In addition to your email address, we collect the following data:

• the exact time of access,
• your browser version,
• IP address of your end device,
• number of times free wifi is accessed and
• your consent to our terms and conditions for free wifi

We collect this data for the following purposes:

• Contacting if necessary for the purpose of contract fulfilment (in accordance with the General Terms and Conditions (GT&C) for wifi) or processing (e.g. in connection with a possible violation of the contractual terms and conditions of use)
• Provision of a free wifi for an additional passenger and visitor service

When you register to subscribe to our email newsletter, the data provided by you are also used for that purpose: privacy statement for the newsletter.

Legal basis
As part of our contractually agreed terms of use (GT&C), personal data is used for the purpose of executing the contract. In this case, Art. 6 Par. 1 sentence 1 b) GDPR is the basis for permission under data protection law. Individual users can be temporarily or permanently blocked, e.g. in particular if the terms of use are violated.

In addition, the data processing is based on Art. 6 Par. 1 sentence 1 f) GDPR balancing of interests, based on our legitimate interest in providing the user with free wifi and thus offering an additional service, e.g. for better orientation at the airport.

Categories of recipients
When you are transferred to the wifi access page of Telekom Deutschland GmbH, we also transfer the email address provided by you to that company.

We may transmit data relating to you that we have stored to courts, authorities or other governmental bodies if this is necessary to prosecute statutory violations or if we are under the obligation to render information to the respective public body for other reasons.

Apart from the foregoing, we do not transmit your data to third parties.

Duration of storage
We delete the data collected in connection with your access to wifi no later than six months after you use the wifi service.

The indicated storage periods may be exceeded in exceptional cases if and to the extent that the data in question are needed for a longer period (e.g. for purposes of the required investigation and/or prosecution of a possible violation of the terms and conditions of the contract for use of the service).

Revocation / objection / elimination options
Your processed personal data are, provided they are based on the lawfulness of the processing according to Art. 6 Par. 1 sentence 1 b) GDPR, required to ensure the implementation of the terms of use. There is consequently no possibility of objection to personal data processing in this regard.

For all processing activities that we base on our legitimate interests, you have acc. Art. 21 (1) GDPR, you have the right to object to the processing at any time for reasons that arise from your particular situation.

Cookies

Only technically necessary cookies are used on the wifi websites. These are specifically the following functional cookies:

• f5_cspm
• f5avr2042896050aaaaaaaaaaaaaaaa
• TS01*

The purpose of the data processing is the technically perfect provision of the site.

Categories of recipients
There are no data available to third parties.

Duration of storage
The cookies are deleted after each session of the visitor. The data will not be passed on to third parties.

Legal basis
The legal basis for the corresponding processing of your data is Art. 6 Par. 1 sentence 1 f) GDPR, with the legitimate interest to be able to provide the site and its content.

This privacy policy applies to photography, video and sound recordings (referred to below as "images and recordings") created by Flughafen München GmbH on various occasions (e.g. photo shoots, events). This privacy policy does not apply to data processing in connection with surveillance measures (e.g. video monitoring).

The images or recordings may be made in connection with photo shoots or events, for example. For this purpose, we will either obtain your consent in advance or at least inform you in your personal invitation or on location (e.g. in case of public events without personal invitations) that such images or recordings will be made. We do not secretly produce images or recordings.

Categories of personal data
In addition to the photos, video and sound recordings, we may process other personal data that we collect from you (such as your name and email address) in connection with the recording.

Flughafen München GmbH may use the images and recordings for print publications, in broadcasting or in electronic media for corporate communications (e.g. reports, flyers, posters, brochures, presentations, websites, intranet, press releases) and for documentation purposes (e.g. archives). The images and recordings may be shared with third parties (e.g. journalists) and disseminated in social media (e.g. Facebook, Twitter). The possible uses of the images or recordings includes all known and unknown uses as well as the editing and modification of the images or recordings. Flughafen München GmbH may grant the same utilization rights to its subsidiaries and participating interests. However, images and recordings will be utilized as de-scribed here only to the extent that this is covered by a basis for authorization (e.g. consent, contract, law).

Duration of storage
If you have granted us your consent or if we have entered into a contract with you, the data will be deleted with the expiry of the consent or contract. If we are processing the data on the basis of a legitimate interest pursuant to Art. 6 Par. 1 f) GDPR, the data will be deleted when the legitimate interest no longer applies.

For FMG employees only: If the recordings are made for purposes of establishing and implementing an employment relationship, we will delete them when the corresponding purpose is fulfilled. If the processing is regulated in a works agreement, the storage periods may be stipulated in that agreement.

Statutory archiving periods may require us to store the data for a longer period on the basis of Art. 6 Par. 1 c) GDPR.

Categories of recipients
If we have obtained the necessary utilization rights for the recordings, we will transfer the recordings to our subsidiaries and participating interests as required so that they can also use them. In all other respects, we will forward your data to our service providers only in compliance with the applicable data protection laws. Our service providers who may be granted access to the recordings and data include IT service providers, printers and advertising agencies.

For our image database we use a solution provided by CELUM GmbH, Passaustrasse 26-28, 4030 Linz, Austria ("CELUM"). The image database is maintained on our servers. CELUM may access the images when providing support. We have entered into an external processing agreement with CELUM under which CELUM has undertaken to process personal data only in accordance with our instructions. Further information on data protection at CELUM is available at: https://www.celum.com/en/privacy-cookie-policy/.

To the extent that we are permitted to use your recordings in social media channels, we cannot preclude the possibility that they will be transmitted into a country outside the EU. The US social media servers used by us are certified under the EU/US Privacy Shield Framework and are obliged to comply with the provisions of the GDPR.

It is also conceivable that, as part of our international media relations and corporate communications, we will transfer some recordings or images in compliance with the applicable data protection regulations to media, press representatives or agencies outside the EU and the European Economic Area so that the recordings or images can be published there.

Legal basis
If you have granted us consent, the legal basis for processing is Art. 6 Par. 1 a) GDPR. If consent is granted by employees of FMG, the legal basis of processing under data protection laws in this case is Art. 6 Par. 1 a) GDPR in conjunction with Section 26 Par. 2 of the German Data Protection Act (BDSG).

If we conclude a contract with you (e.g. for a photo shoot), then the use of the recordings and other personal data will serve the purposes of executing the contract and will take place in accordance with our contractually agreed utilization and exploitation rights. In that case, the legal basis for processing under data protection laws is Art. 6 Par. 1 b) GDPR.

If the recordings are made for purposes of establishing and implementing an employment relationship with FMG, the primary legal basis for processing is Section 26 Par. 1 BDSG.

We will produce photos, video or audio recordings at events etc. without your consent and without a contractual agreement only if a legitimate interest applies in accordance with Art. 6 Par. 1 f) GDPR. Such a legitimate interest may result from the provisions of Section 23 of the German Art Copyright Act (KUG). This is conceivable, for example, in case of:

• images of historical interest in which you appear;
• images in which you can be seen incidentally near a specific location or
• images of gatherings or public events in which you participated.

In addition to the original purpose for producing the recordings, we may also store recordings and the related data for documentation or archiving purposes unless this is prohibited under contractual or statutory regulations. In this case, our legitimate interest in accordance with Art. 6 Par. 1 f) GDPR is the use of the recordings for publications on our company's history.

To the extent that we process data in accordance with Art. 6 Par. 1 f) GDPR, we always give due consideration to the question of whether you have overriding interests in the specific case at hand that outweigh our legitimate interests in using the data.

Passngr is the app shared by a number of German airports. With this app, you always have all of your travel information on hand: your flight data, important information for finding your way in your departure and arrival airports, and the most convenient way of getting to and from the airport. The Passngr app is offered and operated by InfoGate Information Systems GmbH, a subsidiary of Flughafen München GmbH.

For the Passngr app website (https://www.passngr.de), the general privacy information for websites provid-ed in this Privacy Statement applies. In addition, you can enter your mobile phone number on this website to ask for a link to be sent to the Passngr app on your phone. We will use your mobile phone number for this purpose only and will then delete it.

The privacy policy for the Passngr app can be accessed directly from the app under "Settings" – "About the Passngr app".

1. Description and scope of the specific data processing
You can quickly and easily make advance parking reservations on our website at parken.munich-airport.de. The provider and contractual partner is Flughafen München GmbH.

During the booking process for your parking space, the following data are collected:

• company
• salutation
• first name
• surname
• address
• e-mail address
• telephone number
• other contract data (planned and actual start of parking, planned and actual end of parking, product, parking area / parking garage, price, possible promotions or promotion codes)
• time of booking
• payment details
• affiliate network

If you register with us or book without a customer account, we will collect, save and process the above data to make the booking process easier for you. We use your data, among other things, to confirm and provide the booked services (including additional services), invoice processing, reimbursement in the event of cancellation, quality assurance, contact if necessary, e.g. in the case of rebooking, car park or product changes or air traffic restrictions. You can have your customer account deleted by sending an email to our Customer Service Center (info.parken@munich-airport.de). A deletion only takes place after the completion of any ongoing or future parking processes and the associated payment processing.

In addition to booking your parking space, we offer you optional additional services during the booking process, so-called premium services such as a car wash, interior cleaning, etc. In addition to the data mentioned, we also collect the following data:

• license plate
• vehicle manufacturer
• vehicle model
• vehicle color

The additional services are carried out and carried out by our service provider. If the additional services are booked, a copy of the booking confirmation will be sent to the service provider's scheduling department. The service provider can thus plan the corresponding resources for the implementation of the service more efficiently and better allocate the vehicle for the implementation of the service. This also facilitates customer communication, especially when booking additional services.

2. Purposes of processing
1) Booking of parking spaces
2) Booking of additional services such as car wash and interior cleaning

3. Legal bases
The legal basis for the appropriate data processing are

• article 6 Par. 1 sentence b) GDPR, fulfillment of the contract for the online booking of parking spaces and the booking of any additional services including online booking conditions, airport usage regulations
• article 6 Par. 1 sentence c) GDPR: fulfillment of the legal obligation to comply with statutory retention periods with regard to the storage of invoices for the services provided

4. Storage period
After your booking, the data will be stored until the respective statutory retention period of ten years has expired. Data that you have additionally provided for booking an optional additional service will be stored for two years.

5. Recipient
The personal data you provide will be collected, stored and processed by us, our system provider as contract processors and the credit card acquirers or payment service providers involved to process your booking and the parking and payment process. In the event that additional services are booked, these will be transmitted to our service provider, who will save and process them.

