Privacy policy

Introduction

Welcome to our website and thank you for your interest in privacy and data protection with regard to our services. We are pleased to provide you with information here on how your personal data are processed on our websites and in connection with the other services described in this Privacy Statement. 

Overview

1 Controllers and data protection officers 

2 Data processing
2.1 Data processing policy
2.2 Recipients
2.3 Duration of storage
2.4 Scope of the Privacy Statement

3 Generally applicable information on data processing in relation to online services
3.1 Log files
3.2 Cookies and pixels
3.3 Participation in Surveys
3.4 Integrated maps (Google Maps)
3.5 Integrated videos (YouTube)
3.6 Social media
3.7 Eye-Able® assistance software

4 Specific processing activities
4.1 Websites
4.2 Contact form
4.3 Newsletter
4.4 Personalization and user profiles
4.5 WLAN/Wifi
4.6 Photography, video and sound recordings
4.7 Passngr app website
4.8 Parking reservations
4.9 Automatic number plate detection at parking entrances
4.10 Bookings/reservations
4.11 Contests, prize draws, and campaigns in general
4.12 municon conference center
4.13 Aircraft noise complaints
4.14 Applicant portal
4.15 Airport Collaboration Portal
4.16 FMG und Wohnen
4.17 Processing damage events and claims
4.18 Star Alliance Biometrics
4.19 Video surveillance at the airport and in parking facilities
4.20 Customer Acquisition of LabCampus
4.21 Training programmes / Airport Academy
4.22 Luggage handling
4.23 Internal reporting office for reporting persons
4.24 Community Platform LabCampus
4.25 Business-to-Business Portal (B2B)
4.26 Lost & found office
4.27 Service center
4.28 Telephone and video conferences via MS Teams
4.29 Applicant interviews with video via MS Teams
4.30 Contact Parking
4.31 Charging of electric vehicles during parking
4.32 Boarding pass check - access control to the airside part of Munich Airport
4.33 Optimization of punctuality during check-in and departure
4.34 Processing of customer contact data
4.35 Reviews on social media
4.36 Information on the processing of personal data in the context of the Advent calendar competition

5 External booking requirements
5.1 Package travel arrangements
5.2 Flight bookings
5.3 Car rentals

6 Your rights
6.1 Information
6.2 Rectification
6.3 Right to restriction / blocking of processing
6.4 Erasure
6.5 Objection
6.6 Withdrawal
6.7 Data portability
6.8 Right to lodge a complaint with a supervisory authority

7. Exercising the rights of affected persons

8 Changes to the Privacy Statement

9 Status

1 Controllers and data protection officers

Unless another controller is expressly indicated for specific services, the controller for the purposes of all data processing covered in this Privacy Statement is:

Flughafen München GmbH
Nordallee 25
85356 Munich
Germany
Tel. +49 89 975 00
Email: info@munich-airport.de

Contact details for Flughafen München GmbH, referred to below as "FMG" or "we" and their subsidiaries with data protection officers:

  • Flughafen München GmbH

    Contact data

    Nordallee 25
    85356 München
    Tel. +49 89 975 00
    Email: info@munich-airport.de

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Directors

    Jost Lammers
    Nathalie Leroy
    Jan-Henrik Andersson

    Head of IT

    Florian Lesch

  • aerogate München Gesellschaft für Luftverkehrsabfertigungen mbH

    Contact data

    Terminal1, Modul D
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 212 00

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Eva Ranki

    Head of IT

    Florian Lesch

  • AeroGround Flughafen München GmbH

    Contact Data

    Postfach 23 17 55
    85326 München
    Tel. +49 89 975 210 01

    Data Protection Officer

    Wolf Janz
    AeroGround Flughafen München GmbH
    Postfach 23 17 55
    85326 München
    Tel. +49 89 975 215 10
    Email: datenschutz@aeroground.de

    Managing Directors

    David Konradi

    Head of IT

    Florian Lesch

  • Allresto Flughafen München GmbH - Hotel und Gaststätten GmbH

    Contact data

    Terminalstrasse Mitte 18
    85356 München-Flughafen
    Tel. +49 89 975 9 31 77
    Email: info.allresto@munich-airport.de

    Data Protection Officer

    -Data Protection-
    Allresto Flughafen München GmbH
    Hotel und Gaststätten GmbH
    Terminalstrasse Mitte 18
    85356 München-Flughafen
    Tel. +49 89 975 9 31 77
    Email: datenschutz.allresto@munich-airport.de

    Managing Directors

    Andreas Reichert

    Head of IT

    Allresto Flughafen München GmbH
    Hotel und Gaststätten GmbH

  • Cargogate Munich Airport GmbH

    Contact Data

    Frachtgebäude Modul C
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 92 289

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Claudia Weidenbusch

    Head of IT

    Florian Lesch

  • EFM Gesellschaft für Enteisen und Flugzeugschleppen am Flughafen München

    Contact Data

    RGS 1, Vorfeld West 1
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 977 500 0

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Jörg Abel

    Head of IT

    Michael Springborn

  • eurotrade Flughafen München Handels-GmbH

    Contact Data

    Terminalstraße Mitte 18
    85356 München
    Tel. +49 89 975 936 00

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Directors

    Christian Wallner
    Sven Zahn

    Head of IT

    Andre Dlugos

  • FMSicherheit Flughafen München Sicherheit GmbH

    Contact Data

    Postfach 24 11 37
    München-Flughafen
    Tel. +49 89 975 910 74

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    Christian Huber

    Head of IT

    Florian Lesch

  • LabCampus GmbH

    Contact Data

    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 65701
    Email: contact@labcampus.de

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Director

    René Droese

    Head of IT

    Florian Lesch

  • Munich Airport International GmbH

    Contact Data

    Munich Airport International GmbH
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 102 14

    Data Protection Officer

    Petra Eul-Löh
    HEC Harald Eul Consulting GmbH
    Auf der Höhe 34
    50321 Brühl
    Datenschutzbeauftragter-MAI@he-c.de


    Managing Directors

    Dr. Lutz Weisser
    Lorenzo Di Loreto

    Head of IT

    Florian Lesch

  • Flughafen München Realisierungsgesellschaft mbH

    Contact Data

    Visiting address:
    Terminalstraße Mitte 26
    Bürogebäude Nord N2
    85356 München-Flughafen

    Postal address:
    Postfach 231755
    85326 München-Flughafen
    Tel. +49 89 975 54500
    Email: mucreal@munich-airport.de

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter.mr@munich-airport.de

    Managing Director

    Michael Hiss

  • Terminal 2 Gesellschaft mbH & Co oHG

    Contact Data

    Terminalstraße Nord 1, Ebene Z4
    Postfach 23 17 55
    85326 München-Flughafen
    Tel. +49 89 975 887 01

    Data Protection Officer

    Flughafen München GmbH
    Nordallee 25
    85356 München
    Email: datenschutzbeauftragter@munich-airport.de

    Managing Directors

    Ivonne Kuger
    Matthias Langbehn

    Head of Data Processing

    Julia Schmidt

2 Data processing

2.1 Data processing policy

We process your personal data in accordance with applicable data protection laws – in particular the provisions of the General Data Protection Regulation (GDPR), the German Data Protection Act (Bun-desdatenschutzgesetz) and other applicable laws.

We process personal data exclusively in accordance with the intended purposes. The main purpose is to operate Munich Airport including all ancillary business activities directly or indirectly supporting this purpose. The purposes related to specific services are concretely outlined in the corresponding descriptions.

We process your personal data only when this is permitted or required under legal regulations or with your consent.

You will find additional information on specific services in the descriptions below. Unless those descriptions specify another legal basis, the data processing is carried out in accordance with Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in operating Munich Airport, including all ancillary business activities directly or indirectly related to the purpose of business).

2.2 Recipients

Personal data can be transmitted to the following recipients or categories of recipients:

  • In-house recipients (e.g. specialist departments responsible for dedicated processing)
  • Companies of the Flughafen München Group (Our company profile offers a current overview of the group structure)
  • Cooperation partners with whom we perform our services.
  • External contractors in accordance with Art. 28 EU GDPR, if they are explicitly mentioned in the individual processing operations.
  • Business partners for whom we perform.
  • Courts, authorities or other government bodies in the event of legal obligations.

If there are other recipients, these will be mentioned separately in the individual processing activities.

2.3 Duration of storage

Personal data are stored only as long as necessary for achieving the specified purposes or in accordance with the storage and archiving periods required by law. After the relevant purpose no longer applies or the expiry of these periods, the corresponding data will be deleted routinely in accordance with the statutory regulations.

If possible, specific storage periods for the various services will be stated.

2.4 Scope of the Privacy Statement

This Privacy Statement applies to the websites of Flughafen München GmbH and the subsidiaries specified above and for other services described in this Privacy Statement.

3 Generally applicable information on data processing in relation to online services

  • 3.1 Log files

    Every time the contents of our websites are accessed, data are stored that may permit identification of data subjects.

    The following data are collected:

    • date and time of access
    • server traffic at time of access
    • IP address
    • page visited on our website
    • message indicating whether page retrieval was successful
    • transferred data volume
    • information on the device used (mobile device, desktop, etc.), operating system, browser type and versions

    The temporary storage of these data is necessary for processing the site visit in order to ensure that the website can be made available. Further data storage in log files takes place to ensure the functionality of the website and the security of the IT systems. These stored data are analyzed exclusively for purposes of analyzing technical malfunctions and possible attacks on our website. In addition, the data can by analyzed anonymously for statistical purposes.

    Categories of recipients
    Some websites are operated by external hosting services and/or through external agencies. They act on our behalf as external processors and process the data exclusively in accordance with our instructions.

    Duration of storage
    To be in a position to conduct proper investigations of technical malfunctions or possible attacks on our website and report as needed to regulatory bodies and security authorities, we delete or anonymize the log files within one month at the latest.

    Legal basis
    The legal basis for the related processing of your data is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in maintaining the functionality of our website and performing statistical analysis of the use of our website). 

  • 3.2 Cookies and pixels

    3.2.1 General information on cookies

    Cookies are small files in which certain information is stored either in open or encrypted form. Cookies are sent from the server to your computer and stored there. They initially serve to identify the computer from which our website was accessed. If you log in to our website, cookies serve to notify the server of your login and check the authorizations to retrieve the page.

    Cookies can help to improve communications between our server and your computer and therefore make it easier to use our website. Cookies also make it possible to track the path of a user across various pages of the website and possibly across various websites. In addition, cookies can store information of any kind.

    Cookies can originate not only with the operator of the website but also with third-party providers. In your browser you can display a list of the cookies stored on your computer, delete some or all of these cookies, or select settings to deactivate or limit the storage of cookies. Please note that some functions (e.g. the login) will not work, or will not be fully functional, if you deactivate the storage of cookies.

    Every cookie has an expiry date when it is no longer valid and will be automatically deleted. Details on the expiry dates for certain cookies are described in the sections below.

    You can object to the use of cookies that permit the analysis of your user behavior: Tracking Preferences. Details are provided in the following sections. Please note: If you delete the cookies stored in your browser after objecting, you may have to click the links provided here again because the objection to the use of cookies containing personal data will also be documented in the form of anonymous (non-personal) cookies.

    Consent management tool 

    We have integrated the consent management tool "consentmanager" (www.consentmanager.net) from Jaohawi AB (Håltgelvågen 1b, 72348 Västerås, Sweden, info@consentmanager.net) on our website to obtain consent for data processing and use of cookies or comparable functions. With the help of "consentmanager" you have the possibility to give your consent for certain functionalities of our website, e.g. for the purpose of integrating external elements, integrating streaming content, statistical analysis, measurement and personalized advertising. With the help of “consentmanager” you can grant or reject your consent for all functions or give your consent for individual purposes or individual functions. The settings you have made can also be changed afterwards. The purpose of integrating “consentmanager” is to let the users of our website decide about the above-mentioned things and, as part of the further use of our website, to offer the option of changing settings that have already been made. By using “consentmanager”, personal data and information from the end devices used, such as the IP address, are processed.

    The legal basis for processing is Art. 6 Para. 1 S. 1 lit. c) in conjunction with Art. 6 para. 3 sentence 1 lit. a) in conjunction with Art. 7 para. 1 GDPR and, in the alternative, lit. f). By processing the data, we help our customers (according to GDPR this is the responsible party) to fulfill their legal obligations (e.g. obligation to provide evidence). Our legitimate interests in processing lie in the storage of user settings and preferences with regard to the use of cookies and other functionalities. "Consentmanager" stores your data as long as your user settings are active. The log data will be deleted after three years. It may happen that we ask you again for your consent. This query takes place after one year at the latest.

    You can object to the processing. You have the right to object to reasons arising from your particular situation. To object, please send an email to info@consentmanager.net.


    3.2.2 Analytical cookies used on our websites

    3.2.2.1 etracker

    On our website, we also use the service “etracker Analytics” from etracker GmbH, Erste Brunnenstrasse 1, 20459 Hamburg, Germany (www.etracker.com). Since the privacy of our visitors is important to us, data that could potentially be linked with a specific individual such as IP addresses, log-in IDs or device IDs is anonymized or pseudonymized at the earliest possible point. It is not used in any other manner, aggregated with other data or shared with third parties.

    You can find further information on data protection at etracker.

    The etracker is used on our website by means of anonymous web analysis without the use of cookies (cookie-less). If you do not refuse anonymous web analysis, your user behavior on this website will be recorded exclusively without cookies (cookie-less). More detailed information on this can be found at etracker - Cookie-less-etracking.

    In this case, the data processing takes place on the basis of the statutory provisions under Art. 6(1) (f) (legitimate interest) of the General Data Protection Regulation (GDPR). Our concerns within the meaning of the GDPR (legitimate interest) is the optimization of our online services and our web presence. You can object to the anonymous web analysis at any time:

    Recipients
    The recipient of the data is the processor and the responsible departments.

    Transmission to third countries
    The data generated with etracker is processed and stored by etracker exclusively in Germany on behalf of the provider of this website and is thus subject to strict German and European data protection laws and standards. No transmission to third countries takes place.

    You can object to the data processing described above at any time by clicking on the slider. The objection has no negative consequences. If no slider is displayed, data collection has already been prevented by other blocking measures.




    Further information on data protection at etracker can be found here.


    3.2.2.2 Matomo - LabCampus

    For the LabCampus website, we use Matomo (formerly Piwik), an open source software for statistical analysis of visitor access. Cookies are used, which are saved on your computer for up to 13 months and enable a statistical analysis of the use of the website.

    In this context, usage information including the shortened IP address of the accessing computer is transmitted and stored for analysis purposes. By shortening the IP address, website users remain anonymous. Only a "session ID" (cookie) is carried and stored as the common key of a page visit. A "session" ends when the web browser is closed.

    The website access information used for usage analyses includes date, time, location (city), browser type, capabilities and language, operating system/device type, length of website visit, visits by server and local time, pages visited, usage history, search engine used and search terms used to access the LabCampus website, URL referencing the LabCampus website.

    By "turning off" the tracking, a so-called opt-out cookie is generated in the web browser. This causes Matomo to no longer collect the usage data of this website visit. Note: If this opt-out cookie is deleted by the user in the web browser settings, the collection of statistical data by Matomo is reactivated.

    The recipient of the data is the commissioned processor (Büro am Draht GmbH) as well as the responsible departments of LabCampus GmbH. The statistical data generated by the website visit is used exclusively by LabCampus GmbH to improve the online offer and the most targeted use of resources. No other use, combination with other data or transfer to third parties takes place.

    The legal basis for the placement of the Matomo cookie on your terminal device is §25 TDDDG (consent).

    The legal basis for the data processing associated with our use of Matomo is Art. 6 para. 1 p. 1 lit. f) DSGVO (balancing of interests, based on our legitimate interest in continuously adapting the design of the website to the interests and needs of users).

    If you do not consent to the placement of the Matomo cookie, no placement will be carried out. Once you have given your consent to the placement, you can revoke this at any time with effect for the future via the data protection settings of the Consent Manager.

    You can object to the described (downstream) data processing at any time, as far as it is person-related. Your opt-out will not have any adverse consequences for you. To do so, please contact: datenschutzbeauftragter@munich-airport.de.

    You can find more information about Matomo here.


    3.2.3 Pixels and advertising cookies used on our websites

    3.2.3.1 Google Ads

    Our website uses Google conversion tracking. If you have reached our website via an advertisement placed by Google, Google Ads will set a cookie on your computer. The cookie for conversion tracking is set when a user clicks on an ad placed by Google. These cookies lose their validity after 30 days and are not used for personal identification. If the user visits certain pages of our website and the cookie has not yet expired, we and Google can recognize that the user clicked on the ad and was redirected to this page. Every Google Ads customer receives a different cookie. Cookies cannot therefore be tracked via the websites of Ads customers.

    The information obtained using the conversion cookie is used to create conversion statistics for ads customers who have opted for conversion tracking. Customers learn the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, you will not receive any information that can be used to personally identify users.

    You can find more information on the handling of user data on Google Ads in Google's data protection declaration.

    In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, Google has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.

    This data processing takes place on the basis of the statutory provisions under Art. 6(1) sentence 1 (a) (consent) of the General Data Protection Regulation (GDPR). You can revoke your consent to Google Ads via the data protection settings in the Consent Manager at any time.

    3.2.3.2 Bing Ads

    On the website we use technologies from Bing Ads (bingads.microsoft.com), which are provided and operated by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA ("Microsoft"). Microsoft places a cookie on your device if you click on a Microsoft Bing ad. Microsoft and we can see in this way that someone clicked on an ad, was redirected to our website and reached a predetermined landing page. These cookies are not used for personal identification, only the total number of users who clicked on a Bing ad and were then forwarded to the target page can be evaluated. The landing pages are typically booking or registration confirmation pages (e.g. when booking a parking space or an event ticket).

    You can prevent the collection of the data generated by the cookie and related to your use of the website as well as the processing of this data by Microsoft by using the following link http://choice.microsoft.com/de-DE/opt-out your Declare contradiction. Further information on data protection and the cookies used by Microsoft and Bing Ads can be found on the Microsoft website.

    3.2.3.3 Marketingcookies LabCampus

    3.2.3.3.1 Google Ads - LabCampus

    The LabCampus website uses Google conversion tracking. If you have reached our website via an ad placed by Google, a cookie is set on your computer by Matomo and subsequently forwarded to Google Ads. The conversion tracking cookie is set when a user clicks on an ad placed by Google. These cookies lose their validity after 30 days and are not used for personal identification. If the user visits certain pages of our website and the cookie has not yet expired, we and Google can recognize that the user clicked on the ad and was redirected to this page. Each Google Ads customer (here: LabCampus GmbH) receives a different cookie. Cookies can therefore not be tracked beyond the websites of Ads customers.

    The information collected using the conversion cookie is used to generate conversion statistics for Ads customers who have opted in to conversion tracking. Customers learn the total number of users who clicked on their ad and were redirected to a page tagged with a conversion tracking tag. However, they do not receive information that personally identifies users.

    Processor

    Büro am Draht
    Blücherstr. 22
    10961 Berlin

    Data processing purposes

    Playing out targeted advertising and measuring advertising effectiveness.

    Data collected

    • Information about the operating system
    • Web pages visited
    • Previous website from which you accessed our site
    • Data and contain times, from website or platform accesses from our site
    • Event information (e.g., irregular system crashes)
    • General location information (e.g., city)
    • Conversion tracking
    • IP address
    • Unique ID

    Legal basis

    The following is the required legal basis for the processing of personal data: Art. 6 para. 1 s. 1 lit. a DSGVO (consent).

    The required legal basis for the use of cookies and similar technologies for this tool: Art. 25 TDDDG para. 1 (consent).

    Place of processing

    Germany

    Retention period

    24 months

    Data recipient

    Google Ireland Limited
    Gordon House, Barrow Street
    Dublin 4, Ireland

    For more information on how Google Ads handles user data, see Google's privacy policy.

    Transfer to third countries

    We would like to point out in this context that the processed data is also sent to the Google Group in the USA as a result of the use of cookies. In terms of data protection law, the USA is an insecure third country in which there is no adequate level of data protection within the meaning of the GDPR. In order to nevertheless establish such a level, Google has concluded the so-called standard contractual clauses (SCC). Through the clauses, Google undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here.

    3.2.3.3.2 Taboola - LabCampus

    Cookies from Taboola are used on our website. Using these cookies, we can target visitors to our website with advertising by displaying individualized ads for them. For this purpose, a small file with a sequence of numbers is stored in the browsers of the visitors. This number is used to record visitors to the website as well as anonymized data on the use of the website. Subsequently, you may be shown advertisements that are highly likely to take into account previously accessed product and information areas. In addition, we use the cookies to evaluate and support online marketing measures in order to record the effectiveness of the advertisements for statistical purposes. Thus, we can see how many website visitors have clicked on an ad and completed it. In both retargeting and completion conversion tracking, no personal data is stored. You can find more information here.

    Processor

    Taboola Germany GmbH
    Alt-Moabit 2
    10557 Berlin

    Data processing purposes

    Playing out targeted advertising and measuring advertising effectiveness.

    Collected data (source: Taboola)

    • Information about the operating system
    • Web pages visited
    • Previous website from which you arrived at our site
    • Data and contain times, from website or platform accesses from our site
    • Event information (e.g., irregular system crashes)
    • General location information (e.g., city)
    • Conversion tracking
    • IP address
    • Unique ID

    Legal basis

    The following is the required legal basis for the processing of personal data: Art. 6 para. 1 s. 1 lit. a DSGVO (consent).

    The required legal basis for the use of cookies and similar technologies for this tool: Art. 25 TDDDG para. 1 (consent).

    If you wish to object, you can do so at any time and without adverse consequences for you, here.

    Place of processing

    Germany

    Retention period

    13 months

    Data recipient

    Taboola

    Transfer to third countries

    Taboola also processes data in the USA, among other countries. We therefore point out that there is currently no adequate level of protection for the transfer of your data to the USA according to the ruling of the European Court of Justice and the opinion of the European Data Protection Board. This may entail various risks for the legality and security of data processing.

    Taboola uses the so-called standard contractual clause (Art. 46. para. 2 and 3 DSGVO) as the basis for processing data with recipients located in third countries or a data transfer there. Standard Contractual Clauses (SCC) are mandatory templates provided by the EU Commission to ensure that data complies with European data protection standards even if it is transferred to and stored in third countries (such as the USA).

    Taboola commits through the clauses to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the US. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here.

    For more information on the standard contractual clauses and on the data processed through the use of Taboola, please refer to the Privacy Policy at Privacy Policy | Taboola.com or at Taboola Privacy Addendum | Taboola.com.

    3.2.3.3.3 LinkedIn (Insight-Tag) - LabCampus

    For the website LabCampus, the so-called conversion tracking with LinkedIn Insights Tag is used. For this purpose, the LinkedIn Insight Tag is integrated on our pages and a cookie is set on your end device by LinkedIn. This informs LinkedIn that you have visited our web pages, whereby your IP address is also collected. In addition, timestamps and events such as page views are stored. This enables us to statistically evaluate the use of our website in order to constantly optimize it. In this way, we learn, for example, via which LinkedIn ad or interaction on LinkedIn you came to our website. LinkedIn does not share any personal data with the website owner, but only provides reports and notifications (in which you are not identified) about the website audience and ad performance. LinkedIn also provides retargeting for website visitors so that the website owner can use this data to display targeted ads outside of their website without identifying the member.

