A. Principle

Protecting the privacy of our customers is very important to Edelweiss. In the following, we set out the principles according to which we collect and process personal data (information that determines your identity or makes it determinable for us; hereinafter also referred to as “data”) via this website and other websites and applications operated by Edelweiss (hereinafter also referred to as “website”) and for what purposes. This information is particularly intended for:

· users of our website;

· passengers;

· individuals who use our services or who may be interested in them;

· contacts of our business customers and partners;

· individuals who contact us;

· recipients of our newsletters, personalised offers and other marketing communications and activities;

· participants in customer satisfaction and opinion surveys;

· participants at events.

Please note that there is additional information on specific data processing (such as our Cookie Policy). We also often provide you with the relevant information at the place where we collect your personal data. Please also consult the contractual conditions for individual services, for passengers in particular our General Conditions of Carriage.

We collect and process your personal data carefully, only for the purposes described in this privacy policy and only to the extent necessary and within the scope of the applicable legal provisions. We retain your personal data only to the extent and for as long as necessary for the provision of our services, or we are required to do so by law. If you provide us with data about other persons (e.g. family members or friends for joint bookings), we assume that you are authorised to do so and that the data is correct. Please ensure that the persons concerned are informed of this privacy policy.

We have aligned this privacy policy with both the Federal Act on Data Protection (FADP) and the European General Data Protection Regulation (GDPR). Whether these and/or other data protection laws apply depends on their scope in each individual case.

Section I contains the general data protection information and Section II contains specific cases of data processing.

B. Controller responsible for data processing

Unless communicated otherwise, the controller of the data processing described in this privacy policy is:

Edelweiss Air AG
The Circle 32
CH-8058 Zurich Airport
Switzerland

Website: www.flyedelweiss.com

(hereafter “Edelweiss”, “we” or “us”)

 

Our EU representative pursuant to article 27 GDPR is:

Swiss International Air Lines AG Frankfurt Branch
Cargo City Süd 558 c
D-60549 Frankfurt am Main
Germany

C. Contact

If you have any questions about this privacy policy or about data protection at Edelweiss, or if you wish to exercise your data protection rights in accordance with Subsection L, please contact:

Edelweiss Air AG
Data protection officer
The Circle 32
CH-8058 Zurich Airport
Switzerland

dataprotection@flyedelweiss.com

Inquiries not related to data protection such as requests or feedback on individual bookings or services will not be answered nor forwarded by our Data Protection team.

D. Sources of personal data

You often disclose personal data to us yourself, for instance when you send us data or communicate with us. The provision of personal data is voluntary in most cases, which means that you are not generally obliged to disclose your personal data to us. However, we do have to collect and process the personal data that is required for processing contractual relationships and fulfilling associated obligations or that are prescribed by law as we would otherwise be unable to conclude or continue the contract in question. For example, you need to provide us with information that we are bound to transfer to local or foreign authorities, so we are allowed to carry you to your flight destination (see Subsection E.3).

We may also collect personal data about you ourselves or automatically, such as when you book a flight or use other offers. This may be technical data about your device, data about the transaction or your behaviour. For example, we can analyse the data collected during the booking process and, on this basis, make assumptions about your personal interests, preferences, affinities, and habits. This enables us, for instance, to tailor our offers and information to your individual needs and interests (see Subsection J).

We may also receive personal data from other companies of the Lufthansa Group. Further information about this can be found in Subsection E.6. We may also receive information about you from other third parties, such as companies we work with, persons who communicate with us or public sources.

For example, we may receive information about you from the following third parties:

· cooperation partners;

· persons that act on your behalf (family members, legal representatives);

· travel service providers you use;

· banks, insurance companies, distribution partners, and other contractual partners for payments;

· providers of online services, e.g. providers of internet analysis services;

· information services for compliance with statutory requirements such as export restrictions;

· authorities, parties, and other third parties in connection with official and judicial proceedings;

· public registers such as the debt collection or commercial register, from public offices, from the media, or from the internet.

E. Main purposes

In short, we process personal data for the following purposes:

· processing of contracts, for example, the processing necessary to conduct your flight and to provide other services;

·  information and marketing;

· compliance with legal requirements;

· security;

· protection of rights;

· administration and support within the Lufthansa Group;

· specific use cases (as described in Section II).