6. Transmission to third countries
There is a transfer to the United Kingdom (processor location).

7. Options for elimination / revocation
Your processed personal data are, if they are based on the lawfulness of the processing according to Art. 6 Par. 1 sentence b) or c) GDPR, necessary in order to conclude / carry out the contract with Flughafen München GmbH as part of your parking process or the additional service you have booked guarantee. There is consequently no possibility of objection in this regard.

4.9.1 Description and scope of data processing

The number plate of your vehicle is read by an infrared camera when entering the parking area. After successful entry, the parking system stores the identified number plate along with the entry time and the entry post.

The number plate is also stored in the system for parking facility management purposes until the vehicle has exited the facility. 

The data are used exclusively for the purposes stated under 4.9.2 and will not be passed on to third parties.

In the automatic capture of number plates and the related processing of parking transactions, the following personal data are processed:

• The captured infrared image of the vehicle number plate in clear text, the parking facility used, the entry and exit device, the entry and exit times (date, time), the card number on the ticket or the medium used for long-term parking access.
• In case of short-term parking tickets and online reservations, the parking charge.
• In case of long-term parking tickets, the data of the contractual partner (last name, first name, company).
• In case of online reservations, the email and postal address.

4.9.2 Purposes of the data processing

Personal data are processed for the following purposes

1. Processing the parking transaction
2. Improved traffic flow
3. Opening barriers
4. Proof of parking times in case of improper reimbursement claims
5. Issuing receipts at a later date
6. Avoiding and prosecuting criminal offenses and property damage
7. Identifying and taking action against violations of parking facility regulations
8. Blocking number plates in the system

4.9.3 Legal basis for data processing

• For the purposes stated in 1, 2, 3, 4, 5, 7: Art. 6 (1)(b) GDPR
  Performance of contracts, e.g. contract for parking space rental / terms of use agreement, terms and conditions for parking, special terms and conditions for online bookings, Airport Rules and Regulations.

• For purposes 6 and 8: Art. 6 (1)(f) GDPR
  Safeguarding our legitimate interests (e.g. damage claims, controlling access to our premises, preventing the fraudulent evasion of parking charges).

4.9.4 Legitimate interests

4.9.5 Duration of storage

The number plate images are deleted from the parking system one day after the successful exit from the parking facility and the completion of the parking transaction. In the system that manages the parking facilities and stores the relevant data records, the record is deleted after 92 days.

4.9.6 Right to object / right to erasure

For all processing activities carried out by us on the basis of our legitimate interests, you have the right, on grounds related to your particular situation, to object to such processing at any time pursuant to Art. 21 (1) GDPR.

4.10.1 Airport tours

On our website at munich-airport.de/airport-tours you can find a selection of seasonal and year-round tours for adults and children where you can obtain in-depth insights into Munich Airport's operations.

The provider of the products and services is Flughafen München GmbH. The bookings and payment transactions are implemented by Regiondo GmbH with headquarters in Munich, Germany.

Categories of personal data
The following data are collected when tours are booked:

• first name
• last name
• email address
• telephone number
• tour data

Recipients
The personal data provided by you will be collected, stored and processed by us, Regiondo GmbH, and by the credit card acquirer or payment services provider involved in the processing of your booking and the tour and payment transaction.

Duration of storage
After your booking, the data collected will be stored until the end of the applicable statutory retention periods of six and/or ten years.

Legal basis
The legal basis for the processing of your data described in this section is Art. 6 Par. 1 sentence 1 b) GDPR (contractual performance and steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 c) GDPR (compliance with legal obligation to comply with statutory retention periods).

4.10.2 Lounge bookings

You can find a list of lounges available at the airport on our website at munich-airport.de/lounges. For some of these lounges you can book tickets or vouchers through our website. The provider of the lounges that can be booked is Flughafen München GmbH. The bookings and payment transactions are implemented by Regiondo GmbH with headquarters in Munich, Germany.

Categories of personal data
The following data are collected when bookings are made:

• first name
• last name
• email address
• telephone number
• booking details
• payment data

Recipients
The personal data provided by you will be collected, stored and processed by us, by Regiondo GmbH and by the credit card acquirer or payment services provider involved in the processing of your booking and the lounge use and payment transaction.

Duration of storage
After your booking, the data collected will be stored until the end of the applicable statutory retention periods of six and/or ten years.

Legal basis
The legal basis for the processing of your data described in this section is Art. 6 Par. 1 sentence 1 b) GDPR (contract performance and steps prior to entering into a contract) and Art. 6 Par. 1 sen-tence 1 c) GDPR (compliance with legal obligation to comply with statutory retention periods).

4.10.3 Events

On our website at munich-airport-camarketing.regiondo.de and allresto.regiondo.de you can find events hosted by Flughafen München GmbH and Allresto Flughafen München Hotel und Gaststätten GmbH. For some of these events you can book tickets or vouchers through our website. The event providers are Flughafen München GmbH and/or Allresto Flughafen München Hotel und Gaststätten GmbH. The bookings and payment transactions are implemented by Regiondo GmbH with headquarters in Munich, Germany.

Categories of personal data
The following data may be collected when bookings are made:

• first name
• last name
• email address
• telephone number
• booking details
• payment data
• recipients

The personal data provided by you will be collected, stored and processed by us, by Regiondo GmbH and by the credit card acquirer or payment services provider involved in the processing of your booking and the event and payment transaction.

Duration of storage
After your booking, the data collected will be stored until the end of the applicable statutory retention periods of six and/or ten years.

Legal basis
The legal basis for the processing of your data described in this section is Art. 6 Par. 1 sentence 1 b) GDPR (contract performance and steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 c) GDPR (compliance with legal obligation to comply with statutory retention periods).

4.10.4 Events LabCampus

On our website labcampus.de you will find events organized by LabCampus GmbH. You can register online for some of these events via our website. The provider of the events and the person responsible under data protection law is LabCampus GmbH.

Contact the data protection officer: datenschutzbeauftragter@munich-airport.de.

Categories of personal data

The following data will be collected during registration:

• First name
• Surname
• Company
• Position (optional)
• E-mail address

Purpose of processing

Your data will be processed for event invitation, implementation and communication based on relevant legitimate interests. Without providing the required data, you will not be able to participate in the event. Following the event, we will send you a one-time email, together with a note on our services, with the most important information at the event.

Legal basis

The legal basis of the corresponding processing of your data is Art. 6 para. 1 lit. f DSGVO (legitimate interest of the responsible party).

Duration of storage

Your data that we process as part of the event will be deleted by LabCampus GmbH after the event has been held and the follow-up has been completed.

Categories of recipients & transfer to third countries

Your data will only be processed by LabCampus GmbH. A transfer to third parties or third countries is not intended.

Revocation/removal options

In the event of your objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. We would like to point out that in the event of an objection, participation in an event may not be possible. To exercise your rights of access, rectification, erasure, restriction of or objection to the processing and transfer of personal data, to lodge a complaint with the supervisory authority and for further information, please contact: LabCampus GmbH, P.O. Box 23 17 55, 85326 Munich Airport or by e-mail: events@labcampus.de,

The section of the Privacy Statement applies to our processing of personal data of participants in contests, prize draws or campaigns run by Flughafen München GmbH. If you subscribe to a newsletter when taking part in a contest, please note the privacy information regarding newsletters.

4.11.1 Implementation

For purposes of implementing the prize draw, we process the personal data of the participants – in particular the email address and, at the appropriate time, the address of the winner – which we need for recording the participants' details, notifying the winner and presenting the prize.

For purposes of implementing the prize draw, we store the participants' personal data until the draw is completed and the winner is notified and for a further period in case the winner does not reply when notified so that a new winner must be drawn.

In addition, we store the winner's personal data – including the address obtained when the winner is notified – to complete the necessary steps for awarding the prize and, if applicable, for the duration of any additional statutory retention periods.

Contest participants are not required by law or contractual provisions to provide the above-mentioned personal data. However, for purposes of entering into the contract, i.e. participation in the prize draw, it is necessary to provide the data in our registration form marked as mandatory (as opposed to optional input). The address of the winner obtained after the draw is necessary for sending the prize.

4.11.2 Forwarding data to other recipients

Unless otherwise indicated elsewhere in this Privacy Statement, we transfer your personal data to the following additional recipients or categories of recipients:

• Newsletter mailing and customer relationship management service providers
• Cooperation partners used by us to deliver our services

4.11.3 Legal basis

Legal basis for the data processing described in the section "Contests, prize draws, campaigns":

• consent of the data subject (Art. 6 Par. 1 sentence 1 a) GDPR
• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6 Par. 1 sentence 1 b) GDPR).
• legitimate interests (Art. 6 Par. 1 sentence 1 f) GDPR) Defense of legal claims

The municon conference center is operated by Allresto Flughafen München GmbH - Hotel und Gaststätten GmbH. The municon conference center is located at the heart of Munich Airport in the north building of the Munich Airport Center, thus providing a professional setting for meetings, training seminars, presentations or major events.

The website of the municon conference center offers the opportunity to complete a contact form to submit a callback request. Further information is available under Contact form.

Categories of personal data
The following data are collected when the request is submitted:

• salutation
• first name
• last name
• telephone number
• email address

Recipients
The data will be used exclusively to make the requested call and, if applicable, to book a conference room. The data will not be shared with third parties.

Legal basis
The legal basis for the data processing described in this paragraph is Art. 6 Par. 1 sentence 1 b) GDPR (contractual performance and steps prior to entering into a contract).

We offer you the possibility of using a contact form to contact us directly regarding aircraft noise. Relevant data collected in this case can be found under Contact form.

Categories of personal data

• name and contact data (e.g. telephone number, email address and postal address)
• location data to concretely specify the cause of the complaint and the underlying event

Special categories of personal data will be noted only to the extent that complainants provide such infor-mation on their own initiative. As they are not needed for the processing of complaints, no further processing will take place. Your data will be processed solely for the following purposes: Processing aircraft noise complaints, including reporting on the number and geographical distribution of aircraft noise complaints at the meetings of the Aircraft Noise Commission and in the Integrated Report of FMG (only the number of com-plaints).

