Privacy policy

Introduction

Welcome to our website and thank you for your interest in privacy and data protection with regard to our services. We are pleased to provide you with information here on how your personal data are processed on our websites and in connection with the other services described in this Privacy Statement. 

Overview

1 Controllers and data protection officers 

2 Data processing
2.1 Data processing policy
2.2 Recipients
2.3 Duration of storage
2.4 Scope of the Privacy Statement

3 Generally applicable information on data processing in relation to online services
3.1 Log files
3.2 Cookies and pixels
3.3 Survey tools
3.4 Integrated maps (Google Maps)
3.5 Integrated videos (YouTube)
3.6 Social media

4 Specific processing activities
4.1 Websites
4.2 Contact form
4.3 Newsletter
4.4 Personalization and user profiles
4.5 WLAN/Wifi
4.6 Photography, video and sound recordings
4.7 Passngr app website
4.8 Parking reservations
4.9 Automatic number plate detection at parking entrances
4.10 Bookings/reservations
4.11 Contests, prize draws, and campaigns in general
4.12 Advent calendar contest
4.13 MuniCon conference center
4.14 Aircraft noise complaints
4.15 InnovationPilot
4.16 Applicant portal
4.17 Airport Collaboration Portal
4.18 FMG und Wohnen
4.19 Processing damage events and claims

5 External booking requirements
5.1 Package travel arrangements
5.2 Flight bookings
5.3 Car rentals

6 Your rights
6.1 Information
6.2 Rectification
6.3 Right to restriction / blocking of processing
6.4 Erasure
6.5 Objection
6.6 Withdrawal
6.7 Data portability
6.8 Right to lodge a complaint with a supervisory authority

7 Data protection inquiries, asserting data protection rights
7.1 Data controller for purposes of data protection laws
7.2 Categories of personal data
7.3 Purposes for processing personal data
7.4 Legal grounds for the processing of personal data and legitimate interests
7.5 Recipients
7.6 Transfers to third countries
7.7 Duration of storage
7.8 Obligation to provide personal data
7.9 Source of the data
7.10 No automated decision making, no profiling

8 Changes to the Privacy Statement

9 Status

1 Controllers and data protection officers

Unless another controller is expressly indicated for specific services, the controller for the purposes of all data processing covered in this Privacy Statement is:

Flughafen München GmbH
Nordallee 25
85356 Munich
Germany
Tel. +49 89 975 00
Email: info@munich-airport.de

Contact details for Flughafen München GmbH, referred to below as "FMG" or "we" and their subsidiaries with data protection officers:

  • Flughafen München GmbH

    Contact data

    Nordallee 25
    85356 München
    Tel. +49 89 975 00
    Email: info@munich-airport.de

    Data Protection Officer

    Claus Streifer
    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Directors

    Jost Lammers
    Thomas Weyer
    Andrea Gebbeken

    Head of IT

    Michael Zaddach

  • aerogate München Gesellschaft für Luftverkehrsabfertigungen mbH

    Contact data

    Terminal1, Modul D
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 212 00

    Data Protection Officer

    Claus Streifer
    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Eva Ranki

    Head of IT

    Michael Zaddach

  • AeroGround Flughafen München GmbH

    Contact Data

    Postfach 23 17 55
    85326 München
    Tel. +49 89 975 210 01

    Data Protection Officer

    Wolf Janz
    AeroGround Flughafen München GmbH
    Postfach 23 17 55
    85326 München
    Tel. +49 89 975 215 10
    Email: datenschutz@aeroground.de

    Managing Directors

    Wolfgang Müller
    Christian Stoschek

    Head of IT

    Michael Zaddach

  • Allresto Flughafen München GmbH - Hotel und Gaststätten GmbH

    Contact data

    Terminalstrasse Mitte 18
    85356 München-Flughafen
    Tel. +49 89 975 9 31 77
    Email: info.allresto@munich-airport.de

    Data Protection Officer

    -Data Protection-
    Allresto Flughafen München GmbH
    Hotel und Gaststätten GmbH
    Terminalstrasse Mitte 18
    85356 München-Flughafen
    Tel. +49 89 975 9 31 77
    Email: datenschutz.allresto@munich-airport.de

    Managing Directors

    Gerhard Halamoda
    Andreas Reichert

    Head of IT

    Allresto Flughafen München GmbH
    Hotel und Gaststätten GmbH

  • CAP Flughafen München Sicherheits-GmbH

    Contact Data

    Postfach 24 11 37
    München-Flughafen
    Tel. +49 89 975 910 74

    Data Protection Officer

    Claus Streifer
    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Daniel Euteneuer

    Head of IT

    Michael Zaddach

  • Cargogate Flughafen München Gesellschaft für Luftverkehrsabfertigung mbH

    Contact Data

    Frachtgebäude Modul C
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 92 289

    Data Protection Officer

    Claus Streifer
    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Claudia Weidenbusch

    Head of IT

    Michael Zaddach

  • eurotrade Flughafen München Handels-GmbH

    Contact Data

    Terminalstraße Mitte 18
    85356 München
    Tel. +49 89 975 936 00

    Data Protection Officer

    Claus Streifer
    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Directors

    Christian Wallner
    Sven Zahn

    Head of IT

    Andre Dlugos

  • EFM Gesellschaft für Enteisen und Flugzeugschleppen am Flughafen München

    Contact Data

    RGS 1, Vorfeld West 1
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 977 500 0

    Data Protection Officer

    Claus Streifer
    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Christoph Titze

    Head of IT

    Michael Springborn

  • InfoGate Information Systems GmbH

    Contact Data

    Südallee 1
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 825 00

    Data Protection Officer

    Claus Streifer
    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Manfred Zötl

    Head of IT

    Manfred Zötl

  • LabCampus GmbH

    Contact Data

    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 65701
    Email: contact@labcampus.de

    Data Protection Officer

    Claus Streifer
    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Dr. Marc Wagener

    Head of IT

    Michael Zaddach

  • MediCare Flughafen München Medizinisches Zentrum GmbH

    Contact Data

    MediCare Flughafen München
    Medizinisches Zentrum GmbH
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 633 28

    Data Protection Officer

    Lukas Mempel
    MediCare Flughafen München
    Medizinisches Zentrum GmbH
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 67 82 04 425
    Email: lukas.mempel@sana.de

    Managing Director

    Elmar Simon

    Head of IT

    Michael Zaddach

  • Munich Airport International GmbH

    Contact Data

    Munich Airport International GmbH
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 102 14

    Data Protection Officer

    Claus Streifer
    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Dr. Ralf Gaffal

    Head of IT

    Michael Zaddach

  • Flughafen München Realisierungsgesellschaft mbH

    Contact Data

    Visiting address:
    Terminalstraße Mitte 26
    Bürogebäude Nord N2
    85356 München-Flughafen

    Postal address:
    Postfach 231755
    85326 München-Flughafen
    Tel. +49 89 975 54500
    Email: mucreal@munich-airport.de

    Data Protection Officer

    N.N.
    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter.mr@munich-airport.de

    Managing Director

    Michael Hiss

  • Terminal 2 Gesellschaft mbH & Co oHG

    Contact Data

    Terminalstraße Nord 1, Ebene Z4
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 887 01

    Data Protection Officer

    Claus Streifer
    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Directors

    Maria Dahlhaus
    Stefan Landes

    Head of IT

    Uwe Winkler

2 Data processing

2.1 Data processing policy

We process your personal data in accordance with applicable data protection laws – in particular the provisions of the General Data Protection Regulation (GDPR), the German Data Protection Act (Bun-desdatenschutzgesetz) and other applicable laws.

We process personal data exclusively in accordance with the intended purposes. The main purpose is to operate Munich Airport including all ancillary business activities directly or indirectly supporting this purpose. The purposes related to specific services are concretely outlined in the corresponding descriptions.

We process your personal data only when this is permitted or required under legal regulations or with your consent.

You will find additional information on specific services in the descriptions below. Unless those descriptions specify another legal basis, the data processing is carried out in accordance with Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in operating Munich Airport, including all ancillary business activities directly or indirectly related to the purpose of business).

2.2 Recipients

Personal data can be transmitted to the following recipients or categories of recipients:

  • In-house recipients (e.g. specialist departments responsible for dedicated processing)
  • Companies of the Flughafen München Group (Our company profile offers a current overview of the group structure)
  • Cooperation partners with whom we perform our services.
  • External contractors in accordance with Art. 28 EU GDPR, if they are explicitly mentioned in the individual processing operations.
  • Business partners for whom we perform.
  • Courts, authorities or other government bodies in the event of legal obligations.

If there are other recipients, these will be mentioned separately in the individual processing activities.

2.3 Duration of storage

Personal data are stored only as long as necessary for achieving the specified purposes or in accordance with the storage and archiving periods required by law. After the relevant purpose no longer applies or the expiry of these periods, the corresponding data will be deleted routinely in accordance with the statutory regulations.

If possible, specific storage periods for the various services will be stated.

2.4 Scope of the Privacy Statement

This Privacy Statement applies to the websites of Flughafen München GmbH and the subsidiaries specified above and for other services described in this Privacy Statement.

3 Generally applicable information on data processing in relation to online services

  • 3.1 Log files

    Every time the contents of our websites are accessed, data are stored that may permit identification of data subjects.

