A. Purpose of data processing
Edelweiss processes the personal data of its customers for the purpose of carriage, which includes in particular
- reservation,
- booking,
- rebooking,
- cancellation,
- management of check-in,
- communicating with the customer with regard to carriage,
- operation of the flight,
- simplifying of immigration procedures,
- processing of irregularities in relation to baggage,
- improvement of offers from Edelweiss and its positioning in the market and
- securing payment transactions (also referred to hereinafter as “carriage”).
The basis for this processing of data is Art. 13 Sec. 2 Letter a FADP / Art. 6 Sec. 1 Letter b GDPR
B. Sharing of data with the authorities in Switzerland and abroad
1. Definition API and PNR data
API data (“Advanced Passenger Information”) is basic information about passengers that is required by certain government authorities for entering and leaving the country. It includes the name, date of birth, sex, nationality, travel document data and e-mail address of passengers. API data also includes other data, such as flight information (e.g. flight number and arrival and departure times).
PNR data (“Passenger Name Record”) is all the information and data required for carriage (e.g. booking code, name, e-mail address, flight information, payment information and details of travelling companions), plus any additional data in connection with carriage, in particular information sent by you (e.g. frequent flyer information or special requests) or third parties (e.g. travel agencies).
2. Disclosure to authorities
For legal and regulatory reasons, it is necessary that we share certain personal and booking information (including API and PNR data) with the governmental authorities in Switzerland and abroad.
2.1 Security and entry
For security reasons and to verify the entry formalities, the authorities in some countries require data about travel to and from these countries, as well as for overflights above their territory. In this context, Edelweiss is obliged to transfer your API and PNR data to domestic and foreign authorities. Such data is transferred based on intergovernmental agreements or national laws. Data of this kind is generally required by the authorities in the country of departure and arrival.
For example, under US law the border authorities (U.S. Customs and Border Protection) receive your personal information and information related to your trip when you book a flight between Switzerland and the USA. The US authorities have given the same guarantees with regard to the use of data to Switzerland as they have to the European Union; they will only use the information for combating terrorism and other serious, cross-border criminal offences. The data is stored for at least three years and six months and may also be shared with authorities in other countries. You can find additional information on the use of your data by foreign authorities and the measures to protect your data at the following link:
www.cbp.gov
2.2 Investigative activities
Edelweiss is obliged to share your personal data with criminal prosecution, administrative or judicial authorities in Switzerland and abroad in case they require its disclosure for the prevention or prosecution of crimes, misdemeanours, or comparable administrative misconduct. Such a transfer is only performed if based on legal or regulatory requirements.
The basis for this processing of data is Art. 13 Sec. 2 FADP / Art. 6 Sec. 1 Letter f GDPR
C. Credit assessment and anti-fraud measures
We reserve the right to verify payment transactions in order to prevent fraud and other improper usage in connection with payments. Internal and external sources of information are used for this purpose. If fraudulent activity is suspected and/or detected, we also reserve the right to share the relevant information (including personal data) with other companies of the Lufthansa Group, which may also check the data for their own purposes.
The basis for this processing of data is Art. 13 Sec. 2 FADP / Art. 6 Sec. 1 Letter f GDPR
D. Data processing by third parties in Switzerland and abroad
Edelweiss allows personal data to be processed by third parties in Switzerland and/or abroad (also in countries where legislation does not guarantee appropriate data protection) for the purpose of operating the website and to meet the purposes stated in this Privacy Statement.
In the case of the transfer of data to countries without appropriate data protection, Edelweiss ensures that the measures required are implemented (generally by signing recognised data protection agreements, e.g. based on standard contractual clauses of the EU), in order to protect personal data in accordance with the applicable data protection law.
Namely, Edelweiss transfers data for processing in all places where an Edelweiss flight destination is linked. Furthermore, within the framework of the Data Protection Act, data may also be transferred for processing within Europe, India, USA and Canada.
1. External data recipients
External recipients of personal data include
- service providers in the areas of ground handling, transport, marketing, customer feedback, IT, payment services and credit agencies,
- platforms for sending newsletters,
- operators of live help chat,
- companies of the Lufthansa Group,
- airlines outside the Lufthansa Group,
- partner companies as well as
- government offices and authorities.
2. Combating fraud and “unruly passengers”
“Unruly passengers” are passengers who display improper, aggressive or violent behaviour towards other passengers or the crew, or who damage the aircraft.
Edelweiss is entitled to exchange its passengers’ personal data within the Lufthansa Group and with other airlines in order to document, analyse and prevent cases of fraud and instances of "unruly passengers", and to process the data relating thereto.
If you have harmed or injured other passengers, Edelweiss can also disclose your personal data and information in connection with the harm and injury to other third parties (e.g. the authorities, injured persons and insurance companies).
The basis for this processing of data is Art. 13 Sec. 2 FADP / Art. 6 Sec. 1 Letter f GDPR
3. Booking process
If you start a booking process, we collect booking data and personal data, in particular your name, first name, date of birth, telephone number, e-mail address and, in encrypted form, your credit card information. This data is only stored if a payment process is initiated by the customer.
The basis for this processing of data is Art. 13 Sec. 2 Letter a FADP / Art. 6 Sec. 1 Letter b and f GDPR