1. Processing of contracts (carriage and other services)

We process personal data in connection with the initiation, administration, and processing of contractual relationships. Contract processing also includes any agreed personalization of services.

If you are a passenger, we process the data you provide us with when you book a flight and other services to fulfil the contract of carriage and the respective service contracts. The mandatory and optional information is indicated in the booking process (such as name, email address, phone number, payment information, travel documents etc.) and only stored if you complete the booking. Additional services may be offered by us or our partners and include advance seat reservation, additional baggage, pre-order of meals, upgrade options (including bid upgrade services), baggage collection and check-in service, travel insurance, accommodation, car rental, package deals and other services.

The purpose of contract processing generally comprises everything that is necessary or reasonable for concluding, executing, and, where applicable, enforcing a contract.

For example, this includes processing in order to:

· communicate with you;

· provide customer service;

· administer and manage our IT and other resources;

· process payments and for accounting purposes in general;

· store data in compliance with retention obligations;

· establish, notify, and, if applicable, publish winners of raffles or similar campaigns;

· assert legal claims from contracts;

· terminate and end contracts.

Our basis for this processing is the performance of a contract to which you are a party or for pre-contractual measures (Art. 6 Sec. 1 Letter b GDPR).

2. Information and marketing

We process personal data for relationship management and marketing purposes, for example in order to send you newsletters and offers to carry out marketing campaigns. These may include our own offers, those of other companies of the Lufthansa Group, or those of partners. Messages and offers may be personalized. We may use technologies that allow us to determine if the recipients have opened the message or interacted with promotional materials in another way.

If we ask you for consent, for example when you subscribe to a newsletter, our basis for this processing is your consent (Art. 6 Sec. 1 Letter a GDPR). If we process personal data for information and marketing activities without asking for consent, we have concluded on a case-by-case basis that our legitimate interest forms a sufficient basis for that processing (Art. 6 Sec. 1 Letter f GDPR). See Subsection L for information about your right to withdraw your consent or to object to processing.

3. Compliance with legal requirements

We process personal data in order to comply with legal obligations and to prevent and detect infringements. Our obligations may derive from Swiss laws and intergovernmental agreements or from the laws and regulations of any country worldwide, as well as self-regulations, industry and other standards, our own “Corporate Governance”, or official directives.

For the carriage of passengers specifically, we may be legally required to collect and disclose defined personal data to authorities in the countries on the travel itinerary. This may include the following personal data:

· “Advanced Passenger Information” (API Data): basic information about passengers that is required by specific government authorities for entering and leaving the country. It includes the name, date of birth, sex, nationality, travel document data and e-mail address of passengers. API data also includes other data, such as flight information (e.g. flight number, arrival and departure times);

· “Passenger Name Record” (PNR Data): information and data required for carriage (e.g. booking code, name, e-mail address, flight information, payment information, details of travelling companions), plus any additional data in connection with carriage, in particular information sent by you (e.g. frequent flyer information, special requests) or third parties (e.g. travel agencies);

· health data such as a specific immunization status;

· child travel permit, if a child is travelling alone or with one parent only.

This information is required for legal, security, regulatory and administrative reasons, which may include the following purposes:

· border control;

· immigration formalities;

· to combat organized and international crime, terrorism, and other serious crimes;

· for public health purposes; e.g. orders by an authority for combating an epidemic or pandemic;

· other lawful purposes subject to applicable law.

Usually, such data is required by the authorities of the country of departure and/or arrival and therefore must be disclosed to Swiss and foreign authorities involved, such as criminal prosecutors, judicial, health or other administrative authorities. For example, the U.S. border authorities (U.S. Customs and Border Protection) receive API and PNR data when you book a flight between Switzerland and the USA. The U.S. authorities have given the same guarantees with regard to the use of data to Switzerland as they have to the European Union; they will only use the information for combating terrorism and other serious, cross-border criminal offences. The data is stored for at least 15 years and can be passed on to authorities in other countries. Additional information on the use of your data by foreign authorities and on protective measures can be found at the following link:

www.cbp.gov

Edelweiss is also obliged to disclose your personal data to Swiss and under circumstances foreign criminal prosecution, judicial or administrative authorities if they require the disclosure in order to prevent or prosecute crimes, misdemeanours or administrative misconduct or for administrative duties.