    The following data are collected:

    • date and time of access
    • server traffic at time of access
    • IP address
    • page visited on our website
    • message indicating whether page retrieval was successful
    • transferred data volume
    • information on the device used (mobile device, desktop, etc.), operating system, browser type and versions

    The temporary storage of these data is necessary for processing the site visit in order to ensure that the website can be made available. Further data storage in log files takes place to ensure the functionality of the website and the security of the IT systems. These stored data are analyzed exclusively for purposes of analyzing technical malfunctions and possible attacks on our website. In addition, the data can by analyzed anonymously for statistical purposes.

    Categories of recipients
    Some websites are operated by external hosting services and/or through external agencies. They act on our behalf as external processors and process the data exclusively in accordance with our instructions.

    Duration of storage
    To be in a position to conduct proper investigations of technical malfunctions or possible attacks on our website and report as needed to regulatory bodies and security authorities, we delete or anonymize the log files within 14 days at the latest.

    Legal basis
    The legal basis for the related processing of your data is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in maintaining the functionality of our website and performing statistical analysis of the use of our website). 

  • 3.2 Cookies and pixels

    3.2.1 General information on cookies

    Cookies are small files in which certain information is stored either in open or encrypted form. Cookies are sent from the server to your computer and stored there. They initially serve to identify the computer from which our website was accessed. If you log in to our website, cookies serve to notify the server of your login and check the authorizations to retrieve the page.

    Cookies can help to improve communications between our server and your computer and therefore make it easier to use our website. Cookies also make it possible to track the path of a user across various pages of the website and possibly across various websites. In addition, cookies can store information of any kind.

    Cookies can originate not only with the operator of the website but also with third-party providers. In your browser you can display a list of the cookies stored on your computer, delete some or all of these cookies, or select settings to deactivate or limit the storage of cookies. Please note that some functions (e.g. the login) will not work, or will not be fully functional, if you deactivate the storage of cookies.

    Every cookie has an expiry date when it is no longer valid and will be automatically deleted. Details on the expiry dates for certain cookies are described in the sections below.

    You can object to the use of cookies that permit the analysis of your user behavior: Tracking Preferences. Details are provided in the following sections. Please note: If you delete the cookies stored in your browser after objecting, you may have to click the links provided here again because the objection to the use of cookies containing personal data will also be documented in the form of anonymous (non-personal) cookies.

    Consent management tool 

    We have integrated the consent management tool "consentmanager" (www.consentmanager.net) from Jaohawi AB (Håltgelvågen 1b, 72348 Västerås, Sweden, info@consentmanager.net) on our website to obtain consent for data processing and use of cookies or comparable functions. With the help of "consentmanager" you have the possibility to give your consent for certain functionalities of our website, e.g. for the purpose of integrating external elements, integrating streaming content, statistical analysis, measurement and personalized advertising. With the help of “consentmanager” you can grant or reject your consent for all functions or give your consent for individual purposes or individual functions. The settings you have made can also be changed afterwards. The purpose of integrating “consentmanager” is to let the users of our website decide about the above-mentioned things and, as part of the further use of our website, to offer the option of changing settings that have already been made. By using “consentmanager”, personal data and information from the end devices used, such as the IP address, are processed.

    The legal basis for processing is Art. 6 Para. 1 S. 1 lit. c) in conjunction with Art. 6 para. 3 sentence 1 lit. a) in conjunction with Art. 7 para. 1 GDPR and, in the alternative, lit. f). By processing the data, we help our customers (according to GDPR this is the responsible party) to fulfill their legal obligations (e.g. obligation to provide evidence). Our legitimate interests in processing lie in the storage of user settings and preferences with regard to the use of cookies and other functionalities. "Consentmanager" stores your data as long as your user settings are active. The log data will be deleted after three years. It may happen that we ask you again for your consent. This query takes place after one year at the latest.

    You can object to the processing. You have the right to object to reasons arising from your particular situation. To object, please send an email to info@consentmanager.net.


    3.2.2 Analytical cookies used on our websites

    3.2.2.1 Google Analytics

    This website uses Google Analytics, a web analysis service of Google LLC, 1600 Amphitheatre Parkway Moun-tain View, CA 94043, USA ("Google"). Google Analytics uses the cookies described above. They are stored on your computer for up to two years and enable us to analyze how you use our website. The information generated in this way through your use of this website is generally transferred to a Google server in the USA and stored there for up to 14 months. However, through the activation of IP anonymization on this website, your IP address will be truncated by Google within the EU member states and other signatory states of the Agreement on the European Economic Area. The full IP address will be transferred to a Google server in the USA and truncated there only in exceptional cases.

    At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. However, Google has made a commitment to comply with the Privacy Shield Framework between the EU and the USA as set forth by the US Department of Commerce on the collection, use and retention of personal data from EU member states. Further information is available on the Google support page.

    On our behalf, Google will use the information collected to evaluate your use of the website, to compile activity reports on the use of our website, and to provide other services related to website activity and internet use.

    Further information on the handling of user data by Google Analytics is available in the Google privacy statement.

    The legal basis for the data processing associated with our use of Google Analytics is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in continually adapting the design of the website in accordance with the interests and needs of our users).

    You can opt out of the retention of the data collected by Google Analytics related to your use of the website (including your IP address) by downloading and installing the browser plugin available here.

    Alternatively, you can opt out of the use of Google Analytics for this website only. Opting out in this way will not result in any disadvantages for you. To opt out, simply click the following link:

    Deactivate Google Analytics

    Google Analytics demographics and interests reporting

    In addition to the standard version of Google Analytics, we also use Google Analytics Demographics and In-terest Reporting. For this purpose, Google uses a DoubleClick cookie if one is stored on your computer. Through this service, we receive reports from Google with information on which visitor groups (interests, age groups) visit our website and what interests them there, for example. We use this information to better serve our target group. You are not personally identified in these reports.

    When using our website, you consent to this use of data in the context of Google Analytics (Demographics and Interests Reporting).

    You can prevent your visit from being included in our reports by opting out of Google Analytics tracking as described above.

    You can also find information on how Google uses data and how to disable or monitor the use of your data in the information on how Google uses information from sites or apps that use Google services.

    3.2.2.2 etracker

    On our website we also use the service "etracker Analytics" provided by etracker GmbH, Erste Brunnenstrasse 1, 20459 Hamburg, Germany (www.etracker.com). This service uses cookies that are stored on your computer for up to two years. They permit statistical analysis of the use of this website and the display of usage-related content. etracker retains the data collected on our behalf for up to 12 months. For these purposes, etracker is independently audited and certified, and has been awarded the ePrivacyseal data protection seal of approval.

    The privacy of our users is very important to us. Consequently, the IP address is anonymized by etracker at the earliest possible stage and the login and device IDs are converted to a unique key. This cannot be associated with an individual person, however. The data are not used for any other purposes, merged with other data or forwarded to third parties.

    The legal basis for the data processing associated with our use of etracker services is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in continually adapting the design of the website in accordance with the interests and needs of our users).

    You can object to the data processing described above at any time to the extent that such processing involves personally identifiable data. Opting out in this way will not result in any disadvantages for you.

    Deactivate etracker

    You can find further information on data protection at etracker.

    3.2.2.3 Matomo

    For the InnovationPilot website we use Matomo (formerly known as Piwik), an open source software package for the statistical analysis of user activity. Matomo uses cookies that are stored on your computer for up to two years and enable us to perform statistical analysis of user activity on our website. 

    The privacy of our users is very important to us. Consequently, the user's IP address is anonymized by Matomo at the earliest possible stage. The data are not used for any other purposes, merged with other data or forwarded to third parties.

    The legal basis for the data processing associated with our use of Matomo services is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in continually adapting the design of the website in accordance with the interests and needs of our users)

    You can object to the data processing described above at any time to the extent that such processing involves personally identifiable data. Opting out in this way will not result in any disadvantages for you. Click on the button below to view the privacy statement of InnovationPilot, where you can deactivate Matomo:

    Deactivate Matomo


    3.2.3 Pixels and advertising cookies used on our websites

    3.2.3.1 Google Ads

    Our website uses Google conversion tracking. If you have reached our website via an advertisement placed by Google, Google Ads will set a cookie on your computer. The cookie for conversion tracking is set when a user clicks on an ad placed by Google. These cookies lose their validity after 30 days and are not used for personal identification. If the user visits certain pages of our website and the cookie has not yet expired, we and Google can recognize that the user clicked on the ad and was redirected to this page. Every Google Ads customer receives a different cookie. Cookies cannot therefore be tracked via the websites of Ads customers.

    The information obtained using the conversion cookie is used to create conversion statistics for ads customers who have opted for conversion tracking. Customers learn the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, you will not receive any information that can be used to personally identify users.

    You can find more information on the handling of user data on Google Ads in Google's data protection declaration.

    3.2.3.2 Bing Ads

    On the website we use technologies from Bing Ads (bingads.microsoft.com), which are provided and operated by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA ("Microsoft"). Microsoft places a cookie on your device if you click on a Microsoft Bing ad. Microsoft and we can see in this way that someone clicked on an ad, was redirected to our website and reached a predetermined landing page. These cookies are not used for personal identification, only the total number of users who clicked on a Bing ad and were then forwarded to the target page can be evaluated. The landing pages are typically booking or registration confirmation pages (e.g. when booking a parking space or an event ticket).

    You can prevent the collection of the data generated by the cookie and related to your use of the website as well as the processing of this data by Microsoft by using the following link http://choice.microsoft.com/de-DE/opt-out your Declare contradiction. Further information on data protection and the cookies used by Microsoft and Bing Ads can be found on the Microsoft website.