    Processor

    LinkedIn Ireland
    Wilton Plaza, Wilton Place
    Dublin 2, Irland

    Data processing purposes

    Playing out targeted advertising and measuring advertising effectiveness.

    Collected data (source: LinkedIn)

    • URL
    • Referrer URL
    • IP address
    • Device and browser properties (user agent)
    • Conversion tracking
    • Retargeting function
    • Timestamp

    Legal basis

    The following is the required legal basis for the processing of personal data: Art. 6 para. 1 s. 1 lit. a DSGVO (consent).

    The required legal basis for the use of cookies and similar technologies for this tool: Art. 25 TDDDG para. 1 (consent).

    Place of processing

    Germany

    Retention period

    90 days

    Data recipient

    LinkedIn

    Disclosure to third countries (source: LinkedIn)

    LinkedIn is aware of the July 16, 2020 decision of the European Court of Justice and the September 8, 2020 opinion of the Swiss Federal Data Protection and Information Commissioner (FDPIC) on the repeal of the EU-US Privacy Shield and the Switzerland-US Privacy Shield. LinkedIn follows the developments and guidelines of the European Commission, the FDPIC and the US government.

    The LinkedIn Services require that data be transferred from the European Union (EU), the European Economic Area (EEA) and Switzerland to the United States of America (USA) and back. To ensure that personal data from the European Union is protected when transferred outside the EU, the General Data Protection Regulation (GDPR) requires that such transfers be made using certain legal instruments, which are described on the European Commission's website.

    LinkedIn relies on standard contractual clauses approved by the European Commission as the legal instrument for data transfers from the European Union. These clauses are contractual obligations that require companies to protect privacy and data security when transferring personal data (e.g., between LinkedIn Ireland Unlimited Company or its customers and LinkedIn Corporation). LinkedIn companies follow standard contractual clauses to ensure that the data flows necessary to provide, maintain, and develop our services are legally secure.

    Note: LinkedIn data centers for storing member information are currently located in the United States.

    For more information on conversion tracking, please click here. Please note that the data may be stored and processed by LinkedIn so that a connection to the respective user profile is possible and LinkedIn may use the data for its own advertising purposes. For more information, please see LinkedIn's privacy policy at LinkedIn Privacy Policy. You can prevent the analysis of your usage behavior by LinkedIn as well as the display of interest-based recommendations here.

    LinkedIn members can control the use of their personal data for advertising purposes in their account settings.

  • 3.3 Participation in surveys

    In order to learn more about interests and demands, we use special tools for the efficient performance of surveys that allow us to ask you for your feedback at certain touchpoints and at specific times. The providers of these tools render their services for us as part of data processing and are thus bound by our instructions.

    We generally design our surveys so it is not possible to draw conclusions about individual persons during analysis and potential publication (de-facto anonymous data). This means that based on the information you provide and the supplementary knowledge that the party authorized to access it has, it is impossible to trace back to you with reasonable effort. The employees conducting the evaluation do not have access to data that would allow for personal attribution. Please make sure that the information you enter, e.g. in free text fields, does not contain any data that could allow conclusions to be drawn about you or third parties. Participation in user surveys is voluntary.

    3.3.1 Purpose of processing

    To collect feedback and evaluate the motives and interests of the participants in our surveys.

    During technical performance of anonymous surveys, the following data is processed via links to our website or printed QR codes:

    • Local storage data (e.g. language setting)
    • Information about the device used (type of device, including device name, manufacturer, and version), operating system, and browser (including the version of each)
    • Error logs
    • Answers (open and completed) to the questions asked in the survey

    While it is not possible to trace back to individual persons, this cannot be technically ruled out, especially in individual cases depending on the device used or based on the answers you provide in free text fields.

    Data may also be stored and retrieved on your devices as part of the technical performance of surveys. The following cookies are implemented during use:

    • Session cookie: this is used to recognize participation in an ongoing survey; to assign the correct questions, pages, and provided answers; and to attribute current participation. Cookies are deleted when the browser is closed.
    • CSRF token: this is used to protect the participant’s data from cross-site request forgeries. The token is deleted when the browser is closed.

    If we proactively e-mailed you about participating in surveys, the following data is also processed as part of such personally addressed surveys, polls, and interviews:

    • Name
    • E-mail address
    • Answers (open and completed) to the questions asked in the survey

    3.3.2 Legal basis

    For temporary processing of personal use data for the technical performance of surveys, we process your data as part of a balancing of interests pursuant to Article 6(1)(f) GDPR (based on our legitimate interest in asking visitors to our website about certain topics while balancing your interest in having performance designed with as little data as possible).

    The legal basis for the performance of personal surveys and e-mail contact is Article 6(1)(a) GDPR. To the extent that anonymous surveys are conducted on internal matters, the legal basis for contact and for technical performance of the survey is established in Article 6(1)(f) GDPR (based on our legitimate interest in learning more about possible wishes, requirements and suggestions directed at us while balancing your interest in having performance designed with as little data as possible).

    3.3.3 Categories of recipients:

    The surveys are performed by the specialist departments of Flughafen München GmbH that are assigned to do so. Personal data is not transmitted to third parties.

    Survey tools provided as part of data processing

    • Lamano GmbH & Co. KG, Prenzlauer Allee 36G, 10405 Berlin, Germany. Additional information on data protection at Lamapoll.
    • Informizely B.V., WG-plein 425, 1054SH, Amsterdam, Netherlands. Additional information on data protection at Informizely.

    3.3.4 Transmission to third countries


    Transmission of personal data to third countries is not intended.

    3.3.5 Duration of storage


    The data required for technical performance of the survey is not stored. All other personal data that was collected as part of personally addressed surveys, polls, or interviews is deleted or anonymized no later than at the end of the year following the conclusion of the survey.

    3.3.6 Options for removal or revocation


    We cannot trace data back to you as part of anonymous surveys. You can use the cancellation link at the bottom of our invitation e-mail or contact us at datenschutzanfrage@munich-airport.de to revoke your consent for your personal data to be processed as part of personalized requests for surveys or for data that we process in the context of non-anonymous polls and interviews.

  • 3.4 Integrated maps (Google Maps)

    Our website uses Google Maps to represent our location and generate directions. Google Maps is an online map service by the US company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

    When retrieving a page on our website requiring a map, your browser will create a direct link to the Google servers and retrieve a map to display on your screen. To use Google Maps functions, it is necessary to process your IP address and information on your possible use of the map. This information is transmitted by your browser to a Google server in the USA and processed there by Google. At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. 

    In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, Google has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.  

    Further information on the handling of user data is available in the Google privacy statement.

    The legal basis for processing is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in showing visitors to our website their current location and information on directions to the airport).

  • 3.5 Integrated videos (YouTube)

    We embed YouTube videos in our web pages. The operator of the correspondent plugins is YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA ("YouTube"). YouTube is a subsidiary of the US company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

    When retrieving a page on our website containing an embedded video, your browser will create a direct link to the YouTube servers to retrieve and run the video content on your screen. To use this function, it is necessary to process your IP address and information on your possible use of the map. This information is transmitted by your browser to a YouTube server in the USA and processed there by YouTube. At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. 

    In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, Google has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.  

    Further information on data protection at YouTube is available in the Google privacy statement.

  • 3.6 Social media

    The social media channels used by us are described in detail in the sections below. We have a presence on the social media platforms of the following companies:

    • For our presence on this social media platform, we share responsibility with Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

      The data protection officer of Facebook can be contacted via the following link: Facebook data protection officer.

      We have regulated joint responsibility in an agreement covering the respective obligations in accordance with the GDPR. The agreement stipulating the mutual obligations can be accessed via the following link: Facebook information on page insights.

      When you access our page on the Facebook platform, Facebook Ireland Ltd., as the operator of the platform in the EU, will process the user data (e.g. personal information, IP address, etc.). These user data serve in particular to create statistical information on the use of our company page on Facebook. Facebook Ireland Ltd. uses these data for market research and advertising purposes and to create user profiles. Using these profiles, Facebook Ireland Ltd. can direct targeted, interest-based advertising at the user both inside and outside Facebook.

      It is possible that data will be processed either by Facebook Ireland Ltd. or Facebook Inc., 1601 Willow Road, Menlo Park, California 94025 in the USA. In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this Facebook has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.

      Further information on processing activities, how to block them and on the deletion of data processed by Facebook is available in the Facebook Privacy Policy.

    • We are jointly responsible for our presence on this social media platform with Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. In our relationship with Twitter, the user conditions and privacy policy of Twitter (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, Twitter has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.

      Further information is available in the Twitter privacy policy.

    • We are jointly responsible for our presence on this social media platform with YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA ("YouTube"). YouTube is a subsidiary of the US company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). In our relationship with YouTube, the user conditions and privacy policy of YouTube (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      At present the EU Commission has not yet adopted an Adequacy Decision confirming that the USA generally offers an adequate level of data protection. In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, Google has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.  

      Further information on data protection at YouTube is available in the YouTube Privacy Statement.

    • We are jointly responsible for our presence on this social media platform with Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, as the operator of Instagram. In our relationship with Facebook, the user conditions and privacy policy of Instagram (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      It is possible that data will be processed either by Facebook Ireland Ltd. or Facebook Inc., 1601 Willow Road, Menlo Park, California 94025 in the USA. In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, Facebook has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.

      Further information on data protection at Instagram is available in the Instagram privacy statement.

    • We are jointly responsible for our presence on this social media platform with LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland ("LinkedIn"). In our relationship with LinkedIn, the user conditions and privacy policy of LinkedIn (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      It is possible that the processing through LinkedIn Ireland Unlimited Company will also be carried out through LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085 in the USA.In this context, we would like to point out that the USA constitutes an insecure third country where an appropriate level of data protection as defined under the GDPR is not ensured. In order to ensure such a level of protection despite this fact, LinkedIn has accepted the “standard contract clauses”. Nevertheless, on the basis of legislation in effect in the USA, there exists a potential risk that your data will be required to be provided to security authorities without the opportunity to defend yourself in court.

      Further information on data protection at LinkedIn is available in the LinkedIn privacy policy.

    • We are jointly responsible for our presence on this social media platform with New Work SE, Dammtorstrasse 30, 20354 Hamburg, Germany ("XING"). In our relationship with XING, the user conditions and privacy policy of XING (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      Further information on data protection at XING is available in the XING privacy statement.

    • We are jointly responsible for our presence on this social media platform with New Work SE, Dammtorstrasse 30, 20354 Hamburg, Germany ("kununu"). In our relationship with kununu, the user conditions and privacy policy of kununu (including the linked contents regarding other conditions, policies and pages) define which party will meet the obligations pursuant to the GDPR.

      Further information on data protection at kununu is available in the kununu privacy statement.

    The purpose of these social media channels is to advertise our products and services and communicate with interested parties or customers.

    When you contact us through one of these social media channels, we process the personal data associated with your query in the course of processing the query itself. These data are deleted as soon as the query is fully answered and statutory retention or archiving obligations no longer apply (e.g. in case of subsequent settlement of a contract).

    The legal basis for the related data processing is Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest in presenting our products and services and communicating with interested parties or customers).

  • 3.7 Eye-Able® assistance software

    3.7 Eye-Able® assistance software

    The Munich Airport website uses the software application “Eye-Able®” from Web Inclusion GmbH. This tool enables visitors to the website to use a button on the edge of the screen to adjust font sizes, contrasts, and filters and to save their personal settings. The files required for the application, such as JavaScript, style sheets and images, are loaded from an external server. When functions are activated, Eye-Able uses the browser’s local storage to save the settings. All settings are saved locally on your device and are not passed on.

    3.7.1 Purpose of processing

    With the support of the "Eye-Able®" tool, we want to give users easier access to our information online.

    3.7.2 Legal basis

    The legal basis for the technically required inclusion of the "Eye-Able®" service is our legitimate interest in ensuring equal participation of all people, which outweighs the data subjects’ interest in particularly data-minimized processing of their data when visiting our website in accordance with Art. 6 Par. 1 f) GDPR.

    3.7.3 Recipients

    The files required for the "Eye-Able®" software application, such as JavaScript, style sheets and images, are loaded from an external server. When functions are activated, "Eye-Able®" uses the browser’s local storage to save the settings as adjusted by the user. All settings are only saved locally on your device and are not passed on.

    In the context of order processing, the data is transmitted to Web Inclusion GmbH, Gartenstraße 12c, 97275 Margetshöchheim, Germany. 

    3.7.4 Transmission to third countries

    There is no transmission to third countries.

    3.7.5 Possibility for removal

    The locally saved files and settings can be removed by clearing the browser cache.

4 Specific processing activities

Specific processing activities by FMG and its subsidiaries are described in greater detail in the following chapters.

  • 4.1 Websites

    The main website of Flughafen München GmbH and its subsidiaries is www.munich-airport.de (in German) and www.munich-airport.com (in English).

    This Privacy Statement also applies to all other websites of Flughafen München GmbH and its subsidiaries that are linked to it, in particular the following websites:

    WebsiteDomainResponsible company
    Traveller’s Insighttravellers-insight.comFlughafen München GmbH
    Munich Airport Collaboration Portalacp.munich-airport.deFlughafen München GmbH
    ISH – Information Security Hubish-muc.comFlughafen München GmbH
    Aircraft noise map
    lx-travisrp01.munich-airport.de/data/travis.php
    Flughafen München GmbH
    Parking Reservationparken.munich-airport.deFlughafen München GmbH
    Airport Academymunich-airport.de/academy
    Flughafen München GmbH
    Passngrpassngr.deFlughafen München GmbH
    LabCampuslabcampus.deLabCampus GmbH
    FMG & Wohnenmunich-airport.de/fmg-und-wohnenMUC Airport Betriebs GmbH
    Municonmunicon.deAllresto Flughafen München - Hotel und Gaststätten GmbH
    AirBräumunich-airport.de/airbraeuAllresto Flughafen München - Hotel und Gaststätten GmbH
  • 4.2 Contact form

    We offer you the option of using a contact form to ask us for information or support on specific questions.

    Categories of personal data
    We collect your first and last names and email address in any case so that we and/or our system partners to which your query is addressed can contact you.

    When you submit the contact form, the current IP address of the sender is saved for security reasons. Your data will be processed and treated confidentially in compliance with the applicable data protection regulations.

    We will store and process your data only to the extent and as long as required for handling your message.

    In order to process your inquiry in a subject-specific manner and to forward it internally to the right contact person, Munich Airport International GmbH, a subsidiary of Flughafen München GmbH, collects the following additional data in addition to the personal data mentioned: company & position.

    Categories of recipients
    In some cases, it will be necessary to forward your data to system partners such as airlines, government authorities or other companies in the FMG group to respond to your feedback. In addition, your data can be transmitted to external service providers for website support.

    Legal basis
    The legal basis for the related processing of your data is Art. 6 Par. 1 sentence 1 b) GDPR (performance of a contract and steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 f) GDPR (balancing of interests based on our legitimate interest: in answering queries from our customers and other interested parties).

    Google reCAPTCHA

    Our website uses Google reCAPTCHA to check and prevent automated servers ("bots") from accessing and interacting with our website. This is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (hereinafter: Google).

    Through certification according to the EU-US Privacy Shield https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active Google guarantees that it will follow the EU's data protection regulations when processing data in the United States.

    This service allows Google to determine from which website your request has been sent and from which IP address the reCAPTCHA input box has been used. In addition to your IP address, Google may collect other information necessary to provide and guarantee this service.

    The legal basis is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the security of our website and in the prevention of unwanted, automated access in the form of spam or similar. Google offers detailed information at https://policies.google.com/privacy concerning the general handling of your user data.

  • 4.3 Newsletter

    4.3.1. Newsletter Flughafen München GmbH


    At various locations you can subscribe to one or more email newsletters. By doing so, you give us your consent to use your email address for advertising purposes. The sender of the emails is always Flughafen München GmbH. The emails will contain information and offers on the following topics related to Munich Airport:

    • Promotions & Raffles,
    • Airport facilities and services such as parking, lounge or WLAN,
    • Useful services at the airport, e.g. car repair,
    • Travel to and from the airport, e.g. bus, train, car rental or car sharing,
    • Gastronomy and shopping at the airport,
    • Public events and experiences at the airport,
    • Flights and journeys from Munich Airport,
    • Discount offers for shopping & gastronomy,
    • Helpful tips on service topics,
    • Useful information about flights & airlines,
    • Travel offers,
    • Invitations to events.

    4.3.1.1 Registration for newsletters

    For your registration to take effect, we need a valid email address. To check that the registration is in fact coming from the owner of the email address, we employ the double opt-in process. For that purpose, we log the newsletter order, the dispatch of the confirmation email and the receipt of the requested reply. To log these events, we record the exact time and the IP address of the end device.

    4.3.1.2. Basic newsletters and personalized newsletters

    If you select a basic newsletter, we will not personalize the contents to reflect your interests in detail. We therefore do not request data from you to personalize the newsletter and instead collect only the data necessary for directly providing the newsletter. Typically this means your email address and possibly your name.

    When sending corresponding e-mails to you, we may also consider the following additional information:

    • the information that you are booking or are registered for a specific offer at Munich Airport with your email address, with which you have already signed up for in the newsletter (or might have done so in the past); and
    • which consent(s) you have granted or not granted to Flughafen München GmbH.

    In addition, the newsletter content can be personalized by request to reflect your individual interests. For details on the personalization of newsletters, see personalization and user profiles.

    Subscribers may also be informed by email of circumstances relevant to the service or registration (e.g. changes in the newsletter offers or technical issues).

    4.3.1.3 Duration of storage

    Your data will be stored when you subscribe to the newsletter and retained until you unsubscribe. Your registration will be successfully completed when you click the appropriate link in the confirmation email addressed to you.

    If you do not confirm the subscription link in the email, we will store your data for two weeks. The link will then expire and it will no longer be possible to use it to confirm your subscription. After this two-week period expires, your data will be immediately deleted. Of course you can register again by repeating the subscription process.

    When you cancel your consent to one of our newsletters, the unsubscribe process will be completed within 24 hours. Your data will be anonymized one year after you unsubscribe and the transaction will be fully deleted three years after your data are anonymized.

    4.3.1.4 Unsubscribing from newsletters

    Your consent for us to save your data and to use that information to send you the newsletter can be with-drawn at any time. Every newsletter contains a link for that purpose. In addition, you can unsubscribe at any time using the following email address, for example: newsletter.abmeldung@munich-airport.de. The withdrawal of your consent has no effect on the legality of the processing up to the time of withdrawal. Due to the lead times of the technical and organizational processes, in exceptional cases you may receive another newsletter after unsubscribing.

    Please note that a non-automated unsubscribe or data deletion request may take up to 14 days to implement depending on internal processes.

    4.3.1.5 Legal basis

    The legal basis for the data processing described in this subsection 4.3.1 is 

    • Art. 6 Para. 1 S. 1 Letter a) GDPR for the actual sending of the e-mails in conjunction with your respective statement of consent as well as
    • for the decision as to when we send which e-mail to which addressee, Art. 6 Para. 1 Clause 1 Letter f) GDPR in connection with our legitimate interest in sending as few irrelevant e-mails as possible to the recipients of our newsletter.


    4.3.2 Newsletter LabCampus GmbH

    At various points you can register for a LabCampus e-mail newsletter. By doing so, you give us permission to use your e-mail address for advertising purposes. The sender of the e-mails and controller of the processing is always LabCampus GmbH. 

    4.3.2.1 Registration for a newsletter, data, purposes, recipients

    For an effective registration we need a valid e-mail address. In order to verify that a registration is actually made by the owner of an e-mail address, we use the "double opt-in" procedure. For this purpose, we log the order of the newsletter, the sending of a confirmation e-mail and the receipt of the response requested therein. For the logging of the respective process, we record the exact time and the IP address of your end device.

    The following categories of personal data are processed: Gender (optional), title (optional), name, company name, e-mail address.

    The content of the emails is information and offers on the following topics related to LabCampus; your data will be processed exclusively for these purposes:

    • Information and updates about LabCampus
    • Event invitations
    • Interesting facts on the topics of innovation, collaboration, new work

    Your data will be transferred to the following recipients or categories of recipients:

    • Internal company recipients (e.g., departments responsible for processing for a specific purpose)
    • Cooperation partners with whom we provide our services
    • External contractors, such as online marketing service providers in accordance with Art. 28 EU-FGDPR
    • Courts, authorities or other state institutions in the event of legal obligations.

    A transfer to a third country outside the European Union is intended. Specifically, the following transfer is intended: Transfer of data to United Kingdom of England (safe third country according to the adequacy decision issued by the EU Commission pursuant to Article 45 (3) of the GDPR). 

    4.3.2.2 Legal basis

    The legal basis for the data processing described in this section 4.3 is Art. 6 para. 1 sentence 1 letter a) DSGVO in conjunction with your respective consent.

    4.3.2.3 Storage period

    Your data will be stored upon registration for the newsletter until revoked. Successful registration takes place when you click on the confirmation link in the e-mail addressed to you.

    If you do not confirm the newsletter registration link in your e-mail, we will store your data for two weeks. After that, the link becomes invalid and registration via the link is no longer possible. Your data will then be deleted immediately after this two-week period has elapsed. A new registration is of course possible via a new registration.

    As soon as you cancel our newsletter, you will be completely unsubscribed from our newsletter with immediate effect. The complete deletion of your transaction and your data will also take place with immediate effect. Please note that a non-automated unsubscription or deletion may take up to 14 business days due to internal processes.

    4.3.2.4 Newsletter withdrawal

    You can withdraw your consent to the storage of your personal data and its use for the newsletter dispatch at any time. There is a corresponding link in each newsletter for this purpose. You can also unsubscribe at any time via the following e-mail address: contact@labcampus.de. The withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. Due to technical and organizational process runtimes, it may happen in exceptional cases that you receive another newsletter after you have unsubscribed. The legality of the data processing operations carried out until the withdrawal remains unaffected by the withdrawal.

  • 4.4 Personalization and user profiles

    If you primarily wish to receive contents relevant to you, then select personalized information.

    4.4.1 User profile

    To present content that is relevant to you, we need an optimal understanding of your interests. For this per-sonalized information, we therefore create a personalized user profile for you.

    In this personalized user profile, we save identifying characteristics such as your name and email address together with your contractual and usage data. This ensures that we can personalize our services for you. For example, in the newsletter you will only receive content provided on countries that are likely to interest you or special tips for business travelers – depending on the aspects that apply to you.