Recipients
Personal data are sent to the following recipients or categories of recipients:

• recipients within the FMG Group (e.g. departments with a role in the processing of noise complaints)
• aircraft Noise Commission of Munich Airport (only information on the number and geographical distribution of noise complaints)
• interested members of the public through the Integrated Report (only the number of aircraft noise complaints)
• airport associations (only information on the number and geographical distribution of noise complaints)
• courts, public authorities or other government bodies in case legal obligations apply

Legal basis
Legal basis for the processing of personal data: Necessity to safeguard the legitimate interests of the controller or a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. (see Art. 6 Par. 1 sentence 1 f) GDPR). FMG has a legitimate interest in limiting the impact of airport operations on the surrounding residents in the interests of good relations with its neighbors and maintaining transparency with regard to environmental issues. In addition, legitimate interests result from the responsibilities of the Aircraft Noise Commission (Section 32b of the Aviation Act (LuftVG), Rules of Procedure of the Aircraft Noise Commission). The Aircraft Noise Commission is formed to engage in consultations with the approval authority, the Federal Supervisory Authority for Air Navigation Services (BAF) and the air traffic management organization. It is notified of measures taken to reduce aircraft noise to protect residents, but can also propose measures on its own initiative. To be able to discharge this responsibility, it is necessary to have knowledge of certain personal data, in particular geographical data and the related geographical distribution and number of aircraft noise complaints.

In case of inquiries under the Environmental Information Act (UIG) regarding the number and geographical distribution of complaints and the reason for the complaint, a special legal basis applies: the UIG.

We are pleased to provide you with the following information on how your personal data will be processed if you apply with Flughafen München GmbH and its subsidiaries, and what rights you have under data protection law. You can apply online through the applicant portal, by email or by regular mail. Your data will then be entered in the applicant portal and processed by the appropriate entity. The company within the Flughafen München Group that is responsible for your application and the processing of your personal applicant data is the company advertising the position or receiving your unsolicited application. Your application documents will be passed on to other companies within the Group or stored in the applicant pool only with your direct consent.

If you consent to your application being shared within the Group, your data may be passed on to the companies listed under section 1, "Controllers and data protection officers". This will increase your visibility and the possibility of being considered for a position.

If we find your application compelling but do not currently have a vacancy for you, we will be happy to include you in an applicant pool for the companies listed under section 1 once you have given your consent. That means you give us permission to store your application for a specified period of time and consider it for vacancies where applicable.

You can also apply for jobs with us through our social media recruiting partner’s platform and your personal account on this platform. The platform provider is responsible for processing data on the platform and within your personal account. Information on data processing can be found here:

https://hire.heyjobs.co/en-us/privacy-policy/

If you decide to apply to us from your personal account on the platform after seeing a vacancy, we process the following data in our account on the platform:

• First name and surname
• Cover letter for the specific position
• Telephone number
• E-mail address
• Other data that may also be requested depending on the job profile (e.g. qualifications, work experience)

When you send your application, these data are stored on the platform, e-mailed to the employees in the HR department responsible for recruitment and (manually) sent to our applicant portal so that we can continue to process your application. The further information on the subsequent flow of data and how your data is handled is the same as when data is processed directly via the applicant portal. Please see the explanations below for related information on the purpose, legal basis, recipient, duration of storage etc.

Recipients of your data may include the human resources department and the platform partner’s IT administrator. Applicant information stored in the account at our social media recruiting partner is automatically deleted no more than six months after it is received. Applicant information sent by e-mail is also deleted after no more than six months.

4.14.1 Purposes of data processing

We and the service providers acting on our behalf process personal data for the following purposes:

1. Filling posted positions and vacancies

2. Filling future vacancies (unsolicited applications)

3. Sharing within the Group

4. Reviewing or identifying further applications within the Group (multiple applications by the same candidate)

5. Protecting children (applicants under 16 years of age)

6. Ensuring the consent of legal guardians (applicants under 16 years of age)

Without the declarations of consent from the legal guardians, applications from applicants under 16 years of age cannot be accepted or can only be partially processed. This also applies when consent is revoked.

7. Safeguarding and protecting our rights

Changes in purpose:

8. In case you are hired, some of your personal data will also be used for purposes related to your employment relationship (e.g. to prepare your contract). The processing is carried out on the basis of the following legal provisions: Art. 6 Par. 1 b) GDPR in conjunction with Art. 88 GDPR in conjunction with Section 26 Par. 1 of the German Data Protection Act (BDSG).

9. If you consent to the inclusion of your data in the applicant pool, we reserve the right to consider your application for other current or future vacancies and (if you consent to "sharing within the Group") forward your application to the companies specified in section 1 as needed. For information on the storage and deletion of data, refer to the section "Duration of storage and possibilities to have data erased" below.

4.14.2 Legal basis

• Purpose 3 and 9: Your consent (Art. 6 Par. 1 a) GDPR in conjunction with Section 26 Par. 2 BDSG)
• Purpose 5 and 6: Consent of your parents for the processing of your application data (Art. 6 Par. 1 a) GDPR in conjunction with Art. 8 GDPR in conjunction with Art. 88 GDPR in conjunction with Section 26 BDSG)
• Purpose 1, 2 and 4: Taking steps prior to entering into a contract in response to your inquiry for potentially establishing an employment relationship (Art. 88 GDPR in conjunction with Section 26 Par. 1 BDSG) If there is a multiple application within the Group, the transfer will only be made with regard to the title, time and status of your application to the other Group company on the basis of our legitimate interest (Art. 6 Para. 1 lit. f DSGVO) for internal administrative purposes in order to simplify the application process.
• Purpose 8: Decision on the establishment of an employment relationship (Art. 88 GDPR in conjunction with Section 26 Par. 1 BDSG)
• Purpose 7: Safeguarding our legitimate interests (Art. 6 Par. 1 f) GDPR): Legitimate interests on our part relate to the assertion and protection of our rights.

Please note that more than one of the above legal grounds for processing may apply.

4.14.3 Categories of personal data

The following categories of personal data are processed:

1) Applicant data that you enter in the application form. This generally involves the following data:

• Salutation*
• Title
• First name*
• Last name*
• Date of birth
• Country*
• E-mail address*
• Telephone*
• Highest level of education completed / currently being pursued*
• Native language
• Foreign language

Fields marked with an asterisk (*) are required

In addition, depending on the specific job posting and target group, personal data may be required and processed in other input fields.

In case of applicants under 16 years of age (in particular for high school students' internships, other internships, vocational training and, in exceptional cases, also for other positions), the following additional data:

• Name and signature of the legal guardians
• Declarations of consent from the legal guardians

2) Applicant data which you provide by attaching documents (application documents, application photo, etc).

If you use the "Upload CV" function, the selected documents will be automatically extracted and analyzed. This is done by a subcontractor of the applicant portal operator.

3) Applicant data from other platforms (Xing, LinkedIn, Dropbox, etc.) that you allow to be transferred and processed by granting a release. This is done through automated extraction/analysis by the subcontractor of the applicant portal provider. Depending on the platform, a CV may be generated from the available profile data and attached to your application in addition to having your data imported into the application form. You may remove this attachment where appropriate.

That information includes – among other items – the following personal data if entered in the profile or document:

• Name and address data (title, salutation, last name, first name, street, postal code, city, country, etc.)
• Contact data (e-mail address, telephone number, etc.)
• Profile photo
• Current position
• Date of birth
• If applicable, other data categories contained in the document or displayed before obtaining your permission to access them.

4) Log data collected by the applicant portal provider to ensure proper system operation, error correction and defense against attacks.

This includes the following personal data, which is erased after 180 days:

• User name
• Applicant name (first and last name)
• IP address

5) We reserve the right to record applicant information (see 1) and documents in the system manually. For this purpose, a subcontractor of the applicant portal provider can use the “parsing” function. This automatically extracts/analyzes the selected documents.

4.14.4 Categories of recipients

1) Use / sharing of data within the Group

Your data can be accessed only by employees of Flughafen München GmbH and the Group companies for which the vacancy is being filled. If you consented to having your application shared within the Group, your data may also be shared with the companies specified under section 1, "Controllers and data protection officers".

If we find your application compelling but do not currently have a vacancy for you, we will be happy to include you in an applicant pool for the companies specified under section 1. In this case, you will receive an e-mail from us requesting your permission to include you in the applicant pool. Please see section 14.6.5 for the retention period.

2) Applicant portal service provider

Your personal data will be transferred by the applicant portal provider to an external data center (a subcontractor of the applicant portal provider) for processing. A contract has been signed with the applicant portal provider under which the provider is required, without limitation, to comply with all the requirements of data protection laws and to act solely as instructed by us.

In the event of applications for the subsidiary MAI (Munich Airport International GmbH), we forward the data to an external personnel service provider. A data processing agreement has been entered into with this service provider as well that requires the service provider, in particular, to comply with all requirements of data protection law and to act solely as instructed by Flughafen München GmbH.

3) Online test service provider (for vocational training positions)

Your personal data will be processed and stored by the provider of an online test. The online test is used only in the late selection stages for vocational training positions and cooperative degree programs offered by Flughafen München GmbH. To take the online test, you will receive an email with further information. A contract has been signed with the online test provider under which the provider is required, without limitation, to comply with all the requirements of data protection laws and to act solely as instructed by us.

4) Service providers (general)

We engage external service providers to perform tasks such as programming or data hosting. We have selected these service providers with care and monitor them regularly, particularly with regard to their careful handling and protection of the data that they process. We require all service providers to sign a contract to maintain confidentiality and comply with the data protection requirements of the General Data Protection Regulation (GDPR) and German Federal Data Protection Act (BDSG).

5) Platforms

The platforms of the following providers can be used to complete the application form quickly and easily during the application process:

• Dropbox International Unlimited Company (One Park Place - Floor 5 - Upper Hatch Street - Dublin 2 – Ireland)
• XING AG (Gänsemarkt 43 - 20354 Hamburg - Germany)
• LinkedIn Corporation (2029 Stierlin Court - Mountain View - CA 94043 - USA)

Please note that these providers and/or their servers may operate at locations outside the EU or the EEA (e.g. in the USA). When an applicant uses a platform, information – which may include personal data – may be sent to and possibly utilized by the platform provider. Please refer to the data protection statement of each platform provider for information on which specific data is stored by the provider in such cases and how it is used.

The applicant portal does not use platform providers' social plugins; these are only links to the platforms. Nor do we use the platforms to capture any personal data or how it is used.

After clicking on the button, you will be transferred to the platform provider's login screen. After logging in and releasing the data, the data will be automatically extracted and analyzed by the subcontractor for the applicant portal.

If you wish to ensure that no data of any kind is processed by the platform providers, enter your data manually in the application form and refrain from using the platforms.

6) Other third parties

We will transfer your personal data to other parties only to the extent that this is required to take steps prior to entering into a contract, if we or another party have a legitimate interest in the data transfer, or if you grant us your permission. In addition, data can be transferred to other parties if we are required to do so by law or under an administrative or court order. Your data will not be used for advertising purposes.

4.14.5 Duration of data storage and possibility of erasure

Applicant data

1) Your data will generally be deleted six months after your hiring date, your notification that your application was unsuccessful, or your decision to turn down an offer of employment.