  • 3.3 Survey tools

    3.3.1 Informizely

    To learn more about our visitors' needs and expectations, we use the survey tool by Informizely B.V., WG-plein 425, 1054SH, Amsterdam, Netherlands on our website. This tool enables us to create surveys to request specific feedback from you at defined touch points and at selected times. Informizely B.V. processes the data for us as an external processor.

    Your participation in these user surveys is optional.

    The following data are collected:

    • IP address (anonymized through partial deletion)
    • information on the device used (mobile device, desktop, etc.), operating system, browser type and versions
    • estimated geographical location (based on the IP address)
    • website from which our website is accessed
    • certain cookie information (if user is informed)
    • user behavior, i.e. data related to how a site visitor uses a survey (e.g. number of times a survey is displayed and whether the user completes it)
    • answers (open and closed) to survey questions

    These data are deleted or anonymized no later than one year after the completion of the survey.

    The legal basis for processing is Art. 6 Par. 1 sentence 1 a) (consent) and f) GDPR (balancing of interests based on our legitimate interest in asking visitors to our website for feedback on certain topics).

    More information on data protection at Informizely

    3.3.2 Lamapoll

    To learn more about our visitors' needs and expectations, we also use the survey tool Lamapoll, provided by Lamano GmbH & Co. KG, Prenzlauer Allee 36G, 10405 Berlin, Germany, on our website. This tool enables us to create surveys to request specific feedback from you at defined touch points and at selected times. Lamano GmbH & Co. KG processes the data for us as an external processor.

    Your participation in these user surveys is optional.

    The following data are collected:

    • Email address
    • Answers (open and closed) to survey questions

    These data are deleted or anonymized no later than one year after the completion of the survey.

    The legal basis for processing is Art. 6 Par. 1 sentence 1 a) (consent) and f) GDPR (balancing of interests based on our legitimate interest in asking visitors to our website for feedback on certain topics).

    More information on data protection at Lamapoll

  • 3.4 Integrated maps (Google Maps)

    Our website uses Google Maps to represent our location and generate directions. Google Maps is an online map service by the US company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

    When retrieving a page on our website requiring a map, your browser will create a direct link to the Google servers and retrieve a map to display on your screen. To use Google Maps functions, it is necessary to process your IP address and information on your possible use of the map. This information is transmitted by your browser to a Google server in the USA and processed there by Google. At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. However, Google has made a commitment to comply with the Privacy Shield Framework between the EU and the USA as set forth by the US Department of Commerce on the collection, use and retention of personal data from EU member states. More information

    Further information on the handling of user data is available in the Google privacy statement.

    The legal basis for processing is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in showing visitors to our website their current location and information on directions to the airport).

  • 3.5 Integrated videos (YouTube)

    We embed YouTube videos in our web pages. The operator of the correspondent plugins is YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA ("YouTube"). YouTube is a subsidiary of the US company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

    When retrieving a page on our website containing an embedded video, your browser will create a direct link to the YouTube servers to retrieve and run the video content on your screen. To use this function, it is necessary to process your IP address and information on your possible use of the map. This information is transmitted by your browser to a YouTube server in the USA and processed there by YouTube. At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. However, YouTube (as a subsidiary of Google) has made a commitment to comply with the Privacy Shield Framework between the EU and the USA as set forth by the US Department of Commerce on the collection, use and retention of personal data from EU member states. Further information is available in the Privacy Shield Framework.

    Further information on data protection at YouTube is available in the Google privacy statement.

  • 3.6 Social media

    The social media channels used by us are described in detail in the sections below. We have a presence on the social media platforms of the following companies:

    • For our presence on this social media platform, we share responsibility with Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

      The data protection officer of Facebook can be contacted via the following link: Facebook data protection officer.

      We have regulated joint responsibility in an agreement covering the respective obligations in accordance with the GDPR. The agreement stipulating the mutual obligations can be accessed via the following link: Facebook information on page insights.

      When you access our page on the Facebook platform, Facebook Ireland Ltd., as the operator of the platform in the EU, will process the user data (e.g. personal information, IP address, etc.). These user data serve in particular to create statistical information on the use of our company page on Facebook. Facebook Ireland Ltd. uses these data for market research and advertising purposes and to create user profiles. Using these profiles, Facebook Ireland Ltd. can direct targeted, interest-based advertising at the user both inside and outside Facebook.

      It is possible that data will be processed either by Facebook Ireland Ltd. or Facebook Inc., 1601 Willow Road, Menlo Park, California 94025 in the USA. At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. Facebook Inc. has agreed to comply with the EU-US Privacy Shield. As a result, it has agreed to adhere to the EU data protection requirements when processing data in the USA. Further information is available in the Privacy Shield Framework text.

      Further information on processing activities, how to block them and on the deletion of data processed by Facebook is available in the Facebook Privacy Policy.

    • We are jointly responsible for our presence on this social media platform with Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. In our relationship with Twitter, the user conditions and privacy policy of Twitter (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. Twitter has agreed to comply with the EU-US Privacy Shield. As a result, it has agreed to adhere to the EU data protection requirements when processing data in the USA. Further information is available in the Privacy Shield Framework text.

      Further information is available in the Twitter privacy policy.

    • We are jointly responsible for our presence on this social media platform with YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA ("YouTube"). YouTube is a subsidiary of the US company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). In our relationship with YouTube, the user conditions and privacy policy of YouTube (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. However, YouTube (as a subsidiary of Google) has made a commitment to comply with the Privacy Shield Framework between the EU and USA as set forth by the US Department of Commerce on the collection, use and retention of personal data from EU member states. Further information is available in the Privacy Shield Framework text.

      Further information on data protection at YouTube is available in the YouTube Privacy Statement.

    • We are jointly responsible for our presence on this social media platform with Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, as the operator of Instagram. In our relationship with Facebook, the user conditions and privacy policy of Instagram (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      It is possible that data will be processed either by Facebook Ireland Ltd. or Facebook Inc., 1601 Willow Road, Menlo Park, California 94025 in the USA. At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. Facebook Inc. has agreed to comply with the EU-US Privacy Shield. As a result, it has agreed to adhere to the EU data protection requirements when processing data in the USA. Further information is available in the Privacy Shield Framework text.

      Further information on data protection at Instagram is available in the Instagram privacy statement.

    • We are jointly responsible for our presence on this social media platform with LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland ("LinkedIn"). In our relationship with LinkedIn, the user conditions and privacy policy of LinkedIn (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      It is possible that the processing through LinkedIn Ireland Unlimited Company will also be carried out through LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085 in the USA. At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. LinkedIn Corporation has agreed to comply with the EU-US Privacy Shield. As a result, it has agreed to adhere to the EU data protection requirements when processing data in the USA. Further information is available in the Privacy Shield Framework text.

      Further information on data protection at LinkedIn is available in the LinkedIn privacy policy.

    • We are jointly responsible for our presence on this social media platform with New Work SE, Dammtorstrasse 30, 20354 Hamburg, Germany ("XING"). In our relationship with XING, the user conditions and privacy policy of XING (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      Further information on data protection at XING is available in the XING privacy statement.

    • We are jointly responsible for our presence on this social media platform with New Work SE, Dammtorstrasse 30, 20354 Hamburg, Germany ("kununu"). In our relationship with kununu, the user conditions and privacy policy of kununu (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      Further information on data protection at kununu is available in the kununu privacy statement.

    The purpose of these social media channels is to advertise our products and services and communicate with interested parties or customers.

    When you contact us through one of these social media channels, we process the personal data associated with your query in the course of processing the query itself. These data are deleted as soon as the query is fully answered and statutory retention or archiving obligations no longer apply (e.g. in case of subsequent settlement of a contract).

    The legal basis for the related data processing is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in presenting our products and services and communicating with interested parties or customers).

4 Specific processing activities

Specific processing activities by FMG and its subsidiaries are described in greater detail in the following chapters.

  • 4.1 Websites

    The main website of Flughafen München GmbH and its subsidiaries is www.munich-airport.de (in German) and www.munich-airport.com (in English).

    This Privacy Statement also applies to all other websites of Flughafen München GmbH and its subsidiaries that are linked to it, in particular the following websites:

    WebsiteDomainResponsible company
    Gut für Bayern, Gut für Michgutfuerbayern.deFlughafen München GmbH
    InnovationPilotinnovationpilot.deFlughafen München GmbH
    Traveller’s Insighttravellers-insight.comFlughafen München GmbH
    Munich Airport Collaboration Portalacp.munich-airport.deFlughafen München GmbH
    ISH – Information Security Hubish-muc.comFlughafen München GmbH
    Aircraft noise map
    travis-web01.munich-airport.de/data/travis.phpFlughafen München GmbH
    Book parkingparken.munich-airport.deFlughafen München GmbH
    Airport Academymunich-airport.de/academy
    Flughafen München GmbH
    Passngrpassngr.deInfoGate Information Systems GmbH
    LabCampuslabcampus.deLabCampus GmbH
    FMG & Wohnenmunich-airport.de/fmg-und-wohnenMUC Airport Betriebs GmbH
    AirportClinicmunich-airport.de/airportclinicMunich AirportClinic GmbH
    Municonmunicon.deAllresto Flughafen München - Hotel und Gaststätten GmbH
    AirBräumunich-airport.de/airbraeuAllresto Flughafen München - Hotel und Gaststätten GmbH
  • 4.2 Contact form

    We offer you the option of using a contact form to ask us for information or support on specific questions.