    4.4.2 Data sources

    In the user profiles, we collect data from various sources within the Munich Airport group of companies to arrive at the best possible overview of your interests. These sources are based on the declarations of consent submitted by you and may include the following data:

    • the airport website
    • the airport newsletter
    • the PASSNGR app
    • online parking reservations
    • WLAN registration at the airport
    • booking/reserving airport tours, lounges, events and other offers
    • input in contact and feedback forms
    • participation in contests offering prizes
    • bonus and customer loyalty programs
    • suggestions for improvements submitted through electronic channels

    4.4.3 Contractual and usage data for personalization

    • cookies, and in particular long-term cookies
    • start and end time of use
    • opening the newsletter, app or other services
    • functions and pages accessed over time
    • clicking on newsletter content
    • origin of use, e.g. whether a search engine was used first
    • duration of page views
    • salutation
    • first name
    • last name
    • address
    • Email address
    • consents, e.g. to receive a newsletter or for the use of mobile apps
    • date of birth
    • payment and transaction data
    • telephone number
    • other contractual data

    4.4.4 Withdrawal of user profile

    You can withdraw your consent for the storage of your personal data at any time. In addition, you can un-subscribe at any time using the following email address, for example: newsletter.abmeldung@munich-airport.de. Revoking your consent has no effect on the legality of the processing up to the time of revocation. Due to the lead times of the technical and organizational processes, it is possible in exceptional cases that the personalization of content as described in this section will continue for up to 48 hours after your with-drawal of consent.

  • 4.5 WLAN/Wifi

    The free wifi coverage at Munich Airport is provided by Telekom Deutschland GmbH. Consequently, the separate terms and conditions for the HotSpot and the privacy statement of Telekom Deutschland GmbH shall apply. Flughafen München GmbH grants access to the WLAN of Telekom Deutschland GmbH.)

    4.5.1 Scope of processing

    If you wish to use the free wifi, you must identify yourself as a user with your email address. In addition to your email address, we collect the following data:

    • the exact time of access,
    • your browser version,
    • IP address of your end device,
    • number of times free wifi is accessed and
    • your consent to our terms and conditions for free wifi

    We only use technically necessary cookies on the WLAN pages (wifi.munich-airport.de), which are required for the technically flawless provision of the site. In particular, these are the following functional cookies:

    • f5_cspm
    • f5avr2042896050aaaaaaaaaaaaaaaa
    • TS01*

    4.5.2 Purpose of processing

    We collect this data for the following purposes:

    • Contacting if necessary for the purpose of contract fulfilment (in accordance with the General Terms and Conditions (GT&C) for wifi) or processing (e.g. in connection with a possible violation of the contractual terms and conditions of use)
    • Provision of a free wifi for an additional passenger and visitor service
    • Ensuring the functionality of the website and the security of the IT systems by evaluat-ing log data to analyze technical malfunctions and possible attacks on our services

    When you register to subscribe to our email newsletter, the data provided by you are also used for that purpose: privacy statement for the newsletter

    4.5.3 Legal basis

    The following legal basis applies for the lawfulness of processing:

    • Necessity for the performance of a contract to which the data subject is a party [cf. Art. 6 para. 1 sentence 1 lit. b) alt. 1 GDPR] as part of our contractually agreed terms of use (GT&C)
    • Necessity for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject [cf. Art. 6 para. 1 sentence 1 lit. f) GDPR]. The legitimate interests is provision of a free wifi for an additional passenger and visitor service and ensuring the functionality of the website and the security of the IT systems by evaluating log data to analyze technical malfunctions and possible attacks on our services.

    4.5.4 Categories of recipients

    Personal data is transmitted to the following recipients or categories of recipients:

    When you are transferred to the wifi access page of Telekom Deutschland GmbH, we also transfer the email address provided by you to that company.

    We may transmit data relating to you that we have stored to courts, authorities or other gov-ernmental bodies if this is necessary to prosecute statutory violations or if we are under the obligation to render information to the respective public body for other reasons.

    Apart from the foregoing, we do not transmit your data to third parties.

    4.5.5 Transfer to third countries

    A transfer to a third country outside the European Union respectively the European Economic Area is not intended.

    4.5.6 Duration of storage and criteria for determining the duration

    The data collected in connection with your access to wifi will be deleted no later than nine months after you use the wifi service.

    The indicated storage periods may be exceeded in exceptional cases if and to the extent that the data in question are needed for a longer period (e.g. for purposes of the required investiga-tion and/or prosecution of a possible violation of the terms and conditions of the contract for use of the service).

    The cookies are deleted after each session of the visitor.

    4.5.7 Necessity of the data and consequences of non-provision

    The provision of personal data is a contractual requirement [see (GT&C). If you do not enter your data, you may not be able to use the free WLAN.

    4.5.8 Possibility of removal or revocation

    You have the right to object to the processing of your personal data at any time on grounds relating to your particular situation.

    Please send your objection to info@munich-airport.de. We reserve the right to examine your request individually before implementing a restriction or cessation of processing and deletion.

    4.5.9 Status of information

    Date: December 21, 2023

  • 4.6 Photography, video and sound recordings

    This privacy policy applies to photography, video and sound recordings (referred to below as "images and recordings") created by Flughafen München GmbH on various occasions (e.g. photo shoots, events). This privacy policy does not apply to data processing in connection with surveillance measures (e.g. video monitoring).

    The images or recordings may be made in connection with photo shoots or events, for example. For this purpose, we will either obtain your consent in advance or at least inform you in your personal invitation or on location (e.g. in case of public events without personal invitations) that such images or recordings will be made. We do not secretly produce images or recordings.

    Categories of personal data
    In addition to the photos, video and sound recordings, we may process other personal data that we collect from you (such as your name and email address) in connection with the recording.

    Flughafen München GmbH may use the images and recordings for print publications, in broadcasting or in electronic media for corporate communications (e.g. reports, flyers, posters, brochures, presentations, websites, intranet, press releases) and for documentation purposes (e.g. archives). The images and recordings may be shared with third parties (e.g. journalists) and disseminated in social media (e.g. Facebook, Twitter). The possible uses of the images or recordings includes all known and unknown uses as well as the editing and modification of the images or recordings. Flughafen München GmbH may grant the same utilization rights to its subsidiaries and participating interests. However, images and recordings will be utilized as de-scribed here only to the extent that this is covered by a basis for authorization (e.g. consent, contract, law).

    Duration of storage
    If you have granted us your consent or if we have entered into a contract with you, the data will be deleted with the expiry of the consent or contract. If we are processing the data on the basis of a legitimate interest pursuant to Art. 6 Par. 1 f) GDPR, the data will be deleted when the legitimate interest no longer applies.

    For FMG employees only: If the recordings are made for purposes of establishing and implementing an employment relationship, we will delete them when the corresponding purpose is fulfilled. If the processing is regulated in a works agreement, the storage periods may be stipulated in that agreement.

    Statutory archiving periods may require us to store the data for a longer period on the basis of Art. 6 Par. 1 c) GDPR.

    Categories of recipients
    If we have obtained the necessary utilization rights for the recordings, we will transfer the recordings to our subsidiaries and participating interests as required so that they can also use them. In all other respects, we will forward your data to our service providers only in compliance with the applicable data protection laws. Our service providers who may be granted access to the recordings and data include IT service providers, printers and advertising agencies.

    For our image database we use a solution provided by CELUM GmbH, Passaustrasse 26-28, 4030 Linz, Austria ("CELUM"). The image database is maintained on our servers. CELUM may access the images when providing support. We have entered into an external processing agreement with CELUM under which CELUM has undertaken to process personal data only in accordance with our instructions. Further information on data protection at CELUM is available at: https://www.celum.com/en/privacy-cookie-policy/.

    To the extent that we are permitted to use your recordings in social media channels, we cannot preclude the possibility that they will be transmitted into a country outside the EU. The US social media servers used by us are certified under the EU/US Privacy Shield Framework and are obliged to comply with the provisions of the GDPR.

    It is also conceivable that, as part of our international media relations and corporate communications, we will transfer some recordings or images in compliance with the applicable data protection regulations to media, press representatives or agencies outside the EU and the European Economic Area so that the recordings or images can be published there.

    Legal basis
    If you have granted us consent, the legal basis for processing is Art. 6 Par. 1 a) GDPR. If consent is granted by employees of FMG, the legal basis of processing under data protection laws in this case is Art. 6 Par. 1 a) GDPR in conjunction with Section 26 Par. 2 of the German Data Protection Act (BDSG).

    If we conclude a contract with you (e.g. for a photo shoot), then the use of the recordings and other personal data will serve the purposes of executing the contract and will take place in accordance with our contractually agreed utilization and exploitation rights. In that case, the legal basis for processing under data protection laws is Art. 6 Par. 1 b) GDPR.

    If the recordings are made for purposes of establishing and implementing an employment relationship with FMG, the primary legal basis for processing is Section 26 Par. 1 BDSG.

    We will produce photos, video or audio recordings at events etc. without your consent and without a contractual agreement only if a legitimate interest applies in accordance with Art. 6 Par. 1 f) GDPR. Such a legitimate interest may result from the provisions of Section 23 of the German Art Copyright Act (KUG). This is conceivable, for example, in case of:

    • images of historical interest in which you appear;
    • images in which you can be seen incidentally near a specific location or
    • images of gatherings or public events in which you participated.

    In addition to the original purpose for producing the recordings, we may also store recordings and the related data for documentation or archiving purposes unless this is prohibited under contractual or statutory regulations. In this case, our legitimate interest in accordance with Art. 6 Par. 1 f) GDPR is the use of the recordings for publications on our company's history.

    To the extent that we process data in accordance with Art. 6 Par. 1 f) GDPR, we always give due consideration to the question of whether you have overriding interests in the specific case at hand that outweigh our legitimate interests in using the data.

  • 4.7 Passngr app website

    Passngr is the app shared by a number of German airports. With this app, you always have all of your travel information on hand: your flight data, important information for finding your way in your departure and arrival airports, and the most convenient way of getting to and from the airport. The Passngr app is offered and operated by InfoGate Information Systems GmbH, a subsidiary of Flughafen München GmbH.

    For the Passngr app website (https://www.passngr.de), the general privacy information for websites provid-ed in this Privacy Statement applies. In addition, you can enter your mobile phone number on this website to ask for a link to be sent to the Passngr app on your phone. We will use your mobile phone number for this purpose only and will then delete it.

    The privacy policy for the Passngr app can be accessed directly from the app under "Settings" – "About the Passngr app".

  • 4.8 Parking reservations

    1. Description and scope of the specific data processing
    You can quickly and easily make advance parking reservations on our website at parken.munich-airport.de. The provider and contractual partner is Flughafen München GmbH.

    During the booking process for your parking space, the following data are collected:

    • company
    • salutation
    • first name
    • surname
    • address
    • e-mail address
    • telephone number
    • other contract data (planned and actual start of parking, planned and actual end of parking, product, parking area / parking garage, price, possible promotions or promotion codes)
    • time of booking
    • payment details
    • affiliate network

    If you register with us or book without a customer account, we will collect, save and process the above data to make the booking process easier for you. We use your data, among other things, to confirm and provide the booked services (including additional services), invoice processing, reimbursement in the event of cancellation, quality assurance, contact if necessary, e.g. in the case of rebooking, car park or product changes or air traffic restrictions. You can have your customer account deleted by sending an email to our Customer Service Center (info.parken@munich-airport.de). A deletion only takes place after the completion of any ongoing or future parking processes and the associated payment processing.

    In addition to booking your parking space, we offer you optional additional services during the booking process, so-called premium services such as a car wash, interior cleaning, etc. In addition to the data mentioned, we also collect the following data:

    • license plate
    • vehicle manufacturer
    • vehicle model
    • vehicle color

    The additional services are carried out and carried out by our service provider. If the additional services are booked, a copy of the booking confirmation will be sent to the service provider's scheduling department. The service provider can thus plan the corresponding resources for the implementation of the service more efficiently and better allocate the vehicle for the implementation of the service. This also facilitates customer communication, especially when booking additional services.

    2. Purposes of processing
    1) Booking of parking spaces
    2) Booking of additional services such as car wash and interior cleaning

    3. Legal bases
    The legal basis for the appropriate data processing are

    • article 6 Par. 1 sentence b) GDPR, fulfillment of the contract for the online booking of parking spaces and the booking of any additional services including online booking conditions, airport usage regulations
    • article 6 Par. 1 sentence c) GDPR: fulfillment of the legal obligation to comply with statutory retention periods with regard to the storage of invoices for the services provided

    4. Storage period
    After your booking, the data will be stored until the respective statutory retention period of ten years has expired. Data that you have additionally provided for booking an optional additional service will be stored for two years.

    5. Recipient
    The personal data you provide will be collected, stored and processed by us, our system provider as contract processors and the credit card acquirers or payment service providers involved to process your booking and the parking and payment process. In the event that additional services are booked, these will be transmitted to our service provider, who will save and process them.

    6. Transmission to third countries
    There is a transfer to the United Kingdom (processor location).

    7. Options for elimination / revocation
    Your processed personal data are, if they are based on the lawfulness of the processing according to Art. 6 Par. 1 sentence b) or c) GDPR, necessary in order to conclude / carry out the contract with Flughafen München GmbH as part of your parking process or the additional service you have booked guarantee. There is consequently no possibility of objection in this regard.

  • 4.9 Automated license plate recognition at gated entrances and exits to parking garages or parking spaces

    4.9.1 Description and scope of data processing

    The number plate of your vehicle is read by an infrared camera when entering the parking areas. After successful entry, the recognized license plate number is stored in the parking system together with the time of entry and the entry column.

    When the vehicle exits the parking space, the license plate number is recorded again and compared with the data stored when the vehicle entered.

    The following personal data is processed as part of automated license plate recognition and the associated processing of parking procedures:

    • Scanned infrared image of the license plate, vehicle license plate number in plain text, parking garage used, entry and exit device, entry and exit times (date, time), card number of the ticket or long-term parking medium.
    • For short-term parking tickets and online reservations, the parking fee paid, information as to whether a receipt was issued, invoice number.
    • For long-term parking tickets, the data of the contractual partner (surname, first name, company).
    • For online reservations, the e-mail and postal address.


    4.9.2 Purposes of the data processing

    Personal data are processed for the following purposes

    1. Handling of the parking process (e.g. entry, parking, exit, charging/payment processes for electric vehicles)
    2. Improvement of the traffic flow
    3. Barrier openings
    4. Proof of parking duration in the event of unlawful reclaims
    5. Subsequent Issuing of receipts
    6. Prevention and prosecution of criminal offenses, administrative offenses and damage to property
    7. Detection and punishment of violations of the parking regulations and the airport usage regulations
    8. Blocking of license plates

    4.9.3 Legal basis for data processing

    The legal bases for data processing are:

    • For purposes 1, 2, 3, 4, 5, 7: Art. 6 para. 1 lit. b GDPR
      Contract fulfillment, e.g. parking space rental agreement / permit agreement, general parking conditions, terms and conditions of use for online parking space bookings, airport usage regulations

    • For purposes 6, 7 and 8: Art. 6 para. 1 lit. f GDPR
      Safeguarding our legitimate interests (Assertion, exercise or defense of legal claims)

    • For purpose 1: Art. 6 para. 1 lit. a GDPR
      Employees can optionally register for the license plate recognition system. 


    4.9.4 Recipients/categories of recipients 


    Personal data is transmitted to the following recipients or categories of recipients:
    • Manufacturer of license plate recognition software for operation, maintenance and support, based in Germany

    • Operator of an external booking platform for online bookings, based in the UK.

    4.9.5 Transfer to third countries

    Transfer to third countries is generally not intended. However, there may be third-country transfers to the United Kingdom in the context of online bookings. This is based on the adequacy decision of the EU Commission of June 28, 2021.

    4.9.6 Legitimate interests

    The pursuit of the purposes mentioned under 6, 7 and 8 serves to achieve our legitimate interests, in particular to prevent the fraudulent provision of services, to assert, exercise or defend possible legal claims and to be able to enforce our domiciliary rights. The processing is necessary and suitable for the achievement.


    4.9.7 Duration of storage

    Ten days after the successful exit and the completed parking process, the license plate images are deleted from the parking system.
    In the system for controlling the parking facilities and storing the relevant data records, the data record is deleted 92 days after a successful exit.

    4.9.8 Right to object / right to erasure

    To the extent that the legal basis for processing your personal data is based on Art. 6 (1)(b) or (c) GDPR, this processing is required in order to enter into or fulfill a contractual relationship with Flughafen München GmbH in connection with your parking transaction. Consequently, there is no right to object in that regard.

    For all processing activities carried out by us on the basis of our legitimate interests, you have the right, on grounds related to your particular situation, to object to such processing at any time pursuant to Art. 21 (1) GDPR.  

  • 4.10 Bookings/reservations

    4.10.1 Airport tours

    On our website at munich-airport.de/airport-tours you can find a selection of seasonal and year-round tours for adults and children where you can obtain in-depth insights into Munich Airport's operations.

    The provider of the products and services is Flughafen München GmbH. The bookings and payment transactions are implemented by Regiondo GmbH with headquarters in Munich, Germany.

    Categories of personal data
    The following data are collected when tours are booked:

    • first name
    • last name
    • email address
    • telephone number
    • tour data

    Recipients
    The personal data provided by you will be collected, stored and processed by us, Regiondo GmbH, and by the credit card acquirer or payment services provider involved in the processing of your booking and the tour and payment transaction.

    Duration of storage
    After your booking, the data collected will be stored until the end of the applicable statutory retention periods of six and/or ten years.

    Legal basis
    The legal basis for the processing of your data described in this section is Art. 6 Par. 1 sentence 1 b) GDPR (contractual performance and steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 c) GDPR (compliance with legal obligation to comply with statutory retention periods).

    4.10.2 Lounge bookings

    You can find a list of lounges available at the airport on our website at munich-airport.de/lounges. For some of these lounges you can book tickets or vouchers through our website. The provider of the lounges that can be booked is Flughafen München GmbH. The bookings and payment transactions are implemented by Regiondo GmbH with headquarters in Munich, Germany.

    Categories of personal data
    The following data are collected when bookings are made:

    • first name
    • last name
    • email address
    • telephone number
    • booking details
    • payment data

    Recipients
    The personal data provided by you will be collected, stored and processed by us, by Regiondo GmbH and by the credit card acquirer or payment services provider involved in the processing of your booking and the lounge use and payment transaction.

    Duration of storage
    After your booking, the data collected will be stored until the end of the applicable statutory retention periods of six and/or ten years.

    Legal basis
    The legal basis for the processing of your data described in this section is Art. 6 Par. 1 sentence 1 b) GDPR (contract performance and steps prior to entering into a contract) and Art. 6 Par. 1 sen-tence 1 c) GDPR (compliance with legal obligation to comply with statutory retention periods).

    4.10.3 Events

    On our website at munich-airport-camarketing.regiondo.de and allresto.regiondo.de you can find events hosted by Flughafen München GmbH and Allresto Flughafen München Hotel und Gaststätten GmbH. For some of these events you can book tickets or vouchers through our website. The event providers are Flughafen München GmbH and/or Allresto Flughafen München Hotel und Gaststätten GmbH. The bookings and payment transactions are implemented by Regiondo GmbH with headquarters in Munich, Germany.

    Categories of personal data
    The following data may be collected when bookings are made:

    • first name
    • last name
    • email address
    • telephone number
    • booking details
    • payment data
    • recipients

    The personal data provided by you will be collected, stored and processed by us, by Regiondo GmbH and by the credit card acquirer or payment services provider involved in the processing of your booking and the event and payment transaction.

    Duration of storage
    After your booking, the data collected will be stored until the end of the applicable statutory retention periods of six and/or ten years.

    Legal basis
    The legal basis for the processing of your data described in this section is Art. 6 Par. 1 sentence 1 b) GDPR (contract performance and steps prior to entering into a contract) and Art. 6 Par. 1 sentence 1 c) GDPR (compliance with legal obligation to comply with statutory retention periods).


    4.10.4 Events LabCampus

    On our website labcampus.de you will find events organized by LabCampus GmbH. You can register online for some of these events via our website. The provider of the events and the person responsible under data protection law is LabCampus GmbH.

    Contact the data protection officer: datenschutzbeauftragter@munich-airport.de.

    Categories of personal data

    The following data will be collected during registration:

    • First name
    • Surname
    • Company
    • Position (optional)
    • E-mail address

    Purpose of processing

    Your data will be processed for event invitation, implementation and communication based on relevant legitimate interests. Without providing the required data, you will not be able to participate in the event. Following the event, we will send you a one-time email, together with a note on our services, with the most important information at the event.

    Legal basis

    The legal basis of the corresponding processing of your data is Art. 6 para. 1 lit. f DSGVO (legitimate interest of the responsible party).

    Duration of storage

    Your data that we process as part of the event will be deleted by LabCampus GmbH after the event has been held and the follow-up has been completed.

    Categories of recipients & transfer to third countries

    Your data will only be processed by LabCampus GmbH. A transfer to third parties or third countries is not intended.

    Revocation/removal options

    In the event of your objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. We would like to point out that in the event of an objection, participation in an event may not be possible. To exercise your rights of access, rectification, erasure, restriction of or objection to the processing and transfer of personal data, to lodge a complaint with the supervisory authority and for further information, please contact: LabCampus GmbH, P.O. Box 23 17 55, 85326 Munich Airport or by e-mail: events@labcampus.de,

  • 4.11 Contests, prize draws, and campaigns in general

    The section of the Privacy Statement applies to our processing of personal data of participants in contests, prize draws or campaigns run by Flughafen München GmbH. If you subscribe to a newsletter when taking part in a contest, please note the privacy information regarding newsletters.

    4.11.1 Implementation

    For purposes of implementing the prize draw, we process the personal data of the participants – in particular the email address and, at the appropriate time, the address of the winner – which we need for recording the participants' details, notifying the winner and presenting the prize.

    For purposes of implementing the prize draw, we store the participants' personal data until the draw is completed and the winner is notified and for a further period in case the winner does not reply when notified so that a new winner must be drawn.

    In addition, we store the winner's personal data – including the address obtained when the winner is notified – to complete the necessary steps for awarding the prize and, if applicable, for the duration of any additional statutory retention periods.

    Contest participants are not required by law or contractual provisions to provide the above-mentioned personal data. However, for purposes of entering into the contract, i.e. participation in the prize draw, it is necessary to provide the data in our registration form marked as mandatory (as opposed to optional input). The address of the winner obtained after the draw is necessary for sending the prize.

    4.11.2 Forwarding data to other recipients

    Unless otherwise indicated elsewhere in this Privacy Statement, we transfer your personal data to the following additional recipients or categories of recipients:

    • Newsletter mailing and customer relationship management service providers
    • Cooperation partners used by us to deliver our services


    4.11.3 Legal basis

    Legal basis for the data processing described in the section "Contests, prize draws, campaigns":

    • consent of the data subject (Art. 6 Par. 1 sentence 1 a) GDPR
    • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6 Par. 1 sentence 1 b) GDPR).
    • legitimate interests (Art. 6 Par. 1 sentence 1 f) GDPR) Defense of legal claims
  • 4.12 MuniCon conference center

    The municon conference center is operated by Allresto Flughafen München GmbH - Hotel und Gaststätten GmbH. The municon conference center is located at the heart of Munich Airport in the north building of the Munich Airport Center, thus providing a professional setting for meetings, training seminars, presentations or major events.

    The website of the municon conference center offers the opportunity to complete a contact form to submit a callback request. Further information is available under Contact form.