Data transfers to authorities are based on our legitimate interest in complying with Swiss and foreign laws and in supporting the above-mentioned purposes (Art. 6 Sec. 1 Letter c and f GDPR). If the processing relates to special categories of personal data (such as health data) the legal basis is Art. 9 Sec. 2 Letter a, g or i and Art. 10 GDPR.

4. Security

We process personal data for security purposes – for your and our security. Examples of processing for this purpose include:

· IT security measures;

· physical access control;

· imposition of flight bans to “unruly passengers”. “Unruly passengers” are passengers who display improper, aggressive, or violent behaviour towards other passengers or the crew, or who damage the aircraft.

· exchange of data within the Lufthansa Group and other airlines in order to document, analyse, and prevent cases of fraud and instances of “unruly passengers”;

· disclosure of data in connection with harm, injury and criminal acts to authorities and insurance companies.

The basis for this data processing is our legitimate interest in ensuring that the data is processed in a secure manner (Article 6 Sec. 1 Letter f GDPR).

5. Protection of Rights

We want to be able to establish and enforce our claims and defend ourselves against the claims of others. Our claims may include claims of employees, companies affiliated with us and our business partners. We therefore also process personal data for the protection of rights, for instance in order to enforce claims judicially, before or out of court, and before authorities worldwide, or to defend ourselves against claims.

The legal basis for this data processing is our legitimate interests in protecting our rights (Art. 6 Sec. 1 Letter f GDPR).

6. Administration and support within the Lufthansa Group

The Lufthansa Group maintains and builds processes that serve all or several Lufthansa Group companies to improve efficiency and stay competitive. Edelweiss and other Lufthansa Group companies may therefore share personal data in order to support each other’s processing purposes in accordance with this privacy policy (see Subsection G.1).

Examples of joint administration and support are:

· administration of IT including systems used by multiple Lufthansa Group companies;

· central storage and management of data used by multiple Lufthansa Group companies;

· training and education;

· forwarding of inquiries that concern other Lufthansa Group companies;

· joint anti-fraud measures (see Section II Subsection B);

· data sharing on “unruly passengers” (see Subsection E.4);

· generally, the review and improvement of inter-company processes.

The legal basis for this data processing is our legitimate interest in efficient administration and support within the Lufthansa Group (Art. 6 Sec. 1 Letter f GDPR).

F. Legal bases according to the GDPR

Depending on the applicable law, data processing is only permitted if the applicable law specifically allows it. This does not apply under the FADP, but it does apply under the GDPR. If not indicated for the respective purpose above, the processing of your personal data is based on one of the following legal bases:

· your consent, when we requested it, for example for newsletters, marketing cookies etc. (Art. 6 Sec. 1 Letter a GDPR);

· fulfilment of a contract with you or for pre-contractual measures, for example in the context of a booking with us or with one of our partners (Art. 6 Sec. 1 Letter b GDPR);

· compliance with a legal obligation, for example, our obligation as air carrier to communicate API data to the competent authorities based on EU Directive 2004/82/EU and article 104 et seq. Swiss Federal Act on Foreign Nationals and Integration (Art. 6 Sec. 1 Letter c GDPR);

· legitimate interests including our own interests and third-party interests, for example in enhancing customer satisfaction, in advertising and marketing activities, in safeguarding and organizing business operations, including the development of websites, in protecting passengers, customers, employees, and other individuals, as well as data, secrets, and assets of the Lufthansa Group, in risk management, in the enforcement or defence of legal rights and claims and in complying with Swiss and foreign law as well as internal rules and regulations (Art. 6 Sec. 1 Letter f GDPR).

G. Data disclosures

1. Data disclosure to Lufthansa Group companies

Edelweiss belongs to the Lufthansa Group. More information and reports by the Lufthansa Group and its companies are available in its Lufthansa Group Company Profile. Edelweiss may disclose personal data within the Lufthansa Group in order to perform and fulfil its contractual obligations towards you, your booking requests or customer service. Disclosure may serve to facilitate intra-Group administration or support of the group companies concerned and their own processing purposes.