    Categories of personal data
    We collect your first and last names and email address in any case so that we and/or our system partners to which your query is addressed can contact you.

    When you submit the contact form, the current IP address of the sender is saved for security reasons. Your data will be processed and treated confidentially in compliance with the applicable data protection regulations.

    We will store and process your data only to the extent and as long as required for handling your message.

    Categories of recipients
    In some cases, it will be necessary to forward your data to system partners such as airlines, government authorities or other companies in the FMG group to respond to your feedback.

    Legal basis
    The legal basis for the related processing of your data is Art. 6 Par. 1 sentence 1 b) GDPR (performance of a contract and steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest: in answering queries from our customers and other interested parties).


    Google reCAPTCHA

    Our website uses Google reCAPTCHA to check and prevent automated servers ("bots") from accessing and interacting with our website. This is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (hereinafter: Google).

    Through certification according to the EU-US Privacy Shield https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active Google guarantees that it will follow the EU's data protection regulations when processing data in the United States.

    This service allows Google to determine from which website your request has been sent and from which IP address the reCAPTCHA input box has been used. In addition to your IP address, Google may collect other information necessary to provide and guarantee this service.

    The legal basis is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the security of our website and in the prevention of unwanted, automated access in the form of spam or similar. Google offers detailed information at https://policies.google.com/privacy concerning the general handling of your user data.

  • 4.3 Newsletter

    At various locations you can subscribe to one or more email newsletters. By doing so, you give us your consent to use your email address for advertising purposes. The sender of the emails is always Flughafen München GmbH. The emails will contain information and offers on the following topics related to Munich Airport:

    • airport facilities and services such as parking, lounges and WLAN,
    • useful errands that can be completed at Munich Airport such as car repairs,
    • traveling to and from the airport, e.g. by bus, train, rental car and car sharing services,
    • dining and shopping at Munich Airport,
    • public events and experiences at the airport and
    • flights and travel options from Munich Airport.

    4.3.1 Registration for newsletters

    For your registration to take effect, we need a valid email address. To check that the registration is in fact coming from the owner of the email address, we employ the double opt-in process. For that purpose, we log the newsletter order, the dispatch of the confirmation email and the receipt of the requested reply. To log these events, we record the exact time and the IP address of the end device.

    4.3.2 Basic newsletters and personalized newsletters

    If you select a basic newsletter, we will not personalize the contents to reflect your interests. We therefore do not require data from you to personalize the newsletter and instead collect only the data necessary for directly providing the newsletter. Typically this means your email address and possibly your name.

    In addition, the newsletter content can be personalized to reflect your individual interests. For details on the personalization of newsletters, see personalization and user profiles.

    Subscribers may also be informed by email of circumstances relevant to the service or registration (e.g. changes in the newsletter offers or technical issues).

    4.3.3 Duration of storage

    Your data will be stored when you subscribe to the newsletter and retained until you unsubscribe. Your registration will be successfully completed when you click the appropriate link in the confirmation email addressed to you.

    If you do not confirm the subscription link in the email, we will store your data for two weeks. The link will then expire and it will no longer be possible to use it to confirm your subscription. After this two-week period expires, your data will be immediately deleted. Of course you can register again by repeating the subscription process.

    When you cancel your subscription to one of our newsletters, the unsubscribe process will be completed within 24 hours. Your data will be anonymized one year after you unsubscribe and the transaction will be fully deleted three years after your data are anonymized.

    Please note that a non-automated unsubscribe or data deletion request may take up to 14 days to implement depending on internal processes.

    4.3.4 Unsubscribing from newsletters

    Your consent for us to save your data and to use that information to send you the newsletter can be with-drawn at any time. Every newsletter contains a link for that purpose. In addition, you can unsubscribe at any time using the following email address, for example: newsletter.abmeldung@munich-airport.de. The withdrawal of your consent has no effect on the legality of the processing up to the time of withdrawal. Due to the lead times of the technical and organizational processes, in exceptional cases you may receive another newsletter after unsubscribing.

    4.3.5 Legal basis

    The legal basis for the data processing described in this subsection 4.3 is Art. 6 Par. 1 sentence 1 a) GDPR in conjunction with the corresponding statement of consent.

  • 4.4 Personalization and user profiles

    If you primarily wish to receive contents relevant to you, then select personalized information.

    4.4.1 User profile

    To present content that is relevant to you, we need an optimal understanding of your interests. For this per-sonalized information, we therefore create a personalized user profile for you.

    In this personalized user profile, we save identifying characteristics such as your name and email address together with your contractual and usage data. This ensures that we can personalize our services for you. For example, in the newsletter you will only receive content provided on countries that are likely to interest you or special tips for business travelers – depending on the aspects that apply to you.

    4.4.2 Data sources

    In the user profiles, we collect data from various sources within the Munich Airport group of companies to arrive at the best possible overview of your interests. These sources are based on the declarations of consent submitted by you and may include the following data:

    • the airport website
    • the airport newsletter
    • the PASSNGR app
    • online parking reservations
    • WLAN registration at the airport
    • booking/reserving airport tours, lounges, events and other offers
    • input in contact and feedback forms
    • participation in contests offering prizes
    • bonus and customer loyalty programs
    • suggestions for improvements submitted through electronic channels

    4.4.3 Contractual and usage data for personalization

    • cookies, and in particular long-term cookies
    • start and end time of use
    • opening the newsletter, app or other services
    • functions and pages accessed over time
    • clicking on newsletter content
    • origin of use, e.g. whether a search engine was used first
    • duration of page views
    • salutation
    • first name
    • last name
    • address
    • Email address
    • consents, e.g. to receive a newsletter or for the use of mobile apps
    • date of birth
    • payment and transaction data
    • telephone number
    • other contractual data

    4.4.4 Withdrawal of user profile

    You can withdraw your consent for the storage of your personal data at any time. In addition, you can un-subscribe at any time using the following email address, for example: newsletter.abmeldung@munich-airport.de. Revoking your consent has no effect on the legality of the processing up to the time of revocation. Due to the lead times of the technical and organizational processes, it is possible in exceptional cases that the personalization of content as described in this section will continue for up to 48 hours after your with-drawal of consent.

  • 4.5 WLAN/Wifi

    The free wifi at Munich Airport is a service offered by Flughafen München GmbH. The free wifi coverage at Munich Airport is provided by Telekom Deutschland GmbH. Consequently, the separate terms and conditions for the T-HotSpot and the privacy statement of Telekom Deutschland GmbH shall apply.

    Categories of personal data
    If you wish to use the free wifi, you must identify yourself as a user with your email address. In addition to your email address, we collect the following data:

    • the exact time of access,
    • your browser version,
    • IP address of your end device,
    • number of times free wifi is accessed and
    • your consent to our terms and conditions for free wifi

    We collect these data so that we can contact you if necessary for purposes of performing or processing the contract (e.g. in connection with a possible violation of the contractual terms and conditions of use).

    When you are transferred to the wifi access page of Telekom Deutschland GmbH, we also transfer the email address provided by you to that company.

    When you register to subscribe to our email newsletter, the data provided by you are also used for that purpose: privacy statement for the newsletter.

    We delete the data collected in connection with your access to wifi no later than six months after you use the wifi service. The indicated storage periods may be exceeded in exceptional cases if and to the extent that the data in question are needed for a longer period (e.g. for purposes of the required investigation and/or prose-cution of a possible violation of the terms and conditions of the contract for use of the service).

    Legal basis
    The legal basis for the data processing described above in connection with the free wifi service at Munich Airport is Art. 6 Par. 1 sentence 1 b) GDPR (performance of a contract and steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate inter-est in being able to identify users of the free wifi service at Munich Airport if needed).

  • 4.6 Photography, video and sound recordings

    This privacy policy applies to photography, video and sound recordings (referred to below as "images and recordings") created by Flughafen München GmbH on various occasions (e.g. photo shoots, events). This privacy policy does not apply to data processing in connection with surveillance measures (e.g. video monitoring).

    The images or recordings may be made in connection with photo shoots or events, for example. For this purpose, we will either obtain your consent in advance or at least inform you in your personal invitation or on location (e.g. in case of public events without personal invitations) that such images or recordings will be made. We do not secretly produce images or recordings.

    Categories of personal data
    In addition to the photos, video and sound recordings, we may process other personal data that we collect from you (such as your name and email address) in connection with the recording.

    Flughafen München GmbH may use the images and recordings for print publications, in broadcasting or in electronic media for corporate communications (e.g. reports, flyers, posters, brochures, presentations, websites, intranet, press releases) and for documentation purposes (e.g. archives). The images and recordings may be shared with third parties (e.g. journalists) and disseminated in social media (e.g. Facebook, Twitter). The possible uses of the images or recordings includes all known and unknown uses as well as the editing and modification of the images or recordings. Flughafen München GmbH may grant the same utilization rights to its subsidiaries and participating interests. However, images and recordings will be utilized as de-scribed here only to the extent that this is covered by a basis for authorization (e.g. consent, contract, law).

    Duration of storage
    If you have granted us your consent or if we have entered into a contract with you, the data will be deleted with the expiry of the consent or contract. If we are processing the data on the basis of a legitimate interest pursuant to Art. 6 Par. 1 f) GDPR, the data will be deleted when the legitimate interest no longer applies.

    For FMG employees only: If the recordings are made for purposes of establishing and implementing an employment relationship, we will delete them when the corresponding purpose is fulfilled. If the processing is regulated in a works agreement, the storage periods may be stipulated in that agreement.