    Categories of personal data
    The following data are collected when the request is submitted:

    • salutation
    • first name
    • last name
    • telephone number
    • email address

    Recipients
    The data will be used exclusively to make the requested call and, if applicable, to book a conference room. The data will not be shared with third parties.

    Legal basis
    The legal basis for the data processing described in this paragraph is Art. 6 Par. 1 sentence 1 b) GDPR (contractual performance and steps prior to entering into a contract).

  • 4.13 Aircraft noise complaints

    We offer you the possibility of using a contact form to contact us directly regarding aircraft noise. Relevant data collected in this case can be found under Contact form.

    Categories of personal data

    • name and contact data (e.g. telephone number, email address and postal address)
    • location data to concretely specify the cause of the complaint and the underlying event

    Special categories of personal data will be noted only to the extent that complainants provide such infor-mation on their own initiative. As they are not needed for the processing of complaints, no further processing will take place. Your data will be processed solely for the following purposes: Processing aircraft noise complaints, including reporting on the number and geographical distribution of aircraft noise complaints at the meetings of the Aircraft Noise Commission and in the Integrated Report of FMG (only the number of com-plaints).

    Recipients
    Personal data are sent to the following recipients or categories of recipients:

    • recipients within the FMG Group (e.g. departments with a role in the processing of noise complaints)
    • aircraft Noise Commission of Munich Airport (only information on the number and geographical distribution of noise complaints)
    • interested members of the public through the Integrated Report (only the number of aircraft noise complaints)
    • airport associations (only information on the number and geographical distribution of noise complaints)
    • courts, public authorities or other government bodies in case legal obligations apply

    Legal basis
    Legal basis for the processing of personal data: Necessity to safeguard the legitimate interests of the controller or a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. (see Art. 6 Par. 1 sentence 1 f) GDPR). FMG has a legitimate interest in limiting the impact of airport operations on the surrounding residents in the interests of good relations with its neighbors and maintaining transparency with regard to environmental issues. In addition, legitimate interests result from the responsibilities of the Aircraft Noise Commission (Section 32b of the Aviation Act (LuftVG), Rules of Procedure of the Aircraft Noise Commission). The Aircraft Noise Commission is formed to engage in consultations with the approval authority, the Federal Supervisory Authority for Air Navigation Services (BAF) and the air traffic management organization. It is notified of measures taken to reduce aircraft noise to protect residents, but can also propose measures on its own initiative. To be able to discharge this responsibility, it is necessary to have knowledge of certain personal data, in particular geographical data and the related geographical distribution and number of aircraft noise complaints.

    In case of inquiries under the Environmental Information Act (UIG) regarding the number and geographical distribution of complaints and the reason for the complaint, a special legal basis applies: the UIG.

  • 4.14 Applicant portal

    We are pleased to provide you with the following information on how your personal data will be processed if you apply with Flughafen München GmbH and its subsidiaries, and what rights you have under data protection law. You can apply online through the applicant portal, by email or by regular mail. Your data will then be entered in the applicant portal and processed by the appropriate entity. The company within the Flughafen München Group that is responsible for your application and the processing of your personal applicant data is the company advertising the position or receiving your unsolicited application. Your application documents will be passed on to other companies within the Group or stored in the applicant pool only with your direct consent.

    If you consent to your application being shared within the Group, your data may be passed on to the companies listed under section 1, "Controllers and data protection officers". This will increase your visibility and the possibility of being considered for a position.

    If we find your application compelling but do not currently have a vacancy for you, we will be happy to include you in an applicant pool for the companies listed under section 1 once you have given your consent. That means you give us permission to store your application for a specified period of time and consider it for vacancies where applicable.


    Applying through HeyJobs

    You can also apply for jobs with us through our social media recruiting partner’s platform and your personal account on this platform. The platform provider is responsible for processing data on the platform and within your personal account. Information on data processing can be found here:

    https://hire.heyjobs.co/en-us/privacy-policy/

    If you decide to apply to us from your personal account on the platform after seeing a vacancy, we process the following data in our account on the platform:

    • First name and surname
    • Cover letter for the specific position
    • Telephone number
    • E-mail address
    • Other data that may also be requested depending on the job profile (e.g. qualifications, work experience)

    When you send your application, these data are stored on the platform, e-mailed to the employees in the HR department responsible for recruitment and (manually) sent to our applicant portal so that we can continue to process your application. The further information on the subsequent flow of data and how your data is handled is the same as when data is processed directly via the applicant portal. Please see the explanations below for related information on the purpose, legal basis, recipient, duration of storage etc.

    Recipients of your data may include the human resources department and the platform partner’s IT administrator. Applicant information stored in the account at our social media recruiting partner is automatically deleted no more than six months after it is received. Applicant information sent by e-mail is also deleted after no more than six months.


    Applying via WhatsApp

    Scope of processing

    The following data are processed when you use this application channel:

    • Personal master data (e.g. title, surname, first name, postal code)
    • Communication data (e.g. telephone, e-mail)
    • Data that may also be requested depending on the job profile (e.g. driver’s license, work permit)
    • Applicant information provided by users in messages, free text fields or files such as CV or qualifications
    • Technical log data (e.g. login, IP, time stamp)

    Opening the link or scanning the QR code on the job advertisement directs you to an information page from the provider PitchYou. This provides information on the application process and asks you to consent to the processing of your data in the application process and to the use of WhatsApp to send your application. Clicking on “apply now via WhatsApp” on a mobile device automatically opens the WhatsApp app. Selecting this option on the website produces a QR code that opens the WhatsApp app on your cell phone when it is scanned.

    You start the WhatsApp dialog by sending a start message. You can cancel the dialog at any time during the interview by way of a simple “/stop” command and confirming this by clicking on yes. All data collected are immediately deleted. If you do not continue your interview, it will be assumed 24 hours after the last message that you do not wish to continue the interview. Your data will then be deleted.

    Once the WhatsApp dialog is completed, your data will be sent to our applicant portal and processed there. For more information on the applicant portal (including on deletion periods), please see the information under “Applying through applicant portal/website”.

    Legal basis

    If you send us your application via WhatsApp, WhatsApp is used on the basis of your explicit consent in accordance with Art. 6 Par. 1 sentence 1 a) GDPR in conjunction with Art. 49 GDPR. This consent is requested prior to the WhatsApp dialog for the application.

    Right to revoke consent

    You can revoke your consent at any time with effect for the future without giving the reasons for doing so. This does not result in any disadvantages for you. You can also apply through our website (https://www.munich-airport.com/careers).

    Recipients and transfer to third countries

    Applications sent via WhatsApp use the provider PitchYou GmbH, Campusallee 9, D-51379 Leverkusen, e-mail: info@pitchyou.de, which receives your data as the processor.

    Please note that if you use this channel your personal data may be transferred to third countries, in particular the US. This third country transfer is based on standard contractual clauses. WhatsApp LLC is also certified under the Data Privacy Framework.


    Applying through applicant portal/website

    4.14.1 Purposes of data processing

    We and the service providers acting on our behalf process personal data for the following purposes:

    1. Filling posted positions and vacancies
    2. Filling future vacancies (unsolicited applications)
    3. Sharing within the Group
    4. Reviewing or identifying further applications within the Group (multiple applications by the same candidate)
    5. Protecting children (applicants under 16 years of age)
    6. Ensuring the consent of legal guardians (applicants under 16 years of age)
      Without the declarations of consent from the legal guardians, applications from applicants under 16 years of age cannot be accepted or can only be partially processed. This also applies when consent is revoked.
    7. Safeguarding and protecting our rights

      Changes in purpose:
    8. In case you are hired, some of your personal data will also be used for purposes related to your employment relationship (e.g. to prepare your contract). The processing is carried out on the basis of the following legal provisions: Art. 6 Par. 1 b) GDPR in conjunction with Art. 88 GDPR in conjunction with Section 26 Par. 1 of the German Data Protection Act (BDSG).
    9. If you consent to the inclusion of your data in the applicant pool, we reserve the right to consider your application for other current or future vacancies and (if you consent to "sharing within the Group") forward your application to the companies specified in section 1 as needed. For information on the storage and deletion of data, refer to the section "Duration of storage and possibilities to have data erased" below.


    4.14.2 Legal basis

    • Purpose 3 and 9: Your consent (Art. 6 Par. 1 a) GDPR in conjunction with Section 26 Par. 2 BDSG)
    • Purpose 5 and 6: Consent of your parents for the processing of your application data (Art. 6 Par. 1 a) GDPR in conjunction with Art. 8 GDPR in conjunction with Art. 88 GDPR in conjunction with Section 26 BDSG)
    • Purpose 1, 2 and 4: Taking steps prior to entering into a contract in response to your inquiry for potentially establishing an employment relationship (Art. 88 GDPR in conjunction with Section 26 Par. 1 BDSG) If there is a multiple application within the Group, the transfer will only be made with regard to the title, time and status of your application to the other Group company on the basis of our legitimate interest (Art. 6 Para. 1 lit. f DSGVO) for internal administrative purposes in order to simplify the application process.
    • Purpose 8: Decision on the establishment of an employment relationship (Art. 88 GDPR in conjunction with Section 26 Par. 1 BDSG)
    • Purpose 7: Safeguarding our legitimate interests (Art. 6 Par. 1 f) GDPR): Legitimate interests on our part relate to the assertion and protection of our rights.

    Please note that more than one of the above legal grounds for processing may apply.

    4.14.3 Categories of personal data

    The following categories of personal data are processed:

    1) Applicant data that you enter in the application form. This generally involves the following data:

    • Salutation*
    • Title
    • First name*
    • Last name*
    • Date of birth
    • Country*
    • E-mail address*
    • Telephone*
    • Highest level of education completed / currently being pursued*
    • Native language
    • Foreign language

    Fields marked with an asterisk (*) are required

    In addition, depending on the specific job posting and target group, personal data may be required and processed in other input fields.

    In case of applicants under 16 years of age (in particular for high school students' internships, other internships, vocational training and, in exceptional cases, also for other positions), the following additional data:

    • Name and signature of the legal guardians
    • Declarations of consent from the legal guardians

    2) Applicant data which you provide by attaching documents (application documents, application photo, etc).

    If you use the "Upload CV" function, the selected documents will be automatically extracted and analyzed. This is done by a subcontractor of the applicant portal operator.

    3) Applicant data from other platforms (Xing, LinkedIn, Dropbox, etc.) that you allow to be transferred and processed by granting a release. This is done through automated extraction/analysis by the subcontractor of the applicant portal provider. Depending on the platform, a CV may be generated from the available profile data and attached to your application in addition to having your data imported into the application form. You may remove this attachment where appropriate.

    That information includes – among other items – the following personal data if entered in the profile or document:

    • Name and address data (title, salutation, last name, first name, street, postal code, city, country, etc.)
    • Contact data (e-mail address, telephone number, etc.)
    • Profile photo
    • Current position
    • Date of birth
    • If applicable, other data categories contained in the document or displayed before obtaining your permission to access them.

    4) Log data collected by the applicant portal provider to ensure proper system operation, error correction and defense against attacks.

    This includes the following personal data, which is erased after 180 days:

    • User name
    • Applicant name (first and last name)
    • IP address

    5) We reserve the right to record applicant information (see 1) and documents in the system manually. For this purpose, a subcontractor of the applicant portal provider can use the “parsing” function. This automatically extracts/analyzes the selected documents.

    4.14.4 Categories of recipients

    1) Use / sharing of data within the Group

    Your data can be accessed only by employees of Flughafen München GmbH and the Group companies for which the vacancy is being filled. If you consented to having your application shared within the Group, your data may also be shared with the companies specified under section 1, "Controllers and data protection officers".

    If we find your application compelling but do not currently have a vacancy for you, we will be happy to include you in an applicant pool for the companies specified under section 1. In this case, you will receive an e-mail from us requesting your permission to include you in the applicant pool. Please see section 14.6.5 for the retention period.

    2) Applicant portal service provider

    Your personal data will be transferred by the applicant portal provider to an external data center (a subcontractor of the applicant portal provider) for processing. A contract has been signed with the applicant portal provider under which the provider is required, without limitation, to comply with all the requirements of data protection laws and to act solely as instructed by us.

    In the event of applications for the subsidiary MAI (Munich Airport International GmbH), we forward the data to an external personnel service provider. A data processing agreement has been entered into with this service provider as well that requires the service provider, in particular, to comply with all requirements of data protection law and to act solely as instructed by Flughafen München GmbH.

    3) Online test service provider (for vocational training positions)

    Your personal data will be processed and stored by the provider of an online test. The online test is used only in the late selection stages for vocational training positions and cooperative degree programs offered by Flughafen München GmbH. To take the online test, you will receive an email with further information. A contract has been signed with the online test provider under which the provider is required, without limitation, to comply with all the requirements of data protection laws and to act solely as instructed by us.

    4) Service providers (general)

    We engage external service providers to perform tasks such as programming or data hosting. We have selected these service providers with care and monitor them regularly, particularly with regard to their careful handling and protection of the data that they process. We require all service providers to sign a contract to maintain confidentiality and comply with the data protection requirements of the General Data Protection Regulation (GDPR) and German Federal Data Protection Act (BDSG).

    5) Platforms

    The platforms of the following providers can be used to complete the application form quickly and easily during the application process:

    • Dropbox International Unlimited Company (One Park Place - Floor 5 - Upper Hatch Street - Dublin 2 – Ireland)
    • XING AG (Gänsemarkt 43 - 20354 Hamburg - Germany)
    • LinkedIn Corporation (2029 Stierlin Court - Mountain View - CA 94043 - USA)

    Please note that these providers and/or their servers may operate at locations outside the EU or the EEA (e.g. in the USA). When an applicant uses a platform, information – which may include personal data – may be sent to and possibly utilized by the platform provider. Please refer to the data protection statement of each platform provider for information on which specific data is stored by the provider in such cases and how it is used.

    The applicant portal does not use platform providers' social plugins; these are only links to the platforms. Nor do we use the platforms to capture any personal data or how it is used.

    After clicking on the button, you will be transferred to the platform provider's login screen. After logging in and releasing the data, the data will be automatically extracted and analyzed by the subcontractor for the applicant portal.

    If you wish to ensure that no data of any kind is processed by the platform providers, enter your data manually in the application form and refrain from using the platforms.

    6) Other third parties

    We will transfer your personal data to other parties only to the extent that this is required to take steps prior to entering into a contract, if we or another party have a legitimate interest in the data transfer, or if you grant us your permission. In addition, data can be transferred to other parties if we are required to do so by law or under an administrative or court order. Your data will not be used for advertising purposes.

    4.14.5 Duration of data storage and possibility of erasure

    Applicant data

    1) Your data will generally be deleted six months after your hiring date, your notification that your application was unsuccessful, or your decision to turn down an offer of employment.

    The criterion for the storage period is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

    a) Explanation of the legitimate interests

    The application documents are stored for a period of six months for the purpose of asserting, exercising or defending legal claims. The six-month period is determined taking into account the deadlines of the General Equal Treatment Act (AGG) and corresponding publications of the Bavarian data protection supervisory authorities.

    b) Necessity of the data processing

    In the opinion of the supervisory authorities, the necessity of storing data for six months results from the overall view of the time limits applicable in the context of any claims under the AGG and the associated possibilities for legal action.

    In case of an application for a vocational training position or a cooperative degree program, all your data will be stored for six months after your application is rejected, you refuse an offer, or your are invited to your first day of work. In case of a rejection on our part or your refusal of an offer, the data will be stored on the basis of legitimate interests (legal concerns).

    In case of an application for a high school student's internship, all your data will be stored for six months after your application is rejected, you refuse an offer, or the internship has ended. In case of a rejection on our part or your refusal of an offer, the data will be stored on the basis of legitimate interests (legal concerns).

    2) If you have consented to be included in our applicant pool, you will receive a notification about your continued inclusion in the pool after five months. If you consent to remain included in the pool, you will be notified again after a further five-month period. If you do not contact us after this notification, all your data will be erased within three months.

    3) If you wish to have your data erased early or withdraw one of your permissions, please send an e-mail with your name, the e-mail address you provided when applying, the job title and company and, for unambiguous identification, your date of birth to jobs@munich-airport.de or contact the person in charge of the advertisement.

    4) Please note that when the data is erased, all data associated with the application in question will be removed, making it impossible to obtain information on the application.

    Log data

    Log data – collected by the applicant portal provider – is erased after 180 days. Log data that has to remain on file for evidentiary purposes will not be erased until the final disposition of the matter and may, in specific cases, be forwarded to the investigating authorities.

    Use of cookies

    The applicant management system provider only uses temporary (session) cookies. These cookies are automatically deleted as soon as the user closes the browser.

    CookiePurposeStored dataDuration of storage
    JSESSIONIDThe purpose of this cookie is to identify your computer during your visit to the application portal pages.Session IDSession
    dvinciSessionIdThe purpose of this cookie is to identify your computer during your visit across all products.Session  IDSession

    The use of technically necessary (session) cookies is based on our legitimate interests under Art. 6 Par. 1 f) GDPR. Technically necessary cookies must be included to ensure that the applicant management system works correctly.

    4.14.6 Transfer to third countries

    Data is not transmitted to third countries as defined by data protection law.

    4.14.7 Objection to processing

    See chapter 6.5 of the privacy policy on how to object to the processing of your personal data on the basis of our legitimate interests (Art. 6 Par. 1 f) GDPR).

    You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point Art. 6 Par. 1 f) GDPR. In this case, we will no longer process your personal data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is done for the establishment, exercise or defense of legal claims.

  • 4.15 Airport Collaboration Portal

    The Airport Collaboration Portal (ACP) serves as the entry point for several applications that fall under various areas of responsibilities and serve various purposes. The portal is operated by Flughafen München GmbH.

    Purpose of data processing
    Your data will be processed solely for the following purposes:

    • registration in the ACP system and
    • granting user privileges for applications
    • registration enables the user to be granted access to applications within the ACP. These include: AIS Airport Information System, Delaycodeclearing, night flight requests, LGS-Baggage.

    Categories of personal data
    Participation in the Airport Collaboration Portal (ACP) is a quasi-contractual legal relationship; the data not marked as optional must be submitted for user management purposes.

    The following categories of personal data are collected:

    • first name
    • name
    • organization
    • company
    • department
    • email address
    • telephone number
    • airport ID number

    Recipients
    The specialized department has access to the personal data.

    Duration of storage
    Access data (login) are deleted when the individual leaves the company or when the access privileges are revoked.

    Legal basis
    The legal basis for the data processing described in this paragraph is Art. 6 Par. 1 sentence 1 b) GDPR (contractual performance and steps prior to entering into a contract).

    Data protection inquiries
    To exercise rights pertaining to the Airport Collaboration Portal (ACP), the data subject can contact us, preferably by email, at: acp@munich-airport.de.

  • 4.16 FMG und Wohnen

    To offer accommodation to our future employees, existing staff, and partners in the vicinity of the airport, we cooperate with MUC Airport Betriebs GmbH.

    Housing inquiries can be submitted to Flughafen München GmbH at: munich-airport.de/fmg-und-wohnen. After an initial review, inquiries are forwarded to MUC Airport Betriebs GmbH via that company's booking software. The data transmitted in this online form are exported in an email that is transferred only within the protected airport network to a special email account that can be accessed only by the responsible employees.

    Purpose of processing
    We process your personal data solely for purposes of processing and handling your booking inquiry, checking your authorization to access the "FMG und Wohnen" service, entering into a contract, executing a contract, processing your booking and to communicate with you to offer and deliver the "FMG und Wohnen" service. A further purpose is to execute and defend our rights.

    Categories of personal data

    • salutation
    • first name
    • last name
    • address
    • telephone number
    • email address
    • airport company
    • personnel number (if available)
    • booking date

    Legal basis
    The legal basis for the related processing of your data is Art. 6 Par. 1 sentence 1 b) GDPR (performance of a contract and steps prior to entering into a contract) and Art. 6 Par. 1 f) GDPR (balancing of interests based on our legitimate interest in checking access authorizations, asserting and defending our rights and forwarding inquiries from our customers).

    Recipients
    We collect, store and process the personal data provided by you exclusively for the purposes stated above (in particular the processing of your booking). For this purpose, however, we must forward the data. As a result, the data are forwarded to the booking tool apaleo GmbH operated by MUC Airport Betriebs GmbH.

    The required transfer of personal data to MUC Airport Betriebs GmbH takes place as required to achieve the stated purposes. After the transfer of the data, the hotel is the sole controller responsible for the processing carried out there under data protection laws. Consequently, Flughafen München GmbH assumes no responsibility for data processing in the hotel operations.

    Duration of storage
    Your personal data will be stored for a maximum of 12 months after the contract is fully executed. The data will be deleted after that period ends. Please note that statutory retention periods, for example under the German Fiscal Code (AO) or the German Commercial Code (HGB), as legitimate purpose limitations, represent an exception and are handled according to the applicable requirements.

  • 4.17 Processing damage events and claims 

    The following text contains information on the processing of your personal data in connection with damages of all kinds, including insurance claims and other ways of settling damages.

    Purpose of processing
    The purpose of the data processing is the comprehensive handling of the damage event, which is not possible without processing your personal data. We process your data in accordance with the relevant data protection regulations, in particular the Insurance Policy Act (Versicherungsvertragsgesetz – VVG) and all other applicable laws.

    Categories of personal data
    To process the damage event, we store and process the personal data of the concerned parties (e.g. first name, last name, date of birth, address, telephone number) as well as data regarding the events (e.g. the damage event) and material facts (e.g. vehicle identification data) that may relate to natural persons.

    Recipients
    Personal data are sent to the following recipients or categories of recipients:

    • Recipients within the FMG Group (e.g. departments responsible for the relevant processing of the data)
    • Companies in the FMG Group
    • Cooperation partners used by us to deliver our services
    • External contractors as defined in Section 28 of the EU-GDPR; at present, these are: FMV – Flughafen München Versicherungsvermittlungsgesellschaft mbH / Marsh GmbH
    • Insurance companies involved in the handling of the damage event

    Duration of storage
    We process and store your personal data as long as necessary to meet our legal obligations. The damage reports and files are retained in accordance with the statutory retention periods.

    Legal basis
    The legal basis for the processing of personal data is as follows:

    • Consent [see Art. 6 Par. 1 sentence 1 a) GDPR] (in cases where we request consent)
    • Necessity for the performance of a contract to which the data subject is a party [see Art. 6 Par. 1 sentence 1 b) GDPR, first option] or to complete steps prior to entering into a contract.
    • In addition, we process your personal data to meet legal obligations. The need to comply with a legal obligation to which the data controller is subject [see Art. 6 Par. 1 sentence 1 c) GDPR].
      • Insurance Policy Act and other relevant laws
      • Fulfillment of obligations to our insurer.
    • We also process your data to safeguard legitimate interests pursued by us or third parties (Art. 6 Par. 1 f) GDPR), i.e. where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. [see Art. 6 Par. 1 sentence 1 f) GDPR].
      • Asserting our own damage claims
      • Fulfillment of obligations to our insurer
      • Defending damage claims pursued against our company
      • Defense and cooperation in case of criminal and administrative proceedings

    In exceptional cases, special categories of personal data are processed (e.g. health-related data). In such cases, the data are generally processed on the basis of Art. 9 GDPR e.g. Art. 9 Par. 2 e) GDPR if these data are manifestly made public by you.