In case of an application for a vocational training position or a cooperative degree program, all your data will be stored for six months after your application is rejected, you refuse an offer, or your are invited to your first day of work. In case of a rejection on our part or your refusal of an offer, the data will be stored on the basis of legitimate interests (legal concerns).

In case of an application for a high school student's internship, all your data will be stored for six months after your application is rejected, you refuse an offer, or the internship has ended. In case of a rejection on our part or your refusal of an offer, the data will be stored on the basis of legitimate interests (legal concerns).

2) If you have consented to be included in our applicant pool, you will receive a notification about your continued inclusion in the pool after five months. If you consent to remain included in the pool, you will be notified again after a further five-month period. If you do not contact us after this notification, all your data will be erased within three months.

3) If you wish to have your data erased early or withdraw one of your permissions, please send an e-mail with your name, the e-mail address you provided when applying, the job title and company and, for unambiguous identification, your date of birth to jobs@munich-airport.de or contact the person in charge of the advertisement.

4) Please note that when the data is erased, all data associated with the application in question will be removed, making it impossible to obtain information on the application.

Log data

Log data – collected by the applicant portal provider – is erased after 180 days. Log data that has to remain on file for evidentiary purposes will not be erased until the final disposition of the matter and may, in specific cases, be forwarded to the investigating authorities.

Use of cookies

The applicant management system provider only uses temporary (session) cookies. These cookies are automatically deleted as soon as the user closes the browser.

The use of technically necessary (session) cookies is based on our legitimate interests under Art. 6 Par. 1 f) GDPR. Technically necessary cookies must be included to ensure that the applicant management system works correctly.

4.14.6 Transfer to third countries

Data is not transmitted to third countries as defined by data protection law.

4.14.7 Objection to processing

See chapter 6.5 of the privacy policy on how to object to the processing of your personal data on the basis of our legitimate interests (Art. 6 Par. 1 f) GDPR).

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point Art. 6 Par. 1 f) GDPR. In this case, we will no longer process your personal data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is done for the establishment, exercise or defense of legal claims.

The Airport Collaboration Portal (ACP) serves as the entry point for several applications that fall under various areas of responsibilities and serve various purposes. The portal is operated by Flughafen München GmbH.

Purpose of data processing
Your data will be processed solely for the following purposes:

• registration in the ACP system and
• granting user privileges for applications
• registration enables the user to be granted access to applications within the ACP. These include: AIS Airport Information System, Delaycodeclearing, night flight requests, LGS-Baggage.

Categories of personal data
Participation in the Airport Collaboration Portal (ACP) is a quasi-contractual legal relationship; the data not marked as optional must be submitted for user management purposes.

The following categories of personal data are collected:

• first name
• name
• organization
• company
• department
• email address
• telephone number
• airport ID number

Recipients
The specialized department has access to the personal data.

Duration of storage
Access data (login) are deleted when the individual leaves the company or when the access privileges are revoked.

Legal basis
The legal basis for the data processing described in this paragraph is Art. 6 Par. 1 sentence 1 b) GDPR (contractual performance and steps prior to entering into a contract).

Data protection inquiries
To exercise rights pertaining to the Airport Collaboration Portal (ACP), the data subject can contact us, preferably by email, at: acp@munich-airport.de.

To offer accommodation to our future employees, existing staff, and partners in the vicinity of the airport, we cooperate with MUC Airport Betriebs GmbH.

Housing inquiries can be submitted to Flughafen München GmbH at: munich-airport.de/fmg-und-wohnen. After an initial review, inquiries are forwarded to MUC Airport Betriebs GmbH via that company's booking software. The data transmitted in this online form are exported in an email that is transferred only within the protected airport network to a special email account that can be accessed only by the responsible employees.

Purpose of processing
We process your personal data solely for purposes of processing and handling your booking inquiry, checking your authorization to access the "FMG und Wohnen" service, entering into a contract, executing a contract, processing your booking and to communicate with you to offer and deliver the "FMG und Wohnen" service. A further purpose is to execute and defend our rights.

Categories of personal data

• salutation
• first name
• last name
• address
• telephone number
• email address
• airport company
• personnel number (if available)
• booking date

Legal basis
The legal basis for the related processing of your data is Art. 6 Par. 1 sentence 1 b) GDPR (performance of a contract and steps prior to entering into a contract) and Art. 6 Par. 1 f) GDPR (balancing of interests based on our legitimate interest in checking access authorizations, asserting and defending our rights and forwarding inquiries from our customers).

Recipients
We collect, store and process the personal data provided by you exclusively for the purposes stated above (in particular the processing of your booking). For this purpose, however, we must forward the data. As a result, the data are forwarded to the booking tool apaleo GmbH operated by MUC Airport Betriebs GmbH.

The required transfer of personal data to MUC Airport Betriebs GmbH takes place as required to achieve the stated purposes. After the transfer of the data, the hotel is the sole controller responsible for the processing carried out there under data protection laws. Consequently, Flughafen München GmbH assumes no responsibility for data processing in the hotel operations.

Duration of storage
Your personal data will be stored for a maximum of 12 months after the contract is fully executed. The data will be deleted after that period ends. Please note that statutory retention periods, for example under the German Fiscal Code (AO) or the German Commercial Code (HGB), as legitimate purpose limitations, represent an exception and are handled according to the applicable requirements.

The following text contains information on the processing of your personal data in connection with damages of all kinds, including insurance claims and other ways of settling damages.

Purpose of processing
The purpose of the data processing is the comprehensive handling of the damage event, which is not possible without processing your personal data. We process your data in accordance with the relevant data protection regulations, in particular the Insurance Policy Act (Versicherungsvertragsgesetz – VVG) and all other applicable laws.

Categories of personal data
To process the damage event, we store and process the personal data of the concerned parties (e.g. first name, last name, date of birth, address, telephone number) as well as data regarding the events (e.g. the damage event) and material facts (e.g. vehicle identification data) that may relate to natural persons.

Recipients
Personal data are sent to the following recipients or categories of recipients:

• Recipients within the FMG Group (e.g. departments responsible for the relevant processing of the data)
• Companies in the FMG Group
• Cooperation partners used by us to deliver our services
• External contractors as defined in Section 28 of the EU-GDPR; at present, these are: FMV – Flughafen München Versicherungsvermittlungsgesellschaft mbH / Marsh GmbH
• Insurance companies involved in the handling of the damage event

Duration of storage
We process and store your personal data as long as necessary to meet our legal obligations. The damage reports and files are retained in accordance with the statutory retention periods.

Legal basis
The legal basis for the processing of personal data is as follows:

• Consent [see Art. 6 Par. 1 sentence 1 a) GDPR] (in cases where we request consent)
• Necessity for the performance of a contract to which the data subject is a party [see Art. 6 Par. 1 sentence 1 b) GDPR, first option] or to complete steps prior to entering into a contract.
• In addition, we process your personal data to meet legal obligations. The need to comply with a legal obligation to which the data controller is subject [see Art. 6 Par. 1 sentence 1 c) GDPR].

• Insurance Policy Act and other relevant laws
• Fulfillment of obligations to our insurer.

• We also process your data to safeguard legitimate interests pursued by us or third parties (Art. 6 Par. 1 f) GDPR), i.e. where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. [see Art. 6 Par. 1 sentence 1 f) GDPR].

• Asserting our own damage claims
• Fulfillment of obligations to our insurer
• Defending damage claims pursued against our company
• Defense and cooperation in case of criminal and administrative proceedings

In exceptional cases, special categories of personal data are processed (e.g. health-related data). In such cases, the data are generally processed on the basis of Art. 9 GDPR e.g. Art. 9 Par. 2 e) GDPR if these data are manifestly made public by you.

Source of the data
If the personal data are not obtained directly from the data subject, they are obtained from

• Vehicle inquiries, e.g. the "Green Card Office" in Hamburg
• Witnesses, persons involved in an accident and other third parties
• Generally accessible sources

Star Alliance Biometrics is a product of Star Alliance Service GmbH (hereinafter referred to as "Star Alliance") and enables the voluntary biometric identification (facial recognition) of passengers at the airport. Terminal 2 Gesellschaft mbH & Co oHG (hereinafter referred to as "Terminal 2 Gesellschaft" respectively “we”) currently supports the use of the biometric identification service offered by Star Alliance Biometrics at the following access points: boarding pass control.

At the airport access points managed by Terminal 2 Gesellschaft, which have integrated the Star Alliance Biometrics’ identification service, a short video sequence will be recorded of you if you wish to use the biometric identification service. A photo is extracted from the video sequence and sent to Star Alliance for biometric matching with your biometric profile stored in Star Alliance Biometrics.

Scope of application

This data protection notice refers exclusively to the recording of the short video sequence/photo of your face by the camera at the access point in the Terminal 2 Gesellschaft's area of responsibility.

For the subsequent data processing in connection with the biometric matching in the area of responsibility of Star Alliance as well as for the enrolment for Star Alliance Biometrics and the use of the corresponding Star Alliance Navigator App, the Star Alliance Privacy Notice applies.

Data controller

Controller for data processing within the scope of this data protection notice is

Terminal 2 Gesellschaft mbH & Co oHG
Terminal Street North 1, Level Z4
P.O. Box 23 17 55
85326 Munich-Airport

You can reach our data protection officer at datenschutzbeauftragter@munich-airport.de.

Processed personal data

A short video sequence and an extracted photo of your face are processed.

Purpose and legal basis of the data processing

Processing is necessary to enable the use of the biometric identification service at the boarding pass control, i.e. for Star Alliance to biometrically match the photo taken with your biometric profile stored in Star Alliance Biometrics.

The legal basis for this processing is your consent given in Star Alliance Biometrics to be identified at Munich Airport via the Star Alliance Biometrics’ identification service (Art. 6 para. 1 p. 1 lit. a) DSGVO).

You can withdraw your consent at any time in the profile management of the Star Alliance Navigator App. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. 

Please note:

Unless you have given your consent or withdrawn it, you are neither permitted nor able to (successfully) use the biometric identification service. Alternative means of boarding pass control (e.g. boarding pass scan) are available to you. You are neither contractually nor legally obliged to use the biometric identification service.

Should you - contrary to the express notice at the access point - attempt to use the biometric identification service without being enrolled for Star Alliance Biometrics or without having given your consent to be identified at Munich Airport, a video sequence/photo will nevertheless be taken of you and sent to Star Alliance for biometric matching. However, the identification will then fail and the identification process will be completed with an error message.  

Storage period

Your personal data will be deleted as soon as the identification process at the boarding pass control is completed.