    Statutory archiving periods may require us to store the data for a longer period on the basis of Art. 6 Par. 1 c) GDPR.

    Categories of recipients
    If we have obtained the necessary utilization rights for the recordings, we will transfer the recordings to our subsidiaries and participating interests as required so that they can also use them. In all other respects, we will forward your data to our service providers only in compliance with the applicable data protection laws. Our service providers who may be granted access to the recordings and data include IT service providers, printers and advertising agencies.

    For our image database we use a solution provided by CELUM GmbH, Passaustrasse 26-28, 4030 Linz, Austria ("CELUM"). The image database is maintained on our servers. CELUM may access the images when providing support. We have entered into an external processing agreement with CELUM under which CELUM has undertaken to process personal data only in accordance with our instructions. Further information on data protection at CELUM is available at: https://www.celum.com/en/privacy-cookie-policy/.

    To the extent that we are permitted to use your recordings in social media channels, we cannot preclude the possibility that they will be transmitted into a country outside the EU. The US social media servers used by us are certified under the EU/US Privacy Shield Framework and are obliged to comply with the provisions of the GDPR.

    It is also conceivable that, as part of our international media relations and corporate communications, we will transfer some recordings or images in compliance with the applicable data protection regulations to media, press representatives or agencies outside the EU and the European Economic Area so that the recordings or images can be published there.

    Legal basis
    If you have granted us consent, the legal basis for processing is Art. 6 Par. 1 a) GDPR. If consent is granted by employees of FMG, the legal basis of processing under data protection laws in this case is Art. 6 Par. 1 a) GDPR in conjunction with Section 26 Par. 2 of the German Data Protection Act (BDSG).

    If we conclude a contract with you (e.g. for a photo shoot), then the use of the recordings and other personal data will serve the purposes of executing the contract and will take place in accordance with our contractually agreed utilization and exploitation rights. In that case, the legal basis for processing under data protection laws is Art. 6 Par. 1 b) GDPR.

    If the recordings are made for purposes of establishing and implementing an employment relationship with FMG, the primary legal basis for processing is Section 26 Par. 1 BDSG.

    We will produce photos, video or audio recordings at events etc. without your consent and without a contractual agreement only if a legitimate interest applies in accordance with Art. 6 Par. 1 f) GDPR. Such a legitimate interest may result from the provisions of Section 23 of the German Art Copyright Act (KUG). This is conceivable, for example, in case of:

    • images of historical interest in which you appear;
    • images in which you can be seen incidentally near a specific location or
    • images of gatherings or public events in which you participated.

    In addition to the original purpose for producing the recordings, we may also store recordings and the related data for documentation or archiving purposes unless this is prohibited under contractual or statutory regulations. In this case, our legitimate interest in accordance with Art. 6 Par. 1 f) GDPR is the use of the recordings for publications on our company's history.

    To the extent that we process data in accordance with Art. 6 Par. 1 f) GDPR, we always give due consideration to the question of whether you have overriding interests in the specific case at hand that outweigh our legitimate interests in using the data.

  • 4.7 Passngr app website

    Passngr is the app shared by a number of German airports. With this app, you always have all of your travel information on hand: your flight data, important information for finding your way in your departure and arrival airports, and the most convenient way of getting to and from the airport. The Passngr app is offered and operated by InfoGate Information Systems GmbH, a subsidiary of Flughafen München GmbH.

    For the Passngr app website (https://www.passngr.de), the general privacy information for websites provid-ed in this Privacy Statement applies. In addition, you can enter your mobile phone number on this website to ask for a link to be sent to the Passngr app on your phone. We will use your mobile phone number for this purpose only and will then delete it.

    The privacy policy for the Passngr app can be accessed directly from the app under "Settings" – "About the Passngr app".

  • 4.8 Parking reservations

    You can quickly and easily make advance parking reservations on our website at parken.munich-airport.de. The provider and contractual partner is Flughafen München GmbH.

    Categories of personal data
    The following data are collected when you reserve a parking space:

    • company
    • salutation
    • first name
    • last name
    • address
    • email address
    • telephone number
    • other contractual data (planned and actual arrival at parking space, planned and actual departure from parking space, product, parking area / parking garage, price, any applicable promotions or promotion codes)
    • booking time
    • payment data
    • affiliate network

    When you register on the website, we will collect, store and process the above-mentioned data in your cus-tomer account to facilitate the reservation process. You can delete your customer account at any time.

    The personal data provided by you will be collected, stored and processed by us, our system provider ADVAM (UK Ltd.), acting as an external processor, and by the credit card acquirer or payment services provider in-volved in the processing of your booking and the parking and payment transaction.

    Duration of storage
    After your booking, the data collected will be stored until the end of the applicable statutory retention period of 10 years.

    Legal basis
    The legal basis for the processing of your data described in this section is Art. 6 Par. 1 sentence 1 b) GDPR (contract performance or steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 c) GDPR (compliance with legal obligation to comply with statutory retention periods).

  • 4.9 Automatic number plate detection at parking entrances

    The number plate of your vehicle is read by an infrared camera when entering the parking area of Flughafen München GmbH. After successful entry, the parking system stores the identified number plate in abbreviated form (with the first three characters stored in clear text format and the remaining characters masked with asterisks (*)) along with the entry time and the entry post.

    The number plate is also stored in the system for parking facility management purposes until the vehicle has exited the facility. The data are used exclusively to process the parking transaction. They are not shared with third parties or used for any other purpose.

    Personal data are processed for the following purposes:

    1) Processing the parking transaction
    2) Improved traffic flow
    3) Opening barriers
    4) Proof of parking times in case of improper reimbursement claims
    5) Issuing receipts at a later date
    6) Avoiding and prosecuting criminal offenses and property damage
    7) Identifying and taking action against violations of parking facility regulations
    8) Blocking number plates in the system

    Categories of personal data
    In the automatic capture of number plates and the related processing of parking transactions, the following personal data are processed:

    • The captured infrared image of the vehicle number plate in clear text, the parking facility used, the entry and exit device, the entry and exit times (date, time), the card number on the ticket or the medium used for long-term parking access.
    • In case of short-term parking tickets and online reservations, the parking charge In this case the plate number is also shown on the issued parking ticket.
    • In case of long-term parking tickets, the data of the contractual partner (last name, first name, company).
    • In case of online reservations, the email and postal address.

    Duration of storage
    The number plate images are deleted from the parking system one day after the successful exit from the parking facility and the completion of the parking transaction. In the system that manages the parking facilities and stores the relevant data records, the record is deleted after 92 days.

    Legal basis for data processing
    The legal grounds for the data processing are as follows:

    • For the purposes stated in 1, 2, 3, 4, 5, 7: Art. 6 (1)(b) GDPR: Performance of contracts, e.g. contract for parking space rental / terms of use agreement, terms and conditions for parking, special terms and conditions for online bookings, Airport Rules and Regulations.
    • For purposes 6 and 8: Art. 6 (1)(f) GDPR: Safeguarding our legitimate interests (e.g. damage claims, controlling access to our premises, preventing the fraudulent evasion of parking charges).

    Legitimate interests
    The purposes listed under 6 and 8 enable us to pursue our legitimate interests in preventing the fraudulent evasion of parking charges, pursuing possible claims to damages and asserting our right to control access to our premises. The processing is also necessary and appropriate for fulfilling those purposes.

    Right to object / right to erasure
    To the extent that the legal basis for processing your personal data is based on Art. 6 (1)(b) or (c) GDPR, this processing is required in order to enter into or fulfill a contractual relationship with Flughafen München GmbH in connection with your parking transaction. Consequently, there is no right to object in that regard.

    For all processing activities carried out by us on the basis of our legitimate interests, you have the right, on grounds related to your particular situation, to object to such processing at any time pursuant to Art. 21 (1) GDPR.

  • 4.10 Bookings/reservations

    4.10.1 Airport tours

    On our website at munich-airport.de/airport-tours you can find a selection of seasonal and year-round tours for adults and children where you can obtain in-depth insights into Munich Airport's operations.

    The provider of the products and services is Flughafen München GmbH. The bookings and payment transactions are implemented by Regiondo GmbH with headquarters in Munich, Germany.

    Categories of personal data
    The following data are collected when tours are booked:

    • first name
    • last name
    • email address
    • telephone number
    • tour data

    Recipients
    The personal data provided by you will be collected, stored and processed by us, Regiondo GmbH, and by the credit card acquirer or payment services provider involved in the processing of your booking and the tour and payment transaction.

    Duration of storage
    After your booking, the data collected will be stored until the end of the applicable statutory retention periods of six and/or ten years.

    Legal basis
    The legal basis for the processing of your data described in this section is Art. 6 Par. 1 sentence 1 b) GDPR (contractual performance and steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 c) GDPR (compliance with legal obligation to comply with statutory retention periods).

    4.10.2 Lounge bookings

    You can find a list of lounges available at the airport on our website at munich-airport.de/lounges. For some of these lounges you can book tickets or vouchers through our website. The provider of the lounges that can be booked is Flughafen München GmbH. The bookings and payment transactions are implemented by Regiondo GmbH with headquarters in Munich, Germany.

    Categories of personal data
    The following data are collected when bookings are made:

    • first name
    • last name
    • email address
    • telephone number
    • booking details
    • payment data

    Recipients
    The personal data provided by you will be collected, stored and processed by us, by Regiondo GmbH and by the credit card acquirer or payment services provider involved in the processing of your booking and the lounge use and payment transaction.