We often work with other Lufthansa Group companies as joint controllers according to data protection law. We also often engage other Lufthansa Group companies as service providers.

2. Other companies and authorities

We may disclose your personal data to other companies if we make use of their services. These service providers generally process personal data on our behalf as so-called “processors”. Our processors are obliged to only process personal data in accordance with our instructions and to take suitable measures to ensure data security. Certain service providers are also joint controllers or independent controllers.

Examples include services in the following areas:

· travel technology;

· advertising and marketing services, for example for the delivery of messages and information;

· corporate management services, accounting or asset management for example;

· payment services;

· IT services, for example in the areas of data storage (hosting), cloud services, the delivery of e-mail newsletters, and data analysis and refinement;

· advisory services, for example the services of tax advisers, lawyers, management consultants.

In individual cases, we may disclose personal data to other third parties for their own purposes, for example if you have granted your consent or we are legally obliged or authorized to share such information. In such cases, the data recipient is legally responsible as independent controller of the data and usually provides its own data protection notice.

Examples of such cases include the following:

· the disclosure of personal data to courts and authorities within Switzerland and abroad (see Subsection E.3);

· the processing of personal data in order to comply with a court or administrative order, or to enforce or defend legal rights or claims, or if we consider such processing to be necessary on any other legal grounds. We may also disclose your personal data to other parties involved in any proceedings.

Please take note of our Cookie Policy concerning independent data collection by third-party providers whose tools we have integrated into our websites.

H. Transfer of personal data to countries outside Switzerland and the European Economic Area

As an airline operating worldwide, we transfer your personal data potentially to every country of the world according to this privacy policy. The countries in question may not have laws that protect your personal data to the same extent as in Switzerland or the European Economic Area. If we transfer your personal data to such a country, we will ensure that your personal data is protected in an appropriate manner.

One means of ensuring adequate data protection is, for example, to conclude data transfer agreements with the recipients of your personal data in third countries that ensure the required level of data protection. This includes agreements that have been approved, issued, or recognized by the European Commission and the Swiss Federal Data Protection and Information Commissioner, known as standard contractual clauses. An example of the data transfer agreements generally used by us is available on the website of the EU commission. Please note that such contractual arrangements can partially compensate for weaker or missing statutory protection but cannot rule out all risks completely (e.g. government access abroad). In exceptional cases, transfer to countries without adequate protection may also be permissible in other cases, e.g. based on consent, in connection with legal proceedings or if the transfer is necessary for the execution of a contract.

I. Retention of personal data

We retain your personal data:

· for as long as it is required for the purpose of processing and compatible purposes, in the case of contracts normally for at least the duration of the contractual relationship;

· for as long as it is subject to a statutory retention requirement. For example, a ten-year retention period applies to certain data;

· for as long as we have a legitimate interest in storing it. This may be the case, in particular, if we need personal data to enforce or defend claims, for archiving purposes, and to ensure IT security.

J. Profiling and automated decision-making with legal effect

“Profiling” refers to a procedure during which personal data is processed on an automated basis in order to analyse personal aspects or make predictions, e.g. the analysis of personal interests, preferences, affinities, and habits or the prediction of likely behaviour. Profiling is a common procedure across industries. Profiling supports us in the purposes mentioned in Section I Subsection E and Section II and is based on the legal bases mentioned. For example, profiling helps us to:

· continuously improve our offers and tailor them to individual needs;

· present our contents and offers to you in accordance with your needs;

· show you advertisements and offers that are likely to be relevant for you;

· support you better with our customer service.

We do not make any decision about you which is based solely on automated processing and which has legal consequences for you or significantly affects you in a similar way. If we do, we will notify you separately. You will then have the opportunity to have the decision reviewed by a human being.

K. Data security

We take appropriate technical and organizational security measures in order to safeguard your personal data, protect you against unauthorized or unlawful processing activities, and to counter the risk of loss, unintentional changes, inadvertent disclosure, or unauthorized access. However, like all companies, we cannot completely rule out data security infringements; certain residual risks are unavoidable.

Security measures of a technical nature include the encryption and pseudonymisation of data, record-keeping, access restrictions, and the storage of data backups. Security measures of an organizational nature include staff training, confidentiality agreements and audits. We also require our processors to take appropriate technical and organisational security measures.