Categories of recipients

Your personal data will be transmitted to the following (categories of) recipients:

• The Star Alliance to perform the biometric matching and
• IT service providers who provide the system(s) / software used and who have been contractually committed as processors in accordance with the GDPR.

Your rights of data subjects

You have the following rights:

• Right of access, Art. 15 GDPR
  
• Right of rectification, Art. 16 GDPR
• Right to erasure ("right to be forgotten"), Art. 17 GDPR
• Right to restrict processing, Art. 18 GDPR
• Right to data portability, Art. 20 GDPR
• Right to object, Art. 21 GDPR

To exercise your rights, you can contact us by e-mail at datenschutzanfrage@munich-airport.de.

In order to be able to process your request, we would like to point out that we process your personal data collected within the scope of the data protection request in accordance with Art. 6 Para. 1 S. 1 lit. f) DSGVO (for documentation and discharge purposes) and delete it after 3 years.

Furthermore, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

No automated decision making including profiling takes place.

Important note:

However, we would like to point out once again that we only record a short video sequence as part of the biometric identification process and use a photo from this and delete both from our systems immediately after the identification process is complete. The above-mentioned rights can therefore generally not be implemented, if only because no more personal data is available from you.

Contact details controller (cctv responsible officer)

»CCTV Videoverantwortliche/r« der Flughafen München GmbH
Nordallee 25, 85356 München-Flughafen, Deutschland
E-Mail: cctv@munich-airport.de

Contact details data protection officer

For contact information, please refer to Controllers and data protection officers.

Description and scope of data processing

Flughafen München GmbH collects, stores and processes personal data in the context of video surveillance only to the extent required by law, for the necessary purposes or in the legitimate interest of the company (see 1.4).

Purpose and lawfulness of processing

Data processing is required because of:

• Legal obligation to which the controller is subject (in particular aviation security law / § 8 LuftSiG).
• Vital interests of the data subject or another natural person.
• Public interest or in the exercise of official authority vested in the controller.
• Legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail.
• Corpus of legislation (General Data Protection Regulation »DSGVO«).

Purpose of data processing and legitimate interest of the controller:

• Aviation Security (e. g. protection of life and limb of persons, protection of protection, etc.)
• Execution of property rights
• Safety (e. g. firefighter control, safeguarding employees, guests and equipment, etc.)
• Operational processes related to airport and aviation procedures to ensure functioning infrastructure procedures (u. a. baggage handling, passenger flow control, apron monitoring
• Miscellaneous provision

Legitimate interests of the controller

• Exercise property rights and property protection
• Operational requirements and procedures
• Aviation security
• Enforcement of law and order

Duration of data storage and criteria for storage

Data is will take place in individual cases. Storage in general of the duration of data storage depend on the individual situation, camera location, surveillance purpose and user. Details regarding storage are defined in the controller’s CCTV user manual.

Recipients of data

Individuals or user groups with access rights in accordance with the CCTV Access Control process. User access in controlled by a detailed access control process, which grants access to live video footage or stored video data depending on the role of user. Users are public authorities, public agencies, affiliated companies and/or subsidiaries and airlines.

Data transfer to third countries

A transfer of personal data to third countries is not intended.

Possibilities for removal/revocation

You have the right to have your personal data removed and revoked in case of processing based on our legitimate interests according to Art. 6 para. 1 lit. f) DSGVO. In addition, you have the right to claim a complaint with the supervisory authority, specifically in the member state of your residence, your work place or the place of the alleged violation if you consider the processing of your personal data shall constitute a breach of the respective EU legislation General Data Protection Regulation.

Rights of data subjects / rights of affected / your rights

For more information on your rights to information, correction, deletion, restriction of processing, objection and data portability, please refer to Your rights.

4.20.1 Events and Lead Generation Campaigns

For the purpose of customer acquisition and network building, LabCampus conducts (promotional) events and lead generation campaigns. Contact data provided to LabCampus in this context will be processed by LabCampus as follows:

Categories of personal data

The following categories of personal data are processed:

• first name
• surname
• company name
• e-mail adress (if necessary)
• telephone- / mobile number (if necessary)
• position (if necessary)

Purpose of processing

Your Data will be processed for the purpose of arranging appointments, sending information about our products and services, news and event notices from LabCampus.

After providing your telephone/mobile number or if you ask us on the phone to send you information electronically by e-mail, we will also use this data with your consent to contact you individually and send you information. Without providing the required data, we cannot send you this information.

If, in the context of telemarketing campaigns, we receive personal data from publicly accessible sources or from information provided by your colleagues and process this data for the above-mentioned purposes, we will inform you of this within one month or at the latest at the time of the first contact.

For registration to our newsletter, we refer to section 4.3.2 of this privacy policy, which also applies to registration via business cards as part of promotional campaigns and events.

Legal basis

The legal basis for the processing of your personal data given to us is Art. 6 para. 1 sentence 1 letter f) GDPR (legitimate interest). The legal basis for the processing of personal data based on the handover of your business cards is Art. 6 para. sentence 1 letter a) GDPR (your consent by handing over the business card).

Storage period

We store your data for the purpose of contacting you until we receive your objection, but at the longest for a period of two years to the end of the year after the last communication, provided that no contractual relationship has been established.

Categories of recipients & transfer to third countries

Your data will be processed by LabCampus GmbH. A transfer to third countries is not intended. Recipients of the data are the responsible departments at LabCampus GmbH, as well as processors for marketing services and for the provision of IT services and those for the improvement, maintenance and support of these services.

Objection

You can object to the processing of your data at any time by sending an e-mail to: contact@labcampus.de. In the event of your revocation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. We would like to point out that in the event of your objection, no further contact can be established by LabCampus.

Withdrawal of your given consent

If we process personal data on the basis of your consent, you can withdraw this at any time via the following e-mail address: contact@labcampus.de. The withdrawal of your consent doesn´t affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal. The lawfulness of the data processing operations carried out until the withdrawal remains unaffected by the withdrawal.

4.20.2 LabCampus LinkedIn Lead Ads

This data protection information applies to the following LinkedIn profiles: https://www.linkedin.com/company/labcampus/

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter "LinkedIn") is responsible for the processing of personal data entered by visitors while visiting our LinkedIn profile.

We use LinkedIn Lead Ads to generate contacts and addresses. Lead Ads are an ad format that is displayed to registered LinkedIn users. They contain form functions that enable the simple and rapid generation of leads. After the user actively consents (opt-in), contact information the user has stored with LinkedIn is entered into forms:

• Name
• Email address
• Company

Once the data in the form has been sent successfully, the user is shown a thank-you page where we can integrate a call to action (e.g. a referral to the LC landing page). We do not send your personal data to third-party advertisers or advertising networks.

The processing of this data serves the purpose specified above and takes place on the basis of Art. 6 Par. 1 a) GDPR on the basis of your voluntary consent upon registering and logging in to LinkedIn. We store your data until your consent is revoked. You can revoke your consent with future effect at any time by sending an email to contact@labcampus.de

We do not know the full extent of data collection, i.e. which of a visitor's data is collected by LinkedIn overall and the purposes for which it is processed by LinkedIn. The necessary information has not been provided to us by LinkedIn. Please understand that we can only provide information to the extent allowed for by our knowledge of the data processing within our area of responsibility and our influence on this data processing.

We would also like to point out that your data may also be processed outside the European Union and the European Economic Area. This could result in risks, e.g. because it could complicate the enforcement of user rights. Further details can be found in the privacy policies of the individual providers.

The Data Protection Officer of LinkedIn can be contacted through the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO

Further information on data processing by LinkedIn can be found at: https://privacy.linkedin.com/

4.21.1 Introduction/application

The data will be stored and processed confidential and only in accordance with the legal regulations or the data security and the data protection. You should know which data we store and how we process them.

The data protection information and declarations stated there are applicable to Internet pages of other providers that may be linked.

4.21.2 Categories of personal data

The following categories of personal data is processed:

1. The following personal data (data identified with a * are mandatory) are handled during the registration for presence and web-based trainings (via the “Online Learning Portal”, “Event Manager”, forms and by phone or email):

Contact data of the participant, such as,

• Salutation*
• Firstname*
• Lastname*
• Phone/ mobile number*
• Fax number
• Email*

The following data will be recorded additionally in the Online Learning Portal for certain courses and for the creation of a user account:

• Birthdate*
• Birthplace*

Address data of the participant

• Street*
• Zip code, City*
• Country*

Possibly contact data of the person who books, such as:

• Salutation
• Firstname
• Lastname
• Phone number
• Fax number
• Email*

Invoice data

• Invoice address*
• Order number
• Customer number

2. Storage in the event management system (e.g. for the administration of the completed trainings and advanced trainings as well as the traceability of the qualification)

This includes, among others, the following personal data:

Contact data of the participant, such as:

• Salutation*
• Firstname*
• Lastname*
• Phone/ mobile number*
• Fax number
• Email*
• Address data of the participant
• Street*
• Zip code, City*
• Country*

Possibly contact data of the person who books, such as:

• Salutation
• Firstname
• Lastname
• Phone number
• Fax number
• Email

In addition, the following data is stored and processed for certain courses (for example, legally mandated):

• Birthdate*
• Birthplace*

3. Storage in the accounting system (for example, for the settlement and invoicing of trainings and qualifications)

This includes, among others, the following personal data:

• Salutation*
• Firstname*
• Lastname*
• Phone/ mobile number
• Fax number
• Email

Address data of the invoiced person or the participant

• Street*
• Zip code, City*
• Country*

Possibly contact data of the person who books, such as:

• Salutation
• Firstname*
• Lastname*
• Phone number*
• Fax number
• Email*
• Invoice data
• Invoice address*
• Order number
• Customer number

4. Transfer to the central access control system (for the access authorization to the safety area)

This includes, among others, the following personal data:

The following data will be transfered:

• Salutation*
• Firstname*
• Lastname*
• Birthdate*
• Birthplace*
• Company name*
• Personal identification number (internal 6-digit number)
• Training result and training date*

5. Log data that is recorded to secure the operation - Online Learning Portal

Log data is recorded in the Online Learning Portal. The data is used to address failures and security incident (e.g. for the resolution of attack attempts). Log files whose further storage is required for evidence purposes are excluded from the deletion until the final clarification of the respective incident and can in individual cases be transfered to the investigative authorities.