    Source of the data
    If the personal data are not obtained directly from the data subject, they are obtained from

    • Vehicle inquiries, e.g. the "Green Card Office" in Hamburg
    • Witnesses, persons involved in an accident and other third parties
    • Generally accessible sources
  • 4.18 Star Alliance Biometrics

    Star Alliance Biometrics is a product of Star Alliance Service GmbH (hereinafter referred to as "Star Alliance") and enables the voluntary biometric identification (facial recognition) of passengers at the airport. Terminal 2 Gesellschaft mbH & Co oHG (hereinafter referred to as "Terminal 2 Gesellschaft" respectively “we”) currently supports the use of the biometric identification service offered by Star Alliance Biometrics at the following access points: boarding pass control.

    At the airport access points managed by Terminal 2 Gesellschaft, which have integrated the Star Alliance Biometrics’ identification service, a short video sequence will be recorded of you if you wish to use the biometric identification service. A photo is extracted from the video sequence and sent to Star Alliance for biometric matching with your biometric profile stored in Star Alliance Biometrics.

    Scope of application

    This data protection notice refers exclusively to the recording of the short video sequence/photo of your face by the camera at the access point in the Terminal 2 Gesellschaft's area of responsibility.

    For the subsequent data processing in connection with the biometric matching in the area of responsibility of Star Alliance as well as for the enrolment for Star Alliance Biometrics and the use of the corresponding Star Alliance Navigator App, the Star Alliance Privacy Notice applies.

    Data controller

    Controller for data processing within the scope of this data protection notice is

    Terminal 2 Gesellschaft mbH & Co oHG
    Terminal Street North 1, Level Z4
    P.O. Box 23 17 55
    85326 Munich-Airport

    You can reach our data protection officer at datenschutzbeauftragter@munich-airport.de.

    Processed personal data

    A short video sequence and an extracted photo of your face are processed.

    Purpose and legal basis of the data processing

    Processing is necessary to enable the use of the biometric identification service at the boarding pass control, i.e. for Star Alliance to biometrically match the photo taken with your biometric profile stored in Star Alliance Biometrics.

    The legal basis for this processing is your consent given in Star Alliance Biometrics to be identified at Munich Airport via the Star Alliance Biometrics’ identification service (Art. 6 para. 1 p. 1 lit. a) DSGVO).

    You can withdraw your consent at any time in the profile management of the Star Alliance Navigator App. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. 

    Please note:

    Unless you have given your consent or withdrawn it, you are neither permitted nor able to (successfully) use the biometric identification service. Alternative means of boarding pass control (e.g. boarding pass scan) are available to you. You are neither contractually nor legally obliged to use the biometric identification service.

    Should you - contrary to the express notice at the access point - attempt to use the biometric identification service without being enrolled for Star Alliance Biometrics or without having given your consent to be identified at Munich Airport, a video sequence/photo will nevertheless be taken of you and sent to Star Alliance for biometric matching. However, the identification will then fail and the identification process will be completed with an error message.  

    Storage period

    Your personal data will be deleted as soon as the identification process at the boarding pass control is completed.

    Categories of recipients

    Your personal data will be transmitted to the following (categories of) recipients:

    • The Star Alliance to perform the biometric matching and
    • IT service providers who provide the system(s) / software used and who have been contractually committed as processors in accordance with the GDPR.


    Your rights of data subjects

    You have the following rights:

    • Right of access, Art. 15 GDPR
    • Right of rectification, Art. 16 GDPR
    • Right to erasure ("right to be forgotten"), Art. 17 GDPR
    • Right to restrict processing, Art. 18 GDPR
    • Right to data portability, Art. 20 GDPR
    • Right to object, Art. 21 GDPR

    To exercise your rights, you can contact us by e-mail at datenschutzanfrage@munich-airport.de.

    In order to be able to process your request, we would like to point out that we process your personal data collected within the scope of the data protection request in accordance with Art. 6 Para. 1 S. 1 lit. f) DSGVO (for documentation and discharge purposes) and delete it after 3 years.

    Furthermore, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

    No automated decision making including profiling takes place.

    Important note:

    However, we would like to point out once again that we only record a short video sequence as part of the biometric identification process and use a photo from this and delete both from our systems immediately after the identification process is complete. The above-mentioned rights can therefore generally not be implemented, if only because no more personal data is available from you.

  • 4.19 Video surveillance/CCTV at the airport and in in parking facilities

    4.19.1  Video surveillance/CCTV at the airport

    Responsible for video surveillance

    "CCTV Videoverantwortliche/r" der Flughafen München GmbH
    Nordallee 25, 85356 München-Flughafen, Deutschland
    E-Mail: cctv@munich-airport.de

    Contact the data protection officer

    Information on the data protection officer of Flughafen München GmbH can be found under Controllers and data protection officer.

    Description and scope of the specific data processing

    Flughafen München GmbH collects, stores and processes personal data in the context of video surveillance only to the extent required by law, to fulfill the specified, clear purposes or to fulfill the specified, clear purposes or to fulfill our legitimate interest.

    Purposes of data processing and legal basis

    The data is processed for the following purposes and the resulting legitimate interests:

    • Aviation security (including protection of life and limb of persons, protection against attacks on air traffic, etc.)
    • General security (including property protection, domiciliary rights, airport user regulations, AEB parking, etc.)
    • Safety (e.g. fire department operation control, securing employees in the vicinity of systems, etc.)
    • Operational processes (including assistance at terminals, rectification of faults, passenger flow management and general monitoring to ensure a functioning airport infrastructure)
    • Assertion, exercise or defense of legal claims.

    Legitimate interest in data processing exists in the following context:

    • Property protection and domiciliary rights
    • Proper operational procedures
    • Operational interests
    • Establishment of aviation security
    • Ensuring safety and order

    Data processing is carried out on the basis of the following legal bases:

    • Purpose 1: Art. 6 para. 1 lit. c GDPR (fulfillment of a legal obligation to which FMG is subject (in particular § 8 LuftSiG)
    • Purposes 1 and 3: Art. 6 para. 1 lit. d GDPR (to protect the vital interests of the data subject or another natural person)
    • Purpose 1: Art. 6 para. 1 lit. e GDPR: for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
    • Purposes 1, 2, 4 and 5: Art. 6 para. 1 lit. f GDPR Protection of our legitimate interests
    • Insofar as special categories of personal data are processed, this is done based on Art. 9 para. 2 lit. f GDPR.

    Storage duration

    Data is stored in individual cases depending on the camera, purpose, situation, user and usage in accordance with the role and usage concept. The storage period is graded accordingly. The data is deleted when the purpose of storage no longer applies. The deletion concept and the deletion periods are based on the legal requirements and the purposes of storage.

    Recipients

    All authorized groups of persons in accordance with the role and usage concept with differentiated access to images and video images and/or video recordings (authorities, public bodies, subsidiaries and associated companies, airlines).

    Transfer to third countries

    A transfer of personal data to third countries is not intended.

    Options for removal/revocation

    In the case of processing based on our legitimate interests pursuant to Art. 6 para. 1 lit. f

    GDPR, you have the right to erasure and withdrawal of your personal data. In addition, without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the General Data Protection Regulation (GDPR).

    Exercising the rights of data subjects

    Further information on your rights to information, rectification, erasure, restriction of processing, objection and data portability can be found at Your rights.

    4.19.2 Video surveillance in parking facilities

    Description and scope of the specific data processing

    Video surveillance in the parking facilities at Munich Airport is carried out to maintain the functionality and operational safety of the facilities and to ensure trouble-free use of the parking areas and facilities.
    Video surveillance in these areas also serves to ensure airport security in accordance with the requirements of the European Commission (Regulation (EU) 2015/1998 of the Commission) and to protect property in structural and technical facilities. Areas that need to be protected in particular include, for example, the parking ticket machines or the electric charging infrastructure.
    The video surveillance is identified on site by camera symbols and information on data protection.

    Purposes of data processing

    The processing of personal data is carried out for the following purposes:

    1. Ensuring airport security in the parking areas and terminal driveways accessible to the public
    2. Ensuring the operational safety of the technical parking facilities (barrier systems, parking ticket machines, e-charging stations)
    3. Ensuring trouble-free and safe operations (e.g. intervening in the event of congestion at access roads, monitoring the traffic situation, assistance in the event of problems and technical malfunctions at restricted entrances and exits as well as at parking ticket machines)
    4. Asserting, exercising or defending legal claims (prosecution of violations of the applicable General Terms and Conditions of Parking at the Airport and the Airport User Regulations, prosecution of damage to property).

    Legal basis for data processing:

    The legal basis for data processing is:

    • Purpose 1: Art. 6 para. 1 lit. f GDPR in conjunction with No. 1.5.1. Annex to European Commission Implementing Regulation (EU) 2015/1998.

      Our legitimate interests lie in FMG's business interest in maintaining safety and order on the entire airport site (including parking facilities). In addition, we pursue a legal interest in using video surveillance to comply with the obligations pursuant to Section 1.5.1 of the Annex to Regulation (EU) 2015/1998 for the surveillance of publicly accessible areas belonging to the airport, including parking lots and access roads.

    • Purposes 2, 3 and 4: Art. 6 para. 1 lit. f GDPR

      The pursuit of the purposes mentioned in points 2, 3 and 4 serves to achieve our legitimate interests, in particular to ensure the provision of a functioning infrastructure, to ensure trouble-free operation and to be able to assert, exercise or defend possible legal claims as well as to exercise our domiciliary rights. The processing is necessary and suitable for the achievement.

    Recipients/categories of recipients

    Personal data is transmitted to the following recipients or categories of recipients:

    • The video images can be viewed live on site by the authorized employees of the parking control center and other responsible technical departments of Flughafen München GmbH.
    • In the context of the assertion, exercise or defense of legal claims of the airport, video recordings may be passed on to insurance companies, authorities, law firms, etc.
    • In addition, video data will be released to investigative and prosecution authorities upon request and with formal orders.

    Transfer to third countries

    In principle, the transfer to third countries is not intended.

    Storage duration

    Video recordings are stored for a period of 10 days and then automatically deleted unless they are needed as evidence in criminal proceedings or to clarify legal claims.

    Objection and removal option

    For all processing activities that we base on our legitimate interests, you have the right to object to the processing at any time on grounds relating to your particular situation, in accordance with Art. 21 (1) GDPR.

    Please address the objection to kontakt.parken@munich-airport.de. We reserve the right to carry out an individual examination of your request before implementing a restriction or discontinuing processing and deletion. 

  • 4.20 Customer Acquisition of LabCampus

    4.20.1 Events and Lead Generation Campaigns

    For the purpose of customer acquisition and network building, LabCampus conducts (promotional) events and lead generation campaigns. Contact data provided to LabCampus in this context will be processed by LabCampus as follows:

    Categories of personal data

    The following categories of personal data are processed:

    • first name
    • surname
    • company name
    • e-mail adress (if necessary)
    • telephone- / mobile number (if necessary)
    • position (if necessary)

    Purpose of processing

    Your Data will be processed for the purpose of arranging appointments, sending information about our products and services, news and event notices from LabCampus.

    After providing your telephone/mobile number or if you ask us on the phone to send you information electronically by e-mail, we will also use this data with your consent to contact you individually and send you information. Without providing the required data, we cannot send you this information.

    If, in the context of telemarketing campaigns, we receive personal data from publicly accessible sources or from information provided by your colleagues and process this data for the above-mentioned purposes, we will inform you of this within one month or at the latest at the time of the first contact.

    For registration to our newsletter, we refer to section 4.3.2 of this privacy policy, which also applies to registration via business cards as part of promotional campaigns and events.

    Legal basis

    The legal basis for the processing of your personal data given to us is Art. 6 para. 1 sentence 1 letter f) GDPR (legitimate interest). The legal basis for the processing of personal data based on the handover of your business cards is Art. 6 para. sentence 1 letter a) GDPR (your consent by handing over the business card).

    Storage period

    We store your data for the purpose of contacting you until we receive your objection, but at the longest for a period of two years to the end of the year after the last communication, provided that no contractual relationship has been established.

    Categories of recipients & transfer to third countries

    Your data will be processed by LabCampus GmbH. A transfer to third countries is not intended. Recipients of the data are the responsible departments at LabCampus GmbH, as well as processors for marketing services and for the provision of IT services and those for the improvement, maintenance and support of these services.

    Objection

    You can object to the processing of your data at any time by sending an e-mail to: contact@labcampus.de. In the event of your revocation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. We would like to point out that in the event of your objection, no further contact can be established by LabCampus.

    Withdrawal of your given consent

    If we process personal data on the basis of your consent, you can withdraw this at any time via the following e-mail address: contact@labcampus.de. The withdrawal of your consent doesn´t affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal. The lawfulness of the data processing operations carried out until the withdrawal remains unaffected by the withdrawal.

    4.20.2 LabCampus LinkedIn Lead Ads

    This data protection information applies to the following LinkedIn profiles: https://www.linkedin.com/company/labcampus/

    LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter "LinkedIn") is responsible for the processing of personal data entered by visitors while visiting our LinkedIn profile.

    We use LinkedIn Lead Ads to generate contacts and addresses. Lead Ads are an ad format that is displayed to registered LinkedIn users. They contain form functions that enable the simple and rapid generation of leads. After the user actively consents (opt-in), contact information the user has stored with LinkedIn is entered into forms:

    • Name
    • Email address
    • Company

    Once the data in the form has been sent successfully, the user is shown a thank-you page where we can integrate a call to action (e.g. a referral to the LC landing page). We do not send your personal data to third-party advertisers or advertising networks.

    The processing of this data serves the purpose specified above and takes place on the basis of Art. 6 Par. 1 a) GDPR on the basis of your voluntary consent upon registering and logging in to LinkedIn. We store your data until your consent is revoked. You can revoke your consent with future effect at any time by sending an email to contact@labcampus.de

    We do not know the full extent of data collection, i.e. which of a visitor's data is collected by LinkedIn overall and the purposes for which it is processed by LinkedIn. The necessary information has not been provided to us by LinkedIn. Please understand that we can only provide information to the extent allowed for by our knowledge of the data processing within our area of responsibility and our influence on this data processing.

    We would also like to point out that your data may also be processed outside the European Union and the European Economic Area. This could result in risks, e.g. because it could complicate the enforcement of user rights. Further details can be found in the privacy policies of the individual providers.

    The Data Protection Officer of LinkedIn can be contacted through the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO

    Further information on data processing by LinkedIn can be found at: https://privacy.linkedin.com/

  • 4.21 Training programmes / Airport Academy

    4.21.1 Introduction/scope


    This privacy policy contains information on the processing of personal data in connection with training and further education offered by the Airport Academy, in particular via the training platform. Enquiries and registrations can be made via our Online Learning Portal, by telephone, email or other forms and are submitted by the training participants themselves or through user accounts managed by your respective organisation.

    4.21.2 Categories of personal data

    The following categories of personal data are processed:

    The following categories of data are processed for participation in training courses:

    • Identification/address details of the participant and, if applicable, of the person handling the registration
    • Contact details of the participant and, if applicable, the person handling the registration
    • Information on participation in events incl. results and evaluations as well as comments made by the participants
    • Payment and contract data
    • Log data / log files – see above 

    In addition, we also process information on the participant's date and place of birth if this is required by law or official regulations.

    4.21.3  Purposes of the processing of person related data

    Your data is exclusively processed for the following purposes:

    1. Processing for registration, organisation and administration of training and further education
    2. Proof of participation in a seminar or WBT
    3. Proof of a specific qualification
    4. Transfer to the ID centre (aviation security training - to obtain an airport ID card or right of access to the security area)
    5. Provision of a certificate (e.g. EASA certificate)
    6. Invoicing
    7. Customer support and responding to questions
    8. Safeguarding and defending our rights
    9. Organisational assurance of the requirement for training authorisation
    10. Secure operation of the online learning portal and associated systems
    11. Technical assurance of the requirements for access authorisations

    4.21.4 Legal basis for processing personal data

    Personal data is processed on the following legal basis:

    • Purposes 1, 2, 3, 4, 5, 6 – Necessity in the context of pre-contractual measures and/or the performance of a contract to which the data subject is a party (Art. 6 para. 1 sentence 1 lit. b GDPR)
    • Purposes 2, 3, 4, 5, 6, 9 – Necessity for compliance with a legal obligation to which the controller is subject (Art. 6 para. 1 sentence 1 lit. c GDPR). Legal obligations arise, for example, from the Implementing Regulation (EU) 2015/1998, from EASA requirements Regulation (EU) 139/2014 and Regulation (EU) 139/2014.
    • Purposes 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, – Necessity to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject take precedence (Art. 6 para. 1 sentence 1 lit. f GDPR) The legitimate interests are the provision of information to, awareness-raising and qualification of persons working on the airport premises.

    4.21.5 Recipients

    Personal data is transmitted to and processed by the following recipients or categories of recipients:

    • Recipients within the company who carry out the processing activities for a specific purpose, e.g. in the area of training administration, IT and corporate security where security is relevant
    • Managers and organisers of the registering companies, if applicable
    • Your personal data will be transmitted to the invoicing centre of Flughafen München GmbH for invoicing purposes.
    • Companies of the Munich Airport Group Overview of the group structure
    • External contractors and processors currently include: if necessary, instructors who are hired to carry out training and further education and, if applicable, conference hotels when organising workshops. We use payment service providers for certain payment transactions.
    • Courts, authorities or other state institutions in the event of legal obligations, such as for background checks at the Luftamt Süd aviation agency.

    4.21.6 Transmission to third countries

    A transfer to a third country outside the European Union is not intended.

    Some internal training courses include learning content in the form of videos, which may be hosted on servers in third countries. This content is integrated without tracking measures by the video hoster. Personal identification can be ruled out only given if you access the learning content from our internal network or via a VPN connection to our FMG network.

    If you wish to participate in an internal training course without a VPN connection from your home network or via a mobile phone network, you must accept the possible transmission of your IP address to insecure third countries. Please note that your IP address constitutes personal data and that the level of protection and your rights as a data subject in third countries with a lower security standard, in particular the United States of America, may not correspond to that of the European Union (see ECJ case C-311/18).

    4.21.7 Retention period

    Personal data is stored only for as long as is necessary to fulfil the stated purposes or as required by the statutory storage and retention periods. After the respective purpose has ceased to exist or these periods have expired, the corresponding data will be routinely deleted in accordance with the statutory provisions.

    Specifically, the following retention periods apply:

    a. Online Learning Portal: The personal data will be completely deleted after the expiry of all certificates and a follow-up period of six months.

    b. Event manager (registration forms): The personal data will be deleted after six years under existing EASA regulations.

    c. Event management system and billing system: Personal data of persons who have aviation security training will be deleted from the event management system six years after the end of the effective period of the aviation security training. For all other persons, personal data will be deleted six years after the last seminar attendance. Invoices are deleted ten years after the end of the calendar year in accordance with Section 147 AO (German Fiscal Code) / Section 257 HGB (German Commercial Code); other documents, such as offers, are deleted six years after the end of the calendar year in accordance with Section 147 AO / Section 257 HGB.

    4.21.8 Retention period

    • The provision of personal data is required by law in order to carry out training in accordance with Chapter 11 of Regulation (EU) 2015/1998, including aviation security training. Failure to do so will mean that no Airport ID Card or work authorisation for work at Munich Airport can be issued.
    • The provision and storage of personal data in the context of EASA-relevant training is regulated in the EASA requirements Regulation (EU) 139/2014 and Regulation (EU) 139/2014. The following apply: The ADR.OR.D.035 and ADR.OR.F.080 and the ADR chapter.OR.D.017. Failure to do so will mean that no Airport ID Card or work authorisation for work at Munich Airport can be issued.
    • The provision and storage of personal data in the context of dangerous goods training is regulated in Annex 18 of the Convention on International Civil Aviation, including the "Technical Instructions for the Safe Transport of Dangerous Goods by Air" (ICAO T.I.) issued by the International Civil Aviation Organization (ICAO) Doc 9284-AN/905, as well as DOC 10147 whose application is laid down, inter alia:
      - in Commission Regulation (EU) No 965/2012 of 5 October 2012 laying down technical requirements and administrative procedures related to air operations pursuant to Regulation (EC) No 1139/2018 of the European Parliament and of the Council and
      - in Commission Regulation (EU) No 139/2014 of 12 February 2014 laying down requirements and administrative procedures related to aerodromes pursuant to Regulation (EC) No 2018/1139 of the European Parliament and of the Council.


    Failure to provide this information will mean that participants will not be able to register for the required training courses. Proof and certificates for any necessary training courses cannot be issued either.

    • The provision and storage of personal data in the context of dangerous goods training in Austria are regulated by the 303rd Ordinance of the Federal Minister of Science and Transport on the Transport of Dangerous Goods (Gefahrgutbeförderungsverordnung - GGBV)

    Sections 2, 11 and 14 of the Dangerous Goods Transport Act, BGBl. I No. 145/1998, as amended by BGBl. I No. 108/1999, 5th Section - "Training of persons involved in the carriage of dangerous goods by civil aviation"

    Failure to provide this information will mean that participants will not be able to register for the required training courses. Proof and certificates for any necessary training courses cannot be issued either.

    • The provision of personal data is necessary for the planning, implementation and administration (incl. billing purposes) of training and qualifications and thus for the implementation of pre-contractual measures as well as for the implementation of the contractually booked service. Proof and certificates for any necessary training courses cannot be issued either.

    4.21.9 Source of the data

    If the personal data are not collected directly from the person concerned, they come from the data entered by the person making the registration.

    4.21.10 Automated decision-making (including profiling) and effects

    Automated decision-making is not used. Depending on the type of web-based training (WBT), the issue of the certificate may depend on various factors (e.g. completion of a specific part or the entire WBT, assessment tests, etc.). Compliance with these factors is usually checked automatically by the respective WBT programme.

    4.21.11 Cookies training platform

    a. Description and scope of data processing

    We only use technically necessary cookies on the Airport Academy training platform; details can be found in section b. The cookies used are always activated, as they are necessary for the provision of the training platform. The cookies used guarantee functions without which the training platform cannot be used as intended.

    Flughafen München GmbH is responsible for the cookies used; the platform provider acts as a processor. Cookies from third parties are not used.

    b. Purposes, legal bases and retention period

    The specific purposes of the cookies used and information on the retention period can be found in the following overview:


    Cookie nameTypeDescription

    cscx

    session

    Provides our 24x7 global performance monitoring system with regional statistics to ensure our pages (react and legacy pages) load quickly and consistently. Contains the name of the portal logged into and the numeric system identifier of the logged in user.

    csodlaunch

    session

    This cookie is used during course playing and should identify if the current launch attempt belongs to an existing attempt or a new one. Contains the Corp Name and the User Id.

    multiVPoll

    session

    This cookie is used during course playing and should identify if the current launch attempt belongs to an existing attempt or a new one. Contains the Corp Name and the User Id.

    sco

    session

    This cookie is used for course launch functionality in the Online Course Player for Scorm 1.2/AICC . The cookie keeps track of the Sco ID if launched as the player can display multi SCOs which can be launched. Can contain the Sco relative path and user int identifier.