Edelweiss does not, however, guarantee the security of your data. It is your responsibility to maintain an up-to-date backup copy of the data transmitted and to store it off-site. It is also your responsibility to choose a secure password for your account, to keep it safe and to change it regularly.

L. Your rights regarding your personal data

You have the right to object to data processing particularly if we process your personal data on the basis of a legitimate interest and the other applicable requirements are met. An objection only has future effect and does not affect previous processing. If, on account of the objection, Edelweiss is no longer able to perform the services contractually agreed with you, the objection is deemed to be a breach of contract by the customer and Edelweiss has the right to terminate its contract with you without notice. Payment obligations already contractually entered into by the customer remain in force.

You can also object to data processing in connection with direct advertising (e.g. advertising e-mails) at any time. This also applies to profiling, to the extent it is related to direct advertising.

Provided the applicable conditions are met and there are no applicable statutory exceptions, you also have the following rights:

· the right to request information about your personal data stored by us;

· the right to have inaccurate or incomplete personal data corrected;

· the right to request the deletion or anonymization of your personal data;

· the right to request that the processing of your personal data be restricted;

· the right to receive certain personal data in a structured, commonly used and machine-readable format;

· the right to revoke consent with effect for the future, insofar as processing is based on consent.

Please note that these rights may be restricted or excluded in individual cases, e.g. if there are doubts about the identity or if this is necessary to protect other persons, to safeguard interests worthy of protection or to comply with legal obligations. If exercising certain rights will incur costs on you, we will notify you thereof in advance.

In general, exercising these rights requires that you prove your identity (with a copy of your passport or ID where your identity is not evident otherwise or cannot be verified in another way).

To exercise these rights, you can contact Edelweiss at the address given in Subsection C.

We appreciate the opportunity to address any concerns you may have in relation to our data processing. However, you are free to lodge a complaint with a competent supervisory authority.

M. Updates

We review this privacy policy regularly and update it as necessary. The current version published on our website shall apply.

A. Website access

We collect information that your browser automatically transmits to us when visiting our website. These may include the following data:

· Internet Protocol address (IP address) of the user’s device;

· Internet service provider;

· operating system, browser type and browser version used;

· date and time of the server request;

· requested website;

· referrer URL (the website previously visited).

The data automatically collected as described above is processed for the purposes of proper functioning of our websites, e.g. for establishing a connection, ensuring stability and uninterrupted system security, to improve our services, and for statistical purposes.

The legal basis for the data processing is our legitimate interest in said purposes (Art. 6 Sec. 1 Letter f GDPR).

On our websites, we also process personal data with so-called cookies and similar technologies for additional purposes such as analytics and marketing. For more information, please see our Cookie Policy.

B. Anti-fraud measures

We reserve the right to verify payment transactions in order to prevent fraud and other improper usage in connection with payments. Internal and external sources of information are used for this purpose. If fraudulent activity is suspected and/or detected, we also reserve the right to share the relevant information (including personal data) with other Lufthansa Group companies which may also verify the data for their own purposes.

The basis for this data processing is our legitimate interest in fraud prevention (Art. 6 Sec. 1 Letter f GDPR).

C. Upgrade bidding

On certain routes Edelweiss allows you to bid for an upgrade. Here you have the option of bidding for an upgrade to the next higher class of carriage. Edelweiss offers you this service in cooperation with an external service provider. In order to carry out this process, flight-related information (name, e-mail address, flight information, class of carriage) as well as the amount of your bid are transmitted to the service provider. This is used to allocate your upgrade to your originally issued flight ticket if your offer is accepted and to automatically adjust this for you. Detailed information on the processing of your data when using the Upgrade Bidding service can be found at the following link:

www.plusgrade.com

The basis for this data processing is the fulfilment of the contract in our upgrade bidding service (Art. 6 Sec. 1 Letter b GDPR).

D. Offers from third parties in the scope of carriage

In the scope of the carriage, Edelweiss will show you offers from third parties (e.g. from hotels or car rental companies) on its website. If you have given us your consent, we will also show you such offers as part of the communication before departure.

The basis for this data processing is your consent (Art. 6 Sec. 1 Letter a GDPR).