4.21.3  Purposes of the processing of person related data

Your data is exclusively processed for the following purposes:

1. For the processing of registration, organization and administration of the trainings and advanced trainings
2. For proof of a seminar or WBT participation
3. For the obtainment and the proof of a certain qualification
4. For the transfer to the ID card office (aviation safety training - to obtain an airport ID or access right to the safety area)
5. For the provision of a certificate (for example, EASA proof)
6. For invoicing
7. To establish a contact or to answer questions
8. To maintain and defend our rights
   
   

4.21.4 Legal principles for the processing of personal data and justified interests

The processing of personal data is based on the following legal principle:

• Purpose 1, 2, 3, 4, 5, 6 - Requirement for the fulfillment of a contract whose contract party is the affected person [see art. 6 para. 1 p. 1 lit. b) 1st variant GDPR]
• Purpose 1, 3, 7 - Requirement for the execution of pre-contract actions that are performed on the request of the affected person [see art. 6 para. 1 p. 1 lit. b) 2nd variant GDPR]
• Purpose 2, 3, 4, 5, 6, 8 - Requirement for the fulfillment of a legal obligation, which the responsible person is subject to [see art. 6 para. 1 p. 1 lit. c) GDPR]. The legal obligation is based on the implementation regulation DVO(EU)2015/1998 (all trainings as per section 11) as well as the EASA requirements VO (EU) 139/2014 and VO (EU) 139/2014. This applies to all trainings in accordance with the rules ADR.OR.D.035 and ADR.OR.F.080 as well as section ADR.OR.D.017.
• Purpose 1, 2, 3, 4, 5, 6, 8 - Requirement for the protection of justified interest of the responsible person or a third party, assumed that the interests or basic rights and fundamental freedoms of the affected person are not higher ranking [see art. 6 para. 1 p. 1 lit. f) GDPR]. The justified interests include the information, sensitization and qualification for persons active on the airport facilities via an Online Learning Portal and presence seminars (e.g. sensitization for security subjects, occupational safety, etc.) and for the execution of trainings between FMG and the employer of the affected person.
  
  

4.21.5 Recipients

Personal data will be transfered to the following recipients or categories of recipients and the data will be processed there:

• Internal company recipients (e.g. departments responsible for purpose-based processing): Only employees of Flughafen München GmbH, whose contribution to the organization and administration of the trainings and advanced trainings as well as for answering inquiries is required, have access to your data. This includes, among others, employees of the AirportAcademy. In addition, a limited number of IT persons have access to the data due to their administrative activities. Your personal data - among others, for the aviation safety training, the “Flughafen Lieferungen” (airport delivery) training and the Safety Management training - will be transfered to the corporate safety department of Flughafen München GmbH. The access control system is hosted internally and has no connection to the outside. Your personal data will be transfered for invoicing to the account department of Flughafen München GmbH.
• Companies of the Flughafen München corporation, see Overview of the corporate structure of the Flughafen München Corporation
  
• External employees as per art 28 GDPR, these include currently: If required, trainers that are assigned to provide a training and an advanced training, as well as meeting hotels for the handling of workshops.
• Courts, public authorities or other government bodies in case of legal obligations such as reliability review to the Luftamt Süd (aviation authority south).
  
  

4.21.6 Transmission to third countries

Transmission to a third country outside of the European Union is not planned.

Some internal training courses include learning content in the form of videos, which may be hosted on servers in third countries. This content is included without tracking measures from the video host. The exclusion of identifiability is only guaranteed if you access the learning content from our internal network or through a VPN connection to our FMG network.

If you wish to attend an internal training without a VPN connection from your home network or using a mobile network, you must accept the potential transmission of your IP address to unsafe third countries. Please note that your IP address constitutes personal data and that the level of protection as well as your rights as a data subject in unsafe third countries, especially the United States of America, potentially do not match those of the European Union (see Court of Justice of the European Union C-311/18).

4.21.7 Duration of the storage

Personal data will only be stored as long as this is required to achieve the listed purposes or as long as it is required to satisfy the legal storage and record retention time periods. The respective data will be deleted as a matter of routine and in accordance with the legal regulations after the discontinuance of the respective purpose or after the above time periods expire.

The following storage deadlines specifically apply:

1. Online Learning Portal: The personal data will be deleted completely after the expiration of all certification validities and after a follow-up time of 6 months.
2. Event-Manager (registration forms): The personal data will be deleted after 6 years.
3. Event management system and accounting system: Personal data of persons that completed an aviation safety training will be deleted from the event management system 6 years after the end of the validity of the aviation training. The personal data of all other persons will be deleted 6 years after the last seminar participation. As per § 147 AO / § 257 HGB, invoices will be deleted 10 years after the end of the calendar year, while proposals will be deleted 6 years after the end of the calendar year.

Please note, that the entire data are removed after the deletion is completed and conclusions can no longer be made.

4.21.8 Obligation for the provision of personal data

• The provision of the personal data is legally mandated for the execution of trainings in accordance with section 11 of DVO(EU)2015/1998, among others, aviation safety training. A non-provision means that airport IDs or work permits for the activity at the Munich airport cannot be issued.
• The provision and storage of personal data as part of the relevant EASA trainings are regulated in the EASA requirements VO (EU) 139/2014 and VO (EU) 139/2014. The rules ADR.OR.D.035 and ADR.OR.F.080 as well as section ADR.OR.D.017 are applicable. A non-provision means that airport IDs or work permits for the activity at the Munich airport cannot be issued.
• The provision and storage of personal data as part of the hazardous product training are regulated in annex 18 of the Convention on International Civil Aviation including the “Technical Instructions for the Safe Transport of Dangerous Goods by Air” (ICAO T.I.) issued by the International Civil Aviation Organization (ICAO) Doc 9284-AN/905, as well as DOC 10147 whose application is, among others, specified:
  - in the regulation (EC) No 965/2012 of the Council dated October 05, 2012 for the specification of technical regulations and administrative processes with respect to the aviation in accordance with the regulation (EC) No 1139/2018 of the European Parliament and of the Council as well as
  -  in the regulation (EC) No 139/2014 of the Council dated February 12, 2014 for the specification of requirements and administrative processes with respect to the aviation in accordance with the regulation (EC) No 2018/1139 of the European Parliament and the Council.

• The provision and storage of personal data as part of the hazardous product trainings in Austria are regulated in the 303rd regulation of the Federal Minister for Science and Transport about the transport of hazardous materials (Dangerous Goods Transport Ordinance - GGBV)
• § 2, 11 and 14 of the Dangerous Goods Transport Law, BGBI. I No. 145/1998, in its BGBl version. I No. 108/1999, 5th section - “Training of persons involved in the transport of hazardous materials as part of the civil aviation”
• A non-provision results in the fact that a registration for required trainings cannot be made. Proofs and certificates for possibly required trainings can also not be issued.
• The provision of personal data is required for the planning, execution and administration (incl. settlement purposes) of trainings and qualifications and therefore for the execution of pre-contractual actions as well as for the execution of the contractually booked service. A non-provision results in the fact that a registration for required trainings cannot be made. Proofs and certificates for possibly required trainings can also not be issued.
• In addition, a legal or contractual obligation for the provision of personal data may exist.
  
  

4.21.9 Data source

If the personal data was not obtained from the affected person, then they are obtained from

1. Though self-delivery of the person that inquires or books
   
2. From the access control system, personal data such as:
   - Salutation
   - Lastname
   - Firstname
   - Birthdate/ birthplace
   - Residence address
   - Company name incl. invoice address
   - Personal identification number
   - Status of the reliability review
   
   

4.21.10 Automated decision making (also profiling) and impacts

As a matter of principle, an automated decision making does not take place. Only the issue of the certificate can depend on a variety of factors (e.g. participating in a certain part or the entire WBT, examination tests, etc.) depending on the type of the WebBasedTrainings (WBT). The existence of these factors is normally checked automated by the respective WBT program.

4.21.11 Explanations about special processing of personal data

Use of cookies

Online Learning Portal

1. Description and scope of the data processing

On the Online Learning Portal of the Airport Academy, we only use technically required cookies - they can be found under 2. (List and description of the cookies). These so-called function cookies are always activated because they are required for the basic functions of the website. The use of the applied cookies guarantees functions. This website cannot be used as intended without these cookies. The purposeful use of the Online Learning Portals of the Airport Academy is not possible without these cookies.

The path of a user across different pages of the website can be traced by using the applied cookies. It permits an effective navigation during the visit on the Online Learning Portal. Only the information required for the specific processing purpose will be stored in the cookies. These are neither personal nor do they provide information about the user. The Flughafen München GmbH is responsible for the applied cookies (= First Party Cookie). Third party cookies are not used.

The applied cookies are also used for the identification of the computer from which our website was contacted. If you login to our website, then the cookies are used to communicate the login to the server and to check the authorization for the call-up of the website. The cookie marks the logged-in user as a valid user and permits the call-up of secured data.

In addition, your safety is increased because the used cookies protect against Cross-Site-Request-Forgery.

2. Purposes, legal principles and duration of the storage

The specific purposes of the applied cookies, the associated legal principles as well as the information about the storage duration can be found in the following overview:

The use of the technically required (session) cookies is based on our justified interests as per art. 6 para. 1 lit. f DSG-VO. The integration of the technically required cookies is needed to guarantee a flawless use of the Online Learning Portal.

3. Option for removal

You have the right to object against the use of cookies. Using your browser, you have the option to get the cookies displayed that exist on your computer, to delete the existing cookies or to establish the configuration in such a way that not all or no cookies can be stored. Please note that some functions (for example the login) do no longer work or do not correctly work if you deactivate the cookies settings.

This information about the processing of your personal data is based on the processing of your personal data as part of the luggage handling and securing of a fast, accurate and correct flight dispatching by Flughafen München GmbH (FMG).

4.22.1 Description and scope of the specific data processing

Based on § 45 LuftVZO, FMG - as the airport operator - is responsible to provide and develop the infrastructure for the reliable execution of the air traffic.

This also includes the administration and the operation of central infrastructure facilities such as the luggage system incl. the associated luggage transportation equipment - starting with the transport from the check-in counters of the airlines including the required sorting and ending with the transport on the destination conveyors as well as the transport of the pieces of luggage that are subject to control to and from the control points.

FMG receives the required personal data of the airlines to fulfill the tasks as the airport operator as part of the provision of the central infrastructure of the luggage system with luggage transport and sorting.

To fulfill the tasks, FMG additionally provides information about the status of the luggage based on a request by your airline.