    AWSALB

    persistent 1 week

    This cookie is used to manage routing of the user request through application load balancing by ensuring the same route.

    AWSALBCORS

    persistent 1 week

    This cookie is used to manage routing of the user request through application load balancing by ensuring the same route. As AWSALB but with ‘same site’ attribute.

    ASP.NET_SessionId


    This is a default cookie that is required for ASP based pages to load. Without this cookie, our website will not function. Contains the unique session identifier. Does not contain any Personal Information.

    CYBERU_lastculture


    This cookie is used to ensure our login and maintenance pages load in the local language of origin. Contains the Region (e.g., U.S.) of the incoming machine.

    loginCyberU_LogoutRedirectUrl


    This cookie holds the redirect URL used after a user's session times out.

    CYBERU_backUrl


    Is used internally by our CSX application to redirect to login page in password reset and MFA functionalities.

    The use of cookies is in our legitimate interests pursuant to Art. 6 para. 1 (f) GDPR in the provision of a training platform.

    c. Option of removal

    You have the right to object to the use of Cookies. You can use your browser to display the cookies stored on your computer, delete the existing cookies or set the configuration so that not all or no cookies are stored. Please note that some functions may not work or may not work properly if you deactivate the setting of Cookies.

  • 4.22 Luggage handling

    This information about the processing of your personal data is based on the processing of your personal data as part of the luggage handling and securing of a fast, accurate and correct flight dispatching by Flughafen München GmbH (FMG).

    4.22.1 Description and scope of the specific data processing

    Based on § 45 LuftVZO, FMG - as the airport operator - is responsible to provide and develop the infrastructure for the reliable execution of the air traffic.

    This also includes the administration and the operation of central infrastructure facilities such as the luggage system incl. the associated luggage transportation equipment - starting with the transport from the check-in counters of the airlines including the required sorting and ending with the transport on the destination conveyors as well as the transport of the pieces of luggage that are subject to control to and from the control points.

    FMG receives the required personal data of the airlines to fulfill the tasks as the airport operator as part of the provision of the central infrastructure of the luggage system with luggage transport and sorting.

    To fulfill the tasks, FMG additionally provides information about the status of the luggage based on a request by your airline.

    This includes the following data:

    • Salutation, name (last and first)
    • Flight data
    • Location data about the piece of luggage in the transportation system

    4.22.2 Purposes and legal principles

    Purposes:

    • Fulfilling the tasks as the airport operator to provide and develop the infrastructure for the reliable execution of the air traffic
    • Administration and operation of central infrastructure facilities such as the luggage system incl. the associated luggage transportation equipment
    • Fulfilling the tasks as the airport operator to implement the required safety measures
    • Defense against legal claims
    • Fulfilling the requirements of public safety authorities

    Legal principles:

    • Fulfillment of legal obligations (art. 6 para. 1 lit. c GDPR a.o. i.c.w. § 45 LuftV-ZO, § 5 para. 3, § 8 and § 9 LuftSiG, VO EU 2015/1998)
    • Protection of legitimate interests for an effective and efficient disposition of pieces of luggage, for the clarification of questions (a.o. public authorities, customs), for the delivery of contractual services to FMG customers (e.g. airlines) and for the clarification and defense against legal claims (art. 6 para. 1 lit. f GDPR)

    4.22.3 Recipients of personal data

    • FMG internal departments for the execution of the luggage sorting and luggage loading
    • Airlines, ground handling services
    • Public authorities, courts

    4.22.4 Transfer to recipients in third countries

    The a.m. personal data are transmitted via the SITA network to the airline with which you established a transport contract. If the airline has its seat in a third country outside the EU, then this can involve a data transfer to this third country.

    Contracting partner of FMG for access to the SITA network is SITA Switzerland Sarl, 26 Chemin de Joinville, 1216 Cointrin, Schweiz. In accordance with Art. 45 GDPR, the EU Commission has decided that Switzerland offers an adequate level of data protection.

    4.22.5 Storage duration

    • 100 days in the operational system
    • 15 months in the archive system

    4.22.6 Source of the data

    Data subject/airlines.

  • 4.23 Internal reporting office for reporting persons

    Data protection information about the processing of personal data by the internal reporting office

    The Legal and Compliance (RCC) corporate unit of Flughafen München GmbH (“FMG” or “we”) offers employees and external parties the opportunity to report compliance violations to an internal reporting office. Employees and external parties such as providers, contractors, suppliers and customers can contact the internal reporting office and report violations of legal provisions within the scope of § 2 of the Whistleblower Protection Act (HinSchG), in particular in connection with corruption, fraud, theft, embezzlement, vandalism, property damage, competition offenses. Issues related to the Lieferkettensorgfaltspflichtengesetz (LkSG) [Supply Chain Due Diligence Act], the prevention and handling of sexual harassment, violations of the Code of Conduct and the guidelines of the FMG Corporation such as the “Gifts and Invitations Guideline” and other regulations applicable in the FMG can also be reported.

    Name and contact data of the controller

    FMG is controller for the internal reporting office under the data protection law. As part of the option provided in the Whistleblower Protection Act (HinSchG) of entrusting a third party with the tasks of an internal reporting office, FMG also assumes the tasks of an internal reporting office for the following corporate companies as joint controller in accordance with art. 26 GDPR:

    • aerogate München Gesellschaft für Luftverkehrsabfertigungen mbH
    • AeroGround Flughafen München GmbH
    • Allresto Flughafen München Hotel und Gaststätten GmbH
    • Cargogate Munich Airport GmbH
    • eurotrade Flughafen München Handels-GmbH
    • FMSicherheit Flughafen München Sicherheit GmbH
    • FMV - Flughafen München Versicherungsvermittlungsgesellschaft mbH
    • LabCampus GmbH
    • Flughafen München Realisierungsgesellschaft mbH
    • Terminal 2 Gesellschaft mbH & Co oHG

    In principle, the data subjects can contact the controller of the internal reporting office (FMG) as well as the controller of the corporate companies, which the FMG entrusted with the tasks of the internal reporting office. As part of the agreement about joint controllership, FMG and the above-mentioned corporate companies also agreed about close coordination when fulfilling requests from data subjects and notifications of data protection violations and possible communications to the data subjects in accordance with art. 34 GDPR. You can reach the internal reporting office of FMG using the following contact data:

    Interne Meldestelle
    RCC Flughafen München GmbH
    Nordallee 25
    85356 München
    Germany
    Phone: +49 89 975 403 40
    (Monday to Friday during regular office hours)
    Email: hinweise@munich-airport.de

    The contact data of the entrusting corporate companies and the contact details of the respective data protection officers can be found under section 1 of this data protection declaration.

    Contact data of the FMG data protection officer:

    Datenschutzbeauftragter
    Flughafen München GmbH
    Nordallee 25 85356 München
    Germany
    Email: datenschutzbeauftragter@munich-airport.de

    Categories of personal data

    The submission of notices to the reporting office is voluntary, a report can also be made without us processing the data of the person providing the notice.

    In particular, we use the online portal "Business Keeper Monitoring System" of the EQS Group AG, Karlstraße 47, 80333 Munich (hereinafter: BKMS® System). In this context, please note that anonymous tips should only be submitted from private devices outside the company network, as this is the only way to ensure the required confidentiality.

    As part of the task completion, the following personal or person identifying data are regularly processed by the reporting office:

    • Data of persons named as part of reports
    • Data of persons processed as part of the exercise of tasks of a reporting office, especially in the area of the procedure and documentation
    • Data of persons who are consulted by the reporting office for the exercise of tasks
    • Data of persons providing notices that they voluntarily disclose to the reporting office

    Purposes

    FMG offers employees and business partners the opportunity to report compliance violations directly to the internal reporting office. This can be provided via various reporting channels, e.g. personal conversation, phone, letter, email or the BKMS® system.

    The internal reporting office is responsible to maintain reliable principles of corporate management in day-to-day operations, the possibility of reporting violations via the BKMS® system is designed as an additional mechanism for employees and external parties to also anonymously submit notices and be available for questions.

    Legal basis

    For processing of notices as per HinSchG:

    The reporting office processes the personal data of persons providing notices, persons involved in the proceedings and persons who may be accused due to legal obligations (art. 6 para. 1 lit. c GDPR). These obligations are applicable for HinSchG for:

    • the establishment and design of the reporting office (§ 10 p. 1 i.c.w. §§ 16 HinSchG)
    • the process for internal reports (§ 17 HinSchG)
    • the execution of follow-up actions (§ 18 HinSchG)

    If special categories of personal data are processed by the reporting office, then this is justified with the necessity for the fulfillment of the task (art. 9 para. 2 lit. g GDPR i.c.w. § 10 sentence 2 HinSchG).

    If the HinSchG requires consent as a prerequisite for certain actions by the reporting office (e.g. for the transfer of personal data of the person giving the notices or phone recordings or word logs in case of phone reports), then such consent will be obtained. In these cases, the processing is carried out with art. 6 para. 1 lit. a GDPR.

    If the legitimate interests of the controller or a third party require further processing and do not outweigh the interests or fundamental rights and freedoms of the data subjects, processing can also be carried out on the basis of art. 6, para. 1 lit. f GDPR for example to protect against accusations of reprisals.

    For the processing of notices outside the application area of HinSchG:

    For reports that are assigned to the Lieferkettensorgfaltspflichtengesetz (LkSG) [Supply Chain Due Diligence Act], the legal basis for the processing is based on art. 6 para. 1 lit. c GDPR in conjunction with § 8 LkSG (enabling of and procedural rules for the complaints procedure, confirmation of receipt of notices, discussion of the facts). Data processing when taking remedial measures is based on art. 6 (1) (c) GDPR i.c.w. § 7 LkSG.

    The processing of personal data in the context of processing notices that contain violations of regulations outside the scope of the HinSchG is justified with the protection of legitimate interests (art. 6 para. 1 lit. f) GDPR). The legitimate interest lies in uncovering and preventing grievances and thus in averting damage to the FMG corporation, employees and customers. The processing of notices serves primarily to uncover and check abuses and violations of the law, and is embedded in our compliance management system. Based on this regulation and liability scope, the personal data required for processing the notices must also be processed. The interest of data subjects in not processing the data takes second place, since reports can be made voluntarily and anonymously and an appropriate level of protection is guaranteed for the confidentiality and integrity of the data of the whistleblower and any third parties involved through technical and organizational measures.

    Type and scope of the data use

    The personal data is processed exclusively for the purpose of processing notices and strictly under the stipulation that access to the data is only granted to certain persons and only to the extent that is absolutely necessary for the processing of the notice. Of course, all persons who have access to data are obligated to confidentiality.

    Recipients

    1. Internal use and possible transfer of that data within the corporation

    The specific recipients of data depend on the content of the notice. Incoming notices are received by a small group of expressly authorized and specially trained employees of the compliance organization at FMG (employees of the reporting office) and the notices are always treated confidentially.

    The reporting office checks whether an in-depth investigation is required and which internal bodies must be involved in clarifying the facts of a case. The reporting office also regularly informs top management about the content of the notices received, since the resolution of reported violations is one of their areas of responsibility. In addition, the auditing, corporate safety, legal and human resources departments are often called in to process notices or additional contact persons, which are required to execute the follow-up actions, are identified.

    If reports for subsidiaries are received by the reporting office within the context of the entrusting relationship, or if notices addressed to the parent company also affect corporate companies, then the management of the subsidiaries and, if necessary, the responsible offices or departments of the corporate companies will be informed and consulted to process the notice, because the respectively affected corporate companies have the original responsibility to resolve and pursue an identified violation.

    We ask that you only send the notices to the reporting office that relate to the reporting categories listed in paragraph 1 of this data protection information. We will not forward your request for reasons of confidentiality, but ask you to contact a suitable office if your notice is outside the area of responsibility of the reporting office.

    2. Disclosing data to controllers outside the FMG corporation

    Investigations may require the involvement of other FMG employees or employees of corporate companies and possibly also external parties such as specialized law firms, auditors or forensic experts. Of course, all internal and external parties involved in the process are obligated to the confidential treatment of disclosed information.

    3. Disclosure to government agencies

    If necessary, FMG may be legally obligated to provide information on compliance violations to government agencies (e.g. investigating authorities or courts). In case of such obligations, as well as seizures, we are unable to withhold the information you have submitted.

    4. Whistleblower system service provider

    The BKMS® system is provided by Business Keeper GmbH (member of the EQS Group), Bayreuther Str. 35, 10789 Berlin in Germany as processing on behalf of FMG.

    Personal data and information entered into the whistleblower system is stored in the BKMS® system in a high-security computer center. Only FMG can review the data; the processor and third parties have no access to the data. This is ensured in a certified process through comprehensive technical and organizational measures.

    Disclosure of data to third countries

    As a matter of principle, personal data is not transferred to third countries outside the EU/EEA as part of the fulfillment of the duties of the reporting office.

    Depending on the content of the notice, it may be necessary in individual cases to also pass on the data to recipients in third countries. In third countries, the rights of data subjects and the confidential treatment of personal data may not be legally guaranteed to the same extent as in the EU.

    If you, as the reporting person, do not want us to transfer your personal data to countries outside the EU, please let us know in your report and we will check whether a transfer is not necessary to protect our legitimate interests. Please note that it may not be possible to fully process your report without passing on your data.

    Duration of the storage

    After the plausibility check has been carried out, the reporting office will check whether storage is required.

    Irrespective of the storage periods listed below, after the notice has been checked and the notice procedure has been completed, measures are taken to make the process documentation as data-efficient as possible, e.g. by means of blacking out or pseudonyms.

    The procedural documents are generally deleted after the individual case has been examined 3 years after the conclusion of the notice procedure. The documentation may be kept longer to meet the requirements of the Whistleblower Protection Act or other legislation, as long as this is necessary and proportionate.

    Rights of the data subject

    As a person providing notices, a person involved in the process and possibly an accused person, you are entitled to the following rights of a data subject based on the GDPR:

    • Right to information
    • Right to correction or deletion
    • Right to the restriction of the processing
    • Right to object to processing
    • Right to data transferability

    To exercise your rights and to revoke your consent, please contact the controller at the contact address given above. Alternatively, you can also assert your data protection rights via the BKMS® system or at the following email address: datenschutzanfrage@munich-airport.de

    Please note that the reporting office must also protect the rights of third parties and can therefore only provide information in abridged form or blackened out if this would seriously impair the achievement of the processing goals (art. 14 para. 5 lit. b GDPR) or would disclose information which by its very nature should be kept secret (§ 29 para.1 BDSG).

    Right for a complaint to the supervisory authority

    You have the right to file a complaint with the supervisory authority if you believe that the processing of your personal data is unlawful. The contact data for the supervisory office responsible for us are: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Post office box 1349, 91504 Ansbach, Germany, Phone: +49 (0) 981 / 53 1228, poststelle@lda.bayern.de, www.lda.bayern.de.

    Source of the data

    If personal data has not been collected from the data subject and there is an obligation to provide information, we will refer you separately to the information provided here and let you know the source of the personal data in accordance with the circumstances of the individual case.

    Please note that the appropriate period for the notification is subject to separate review criteria due to the specific circumstances of the processing of your personal data by the internal reporting office and, in particular, deviations from the period defined in Art. 14 para. 3 lit. a GDPR may also be justified in the confidentiality obligations due to overriding legitimate interests of third parties.

    Change in the data protection information

    We reserve the right to change our safety and data protection measures if this is required due to legal or technical developments. In these cases, we will also adapt our data protection notices accordingly. Therefore, please note the current version of our data protection information.

    Miscellaneous

    The communication between your terminal and the BKMS® system takes place via an encrypted connection (SSL). The IP address of your computer will not be saved while using the whistleblower portal. To maintain the connection between your computer and the BKMS® system, a cookie is stored on your computer that only contains the session ID (so-called null cookie). The cookie is only valid until the end of your session and becomes invalid when the browser is closed. As the person providing the notice, you have the option of setting up a protected mailbox in the BKMS® system with a pseudonym/user name and password of your choice. Therefore, you can communicate securely with the reporting office using your name or anonymously.

    Version: December 11, 2024

  •  4.24 LabCampus Community Platform

    See below for information on why and for how long we process your personal data, the legal basis for this, and your rights with regard to data processing if you use our LabCampus community platform.

    Websites of providers to which we link here are subject to the privacy notices or policies published on those sites.

    Please take time to read our privacy policy, as it contains important information about how we use your personal data.

    4.24.1 Content of this policy

    When we use the term “data” in this text, we are referring exclusively to personal data as defined by the GDPR.

    4.24.2 Description and extent of data processing

    Our platform offers you a wide range of services. For example, you can learn about the latest innovations at LabCampus and about various catering options. You can utilize services via the platform, e.g. contacting LabCampus Community and Facility Management. The community platform also has a forum for exchanging information. The forum is intended to promote interdisciplinary cooperation and thus innovation.

    The LabCampus community platform can only be accessed by registered users. For this reason, we provide you with the option of creating a community account and thus registering to use our platform. To do so, enter your details and submit them to us via the form provided here. We store the data transmitted to us and do not disclose them to third parties.

    4.24.2.1 Creation of a community account

    To create your account, we process your work e-mail address and the password chosen by you. The password must fulfill the minimum criteria described in the terms of use. We process it only as a hash value and cannot read your password in plain text but can recognize whether a correct or incorrect password is used for further log-in attempts.

    4.24.2.2 Completion of registration

    Once you have registered, we first check whether your e-mail domain, i.e. the part of the address that comes after the @ symbol, is enabled for use of our platform. If this check comes back positive, your account is created and we send you a link with a request to confirm your e-mail address as part of a double opt-in procedure. In this way, we make certain that you have access to the e-mail account indicated and that you entered your e-mail address correctly. Otherwise, you receive an error message and are informed that your e-mail address has not been validated for use of the platform.

    Your community account is only activated once you click on the verification link, and only then can you log in to the community platform and complete your registration. To do so, you must enter your position at the company and a nickname, which must comprise at least two letters. In addition to the information provided, we save the date and time at which you created your community account in order to log your registration with the portal and as proof of your e-mail verification if necessary. We also save the date and time of your most recent login.

    Provision of the data requested is essential for the creation of your community account. Without these data, we cannot create a community account. We use the data to provide your community platform account. The data are saved in your personal central account, where you can view them at any time and change your password.

    When your account is created, your traffic data as described under “3.1 Log files" above are also processed.

    4.24.2.3 Communication within the platform

    A contact form is provided for communication within our platform. The entries made in the form are forwarded to the e-mail account of the LabCampus team responsible for the particular inquiry. Further communication takes place by e-mail. When the information is forwarded, the text of the message and the following data are processed: the e-mail address connected to your account as the sender of the message, the date and time at which the message was sent, the information that the message came from the platform as the subject of the message, the language setting you have chosen for the platform, and the identification number assigned by the system to your account.

    4.24.2.4 Interaction within the platform

    You can like posts that we publish in the community. These likes, like views, are anonymous, which means that neither we nor the community members can see which posts you have viewed and which you have liked.

    4.24.2.5 Videos and web analysis services integrated into the platform

    When we embed videos on our platform, these are saved on YouTube. YouTube is a platform provided by YouTube LLC, with its registered office at 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube is a subsidiary of Google. We embed our videos via YouTube because local hosting is not sufficiently powerful for the presentation of the videos. For more information, see "3.5 Integrated videos (YouTube)."

    If you have given us consent to place cookies for the statistical analysis of visitor access, i.e. reach measurement, via the consent management tool from "consentmanager" integrated into our website, we use these cookies to improve the quality of our platform and its content. These cookies tell us how the platform is used by the community, enabling us to continuously optimize our offering and our posts. For more information, see "3.2 Cookies and pixels." Information on the consent management tool is provided under "3.2.1 General information on cookies" and on reach measurement under "3.2.2.2 Matomo – LabCampus."

    4.24.3 Purpose/legal basis

    Your data are processed in order to make it possible to register on and login to our community platform as well as to communicate with you.

    Registration on the platform is voluntary and based on your consent in accordance with Art. 6 Para. 1 (a), Art. 4 (11) in conjunction with Art. 7 Para. 4 GDPR.

    In connection with the use of the platform, your data are processed in accordance with the applicable terms of use. The legal basis for this is Art. 6 Para. 1 (b) GDPR.

    We process the e-mail address provided for the purpose of efficient and effective communication. This purpose also constitutes our legitimate interest. The legal basis for this is Art. 6 Para. 1 (f) GDPR.

    4.24.4 Recipients/transmission to third countries

    Our community platform is maintained and operated by our partner, Das Büro am Draht Software-Entwicklung GmbH, located at Blücherstrasse 22, 10961 Berlin (hereinafter "BaD"). It is hosted by our partner Hetzner Online GmbH, located at Industriestrasse 25, 91710 Gunzenhausen (hereinafter Hetzner). We use AWS Cognito for control of access and AWS Secret Manager for account management. AWS Cognito and AWS Secret Manager are offerings of Amazon Web Services EMEA SARL, located at 38 Avenue John F. Kennedy, 1855 Luxembourg (hereinafter AWS). Likewise, we use AWS for the forwarding of inquiries submitted via the contact form.

    BaD, Hetzner and AWS all process your data, unless we have explicitly stated otherwise here, on our behalf and according to our instructions within the European Union (EU). This means that BaD, Hetzner and AWS do not and are not permitted to use your data for themselves, particularly not for their own purposes or their own promotions.

    Please note that AWS complies with the data protection code of conduct for cloud infrastructure services providers (CISPE), i.e. the code of conduct ratified by the European Data Protection Board (EDPB) and adopted by the French data protection authority CNIL in accordance with Article 40 GDPR, and therefore undertakes to comply with the EU’s data protection standards, even when data are transmitted outside of the EU, so that your personal data are adequately protected under data protection law.

    4.24.5 Retention/deletion

    You can delete your own account via the platform at any time by clicking "Delete account" in your account settings and telling us your reason for doing so. Your data will then be deleted. You can also send an e-mail to community@labcampus.de or request deletion via the contact form available here. Your account will then also be deleted.

    Status: September 2023

  • 4.25 Business-to-Business Portal (B2B)

    The Business-to-Business (B2B) portal is available to airport users, airlines, airline associations, representatives of the licensing authority or service providers operating at the Munich site to gain access to personalised information of various kinds. To ensure that the information published on the portal is only accessible to authorised persons, you must create a personalised user profile. The portal is also used to register for newsletters, events or expedited parking or to order publications and make specific enquiries.

    4.25.1 Purpose of processing

    Your data will only be processed for the following purposes:

    • Provide personalised information to users
    • Prevent abuse of benefits (expedient parking)
    • Indicator to subscribe to newsletters
    • Registration/deregistration for events
    • Allocation of event topics
    • Avoidance of no-shows

    Categories of personal data

    Profile data depending on use case.