    Duration of storage
    After your booking, the data collected will be stored until the end of the applicable statutory retention periods of six and/or ten years.

    Legal basis
    The legal basis for the processing of your data described in this section is Art. 6 Par. 1 sentence 1 b) GDPR (contract performance and steps prior to entering into a contract) and Art. 6 Par. 1 sen-tence 1 c) GDPR (compliance with legal obligation to comply with statutory retention periods).

    4.10.3 Events

    On our website at munich-airport-camarketing.regiondo.de and allresto.regiondo.de you can find events hosted by Flughafen München GmbH and Allresto Flughafen München Hotel und Gaststätten GmbH. For some of these events you can book tickets or vouchers through our website. The event providers are Flughafen München GmbH and/or Allresto Flughafen München Hotel und Gaststätten GmbH. The bookings and payment transactions are implemented by Regiondo GmbH with headquarters in Munich, Germany.

    Categories of personal data
    The following data may be collected when bookings are made:

    • first name
    • last name
    • email address
    • telephone number
    • booking details
    • payment data
    • recipients

    The personal data provided by you will be collected, stored and processed by us, by Regiondo GmbH and by the credit card acquirer or payment services provider involved in the processing of your booking and the event and payment transaction.

    Duration of storage
    After your booking, the data collected will be stored until the end of the applicable statutory retention periods of six and/or ten years.

    Legal basis
    The legal basis for the processing of your data described in this section is Art. 6 Par. 1 sentence 1 b) GDPR (contract performance and steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 c) GDPR (compliance with legal obligation to comply with statutory retention periods).

  • 4.11 Contests, prize draws, and campaigns in general

    The section of the Privacy Statement applies to our processing of personal data of participants in contests, prize draws or campaigns run by Flughafen München GmbH. If you subscribe to a newsletter when taking part in a contest, please note the privacy information regarding newsletters.

    4.11.1 Implementation

    For purposes of implementing the prize draw, we process the personal data of the participants – in particular the email address and, at the appropriate time, the address of the winner – which we need for recording the participants' details, notifying the winner and presenting the prize.

    For purposes of implementing the prize draw, we store the participants' personal data until the draw is completed and the winner is notified and for a further period in case the winner does not reply when notified so that a new winner must be drawn.

    In addition, we store the winner's personal data – including the address obtained when the winner is notified – to complete the necessary steps for awarding the prize and, if applicable, for the duration of any additional statutory retention periods.

    Contest participants are not required by law or contractual provisions to provide the above-mentioned personal data. However, for purposes of entering into the contract, i.e. participation in the prize draw, it is necessary to provide the data in our registration form marked as mandatory (as opposed to optional input). The address of the winner obtained after the draw is necessary for sending the prize.

    4.11.2 Forwarding data to other recipients

    Unless otherwise indicated elsewhere in this Privacy Statement, we transfer your personal data to the following additional recipients or categories of recipients:

    • Newsletter mailing and customer relationship management service providers
    • Cooperation partners used by us to deliver our services


    4.11.3 Legal basis

    Legal basis for the data processing described in the section "Contests, prize draws, campaigns":

    • consent of the data subject (Art. 6 Par. 1 sentence 1 a) GDPR
    • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6 Par. 1 sentence 1 b) GDPR).
    • legitimate interests (Art. 6 Par. 1 sentence 1 f) GDPR) Defense of legal claims
  • 4.12 Advent calendar contest

    From December 1st to 24th, FMG conducts a daily prize draw for trips in its Online Advent Calendar. Participants who correctly answer the daily question behind the doors in the calendar have a chance to win trips to various destinations along with other prizes.

    Categories of personal data
    To select the winning entries, the following data are collected:

    • salutation
    • first name
    • last name
    • password
    • email address
    • street
    • house number
    • postal code
    • location

    We store and use the personal data collected when you register for the draw – such as your first and last name, email address, postal address, etc. – exclusively for purposes of the contest. These purposes include:

    • selection and notification of winners after successful completion of a knowledge test
    • communication with participants
    • on request, mailings of information on airport services and offers
    • for legal defense purposes in case of litigation

    Any storage, processing, utilization and/or transmission of such data for advertising purposes will take place exclusively in case separate consent is provided and only within the terms of such consent.

    Recipients

    • internal recipients: Employees of specialized department
    • external recipients: An agency that supports us in implementing the contest If you subscribe to the email newsletters of airlines, we will forward your salutation, name and email address to them as well so that they can send you the newsletter in question.

    Duration of storage
    The data will be stored for up to three years after the end of the contest.

    Legal basis

    • consent of the data subject, to the extent that you grant us your consent (Art. 6 Par. 1 sentence 1 a) GDPR)
    • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6 Par. 1 sentence 1 b) GDPR).
    • legitimate interests (Art. 6 Par. 1 sentence 1 f) GDPR) in case the data are needed for legal defense purposes.
  • 4.13 MuniCon conference center

    The municon conference center is operated by Allresto Flughafen München GmbH - Hotel und Gaststätten GmbH. The municon conference center is located at the heart of Munich Airport in the north building of the Munich Airport Center, thus providing a professional setting for meetings, training seminars, presentations or major events.

    The website of the municon conference center offers the opportunity to complete a contact form to submit a callback request. Further information is available under Contact form.

    Categories of personal data
    The following data are collected when the request is submitted:

    • salutation
    • first name
    • last name
    • telephone number
    • email address

    Recipients
    The data will be used exclusively to make the requested call and, if applicable, to book a conference room. The data will not be shared with third parties.

    Legal basis
    The legal basis for the data processing described in this paragraph is Art. 6 Par. 1 sentence 1 b) GDPR (contractual performance and steps prior to entering into a contract).

  • 4.14 Aircraft noise complaints

    We offer you the possibility of using a contact form to contact us directly regarding aircraft noise. Relevant data collected in this case can be found under Contact form.

    Categories of personal data

    • name and contact data (e.g. telephone number, email address and postal address)
    • location data to concretely specify the cause of the complaint and the underlying event

    Special categories of personal data will be noted only to the extent that complainants provide such infor-mation on their own initiative. As they are not needed for the processing of complaints, no further processing will take place. Your data will be processed solely for the following purposes: Processing aircraft noise complaints, including reporting on the number and geographical distribution of aircraft noise complaints at the meetings of the Aircraft Noise Commission and in the Integrated Report of FMG (only the number of com-plaints).

    Recipients
    Personal data are sent to the following recipients or categories of recipients:

    • recipients within the FMG Group (e.g. departments with a role in the processing of noise complaints)
    • aircraft Noise Commission of Munich Airport (only information on the number and geographical distribution of noise complaints)
    • interested members of the public through the Integrated Report (only the number of aircraft noise complaints)
    • airport associations (only information on the number and geographical distribution of noise complaints)
    • courts, public authorities or other government bodies in case legal obligations apply

    Legal basis
    Legal basis for the processing of personal data: Necessity to safeguard the legitimate interests of the controller or a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. (see Art. 6 Par. 1 sentence 1 f) GDPR). FMG has a legitimate interest in limiting the impact of airport operations on the surrounding residents in the interests of good relations with its neighbors and maintaining transparency with regard to environmental issues. In addition, legitimate interests result from the responsibilities of the Aircraft Noise Commission (Section 32b of the Aviation Act (LuftVG), Rules of Procedure of the Aircraft Noise Commission). The Aircraft Noise Commission is formed to engage in consultations with the approval authority, the Federal Supervisory Authority for Air Navigation Services (BAF) and the air traffic management organization. It is notified of measures taken to reduce aircraft noise to protect residents, but can also propose measures on its own initiative. To be able to discharge this responsibility, it is necessary to have knowledge of certain personal data, in particular geographical data and the related geographical distribution and number of aircraft noise complaints.

    In case of inquiries under the Environmental Information Act (UIG) regarding the number and geographical distribution of complaints and the reason for the complaint, a special legal basis applies: the UIG.

  • 4.15 InnovationPilot

    The ideas platform operated by Flughafen München GmbH and the services provided there serve to facilitate communications between the platform users and/or the platform operator, innosabi GmbH, to generate ideas for new products and services and use them to jointly develop new products and services.

    Moreover, we collect and process your personal data in order to provide, operate and administer the InnovationPilot platform in accordance with its terms and conditions of use and to grant you access to the services made available there. In principle, this involves the following personal data and processing scenarios, with the specific purposes indicated.

    4.15.1 Registration and user account

    Before using the services on the platform it is necessary to set up a user account. When registering a user account we collect your first name, last name and email address. In your user account you can also upload a profile photo and edit your notification settings for platform news, the project blog and updates on suggestions.

    The legal basis for processing your data is the need to perform steps requested by you prior to entering into a contract and/or the contract itself as specified in Art. 6 Par. 1 sentence 1 b) GDPR.

    When registering you can also provide us with the following optional information:

    • frequency of air travel
    • reason for visit to Munich Airport
    • interest in subject areas
    • interest in taking part in workshops
    • age bracket
    • postal code area (first two digits)
    • feedback request

    (The legal basis for processing the data is your consent). The optional input is used for invitations to idea campaigns based on your specific interests. You can revoke your consent to this form of processing at any time and access your user profile to edit your communication preferences and opt out of notifications.

    Facebook Connect
    On our InnovationPilot website, we offer the option of registering for our service with Facebook Connect. An additional registration is not required.