E. Insurance

While booking, Edelweiss will offer you travel insurance on its website, provided by a third party. If you obtain the insurance (i.e. if it is “ordered” online), Edelweiss receives data from you, performs the billing directly on behalf of the third party (payment is made to Edelweiss) and sends data to the third party, such as the name of the person applying, the length of the trip and the booking code. The third party then sends you an e-mail with the relevant policy, of which Edelweiss also receives a copy.

The basis for this data processing is the fulfilment of the contract (Art. 6 Sec. 1 Letter b GDPR).

F. Newsletter

Upon request, we will keep you informed about relevant developments and offers from Edelweiss. We use the so-called double opt-in procedure to subscribe to our newsletter: when you subscribe to our newsletter on the website, for example by clicking a confirmation field, we will send you a notification e-mail. You can confirm your subscription by activating the relevant link. If you no longer wish to receive newsletters from Edelweiss, you can unsubscribe free of charge in the newsletter itself at any time.

We process your data associated with the newsletter in order to send you news about and related to Edelweiss and our partners. In addition, we also process and use the e-mail address you have entered in order to send you personalised offers associated with the newsletter.

If a link in the newsletter directs you to our websites, you also give us permission to process and use your IP address, together with geodata, web beacons or similar technologies, in order to verify whether the offers presented to you in the course of this communication meet your requirements.

Edelweiss works together with external service providers for the dispatch of the newsletter.

The basis for this data processing is your consent (Art. 6 Sec. 1 Letter a GDPR).

G. Customer satisfaction surveys

As part of analysis activities and in order to be able to offer better customer service, Edelweiss may ask you to participate in customer satisfaction surveys after you have completed your Edelweiss flight. If you would like to refrain from receiving such offers or requests at a later date, you can unsubscribe from them at any time free of charge in the corresponding e-mail via the link listed there.

The basis for this data processing is the legitimate interest in improving our offer (Art. 6 Sec. 1 Letter f GDPR).

H. Live Chat

Edelweiss provides you with online advice on flyedelweiss.com in the form of a live chat service. During a chat, the service provider sees your details on the Edelweiss website (collected via a cookie of this tool), which help him to assist you. In addition, the service provider has access to the Edelweiss passenger database (e.g. database with bookings and reservations) and can check certain data on your behalf if you give your name to the service provider and ask the service provider to check it.

Edelweiss works together with an external service provider for the operation of the live chat service.

The legal basis for processing your data is:

· fulfilment of the contract (Art. 6 Sec. 1 Letter b GDPR), if your concern relates to an existing or planned booking;

· our legitimate interest (Art. 6 Sec. 1 Letter f GDPR) in providing an optimal service and anti-fraud measures, as well as the establishment, exercise and defence of legal claims.

I. Sponsorship and cooperation requests

For the purpose of verifying and processing requests related to a potential sponsorship/partnership relationship, Edelweiss processes the personal data of the applicants.

No automated decision-making including profiling is carried out.

The basis for this data processing is the fulfilment of the contract or the implementation of pre-contractual measures (Art. 6 Sec. 1 Letter b GDPR).

J. Facebook and Instagram

Edelweiss’ official Facebook and Instagram pages are used to communicate company and product innovations, as well as attractive short and long-haul offers.

In addition, Edelweiss offers customer support via Facebook and Instagram.

We process data for the following purposes:

· evaluating analyses and statistics for the Facebook and Instagram page in relation to the interactions of its users;

· optimisation of the Facebook and Instagram page in terms of its user-friendliness and attractiveness and introduction of user-friendly marketing measures;

· other communication and interactions initiated by Facebook and Instagram users.

The legal basis for data processing when you contact us is your consent (Art. 6 Sec. 1 Letter a GDPR). In other cases, the legal basis for data processing is our legitimate interest (Art. 6 Sec. 1 Letter f GDPR) in optimising our communication on these platforms.

K. Edelweiss Experiences

Edelweiss processes personal data as part of the “Edelweiss Experiences” series of events. This data is processed for the following purposes:

· contacting the winners;

· organisation of event participation (e.g. booking the flight);

· analysing the interests of the members.

The personal data will be anonymised after the respective events have taken place.

The basis for this data processing is your consent (Art. 6 Sec. 1 Letter a GDPR).