This includes the following data:

• Salutation, name (last and first)
• Flight data
• Location data about the piece of luggage in the transportation system
  
  

4.22.2 Purposes and legal principles

Purposes:

• Fulfilling the tasks as the airport operator to provide and develop the infrastructure for the reliable execution of the air traffic
• Administration and operation of central infrastructure facilities such as the luggage system incl. the associated luggage transportation equipment
• Fulfilling the tasks as the airport operator to implement the required safety measures
• Defense against legal claims
• Fulfilling the requirements of public safety authorities

Legal principles:

• Fulfillment of legal obligations (art. 6 para. 1 lit. c GDPR a.o. i.c.w. § 45 LuftV-ZO, § 5 para. 3, § 8 and § 9 LuftSiG, VO EU 2015/1998)
• Protection of legitimate interests for an effective and efficient disposition of pieces of luggage, for the clarification of questions (a.o. public authorities, customs), for the delivery of contractual services to FMG customers (e.g. airlines) and for the clarification and defense against legal claims (art. 6 para. 1 lit. f GDPR)
  
  

4.22.3 Recipients of personal data

• FMG internal departments for the execution of the luggage sorting and luggage loading
• Airlines, ground handling services
• Public authorities, courts
  
  

4.22.4 Transfer to recipients in third countries

The a.m. personal data are transmitted via the SITA network to the airline with which you established a transport contract. If the airline has its seat in a third country outside the EU, then this can involve a data transfer to this third country.

Contracting partner of FMG for access to the SITA network is SITA Switzerland Sarl, 26 Chemin de Joinville, 1216 Cointrin, Schweiz. In accordance with Art. 45 GDPR, the EU Commission has decided that Switzerland offers an adequate level of data protection.

4.22.5 Storage duration

• 100 days in the operational system
• 15 months in the archive system
  
  

4.22.6 Source of the data

Data subject/airlines.

The Legal and Compliance (RCC) corporate unit of Flughafen München GmbH (“FMG” or “we”) offers employees and external parties the opportunity to report compliance violations to an internal reporting office. Employees and external parties such as providers, contractors, suppliers and customers can contact the internal reporting office and report violations of legal provisions within the scope of § 2 of the Whistleblower Protection Act (HinSchG), in particular in connection with corruption, fraud, theft, embezzlement, vandalism, property damage, competition offenses. Issues related to the Lieferkettensorgfaltspflichtengesetz (LkSG) [Supply Chain Due Diligence Act], the prevention and handling of sexual harassment, violations of the Code of Conduct and the guidelines of the FMG Corporation such as the “Gifts and Invitations Guideline” and other regulations applicable in the FMG can also be reported.

Name and contact data of the controller

FMG is controller for the internal reporting office under the data protection law. As part of the option provided in the Whistleblower Protection Act (HinSchG) of entrusting a third party with the tasks of an internal reporting office, FMG also assumes the tasks of an internal reporting office for the following corporate companies as joint controller in accordance with art. 26 GDPR:

• aerogate München Gesellschaft für Luftverkehrsabfertigungen mbH
• AeroGround Flughafen München GmbH
• Allresto Flughafen München Hotel und Gaststätten GmbH
• Cargogate Munich Airport GmbH
• eurotrade Flughafen München Handels-GmbH
• FMSicherheit Flughafen München Sicherheit GmbH
• FMV - Flughafen München Versicherungsvermittlungsgesellschaft mbH
• LabCampus GmbH
• Flughafen München Realisierungsgesellschaft mbH
• Terminal 2 Gesellschaft mbH & Co oHG

In principle, the data subjects can contact the controller of the internal reporting office (FMG) as well as the controller of the corporate companies, which the FMG entrusted with the tasks of the internal reporting office. As part of the agreement about joint controllership, FMG and the above-mentioned corporate companies also agreed about close coordination when fulfilling requests from data subjects and notifications of data protection violations and possible communications to the data subjects in accordance with art. 34 GDPR. You can reach the internal reporting office of FMG using the following contact data:

Interne Meldestelle
RCC Flughafen München GmbH
Nordallee 25
85356 München
Germany
Phone. +49 89 975 40 340
Email: hinweise@munich-airport.de

The contact data of the entrusting corporate companies and the contact details of the respective data protection officers can be found under section 1 of this data protection declaration.

Contact data of the FMG data protection officer:

Datenschutzbeauftragter
Flughafen München GmbH
Nordallee 25 85356 München
Germany
Email: datenschutzbeauftragter@munich-airport.de

Categories of personal data

The submission of notices to the reporting office is voluntary, a report can also be made without us processing the data of the person providing the notice.

In particular, we use the online portal "Business Keeper Monitoring System" of the EQS Group AG, Karlstraße 47, 80333 Munich (hereinafter: BKMS® System). In this context, please note that anonymous tips should only be submitted from private devices outside the company network, as this is the only way to ensure the required confidentiality.

As part of the task completion, the following personal or person identifying data are regularly processed by the reporting office:

• Data of persons named as part of reports
• Data of persons processed as part of the exercise of tasks of a reporting office, especially in the area of the procedure and documentation
• Data of persons who are consulted by the reporting office for the exercise of tasks
• Data of persons providing notices that they voluntarily disclose to the reporting office
  
  

Purposes

FMG offers employees and business partners the opportunity to report compliance violations directly to the internal reporting office. This can be provided via various reporting channels, e.g. personal conversation, phone, letter, email or the BKMS® system.

The internal reporting office is responsible to maintain reliable principles of corporate management in day-to-day operations, the possibility of reporting violations via the BKMS® system is designed as an additional mechanism for employees and external parties to also anonymously submit notices and be available for questions.

Legal basis

For processing of notices as per HinSchG:

The reporting office processes the personal data of persons providing notices, persons involved in the proceedings and persons who may be accused due to legal obligations (art. 6 para. 1 lit. c GDPR). These obligations are applicable for HinSchG for:

• the establishment and design of the reporting office (§ 10 p. 1 i.c.w. §§ 16 HinSchG)
• the process for internal reports (§ 17 HinSchG)
• the execution of follow-up actions (§ 18 HinSchG)

If special categories of personal data are processed by the reporting office, then this is justified with the necessity for the fulfillment of the task (art. 9 para. 2 lit. g GDPR i.c.w. § 10 sentence 2 HinSchG).

If the HinSchG requires consent as a prerequisite for certain actions by the reporting office (e.g. for the transfer of personal data of the person giving the notices or phone recordings or word logs in case of phone reports), then such consent will be obtained. In these cases, the processing is carried out with art. 6 para. 1 lit. a GDPR.

If the legitimate interests of the controller or a third party require further processing and do not outweigh the interests or fundamental rights and freedoms of the data subjects, processing can also be carried out on the basis of art. 6, para. 1 lit. f GDPR for example to protect against accusations of reprisals.

For the processing of notices outside the application area of HinSchG:

For reports that are assigned to the Lieferkettensorgfaltspflichtengesetz (LkSG) [Supply Chain Due Diligence Act], the legal basis for the processing is based on art. 6 para. 1 lit. c GDPR in conjunction with § 8 LkSG (enabling of and procedural rules for the complaints procedure, confirmation of receipt of notices, discussion of the facts). Data processing when taking remedial measures is based on art. 6 (1) (c) GDPR i.c.w. § 7 LkSG.

The processing of personal data in the context of processing notices that contain violations of regulations outside the scope of the HinSchG is justified with the protection of legitimate interests (art. 6 para. 1 lit. f) GDPR). The legitimate interest lies in uncovering and preventing grievances and thus in averting damage to the FMG corporation, employees and customers. The processing of notices serves primarily to uncover and check abuses and violations of the law, and is embedded in our compliance management system. Based on this regulation and liability scope, the personal data required for processing the notices must also be processed. The interest of data subjects in not processing the data takes second place, since reports can be made voluntarily and anonymously and an appropriate level of protection is guaranteed for the confidentiality and integrity of the data of the whistleblower and any third parties involved through technical and organizational measures.

Type and scope of the data use

The personal data is processed exclusively for the purpose of processing notices and strictly under the stipulation that access to the data is only granted to certain persons and only to the extent that is absolutely necessary for the processing of the notice. Of course, all persons who have access to data are obligated to confidentiality.

Recipients

1. Internal use and possible transfer of that data within the corporation

The specific recipients of data depend on the content of the notice. Incoming notices are received by a small group of expressly authorized and specially trained employees of the compliance organization at FMG (employees of the reporting office) and the notices are always treated confidentially.

The reporting office checks whether an in-depth investigation is required and which internal bodies must be involved in clarifying the facts of a case. The reporting office also regularly informs top management about the content of the notices received, since the resolution of reported violations is one of their areas of responsibility. In addition, the auditing, corporate safety, legal and human resources departments are often called in to process notices or additional contact persons, which are required to execute the follow-up actions, are identified.

If reports for subsidiaries are received by the reporting office within the context of the entrusting relationship, or if notices addressed to the parent company also affect corporate companies, then the management of the subsidiaries and, if necessary, the responsible offices or departments of the corporate companies will be informed and consulted to process the notice, because the respectively affected corporate companies have the original responsibility to resolve and pursue an identified violation.

We ask that you only send the notices to the reporting office that relate to the reporting categories listed in paragraph 1 of this data protection information. We will not forward your request for reasons of confidentiality, but ask you to contact a suitable office if your notice is outside the area of responsibility of the reporting office.

2. Disclosing data to controllers outside the FMG corporation

Investigations may require the involvement of other FMG employees or employees of corporate companies and possibly also external parties such as specialized law firms, auditors or forensic experts. Of course, all internal and external parties involved in the process are obligated to the confidential treatment of disclosed information.

3. Disclosure to government agencies

If necessary, FMG may be legally obligated to provide information on compliance violations to government agencies (e.g. investigating authorities or courts). In case of such obligations, as well as seizures, we are unable to withhold the information you have submitted.

4. Whistleblower system service provider

The BKMS® system is provided by Business Keeper GmbH (member of the EQS Group), Bayreuther Str. 35, 10789 Berlin in Germany as processing on behalf of FMG.

Personal data and information entered into the whistleblower system is stored in the BKMS® system in a high-security computer center. Only FMG can review the data; the processor and third parties have no access to the data. This is ensured in a certified process through comprehensive technical and organizational measures.

Disclosure of data to third countries

As a matter of principle, personal data is not transferred to third countries outside the EU/EEA as part of the fulfillment of the duties of the reporting office.

Depending on the content of the notice, it may be necessary in individual cases to also pass on the data to recipients in third countries. In third countries, the rights of data subjects and the confidential treatment of personal data may not be legally guaranteed to the same extent as in the EU.

If you, as the reporting person, do not want us to transfer your personal data to countries outside the EU, please let us know in your report and we will check whether a transfer is not necessary to protect our legitimate interests. Please note that it may not be possible to fully process your report without passing on your data.

Duration of the storage

After the plausibility check has been carried out, the reporting office will check whether storage is required.