    Facebook Connect is a service provided by Facebook, which is described above. To register you will be redirected to the Facebook website where you can sign in with your Facebook user data. This will link your Facebook profile to our service. When your profile is linked, Facebook will transfer the following information to us: Facebook ID, email address, first and last name This information is mandatory for us when entering into the contract so that we can identify you. If you do not wish to use Facebook Connect, you can use these data (without a Facebook ID) to create a customer account directly on the InnovationPilot website and then log in to that account.

    Legal basis
    The legal basis for the related processing of your data is Art. 6 Par. 1 sentence 1 b) GDPR (contractual performance and steps prior to entering into a contract).

    For further information on Facebook Connect and the privacy settings, see the Facebook Data Statement and Terms of Service.

    4.15.2 Interaction on the platform

    The platform and the services provided there serve to facilitate communications between the platform users and/or the platform operator, Flughafen München GmbH, to generate ideas for new products and services and use them to jointly develop new products and services. For that purpose, you can make any content you wish available using the functionality provided on the platform (e.g. in the form of texts, feedback, photos and documents, etc.), in particular by:

    • writing texts and posting them on the platform,
    • uploading images and other documents to the platform,
    • commenting on your own or other users' posts, rating posts with hearts, marking your favorite ideas with stars, and taking part in surveys.

    We process your personal data and the content you provide in the relevant context in order to facilitate, implement and process the communications described above and the exchange of information between users and the platform operator. Please bear in mind that for this purpose it is necessary for your user profile and the contents you provide on the site to be visible to all other users of the platform.

    If the user has already uploaded a post before the user's registration is cancelled or summarily terminated, the post will not be deleted with the termination of membership. Instead it may remain on the platform in anonymized form.

    We will also process your email address in order to send you up-to-date information on events on the platform. This includes:

    • invitations to and/or information on new projects,
    • feedback on your posts from the platform operator or other users,
    • information on using the platform, any changes to the platform and the progress of current and/or completed projects on the platform.

    When users submit content to our website such as suggestions or comments, the time when the content is created is stored along with the content. In addition, the content is linked to the registered user. This is for our protection, as we can be held legally responsible for illegal contents on our website even if they are created by users. The legal basis for the processing is the legitimate interests pursued by the controller or a third party as specified in Art. 6 Par. 1 sentence 1 f) GDPR).

    4.15.3 Rewards

    If you take part in projects and receive a special thank you reward, we will collect your name, address, mailing address (if different) and, if needed, your telephone number. We will process your personal data exclusively for sending the reward.

    4.15.4 Contact form

    If you contact us with questions of any kind by email or using a contact form, you have the option of granting us your consent to contact you. For that purpose, a valid email address is required. This is used to match the question with the subsequent answer. Any other input is optional. The information you provide is stored for purposes of processing your inquiry and for possible follow-up questions. After your inquiry is dealt with, your personal data will be automatically deleted. The legal basis for the processing is the legitimate interests pursued by the controller or a third party as specified in Art. 6 Par. 1 sentence 1 f) GDPR).

    4.15.5 Recipients

    Personal data are sent to the following recipients or categories of recipients:

    • Recipients within the FMG Group (e.g. departments responsible for the relevant processing of the data)
    • Cooperation partners used by us to deliver our services
    • External processors in accordance with Art. 28 EU GDPR; currently these are: innosabi GmbH, Möhlstr. 2, 81675 Munich
  • 4.16 Applicant portal

    If you apply for a job, your personal data are transferred via an applicant management system (d.vinci) operated by the provider d.vinci HR-Systems GmbH, Nagelsweg 37-39, 20097 Hamburg, to an external data center (subcontractor of d.vinci) and stored there. Munich Airport has entered into a contract with the provider of the applicant management system under which the provider is required in particular to meet all obliga-tions under data protection law and to act in accordance with the instructions of Flughafen München GmbH at all times. Additional data protection regulations can be found in the Privacy statement for the applicant portal.

  • 4.17 Airport Collaboration Portal

    The Airport Collaboration Portal (ACP) serves as the entry point for several applications that fall under various areas of responsibilities and serve various purposes. The portal is operated by Flughafen München GmbH.

    Purpose of data processing
    Your data will be processed solely for the following purposes:

    • registration in the ACP system and
    • granting user privileges for applications
    • registration enables the user to be granted access to applications within the ACP. These include: AIS Airport Information System, Delaycodeclearing, night flight requests, LGS-Baggage.

    Categories of personal data
    Participation in the Airport Collaboration Portal (ACP) is a quasi-contractual legal relationship; the data not marked as optional must be submitted for user management purposes.

    The following categories of personal data are collected:

    • first name
    • name
    • organization
    • company
    • department
    • email address
    • telephone number
    • airport ID number

    Recipients
    The specialized department has access to the personal data.

    Duration of storage
    Access data (login) are deleted when the individual leaves the company or when the access privileges are revoked.

    Legal basis
    The legal basis for the data processing described in this paragraph is Art. 6 Par. 1 sentence 1 b) GDPR (contractual performance and steps prior to entering into a contract).

    Data protection inquiries
    To exercise rights pertaining to the Airport Collaboration Portal (ACP), the data subject can contact us, preferably by email, at: acp@munich-airport.de.

  • 4.18 FMG und Wohnen

    To offer accommodation to our future employees, existing staff, and partners in the vicinity of the airport, we cooperate with MUC Airport Betriebs GmbH.

    Housing inquiries can be submitted to Flughafen München GmbH at: munich-airport.de/fmg-und-wohnen. After an initial review, inquiries are forwarded to MUC Airport Betriebs GmbH via that company's booking software. The data transmitted in this online form are exported in an email that is transferred only within the protected airport network to a special email account that can be accessed only by the responsible employees.

    Purpose of processing
    We process your personal data solely for purposes of processing and handling your booking inquiry, checking your authorization to access the "FMG und Wohnen" service, entering into a contract, executing a contract, processing your booking and to communicate with you to offer and deliver the "FMG und Wohnen" service. A further purpose is to execute and defend our rights.

    Categories of personal data

    • salutation
    • first name
    • last name
    • address
    • telephone number
    • email address
    • airport company
    • personnel number (if available)
    • booking date

    Legal basis
    The legal basis for the related processing of your data is Art. 6 Par. 1 sentence 1 b) GDPR (performance of a contract and steps prior to entering into a contract) and Art. 6 Par. 1 f) GDPR (balancing of interests based on our legitimate interest in checking access authorizations, asserting and defending our rights and forwarding inquiries from our customers).

    Recipients
    We collect, store and process the personal data provided by you exclusively for the purposes stated above (in particular the processing of your booking). For this purpose, however, we must forward the data. As a result, the data are forwarded to the booking tool apaleo GmbH operated by MUC Airport Betriebs GmbH.

    The required transfer of personal data to MUC Airport Betriebs GmbH takes place as required to achieve the stated purposes. After the transfer of the data, the hotel is the sole controller responsible for the processing carried out there under data protection laws. Consequently, Flughafen München GmbH assumes no responsibility for data processing in the hotel operations.

    Duration of storage
    Your personal data will be stored for a maximum of 12 months after the contract is fully executed. The data will be deleted after that period ends. Please note that statutory retention periods, for example under the German Fiscal Code (AO) or the German Commercial Code (HGB), as legitimate purpose limitations, represent an exception and are handled according to the applicable requirements.

  • 4.19 Processing damage events and claims 

    The following text contains information on the processing of your personal data in connection with damages of all kinds, including insurance claims and other ways of settling damages.

    Purpose of processing
    The purpose of the data processing is the comprehensive handling of the damage event, which is not possible without processing your personal data. We process your data in accordance with the relevant data protection regulations, in particular the Insurance Policy Act (Versicherungsvertragsgesetz – VVG) and all other applicable laws.

    Categories of personal data
    To process the damage event, we store and process the personal data of the concerned parties (e.g. first name, last name, date of birth, address, telephone number) as well as data regarding the events (e.g. the damage event) and material facts (e.g. vehicle identification data) that may relate to natural persons.

    Recipients
    Personal data are sent to the following recipients or categories of recipients:

    • Recipients within the FMG Group (e.g. departments responsible for the relevant processing of the data)
    • Companies in the FMG Group
    • Cooperation partners used by us to deliver our services
    • External contractors as defined in Section 28 of the EU-GDPR; at present, these are: FMV – Flughafen München Versicherungsvermittlungsgesellschaft mbH / Marsh GmbH
    • Insurance companies involved in the handling of the damage event

    Duration of storage
    We process and store your personal data as long as necessary to meet our legal obligations. The damage reports and files are retained in accordance with the statutory retention periods.

    Legal basis
    The legal basis for the processing of personal data is as follows:

    • Consent [see Art. 6 Par. 1 sentence 1 a) GDPR] (in cases where we request consent)
    • Necessity for the performance of a contract to which the data subject is a party [see Art. 6 Par. 1 sentence 1 b) GDPR, first option] or to complete steps prior to entering into a contract.
    • In addition, we process your personal data to meet legal obligations. The need to comply with a legal obligation to which the data controller is subject [see Art. 6 Par. 1 sentence 1 c) GDPR].
      • Insurance Policy Act and other relevant laws
      • Fulfillment of obligations to our insurer.
    • We also process your data to safeguard legitimate interests pursued by us or third parties (Art. 6 Par. 1 f) GDPR), i.e. where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. [see Art. 6 Par. 1 sentence 1 f) GDPR].
      • Asserting our own damage claims
      • Fulfillment of obligations to our insurer
      • Defending damage claims pursued against our company
      • Defense and cooperation in case of criminal and administrative proceedings

    In exceptional cases, special categories of personal data are processed (e.g. health-related data). In such cases, the data are generally processed on the basis of Art. 9 GDPR e.g. Art. 9 Par. 2 e) GDPR if these data are manifestly made public by you.