    • Salutation, title, first name, last name, e-mail, company, function, street, postcode, city, country, identification documents
    • Parking start, parking end, flight number departure, flight number arrival

    IT usage data (system-related)

    • IP address, website visited, and functions used, timestamp
    • Information about the device used (mobile device, desktop, etc.), operating system, browser type and versions used

    4.25.2 Legal basis

    • For sending the newsletter or for passing on contact data to the Bavarian Ministry of Housing, Construction and Transport (responsible authority), consent is required (Art. 6 Para. 1 Sentence 1 Letter a GDPR).
    • For contacts with business and system partners, as well as for the security of the information technology systems (log data), legitimate interest applies (Art. 6 para. 1 sentence 1 letter f GDPR).
    • For event management (invitation, implementation, follow-up) of mandatory annual consultations with airport users as well as for the implementation of the approval process in the event of a fee adjustment (legal basis: Art. 6 para. 1 lit. c GDPR in conjunction with § 19b LuftVG).

    4.25.3 Categories of recipients

    Depending on the intended use of the portal:

    • The respective competent department
    • Parking control center
    • Company that develops the system further (order processing contract)
    • Authorities, but only if consent has been given

    4.25.4 Transfer to third countries

    Personal data is not transferred to third countries.

    4.25.5 Duration of storage

    • Deletion of the indicator that a data subject is invited to events if there is a corresponding number of no-shows.
    • The deletion of the stored personal data for travel agencies takes place in rotation no later than 5 years after no further contact has taken place.
    • Deletion by users themselves

    4.25.6 Possibility of removal or revocation

    In order to exercise his or her rights concerning the B2B portal, the person concerned may contact the B2B portal, preferably by e-mail, at the following address:

    datenschutzanfrage@munich-airport.de

    Status: 6.9.2023

  • 4.26 Lost & found office

    As a transport business, the airport is required under Sections 978 et seq. of the Bürgerliches Gesetzbuch (BGB – German Civil Code) and state lost property laws to maintain a Lost & Found office In order to comply with the legal requirements, it is necessary to process personal data of finders, owners, proprietors, and employees.

    Categories of personal data

    The following data are collected in order to properly process the lost property, comply with legal obligations, and protect legal interests:

    • First name
    • Last name
    • Address and country
    • E-mail and telephone number
    • ID card number (or alternative identification numbers)
    • Billing data

    Recipients

    In addition to the Lost & Found employees (specialist department), the following external recipients receive your personal data:

    • Finder: In the case of entitlement to a finder’s reward, the finder receives the address of the authorized recipient if the item of lost property or the auction proceeds are collected by the rightful owner within the first three years after the item of lost property is auctioned (Section 978 (2) sentence 5).
    • Public authorities that are authorized recipients, such as the responsible/issuing authority for identity documents or law enforcement authorities in the case of a criminal offense

    Duration of storage

    The data are pseudonymized three years after the date of the auction.

    Billing data are pseudonymized and stored for 10 years in accordance with the tax regulations.

    Legal basis

    The legal basis for the processing of your data as described in this section is Article 6 (1) sentence 1c) of the GDPR in conjunction with Sections 978 et seq. of the BGB, Section 10 of the bayerische Fundverordnung (BayFundV – Bavarian Lost Property Regulation) and Article 6 (1) sentence 1f) of the GDPR (legitimate interest).

  • 4.27 Service center

    In the Service Center at Munich Airport, you can find a wide range of services to make your stay at Munich Airport as enjoyable as possible:

    Categories of personal data

    The following data are collected to identify customers and allocate items or property and for billing:

    • First name
    • Last name
    • Address
    • Payment data

    If the person picking up the item is not the customer:

    • Name and address of the depositor
    • Name and address of the person picking up the item (with authorization)
    • ID card number (in special cases such as loss of the storage document)

    Recipients

    Personal data are sent to the following categories of recipients:

    • Recipients within the company (specialist department, billing department)
    • Suppliers (e.g. for cleaning, luggage transport)

    Duration of storage

    Delivery notes are stored for up to 13 months.

    Billing data are stored until the end of the respective statutory retention periods of six or ten years.

    Legal basis

    The legal basis for the processing described in this section is Article 6 (1) sentence 1b) of the GDPR (performance of a contract or steps prior to entering into a contract) and Article 6 (1) sentence 1f) of the GDPR (legitimate interest).

  • 4.28 Telephone and video conferences via MS Teams

    Privacy Policy regarding the conduct of telephone and video conferences via MS Team

    4.28.1 Introduction / scope of application

    This privacy policy contains information on the processing of personal data in connection with the use of Microsoft Teams in order to conduct telephone and video conferences (online meetings) and other communication involving persons who are not present locally.

    4.28.2 Data controller & contact

    Unless another controller is expressly named for individual services, the controller for all processing operations covered by this privacy policy is:

    Flughafen München GmbH
    Nordallee 25
    85356 Munich
    Germany
    Tel. +49 89 975 00
    E-mail: info@munich-airport.de

    Contact details for Flughafen München GmbH, hereinafter also referred to as "FMG" or "we", and its subsidiaries can be found here.

    4.28.3 Data protection officer & contact

    Data protection officer of Flughafen München GmbH, Nordallee 25, 85356 München-Flughafen, e-mail: datenschutzbeauftragter@munich-airport.de

    The contact details for data protection officers at our subsidiaries can be found here.

    4.28.4 Purpose and scope of the processing of personal data

    For conducting telephone and video conferences (online meetings) and other communication involving people who are not present locally.

    Microsoft Teams is a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter referred to as "Microsoft").

    When using Microsoft Teams, various types of personal data are processed. The scope of data processing depends on the information provided and settings made by the data subject and whether Microsoft Teams is used via the app or the browser.

    Depending on the type and scope of participation and the individual settings of the data subject, the following personal data may be processed:

    • User data (first name, last name, display name, e-mail address, profile picture, language settings, IP address, device/hardware information)
    • Meeting data (date, time, meeting ID)
    • Text, audio, or video data (depending on the configuration of the online meeting and the individual settings of the data subject, text entries in the chat window as well as the data collected via the microphone and video camera of the device used may be processed)
    • Recordings (MP4 file of the video, audio and presentation recordings, M4A file of the audio recordings, text file of the online meeting chat)
    • Telephone connection data

    If the online meeting is recorded, this fact will be communicated to the data subjects in advance, and – if necessary – consent will be obtained. The fact that an online meeting is being recorded is also indicated by a banner during the meeting.

    4.28.5 Legal basis for the processing of personal data

    • Art. 6 (1) (1) (a) GDPR is the legal basis if the processing of personal data is based on the (implied) consent of the data subject.
    • Art. 6 (1) (1) (b) GDPR is the legal basis if the processing of personal data is necessary for the performance of a contract or to implementa-tion of pre-contractual measures taken at the data subject’s request.
    • Art. 6 (1) (1) (f) GDPR is the legal basis if the processing of personal data is necessary to safeguard our legitimate interests.

    4.28.6 Recipients

    Personal data is transmitted to the following recipients or categories of recipi-ents:

    • Internal company recipients (e.g. departments responsible for pro-cessing for specific purposes, in particular the participating employees)
    • Munich Airport Group companies (an up-to-date overview of the Group structure can be found at https://www.munich-airport.com/company-profile-263193)
    • As a provider of Microsoft Teams, Microsoft receives knowledge of the above-mentioned personal data within the framework of the provisions of the concluded data processing agreement; this does not include the content of end-to-end encrypted communication.

    4.28.7 Transmission to third countries

    A transfer to a third country outside the European Union is not intended, but cannot be ruled out in the context of the use of MS Teams. The transfer is justified under data protection law, as the following instruments are used under Art. 44 et seq. GDPR:

    • Adequacy decision (EU-U.S. Data Privacy Framework)
    • Standard data protection clauses

    4.28.8 Duration of storage

    Personal data will only be stored for as long as is necessary to achieve the stat-ed purposes or as required by the statutory storage and retention periods. After the respective purpose has ceased to exist or these periods have expired, the corresponding data will be routinely deleted following the statutory provisions.

    4.28.9 Data protection requests / rights of data subjects

    Every data subject has the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to object to processing, and the right to data portability within the scope of the statutory provisions.

    Contact details for exercising your rights as a data subject:

    Flughafen München GmbH
    Data protection request
    Nordallee 25
    85356 Munich
    E-mail: datenschutzanfrage@munich-airport.de

    4.28.10 Right to lodge a complaint with a supervisory authority

    Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if they consider that the processing of personal data relating to them infringes applicable law. The competent supervisory authority in Bavaria for the non-public sector is Bavaria DPA (Bayerisches Landesamt für Datenschutzaufsicht), Ansbach.

    4.28.11 Obligation to provide personal data

    As a rule, the data subject is not obliged to provide the personal data. Likewise, there is generally no legal requirement for provision, nor is provision necessary for the conclusion of a contract.

    However, participation in online meetings is not possible without providing the minimum required personal data.

    4.28.12 Automated decision-making (including profiling) and effects

    Automated decision-making does not take place.

    4.28.13 Reference to further information

    Further supplementary information on data protection can be found in the general privacy policy.

    4.28.14 Status of the information

    Date: October 25, 2023

  • 4.29 Applicant interviews with video via MS Teams

    Privacy Policy regarding the conduct of applicant interviews with video via MS Teams

    4.29.1 Introduction / scope of application

    This privacy policy contains information on the processing of personal data in connection with the use of Microsoft Teams in order to conduct telephone and video conferences (online meetings) and other communication involving persons who are not present locally.

    4.29.2 Data controller & contact

    Controller of the processing activities is the respective company of Munich Airport Group to which you sent your application. Contact details for Flughafen München GmbH and its subsidiaries can be found here

    4.29.3 Data protection officer & contact

    Data protection officer of Flughafen München GmbH, Nordallee 25, 85356 München-Flughafen, e-mail: datenschutzbeauftragter@munich-airport.de

    The contact details for data protection officers at our subsidiaries can be found here.

    4.29.4 Purpose and scope of the processing of personal data

    The Microsoft Teams application is used to conduct video interviews with applicants and online meetings.

    Microsoft Teams is a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter referred to as "Microsoft").

    When using Microsoft Teams, various types of personal data are processed. The scope of data processing depends on the information provided and settings made by the data subject and whether Microsoft Teams is used via the app or the browser.

    Depending on the type and scope of participation and the individual settings of the data subject, the following personal data may be processed:

    • User data (first name, last name, display name, e-mail address, profile picture, language settings, IP address, device/hardware information)
    • Meeting data (date, time, meeting ID)
    • Text, audio, or video data (depending on the configuration of the online meeting and the individual settings of the data subject, text entries in the chat window as well as the data collected via the microphone and video camera of the device used may be processed)

    Video interviews are not recorded. As an applicant, by acknowledging the data protection information, you guarantee that you will also not make any recordings.

    Communication between FMG and you as an applicant is encrypted throughout the entire video interview.

    Confidentiality: As an applicant, you also guarantee that you will maintain confidentiality about presentations and all internal company information that may be shared with you by the specialist departments during a video interview. This rule also applies to screenshots, which are also prohibited.

    Transparency during the MS Teams conference

    You will be informed in advance by the recruiting team about all participants in the MS Teams conference (name, department) when you are invited to the interview. The attendance data required for participation will be made available to the interview participants announced in advance only. Transparency is ensured during the MS Teams conference through communication and visibility of all discussion partners and attendees. By taking note of the data protection information or participating in the video interview, you guarantee that you will not pass on the participation data to unauthorized persons.

    Before the video interview begins, you should make sure that the people present in your room are aware that audio and/or video will be transmitted as part of the video interview and that their image and words can be transmitted to the other participants in the interview. If necessary, you should inform the persons present in the room accordingly and, if applicable, name the recipients of the voice and video transmission. If there are people in the room who are not participants in the video interview or who do not agree to a corresponding transmission, they must be given the opportunity to leave the room before the interview begins.

    4.29.5 Legal basis for the processing of personal data

    The processing of personal data is based on your consent pursuant to Article 6(1) letter a of the GDPR in conjunction with Section 26(2) of the BDSG (German Federal Data Protection Act) and, with regard to the content of the job interview, on the basis of Section 26(1) sentence 1 of the BDSG.

    Voluntary nature of participation in video interviews and right of withdrawal

    We have already informed you in advance that the video interview is only one of several options. Your participation is voluntary. Alternatively, the following options are also possible: telephone interview, on-site interview, etc.

    Please contact the recruiting team if you would like to choose another option.

    You have the right to revoke your consent at any time with effect for the future without giving reasons for doing so. To do this, please contact: jobs@munich-airport.de.


    4.29.6 Recipients

    Personal data is transmitted to the following recipients or categories of recipi-ents:

    • Internal company recipients (e.g. departments responsible for pro-cessing for specific purposes, in particular the participating employees)
    • Munich Airport Group companies (an up-to-date overview of the Group structure can be found at https://www.munich-airport.com/company-profile-263193)
    • As a provider of Microsoft Teams, Microsoft receives knowledge of the above-mentioned personal data within the framework of the provisions of the concluded data processing agreement; this does not include the content of end-to-end encrypted communication.

    4.28.7 Transmission to third countries

    A transfer to a third country outside the European Union is not intended, but cannot be ruled out in the context of the use of MS Teams. The transfer is justified under data protection law, as the following instruments are used under Art. 44 et seq. GDPR:

    • Adequacy decision (EU-U.S. Data Privacy Framework)
    • Standard data protection clauses

    4.29.8 Duration of storage

    Personal data will only be stored for as long as is necessary to achieve the stat-ed purposes or as required by the statutory storage and retention periods. After the respective purpose has ceased to exist or these periods have expired, the corresponding data will be routinely deleted following the statutory provisions.

    4.29.9 Data protection requests / rights of data subjects

    Every data subject has the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to object to processing, and the right to data portability within the scope of the statutory provisions.

    Contact details for exercising your rights as a data subject:

    Flughafen München GmbH
    Data protection request
    Nordallee 25
    85356 Munich
    E-mail: datenschutzanfrage@munich-airport.de

    Contact details for subsidiaries of Flughafen München GmbH can be found here.

    4.29.10 Right to lodge a complaint with a supervisory authority

    Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if they consider that the processing of personal data relating to them infringes applicable law. The competent supervisory authority in Bavaria for the non-public sector is Bavaria DPA (Bayerisches Landesamt für Datenschutzaufsicht), Ansbach.

    4.29.11 Obligation to provide personal data

    As a rule, the data subject is not obliged to provide the personal data. Likewise, there is generally no legal requirement for provision, nor is provision necessary for the conclusion of a contract.

    However, participation in online meetings is not possible without providing the minimum required personal data.

    4.29.12 Automated decision-making (including profiling) and effects

    Automated decision-making does not take place.

    4.29.13 Reference to further information

    Further supplementary information on data protection can be found in the general privacy policy.

    4.29.14 Status of the information

    Date: November 23, 2023

  • 4.30 Contact Parking 

    By using a contact form under https://www.munich-airport.de/kontaktanfrage-parken-4624305 on the web page of Munich Airport, parking customers, interested persons and web page visitors can obtain information on various topics from Munich Airport.

    4.30.1 Scope of Processing

    In the context of your contact approach, the data entered by yourself into the entry mask are being processed. This comprises your contact data as well as any facts and details provided by you.

    Contact Data:

    • Form of address, title, name, first name
    • Postal address
    • Email address, telephone number

    Information and facts:

    • Online Booking
    • Booking-ID
    • Topic
    • Your message
    • Uploads if applicable

    4.30.2 Purpose of Processing

    The described data or data categories of your person are processed for the purpose of answer-ing and dealing with your inquiry, which has been transmitted to us in the free text field “Your message”. In general the provision of the contact form “Contact Parking” serves the purpose of making it possible for interested persons, visitors of the web page and particularly parking customers to address their issues and inquiries regarding parking at Munich Airport with Flughafen München GmbH.

    This concerns in particular following topics:

    • Technical problems
    • Receipts
    • Complaints / queries
    • Barrier-free parking
    • Registration for travel agency parking
    • General inquires

    4.30.3 Legal Basis for the processing of personal data

    The processing of personal data is based on following legal basis:

    • Insofar as your inquiry concerns services rendered based on a contract, the processing of your inquiry is necessary for the completion of a contract. Insofar as the service has been made use of by yourself and you are a contracting party, the data processing is based on Article 6 (1) sentence 1 lit. b) 1. Version GDPR
    • Necessity to protect the legitimate interests of Flughafen München GmbH (FMG) pursuant to Article 6 (1) sentence 1 lit. f) GDPR. FMG has a legitimate interest to offer visitors of the web page, parking customers and interested persons a barrier-free and uncomplicated communication channel regarding relevant topics for these groups of persons and to facilitate contacting accordingly.

    4.30.4 Recipients

    In general service providers commissioned by FMG with administration services of our IT-systems may receive your personal data. In addition, operators of data processing service centers, in which applications implemented by us, are hosted, may receive your personal data.

    For the provision of the contact form, FMG uses a system of ConSol Consulting & Software Solutions GmbH with headquartes in Munich. A data processing agreement has been concluded with the provider of the software solution, which obliges the provider in particular to comply with all legal data protection requirements and to act in addition solely within the instructions of Flughafen München GmbH.

    4.30.5 Transmission to third countries

    A transfer of data to a third country outside the European Union does not take place.

    4.30.6 Storage period and criteria for the definition of the period

    3 months after the closure of your file your data are blocked for further processing and are deleted at the latest 6 years after the closure of the file.

    4.30.7 Necessity of data and consequences of non-provision

    Personal data are provided on a voluntary basis. If you do not provide these data, we may as a consequence not be able to process your inquiry.

    4.30.8 Option for removal

    You are entitled at any time to object to the processing of your personal data for reasons which arise from your personal situation.

    Please do send your objection to kontakt.parken@munich-airport.de. We reserve to make an individual assessment of your request before execution of a limitation or discontinuation of the processing or deletion.  

  • 4.31 Charging of electric vehicles during parking 

    We do offer various options for charging your electric vehicle while parking.

    The charging and payment process is performed by using the bar code on the parking ticket and is linked to the parking transaction. Please scan the bar code of your parking ticket at the scanner of the eSelector and start the charging process by selecting the charging point.

    Please note: If you are using a parking garage with automatic number plate detection, your vehicle license plate may also be linked with the parking ticket as part of the entire parking process. (Please cf. paragraph 4.9 Privacy Policy Privacy Policy - Munich Airport (munich-airport.com)).

    Payment for the electricity charged and if applicable for the parking charges is made before the exit at automatic pay stations. Further information concerning charging of your electric vehicle can be found here: Charging electric vehicles - Munich Airport (munich-airport.com).

    4.31.1 Scope of processing

    In addition to the data collected during the parking process and if applicable for an online reservation, following data are processed:

    • Amount of energy charged (Kilowatt hours (kWh))
    • Amount to be paid for charging
    • eSelector used
    • Charge point used
    • Date, time, duration of charging process

    Further information regarding the scope of data processing during the parking process and for online reservations can be found in this data privacy statement under paragraph 4.8 Park-ing reservations and paragraph 4.9 Automatic number plate detection at parking entrances.

    4.31.2 Purpose of processing

    Data are processed for following purposes:

    • Handling of charging and payment process

    4.31.3 Legal basis

    The processing of personal data is based on following legal basis:

    • Necessary for the fulfillment of a contract to which the data subject is party (cf. Art. 6(1) sentence 1 lit. b) 1st variant GDPR): Allgemeine Einstellbedingungen Parken (General Conditions Parking).

    4.31.4 Recipients

    Personal data are transmitted to following recipients resp. categories of recipients:

    • Producer of a software for the operation of charging points as well as maintenance and support of the software with headquarters in Germany.

    4.31.5 Transmission to third countries

    A transfer to a third country outside the European Union is not intended.

    4.31.6 Duration of storage and criteria for defining the duration

    The data record is stored for up to 92 days in the system for controlling the parking facilities and storing the relevant data records.

    4.31.7 Necessity of the data and consequences of non-provision

    • The provision of personal data is contractually required. If you do not provide your da-ta, this may mean that we cannot fulfill the contract concluded for the use of the parking garage including the use of the charging points.

    4.31.8 Possibility of removal or revocation

    Your processed personal data are required, insofar as they are based on the lawfulness of processing in accordance with Art. 6 para. 1 lit. b or c GDPR, to ensure the conclu-sion/execution of the contract with Flughafen München GmbH as part of your parking process. Consequently, there is no possibility of objection in this regard.

  • 4.32 Boarding pass check - access control to the airside part of Munich Airport

    Special security precautions apply at airports. Only authorized persons may be granted access to the airside security area.

    Controller and data protection officer

    Flughafen München GmbH

    Data protection officer
    Flughafen München GmbH
    Nordallee 25
    85356 Munich
    Germany
    e-mail datenschutzbeauftragter@munich-airport.de

    Scope of processing

    When accessing the airside security area, the following categories of data are collected by scanning the boarding pass:

    • Last name, first name
    • Boarding pass data (including sequence number, flight data, booking class, seat number)
    • Boarding pass scanner number, scan time
    • The boarding pass data is derived from your booking data with your airline, which you confirmed when you checked in with your airline.

    Purpose of processing

    Processing is used to ensure authorization for access to the airside security area (access control).

    Legal basis

    Necessity for compliance with a legal obligation to which the controller is subject as an airport operator [see Article 6, paragraph 1, sentence 1, letter c) GDPR]. The legal obligation arises from Section 8 of the German Aviation Security Act (LuftSiG).

    Categories of recipients

    Personal data is transmitted to the following recipients or categories of recipients:

    Group companies: FMSicherheit Flughafen München Sicherheit GmbH

    Some of the data is also available to airline employees at the gate for individual queries as part of the process for optimizing the punctuality of check-in (see "Optimization of punctuality during check-in and departure").

    Transmission to third countries

    Transmission to a third country outside of the European Union is not planned.

    Term of storage and criteria for determining the effective period

    The data on your boarding pass will be stored for 30 days in the boarding pass control system in order to be able to trace any faults and comply with official requests. After 30 days, the data is pseudonymised and used for statistical purposes (aggregated figures) for operational analysis. The pseudonymous data will be deleted after 18 months.

    Data source

    The data is collected as part of boarding pass scans during boarding pass checks.

    Necessity of the data and consequences of failure to provide data

    The provision of personal data is voluntary. However, it is not permissible to grant you access to the airside part of Munich Airport if you do not provide this data.

    Status of the information

    Date: March 25, 2024

  • 4.33 Optimization of punctuality during check-in and departure

    If any passengers have failed to appear at the gate of their flight during the boarding process, a decision must be made as to whether the gate will be closed and the baggage of these passengers will be unloaded to ensure punctual departure. Airlines' gate staff can search for the last contact point of a boarding pass scan by seat number or boarding sequence number, so that they can better assess whether the missing passengers can still be expected soon.

    Controller and data protection officer

    Flughafen München GmbH

    Data protection officer
    Flughafen München GmbH
    Nordallee 25
    85356 Munich
    Germany
    E-mail: datenschutzbeauftragter@munich-airport.de

    Scope of processing

    • Flight and seat number
    • Boarding sequence number
    • Boarding pass scanner number (location), scan time

    Purpose of processing

    Optimization of punctuality of check-in and departure.