Irrespective of the storage periods listed below, after the notice has been checked and the notice procedure has been completed, measures are taken to make the process documentation as data-efficient as possible, e.g. by means of blacking out or pseudonyms.

The procedural documents are generally deleted after the individual case has been examined 3 years after the conclusion of the notice procedure. The documentation may be kept longer to meet the requirements of the Whistleblower Protection Act or other legislation, as long as this is necessary and proportionate.

Rights of the data subject

As a person providing notices, a person involved in the process and possibly an accused person, you are entitled to the following rights of a data subject based on the GDPR:

• Right to information
• Right to correction or deletion
• Right to the restriction of the processing
• Right to object to processing
• Right to data transferability

To exercise your rights and to revoke your consent, please contact the controller at the contact address given above. Alternatively, you can also assert your data protection rights via the BKMS® system or at the following email address: datenschutzanfrage@munich-airport.de

Please note that the reporting office must also protect the rights of third parties and can therefore only provide information in abridged form or blackened out if this would seriously impair the achievement of the processing goals (art. 14 para. 5 lit. b GDPR) or would disclose information which by its very nature should be kept secret (§ 29 para.1 BDSG).

Right for a complaint to the supervisory authority

You have the right to file a complaint with the supervisory authority if you believe that the processing of your personal data is unlawful. The contact data for the supervisory office responsible for us are: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Post office box 1349, 91504 Ansbach, Germany, Phone: +49 (0) 981 / 53 1228, poststelle@lda.bayern.de, www.lda.bayern.de.

Change in the data protection information

We reserve the right to change our safety and data protection measures if this is required due to legal or technical developments. In these cases, we will also adapt our data protection notices accordingly. Therefore, please note the current version of our data protection information.

Miscellaneous

The communication between your terminal and the BKMS® system takes place via an encrypted connection (SSL). The IP address of your computer will not be saved while using the whistleblower portal. To maintain the connection between your computer and the BKMS® system, a cookie is stored on your computer that only contains the session ID (so-called null cookie). The cookie is only valid until the end of your session and becomes invalid when the browser is closed. As the person providing the notice, you have the option of setting up a protected mailbox in the BKMS® system with a pseudonym/user name and password of your choice. Therefore, you can communicate securely with the reporting office using your name or anonymously.

Version: June 23, 2023

See below for information on why and for how long we process your personal data, the legal basis for this, and your rights with regard to data processing if you use our LabCampus community platform.

Websites of providers to which we link here are subject to the privacy notices or policies published on those sites.

Please take time to read our privacy policy, as it contains important information about how we use your personal data.

4.24.1 Content of this policy

When we use the term “data” in this text, we are referring exclusively to personal data as defined by the GDPR.

4.24.2 Description and extent of data processing

Our platform offers you a wide range of services. For example, you can learn about the latest innovations at LabCampus and about various catering options. You can utilize services via the platform, e.g. contacting LabCampus Community and Facility Management. The community platform also has a forum for exchanging information. The forum is intended to promote interdisciplinary cooperation and thus innovation.

The LabCampus community platform can only be accessed by registered users. For this reason, we provide you with the option of creating a community account and thus registering to use our platform. To do so, enter your details and submit them to us via the form provided here. We store the data transmitted to us and do not disclose them to third parties.

4.24.2.1 Creation of a community account

To create your account, we process your work e-mail address and the password chosen by you. The password must fulfill the minimum criteria described in the terms of use. We process it only as a hash value and cannot read your password in plain text but can recognize whether a correct or incorrect password is used for further log-in attempts.

4.24.2.2 Completion of registration

Once you have registered, we first check whether your e-mail domain, i.e. the part of the address that comes after the @ symbol, is enabled for use of our platform. If this check comes back positive, your account is created and we send you a link with a request to confirm your e-mail address as part of a double opt-in procedure. In this way, we make certain that you have access to the e-mail account indicated and that you entered your e-mail address correctly. Otherwise, you receive an error message and are informed that your e-mail address has not been validated for use of the platform.

Your community account is only activated once you click on the verification link, and only then can you log in to the community platform and complete your registration. To do so, you must enter your position at the company and a nickname, which must comprise at least two letters. In addition to the information provided, we save the date and time at which you created your community account in order to log your registration with the portal and as proof of your e-mail verification if necessary. We also save the date and time of your most recent login.

Provision of the data requested is essential for the creation of your community account. Without these data, we cannot create a community account. We use the data to provide your community platform account. The data are saved in your personal central account, where you can view them at any time and change your password.

When your account is created, your traffic data as described under “3.1 Log files" above are also processed.

4.24.2.3 Communication within the platform

A contact form is provided for communication within our platform. The entries made in the form are forwarded to the e-mail account of the LabCampus team responsible for the particular inquiry. Further communication takes place by e-mail. When the information is forwarded, the text of the message and the following data are processed: the e-mail address connected to your account as the sender of the message, the date and time at which the message was sent, the information that the message came from the platform as the subject of the message, the language setting you have chosen for the platform, and the identification number assigned by the system to your account.

4.24.2.4 Interaction within the platform

You can like posts that we publish in the community. These likes, like views, are anonymous, which means that neither we nor the community members can see which posts you have viewed and which you have liked.

4.24.2.5 Videos and web analysis services integrated into the platform

When we embed videos on our platform, these are saved on YouTube. YouTube is a platform provided by YouTube LLC, with its registered office at 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube is a subsidiary of Google. We embed our videos via YouTube because local hosting is not sufficiently powerful for the presentation of the videos. For more information, see "3.5 Integrated videos (YouTube)."

If you have given us consent to place cookies for the statistical analysis of visitor access, i.e. reach measurement, via the consent management tool from "consentmanager" integrated into our website, we use these cookies to improve the quality of our platform and its content. These cookies tell us how the platform is used by the community, enabling us to continuously optimize our offering and our posts. For more information, see "3.2 Cookies and pixels." Information on the consent management tool is provided under "3.2.1 General information on cookies" and on reach measurement under "3.2.2.2 Matomo – LabCampus."

4.24.3 Purpose/legal basis

Your data are processed in order to make it possible to register on and login to our community platform as well as to communicate with you.

Registration on the platform is voluntary and based on your consent in accordance with Art. 6 Para. 1 (a), Art. 4 (11) in conjunction with Art. 7 Para. 4 GDPR.

In connection with the use of the platform, your data are processed in accordance with the applicable terms of use. The legal basis for this is Art. 6 Para. 1 (b) GDPR.

We process the e-mail address provided for the purpose of efficient and effective communication. This purpose also constitutes our legitimate interest. The legal basis for this is Art. 6 Para. 1 (f) GDPR.

4.24.4 Recipients/transmission to third countries

Our community platform is maintained and operated by our partner, Das Büro am Draht Software-Entwicklung GmbH, located at Blücherstrasse 22, 10961 Berlin (hereinafter "BaD"). It is hosted by our partner Hetzner Online GmbH, located at Industriestrasse 25, 91710 Gunzenhausen (hereinafter Hetzner). We use AWS Cognito for control of access and AWS Secret Manager for account management. AWS Cognito and AWS Secret Manager are offerings of Amazon Web Services EMEA SARL, located at 38 Avenue John F. Kennedy, 1855 Luxembourg (hereinafter AWS). Likewise, we use AWS for the forwarding of inquiries submitted via the contact form.

BaD, Hetzner and AWS all process your data, unless we have explicitly stated otherwise here, on our behalf and according to our instructions within the European Union (EU). This means that BaD, Hetzner and AWS do not and are not permitted to use your data for themselves, particularly not for their own purposes or their own promotions.

Please note that AWS complies with the data protection code of conduct for cloud infrastructure services providers (CISPE), i.e. the code of conduct ratified by the European Data Protection Board (EDPB) and adopted by the French data protection authority CNIL in accordance with Article 40 GDPR, and therefore undertakes to comply with the EU’s data protection standards, even when data are transmitted outside of the EU, so that your personal data are adequately protected under data protection law.

4.24.5 Retention/deletion

You can delete your own account via the platform at any time by clicking "Delete account" in your account settings and telling us your reason for doing so. Your data will then be deleted. You can also send an e-mail to community@labcampus.de or request deletion via the contact form available here. Your account will then also be deleted.

Status: September 2023

The Business-to-Business (B2B) portal is available to airport users, airlines, airline associations, representatives of the licensing authority or service providers operating at the Munich site to gain access to personalised information of various kinds. To ensure that the information published on the portal is only accessible to authorised persons, you must create a personalised user profile. The portal is also used to register for newsletters, events or expedited parking or to order publications and make specific enquiries.

4.25.1 Purpose of processing

Your data will only be processed for the following purposes:

• Provide personalised information to users
• Prevent abuse of benefits (expedient parking)
• Indicator to subscribe to newsletters
• Registration/deregistration for events
• Allocation of event topics
• Avoidance of no-shows

Categories of personal data

Profile data depending on use case.

• Salutation, title, first name, last name, e-mail, company, function, street, postcode, city, country, identification documents
• Parking start, parking end, flight number departure, flight number arrival

IT usage data (system-related)

• IP address, website visited, and functions used, timestamp
• Information about the device used (mobile device, desktop, etc.), operating system, browser type and versions used
  
  

4.25.2 Legal basis

• For sending the newsletter or for passing on contact data to the Bavarian Ministry of Housing, Construction and Transport (responsible authority), consent is required (Art. 6 Para. 1 Sentence 1 Letter a GDPR).
• For contacts with business and system partners, as well as for the security of the information technology systems (log data), legitimate interest applies (Art. 6 para. 1 sentence 1 letter f GDPR).
• For event management (invitation, implementation, follow-up) of mandatory annual consultations with airport users as well as for the implementation of the approval process in the event of a fee adjustment (legal basis: Art. 6 para. 1 lit. c GDPR in conjunction with § 19b LuftVG).
  
  

4.25.3 Categories of recipients

Depending on the intended use of the portal:

• The respective competent department
• Parking control center
• Company that develops the system further (order processing contract)
• Authorities, but only if consent has been given
  
  

4.25.4 Transfer to third countries

Personal data is not transferred to third countries.

4.25.5 Duration of storage

• Deletion of the indicator that a data subject is invited to events if there is a corresponding number of no-shows.
• The deletion of the stored personal data for travel agencies takes place in rotation no later than 5 years after no further contact has taken place.
• Deletion by users themselves
  
  

4.25.6 Possibility of removal or revocation

In order to exercise his or her rights concerning the B2B portal, the person concerned may contact the B2B portal, preferably by e-mail, at the following address:

datenschutzanfrage@munich-airport.de

Status: 6.9.2023