    Source of the data
    If the personal data are not obtained directly from the data subject, they are obtained from

    • Vehicle inquiries, e.g. the "Green Card Office" in Hamburg
    • Witnesses, persons involved in an accident and other third parties
    • Generally accessible sources

5 External booking requirements

On our website you will be redirected to the external booking platforms described below. The bookings are processed independently of Flughafen München GmbH. The privacy policy of the provider in question will apply.

5.1 Package travel arrangements

The booking process "Package holidays" is operated by travianet GmbH, a company in the FTI Group, with headquarters in Deggendorf, Germany. The process is subject to the privacy policy of travianet GmbH.

5.2 Flight bookings

The booking process "Flights" is operated by fly GmbH, a company in the FTI Group, with headquarters in Munich, Germany. The process is subject to the privacy policy of fly GmbH.

5.3 Car rentals

The booking process "Car rentals" is operated by TravelJigsaw Limited with headquarters in London, UK. The trade name of the rental car booking platform is Rentalcars.com. The process is subject to the terms of the privacy policy of Rentalcars.com.

6 Your rights

Under data protection laws, data subjects have various rights with regard to their personal data, in particular a right to information on the personal data in question, the rectification and erasure of data, the restriction of processing, objection to processing, data portability and the right to withdraw consent at any time. Unless otherwise indicated in the various processing steps, you can exercise your rights by contacting datenschutzanfrage@munich-airport.de. Further information on the processing of your personal data when asserting your rights or other data protection inquiries can be found in Individual processing activities in the appropriate section.

6.1 Information

The data subject has the right pursuant to Art. 15 GDPR to obtain information from the controller on the processing of his/her personal data by the controller. Please note that this right may be restricted under certain circumstances in accordance with statutory regulations (in particular Section 34 of the German Data Protection Act (BDSG)).

6.2 Rectification

The data subject has the right pursuant to Art. 16 GDPR to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Depending on the purposes of the pro-cessing, the data subject has the right to have incomplete personal data completed.

6.3 Right to restriction / blocking of processing

The data subject has the right pursuant to Art. 18 GDPR to obtain from the controller restriction of processing of personal data pertaining to him/her.

By way of clarification, please note: To ensure that a data block can be complied with at all times, it is generally necessary to keep certain personal data of the data subject in a restricted data file.

6.4 Erasure

The data subject has the right, pursuant to the criteria set out in Art. 17 GDPR, to obtain from the controller the erasure of personal data pertaining to him/her.

6.5 Objection

The data subject has the right, pursuant to the criteria set out in Art. 21 GDPR, to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds warranting protection for the processing which override your interests, rights and freedoms or which serve to establish, exercise or defend against legal claims.

6.6 Withdrawal

The data subject has the right to withdraw his/her consent with future effect at any time. The withdrawal of consent shall not affect the lawfulness of processing of personal data based on consent granted prior to the withdrawal.

6.7 Data portability

The data subject has the right, pursuant to Art. 20 GDPR, to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and to transmit the data to another controller or to have the data transmitted directly from one controller to another.

6.8 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if they believe that the processing of personal data relating to them violates the law. The supervisory authority in the state of Bavaria responsible for the non-public area of the airport is the Bavarian State Office for Data Protection Supervision, Ansbach.

7 Data protection inquiries, asserting data protection rights

If you contact us with a data protection inquiry, assert rights to information or other rights of data subjects under data protection laws with regard to the Munich Airport Group or submit other comments or notifications with regard to data protection, it is necessary to process your personal data.

  • 7.1 Data controller for purposes of data protection laws

    The responsible data controller is Flughafen München GmbH or the subsidiary to which the data protection inquiry refers or to which you address your inquiry.

  • 7.2 Categories of personal data

    The following categories of personal data are processed:

    • identification/address data of the party submitting the inquiry,
    • declarations of consent,
    • data to explain and clarify the inquiry (e.g. relationship to the airport; events pertaining to the inquiry; connection to individual companies, etc.)

    to the extent that such data are necessary or are provided for purposes of data investigations.

    • In addition, the categories of personal data addressed by the inquiry are processed as part of the processing activities needed to handle the inquiry.

    The processing activities do not cover any particular categories of personal data by default. In specific cases, however, this is possible to the extent necessary for processing the inquiry at hand.

  • 7.3 Purposes for processing personal data

    Your data will be processed solely for the following purposes:

    • Coordination, processing and replying to data protection inquiries, in particular data protection inquiries to assert the rights of data subjects
    • Investigating the processing of the personal data of the party submitting the inquiry.
    • Meeting the legal obligations under the GDPR, specifically, but not limited to, those related to the rights of data subjects; if applicable, implementing asserted rights.
    • Avoiding time for the processing of follow-up inquiries, and especially unnecessary follow-up inquiries; handling excessive or frivolous inquiries
    • Legal interests (in particular: defense against claims)
    • Documentation (in particular: for supervisory authorities)
  • 7.4 Legal grounds for the processing of personal data and legitimate interests

    The legal basis for the processing of personal data is as follows:

    1. Consent (see Art. 6 Par. 1 sentence 1 a) GDPR)

    2. The need to fulfill legal obligations applicable to the data controller (see Art. 6 Par. 1 sentence 1 c) GDPR). The legal obligations result from the GDPR, in particular Art. 12 et. seq. GDPR and

    • Right to information: Art. 15 GDPR
    • Right to rectification: Art. 16 GDPR
    • Right to erasure: Art. 17 GDPR
    • Right to restrict processing: Art. 18 GDPR
    • Right to data portability Art. 20 GDPR
    • Right to object Art. 21 GDPR
    • Accountability: Art. 5 Par. 2 GDPR in conjunction with Par. 1 and other data protection obligations set out in detail in the GDPR and other laws.

    3. Necessity to safeguard the legitimate interests of the controller or a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.[see Art. 6 Par. 1 sentence 1 f) GDPR]. The legitimate interests consist of:

    • avoiding time for the processing of follow-up inquiries, and especially unnecessary follow-up inquiries; handling excessive or frivolous inquiries
    • legal interests (in particular: defense against claims)
    • documentation (in particular: for supervisory authorities)

    The legal basis for the processing of special categories of personal data is as follows:

    • Art. 12 et. seq. GDPR: Depending on the legal basis for the processing activities needed to process the inquiry at hand.
    • Art. 9 GDPR: Consent [see Art. 9 Par. 2 a) GDPR]
  • 7.5 Recipients

    Personal data are sent to the following recipients or categories of recipients:

    • recipients within the FMG Group (e.g. departments responsible for the relevant processing of the data)
    • the Group Compliance Unit (RCC), which is part of Flughafen München GmbH (FMG), is regularly involved in the coordination of data protection inquiries in the Munich Airport Group. In addition, any unit to which the inquiry relates or through which personal data addressed in the specific inquiry are (possibly) stored can be recipients.
    • companies in the Munich Airport Group. A current summary of the group structure is provided here.
    • companies in the Munich Airport Group may be considered recipients if an inquiry refers to them or if they hold personal data to which the inquiry refers.
    • cooperation partners used by us to deliver our services
    • external contractors as defined in Section 28 of the EU GDPR.
    • courts, public authorities or other government bodies in case legal obligations apply
  • 7.6 Transfers to third countries
    • it is not intended in principle to transmit data to any third country outside the European Union.
    • transmissions of data to a third country outside the European Union may be considered in exceptional cases. That is the case, for example, if the inquiry relates to companies or data located in a third country. A transmission is certainly justified under data protection laws because in such cases the criteria of Art. 44 et. seq. GDPR are met.
  • 7.7 Duration of storage

    The following specific storage periods apply:

    • data are generally stored for a one-year period following the completion of the data collection process.
    • in addition, we reserve the right to store data for a longer period on the basis of legal and documentation interests (generally until the end of the limitation period for asserting any possible claims or until the necessity of a defense against fines or criminal proceedings can be ruled out or until specific litigation is concluded).
  • 7.8 Obligation to provide personal data
    • the controller is obliged pursuant to Art. 12 et. seq. GDPR to provide personal data under the conditions set out there.
    • it is not necessary to provide personal data to enter into a contract.
    • the data subject is not obliged to provide personal data in the process for safeguarding rights to information and the rights of data subjects pursuant to the GDPR (data protection inquiry). However, a failure to provide data may have the following consequences:

    The data protection inquiry cannot be processed or cannot be processed in full. This may be the case, for example, if

    • the party submitting the inquiry cannot be identified with certainty.
    • the data cannot be securely transmitted to the party submitting the inquiry.
    • the information provided is not sufficient to identify the stored data and confidently match them with the party submitting the inquiry.
  • 7.9 Source of the data

    In general, the data come directly from the party submitting the inquiry as part of the inquiry itself. In addition, data related to inquiries are researched in the units or companies to which the inquiry applies.

  • 7.10 No automated decision making, no profiling

    No automated decision making is carried out.

8 Changes to the Privacy Statement

We reserve the right to amend this Privacy Statement to ensure that it is always in compliance with the current legal requirements or to implement changes in our services in the Privacy Statement, e.g. when introducing new services. For your next visit to our website the new Privacy Statement will then apply.

9 Status

March 2020