    Legal basis

    Required for the purposes of pursuing the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject [see Article 6, paragraph 1, sentence 1, letter f) GDPR]. The legitimate interests consist of punctual handling and adherence to the flight schedule and thus serve all of the data subjects.

    Categories of recipients

    Boarding pass scanner number (location) and scan time are transmitted to the following recipients on the basis of the flight and seat number or boarding sequence number:

    Airlines or their employees, or authorized employees at the gate

    Group company: aerogate München Gesellschaft für Luftverkehrsabfertigungen mbH

    Transmission to third countries

    Transmission to a third country outside of the European Union is not planned.

    Term of storage and criteria for determining the effective period

    Retrieval via the seat number or boarding sequence number is possible only until the flight is closed.

    Data source

    The scan time and location are recorded as part of boarding pass scans during boarding pass checks (see 4.36).

    Necessity of the data and consequences of failure to provide data

    The provision of personal data is voluntary. However, it is not permissible to grant you access to the airside part of Munich Airport if you do not provide this data.

    Status of the information

    Date: March 25, 2024

  • 4.34 Processing of customer contact data

    4.34.1 Scope of processing

    For customer communication with partners and service providers, the following data is processed by the FMG departments and subsidiaries with which the customers are in contact:
    First name/last name, business e-mail address, telephone number and, if applicable, fax number, company (employer) incl. address, communication content

    4.34.2 Purpose of processing

    Customer relationship management
    (maintaining contact directories and lists, processing of offers and orders, communication with contact persons)

    4.34.3 Legal basis

    Art. 6 (1) sentence 1 lit. f GDPR: Legitimate interest (efficient processing of quotations and orders as well as corresponding business correspondence)
    Art. 6 (1) sentence 1 lit. b GDPR: if the data subject becomes or is a party to the contract.
    Art. 6 (1) sentence 1 lit. c GDPR: if required by law, e.g. for validation of supplier relationships.

    4.34.4 Recipients

    In the course of communication with data subjects and the processing of contracts, the providers of the applications and IT systems used by FMG may also receive your personal data, e.g. operators of data centers that host applications used by us may have access to your personal data. In the case of any third country transfers of personal data outside the EEA, the requirements of Chapter V of the GDPR are met by us as the controller and by the processors involved.

    4.34.5 Duration of storage and criteria for defining the duration

    Your data will generally be stored for as long as is necessary to achieve the above-mentioned purpose and will be deleted once the purpose no longer applies. This is usually the case when the business relationship has ended and there are no statutory retention periods to the contrary.

    4.34.6 Possibility of removal or revocation

    If your data is processed on the legal basis of legitimate interest, you have the right to object to the processing of your data at any time. In the event of changes to contacts (contact persons) and contact details, please get in touch with your direct contact person.

  • 4.35 Reviews on social media

    If you published a review about Munich Airport on Google Maps, we evaluate this review in order to learn from it and improve the services at Munich Airport. For suitable reviews, we can also publish an answer, e.g. to answer a question contained in the review.

    4.35.1 Responsible person and contact

    Google is responsible for Google Maps and the reviews published there. Further information on this can be found in Google's privacy policy.

    Flughafen München GmbH is responsible for the evaluation of the reviews published on Munich Airport as described here. Their contact details and the contact details of the data protection officer can be found above in section 1.

    4.35.2 Scope of processing

    We process the following data categories of the published reviews:

    • Social media platform on which the review was published
    • Date/time of the review (and possibly the last edit)
    • Number of stars awarded
    • Review text
    • If applicable, the answer we published to the review
    • If applicable, the name of the reviewer published by Google

    We use techniques from the field of "artificial intelligence" to automatically discover structures and patterns in the published reviews and gain insights from them. We also use such techniques to automatically prepare possible answers to new reviews from previous reviews and our responses to them. The publication of an answer (and the answer text) is always based on the decision of a human employee.

    4.35.3 Purposes of processing

    • Improvement of services at Munich Airport
    • Communication with the reviewers about the points they have addressed

    4.35.4 Duration of storage

    The data of individual reviews are stored and evaluated by us for up to 10 years, so that we can track and evaluate trends and developments in the quality of our services over longer periods of time.

    4.35.5 Legal basis

    The legal basis for the processing described in this section is Art. 6 (1) sentence 1 (f) GDPR (balance of interests, based on our legitimate interest in improving the services at Munich Airport and communicating with our reviewers about it).

    4.35.6 Right to object

    You can object to the processing of your data described here at any time, e.g. by e-mail to datenschutzanfrage@munich-airport.de. In the event of your objection, we will no longer process the data of your review(s), unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of asserting, exercising or defending legal claims.

    4.35.7 Categories of recipients & transmission to third countries

    The recipients of the review data processed by us are our responsible specialist department and the contract processors for IT services that we use. A transfer to third countries is not intended.

  • 4.36 Information on the processing of personal data in the context of the Advent calendar competition

    4.35.1 Scope

    This privacy policy contains information on the processing of your personal data in con-nection with participation in the Munich Airport Advent Calendar competition, visiting this website and participating in the voluntary survey in the Munich Airport Advent Calendar competition.

    To participate in the Advent calendar competition, interested participants sign up on the Advent calendar platform and access a protected area with their own password.

    If you have signed up for the newsletter as part of participating in the Advent calendar competition, please refer to the information in section 4.3 Newsletter of the privacy policy on the Munich Airport website.

    For websites of other providers, to which, for example, links are referred, the data protection information and declarations there apply.

    4.35.2 Data protection officer & contact to the data protection officer

    The person responsible for data protection law is:

    Flughafen München GmbH
    Route and Passenger Development
    Nordallee 25, 85356 München-Flughafen
    E-Mail: digital@munich-airport.de

    Data protection officer contact details
    datenschutzbeauftragter@munich-airport.de

    4.35.3 Categories of personal data

    The following categories of personal data are processed from the registered participants:

    Processing in the context of the Advent calendar competition:

    • Title

    • Name
    • E-mail address
    • Password (for login)

    Processing in the context of the voluntary survey:

    • Frequency of participation in the competition

    • Country of origin and postal code
    • Travel frequency
    • Year of birth + - 15 years
    • Travel behavior
    • Feedback on user-friendliness
    • Recording of the airport visit
    • IT usage data (IP address, time stamp)

    4.35.4 Purposes of processing

    The personal data is processed exclusively for the following purposes:

    Advent calendar competition:

    • Identification and notification of the winners after the draw of the daily prizes and the main prize

    • Personal address of the logged-in users: on the Advent calendar platform and in the email communication required within the scope of the competition during the competition period
    • Identification of participants to exclude multiple participation
    • Transmission of the winner's data to the sponsor partner of the competition for contacting and providing the winnings (e.g. to airline partners for personalized flight tickets)

    Survey:

    • The aggregated, non-personally identifiable data of the participants generated from the surveys will be further processed for the purposes of optimizing the user experience within the competition, as well as optimizing advertising measures.

    4.35.5 Legal basis for the processing of personal data

    Advent calendar competition:

    The processing of personal data for participation in the competition is based on the follo-wing legal basis: fulfillment of a contract (terms and conditions of participation in the competition) concluded between the competition participants and the person responsible [cf. Art. 6 (1) b) GDPR].

    Survey:

    The processing of personal data for participation in the survey is based on the following legal basis: Consent [cf. Art. 6 (1) a) GDPR].

    You have the option to revoke your consent at any time without giving reasons by sending an e-mail to digital@munich-airport.de. The processing of personal data based on consent remains lawful until the time of revocation.

    4.35.6 Recipients:

    Personal data is transmitted to the following recipients or categories of recipients:

    • Internal: Employees of the participating specialist departments

    • External:

      - Employees of the commissioned agency, which is used on the basis of a contract for order processing for hosting and administrative support.
      - For data of the winners: respective sponsor partners of the competition

    4.35.7 Transmission to third countries

    Transmission to a third country outside of the European Union is not planned.

    4.35.8 Duration of storage

    The deletion of the personal data of all registered participants in the survey will take place after the survey and the associated organizational processes have been evaluated, no later than 28.02.2025.

    The data of the winners can be stored until the expiry of statutory limitation periods. This period corresponds to the standard limitation period for claims under Section 195 of the Bürgerliches Gesetzbuch (BGB – German Civil Code). Unless another starting point for the limitation period is determined, the period begins at the end of the year in which the claim arose (Section 199 (1) BGB). The data are erased if they are no longer required and this is not precluded by legal retention periods.

    4.35.9 Obligation to provide personal data

    The Advent calendar competition is a contract-like legal relationship. The provision of the data is contractually required for participation and execution of the competition. Failure to provide the data means that participation in the Advent calendar competition is not possible.

    The survey on the Advent calendar competition is a voluntary participation based on informed consent in accordance with Art. 6 (1) a) GDPR. The provision of the data is neither contractually nor legally required. Failure to provide the data means that participation in the survey is not possible.

    4.35.10 Data source

    Independent data entry by the participants.

    4.35.11 Automated decision-making (including profiling) and effects

    Automated decision-making does not take place.

    4.35.12 Explanations on special processing of personal data

    • Log data / log files

      Every time you access content on our websites, data is stored that may allow identification.


    The following data is collected in the process:

    • Date and time of access

    • Server load at the time of the request
    • IP address
    • Visited page on our website
    • Notification of whether the call was successful
    • Amount of data transferred
    • Information about the device used (mobile device, desktop, etc.), operating system, browser type and versions used

    4.35.13 Purposes of processing

    The temporary storage of this data is necessary for the execution of a website visit to ena-ble the delivery of the website. Further storage in log files takes place to ensure the functionality of the website and the security of the information technology systems. This stored data is evaluated exclusively for the analysis of technical malfunctions and possible attacks on our website. In addition, the data can be analyzed anonymously for statistical purposes.

    4.35.14 Legal basis

    The legal basis for the corresponding processing of your data is Art. 6 (1) sentence 1 (f) GDPR (balance of interests, based on our legitimate interest in maintaining the functionality of the website and statistically evaluating the use of our website).

    4.35.15 Categories of recipients

    Individual websites are operated by external hosting service providers and/or managed by external agencies. These will each act on our behalf as a data processor and process the data exclusively in accordance with our instructions.

    4.35.16 Transmission to third countries

    Transmission to a third country outside of the European Union is not planned.

    4.35.17 Duration of storage

    In order to be able to research appropriately in the event of technical malfunctions or possible attacks on our website and report to supervisory authorities and security bodies if necessary, we delete or anonymize the log data no later than one month.

    4.35.18 Automated decision-making (including profiling) and effects

    Automated decision-making does not take place.

    4.35.19 Website tracking: eTracker

    On the website of the Advent calendar competition, we use the service "etracker Analytics" of etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany (www.etracker.com). Because the privacy of our visitors is important to us, the data that may allow a reference to an individual person, such as the IP address, login or device identifiers, are anonymized or pseudonymized as early as possible. It is not used in any other manner, aggregated with other data or shared with third parties.

    Here you can find more information on data protection at etracker.

    The etracker is used on our website by anonymous web analysis without the use of Cookies (cookie-less). If you do not object to anonymous web analysis, your usage behavior on this website will be recorded exclusively without Cookies (cookie-less). Further information on this can be found under etracker -Cookie-less-etracking.

    Data processing in this case is based on the legal provisions of Art. 6 (1) f) GDPR (legiti-mate interest). Our aim is to optimize the Advent calendar competition for the benefit of the participants, which is also our purpose.

    4.35.20 Recipients of the data

    internally: Employees of the participating specialist departments
    External: Employees of the commissioned agency and the service provider used for web analysis.

    4.35.21 Transmission to third countries

    The data generated by etracker is processed and stored exclusively in Germany on behalf of the provider of this website by etracker and is therefore subject to the strict German and European data protection laws and standards. No transmission to third countries takes place.

    4.35.22 Data protection requests / rights of data subjects

    Data protection law grants you various rights with regard to your personal data, including, without limitation, the right of access to personal data concerning you, the right to rectification, erasure, restriction of processing, objection to processing, data portability, and to withdraw consent at any time. Unless otherwise indicated for the individual processing operations, you may contact datenschutzanfrage@munich-airport.de to establish your rights.

    4.35.23 Right of access

    You have the right to request information from the controller pursuant to Art. 15 GDPR about your personal data processed by the controller. Please note that the right of access may be restricted under certain circumstances in accordance with legal provisions (in-cluding, without limitation, Section 34 of the German Federal Data Protection Act (BDSG)).

    4.35.24 Rectification

    You have the right to request from the controller without undue delay the rectification of inaccurate personal data concerning you in accordance with Art. 16 GDPR. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed.

    4.35.25 Restriction/blocking

    You have the right to request from the controller, within the framework of the provisions of Art. 18 GDPR, the restriction of the processing of personal data concerning you.

    As a precaution, we note the following: Certain personal data of the data subject must usually be kept in a blocked data file to ensure that data is properly blocked at all times.

    4.35.26 Erasure

    You have the right to request from the controller the erasure of your personal data under the conditions of Art. 17 GDPR.

    4.35.27 Objection

    Under the conditions of Art. 21 GDPR, you have the right to object to the processing of personal data concerning you at any time for reasons arising from your particular situation. In this case, we will only process your data if we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is done for the establishment, exercise or defense of legal claims.

    4.35.28 Revocation

    You have the right to revoke your consent at any time with effect for the future. The processing of personal data based on consent remains lawful until the time of revocation.

    4.35.29 Data portability

    Under the conditions of Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format, to transmit it to another controller and to request that the personal data be transmitted directly from one controller to another.

    4.35.30 Right to lodge a complaint with a supervisory authority

    Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes applicable law. The competent supervisory authority in Bavaria for the non-public sector is Bavaria DPA (Bayerisches Landesamt für Datenschutzaufsicht), Ansbach.

    Comprehensive information on your data subject rights can also be found in the data protection declaration on the Munich Airport website in sections 6 and 7.

    4.35.31 Status of the information

    27.11.2024

5 External booking requirements

On our website you will be redirected to the external booking platforms described below. The bookings are processed independently of Flughafen München GmbH. The privacy policy of the provider in question will apply.

5.1 Package travel arrangements

The booking process "Package holidays" is operated by travianet GmbH, a company in the FTI Group, with headquarters in Deggendorf, Germany. The process is subject to the privacy policy of travianet GmbH.

5.2 Car rentals

The booking process "Car rentals" is operated by TravelJigsaw Limited with headquarters in London, UK. The trade name of the rental car booking platform is Rentalcars.com. The process is subject to the terms of the privacy policy of Rentalcars.com.

6 Your rights

Under data protection laws, data subjects have various rights with regard to their personal data, in particular a right to information on the personal data in question, the rectification and erasure of data, the restriction of processing, objection to processing, data portability and the right to withdraw consent at any time. Unless otherwise indicated in the various processing steps, you can exercise your rights by contacting datenschutzanfrage@munich-airport.de. Further information on the processing of your personal data when asserting your rights or other data protection inquiries can be found in Individual processing activities in the appropriate section.

6.1 Information

The data subject has the right pursuant to Art. 15 GDPR to obtain information from the controller on the processing of his/her personal data by the controller. Please note that this right may be restricted under certain circumstances in accordance with statutory regulations (in particular Section 34 of the German Data Protection Act (BDSG)).

6.2 Rectification

The data subject has the right pursuant to Art. 16 GDPR to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Depending on the purposes of the pro-cessing, the data subject has the right to have incomplete personal data completed.

6.3 Right to restriction / blocking of processing

The data subject has the right pursuant to Art. 18 GDPR to obtain from the controller restriction of processing of personal data pertaining to him/her.

By way of clarification, please note: To ensure that a data block can be complied with at all times, it is generally necessary to keep certain personal data of the data subject in a restricted data file.

6.4 Erasure

The data subject has the right, pursuant to the criteria set out in Art. 17 GDPR, to obtain from the controller the erasure of personal data pertaining to him/her.

6.5 Objection

The data subject has the right, pursuant to the criteria set out in Art. 21 GDPR, to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds warranting protection for the processing which override your interests, rights and freedoms or which serve to establish, exercise or defend against legal claims.

6.6 Withdrawal

The data subject has the right to withdraw his/her consent with future effect at any time. The withdrawal of consent shall not affect the lawfulness of processing of personal data based on consent granted prior to the withdrawal.

6.7 Data portability

The data subject has the right, pursuant to Art. 20 GDPR, to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and to transmit the data to another controller or to have the data transmitted directly from one controller to another.

6.8 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if they believe that the processing of personal data relating to them violates the law. The supervisory authority in the state of Bavaria responsible for the non-public area of the airport is the Bavarian State Office for Data Protection Supervision, Ansbach.

7. Exercising the rights of the data subject

This information about the processing of your personal data refers to the processing and answering of your inquiries in accordance with art. 15-21 of the General Data Protection Regulation (GDPR).

Flughafen München GmbH (in the following: FMG) or the subsidiary/affiliated company to which your data protection inquiry refers or to which you addressed your inquiry are responsible with respect to legal data protection.

The contact data can be found in section 1 of this data protection declaration. The contact data of the identified data protection officer can also be found here.

Note: Inquiries that affect subsidiaries/affiliated companies of FMG must be addressed directly to the subsidiary/affiliated company of FMG. A current overview of the corporate structure can be found on the website under https://www.munich-airport.com/company-profile-263193.

Please note that many other companies are also active on the premises of the Munich airport and these companies may - on their own responsibility - process data about you. This refers, for example, to airlines that start and land on the Munich airport. The respective inquiries should be addressed directly to the data protection officers of the respective airline. An overview of the airlines can be found here.

7.1 Description and scope of the specific data processing

7.1.1  Coordination/processing/answering of your inquiry

On one hand, we process your personal data for the on-time, content-correct and complete processing and the answering of your inquiry. For this purpose it is required to hand your inquiry to selected internal FMG departments that can normally process your personal data and therefore can research for applicable personal data.

In close cooperation with the data protection officer of FMG, the corporate Compliance unit reviews your inquiry, performs an identification with the affected departments, coordinates the obtaining of the required information, prepares the answer to your inquiry and answers it centrally addressed to you. An external legal advice is obtained if this is required.

The department selection is made individually and depends on your relationship with FMG (whether you are, for example, a passenger, a subscriber of a newsletter, participant in contests, user of the free WIFI, user of the contact form of the website, user of the online parking lot booking, supplier or other contract partner, etc.).

The personal data that you transmitted to us directly through your inquiry and those that we process based on the FMG services that you used are processed.

This can, for example, include the following data:

  • Salutation, name (last and first)
  • Address
  • Email address, phone, fax number
  • IP address, log files,
  • Time stamps (day, date, time)

A complete, final listing of all data is not possible, because it depends on your specific inquiry and the services used by you.

The processing activity does not generally include special categories of personal data (e.g. health data, data about religious or ideological beliefs, data about the racist or ethnic family background). However, this may be possible in individual cases if it is necessary for the processing of the specific inquiry.

7.1.2 Answer and documentation of completed inquiries

After we answered your inquiry, we store our answer delivered through the respec-tive communication channels as well as the associated documentation.

Stored are through this process:

  • Your inquiry
  • The internal compilation of the provided documentation
  • The provided documentation
  • A digital copy of the answer (e.g. by email or the fax/letter answer stored in a PDF format)

This also affects inquiries that were answered by us with a required identification question about your person and which could not be further processed due to the lack of an identification confirmation by you.

7.2 Purposes and legal principles

7.2.1 Processing/answering of your inquiry

We process your personal data for the purpose of the on-time processing and answering of your inquiry. The obligation for answering is based on our own commitment to the transparency against the affected persons as well as the GDPR-conforming processing of personal data. The processing and answering of your inquiry is also based on the requirements in section III GDPR, especially art. 12-21 GDPR (legal basis art. 6 para. 1 lit. c GDPR).

Our justified interests to correctly and completely answer your inquiry with regards to content in a timely manner are also based on the above (legal basis art. 6 para. 1 lit. f GDPR). The processing of your personal data as described here is required for this purpose. Basic rights and freedoms of third parties must be incorporated accordingly.

7.2.2 Answer and documentation of completed inquiries, legal defense

We store the required documents for completed and answered inquiries by affected persons for a specified time to counteract possible later legal disputes (especially for the defense against claims) and to be able to address accountabilities (especial-ly against the regulating authority). Our justified interests are also based on the above (legal basis art. 6 para. lit. f GDPR). The processing of your personal data as described here is required for this purpose.

7.3 Recipients of personal data

7.3.1 Processing/answering of your inquiry

  • Internal FMG departments that can potentially process your personal data 
  • Corporate area Compliance by FMG
  • Data protection officer of FMG
  • Possible IT service providers as processors
  • In an individual case: External partners for the processing/answering of the inquiry or the defense of legal claims (e.g. external lawyer's offices)
  • Courts, public authorities or other government bodies in case of legal obligations

7.3.2 Answer and documentation of completed inquiries

  • Corporate area Compliance by FMG
  • Data protection officer of FMG
  • Possible IT service providers as processors
  • In an individual case: External partners for the processing/answering of the inquiry or the defense of legal claims (e.g. external lawyer's offices)
  • Courts, public authorities or other government bodies in case of legal obligations

7.4 Transmissions to third countries

A transfer of your above mentioned personal data to third countries does not take place.

7.5 Storage duration

Data are generally retained for three years for any subsequent legal disputes (legal basis: Art. 6 Par. 1 f) GDPR, balancing of interests). This period corresponds to the standard limitation period for claims under Section 195 of the Bürgerliches Gesetzbuch (BGB – German Civil Code). If no other limitation period is determined, the period commences at the end of the year in which the claim arose (Section 199 Par. 1 BGB).

The data are erased if they are no longer required and this is not precluded by legal retention periods.

7.6 Source of the data

Your personal data that we handle as part of the processing and answering of your inquiry are regularly provided by you. We either received the data from you as part of the inquiry, or the personal data are the result of the service booked by you, or the service used by you. We do not use any other source for the data acquisition. In individual cases, however, it is possible that third parties have transmitted certain data about you to us (e.g. an airline you use, with which you take off or land at Munich Airport).

7.7 Requirement of the provision of personal data

The provision of your personal data is not legally or contractually required, or re-quired for the establishment of a contract. You are not obligated to provide your da-ta.

However, the non-provision of your data may result in the fact that we cannot allo-cate certain data that is stored in our devices to your person and therefore cannot process and answer your inquiry or can only partly process and answer your inquiry.

7.8 Automated decisions, profiling

An automated decision making in accordance with art. 22 GDPR that causes a legal effect against you or a profile generation do not take place.

7.9 Option for removal/for revocation

By addressing datenschutzanfrage@munich-airport.de, you have the option to object to the processing of your personal data. However, a revocation may result in the fact that we cannot process and answer your inquiry or we cannot completely process and answer your inquiry.

Additional information about your rights in accordance with art. 15-21 GDPR can be found under item 6 of the data protection declaration.


8 Changes to the Privacy Statement

We reserve the right to amend this Privacy Statement to ensure that it is always in compliance with the current legal requirements or to implement changes in our services in the Privacy Statement, e.g. when introducing new services. For your next visit to our website the new Privacy Statement will then apply.

9 Status

December 2024