Data Protection Statement (as of 05 February 2021)
(As of 05 February 2021)
I. Name and contact details of the data controller
1. The protection of your personal data is very important to us. In the following, we would like to inform you in detail about what personal data is processed when using our website and offers.
2. The responsible data controller according to Art. 4 para 7 General Data Protection Regulation (“GDPR”) is the company
Schauenburgerstraße 61, 20095 Hamburg
(hereafter: “MYFLYRIGHT”). Further information can be found in our imprint.
3. You can reach our data protection officer at email@example.com or alternatively by post at our address with the addition “data protection officer”.
4. We process personal data in strict compliance with the applicable data protection regulations. This means the data will only be processed with legal permission; in particular, if the processing of the data is necessary for the provision of our contractual and online services, e.g. when consent is legally required, as well as on grounds of our legitimate interest (i.e. interest in the analysis, optimization and economic operation and security of our online content within the meaning of Art. 6 para. 1 lit. f. GDPR, especially for range measurement, creation of profiles for advertising and marketing purposes, collection of access data and use of third-party services).
5. The legal basis of consent is Art. 6 para. 1 lit. a. and Art. 7. GDPR. The legal basis for the processing of data in order to provide our service and execute contractual duties is Art. 6 para. 1 lit. b. GDPR. The legal basis for the processing of data in order to fulfil our legal obligations is Art. 6. Para. 1 lit. c. GDPR, and the legal basis for the processing of data for the safeguarding of our legitimate interests is Art. 6, para 1. lit. f. GDPR.
II. Collection and storage of personal data
a) When visiting the website
1. When you visit our website, the browser used on your device automatically sends information to the server of our website. This information is temporarily stored in a so-called log file. The following information will be collected without your intervention, and stored until automated deletion:
- IP address,
- Date and time of the request,
- Duration of website visit,
- Time zone difference to Greenwich Mean Time (GMT),
- Content of the request (specific page),
- Access Status/ HTTP status code,
- Amount of data transmitted,
- Website from which the request comes,
- Websites you visit with us,
- Internet service provider,
- Browser type,
- Server log files,
- Operating system and its interface,
- Language and version of the browser software.
2. The data mentioned is processed by us for the following purposes:
- Ensuring smooth connection of the website,
- Ensuring comfortable use of our website,
- Evaluation of system security and stability as well as for further administrative purposes.
b) When contacting us
When you contact us by e-mail, telephone, postcard or via a contact form, the data provided by you (e.g. e-mail address, address, name, telephone number or content of the request) will be processed by us to answer your questions and/ or process your request. The legal basis for this is Art. 6 para. 1 lit. b GDPR.
c) During contract fulfilment
1. If you entrust us with the implementation of your passenger compensation, we will collect and use the following personal data from you, for the fulfilment, processing and billing of the contractual services:
- Passenger title,
- Passenger first name,
- Passenger last name,
- Passenger address,
- Passenger e-mail address,
- Passenger phone number,
- Payment details (PayPal or bank account) for the payment of the compensation,
- Number of passengers.
Contract and flight data
- Flight data (e.g. flight number, date, time),
- Travel information needed to enforce your compensation,
- Travel documents (e.g. booking, boarding pass, etc.),
- Information on compensation already received and ongoing complaint procedures,
- Signed declaration of assignment.
2. The data processing is based on your request and is required pursuant to Art. 6 para. 1 lit. b GDPR for the stated purposes for the appropriate processing of the mandate and for the mutual fulfilment of obligations arising from the contractual relationship.
III. Transfer of data
1. No transfer of your personal data to third parties will occur for purposes other than those listed below. Transfer of your personal data to third parties will only take place if you have expressly consented to this pursuant to Art. 6 para. 1 lit. a GDPR, the transfer is required pursuant to Art. 6 para. 1 lit. f GDPR to assert, exercise or defend legal claims, and additionally there is no reason to assume that you have a prevailing legitimate interest in not transferring your data, in the event that there is a legal requirement to transfer the data pursuant to Art. 6 para. 1 lit. c GDPR, and if this is permitted by law and in accordance with Art. 6 para. 1 lit. b GDPR is required for the settlement of contractual relationships with you.
2. Insofar as this is required pursuant to Art. 6 para. 1 lit. b GDPR for the settlement of contractual relationships with you, your personal data will be passed on to third parties. This includes, in particular, passing on to our lawyers, experts, opponents of the proceedings and their representatives (in particular their lawyers), as well as courts and other public authorities for the purpose of correspondence, as well as asserting and defending your rights.
3. Your data will be forwarded to supporting service providers for the above purpose, which will of course be carefully selected and bound by instructions. These include, in particular, technical service providers (hosters, service providers, operators of communication applications, etc.) who support the provision of services. Transferred data may only be used by the third parties for the stated purposes. Our obligation to confidentiality remains unaffected.
3. The data processed by cookies is required for the purposes mentioned in order to safeguard our legitimate interests as well as third parties according to Art. 6 para. 1 lit. f GDPR. Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or a notice always appears before a new cookie is stored. However, disabling cookies completely may mean that you cannot use all features of our website.
V. Analysis tools
The tracking measures listed below and used by us are employed based on Art. 6 para. 1 lit. a GDPR. With these tracking measures, we want to ensure the needs-based design and the continuous optimization of our website. On the other hand, we use the tracking measures to statistically record the use of our website and evaluate it for the purpose of optimizing our offer for you. These interests are to be regarded as justified within the meaning of the aforementioned provision. The respective data processing purposes and data categories can be found in the corresponding tracking tools.
Google Adwords Conversion-Tracking
1. We use the online advertising program “Google AdWords” and conversion tracking as part of Google AdWords. Google Conversion Tracking is an analytical service provided by Google LLC, Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google“). When you click on a Google ad, a cookie for conversion tracking is stored on your computer. The cookies expire after 30 days. These cookies do not contain personal data and cannot be used to identify you.
2. If you visit certain pages of our website and the cookie has not yet expired, Google and MYFLYRIGHT can detect that you have clicked on the ad and were re-directed to this page. Every Google AdWords customer receives a different cookie. It is not possible, therefore, to track cookies via the websites of AdWords customers. The information obtained by the conversion cookie is used to generate conversion statistics for AdWords customers who utilize conversion tracking. With a conversion tracking tag, customers can see the total number of users who clicked on their ad and were re-directed to their page. They do not, however, receive information that can personally identify users.
Google Dynamic Remarketing
1. We use the remarketing or “similar target group” function provided by Google LLC, Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google“) on our websites. This feature enables us to provide users of our website with targeted advertising by displaying personalized, interest-based advertisements when you visit other websites in the Google Display Network.
Google Tag Manager
This website uses the Google Tag Manager. This service allows website tags to be managed through an interface. The Google Tool Manager only implements tags. This means that no cookies are used and no personal data is collected. The Google Tool Manager triggers other tags, which in turn collect data if necessary. However, the Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, it remains valid for all tracking tags if they are implemented with the Google Tag Manager. You can find more information about Google Tag Manager under following links:
1. We use the analysis and feedback tool provided by Hotjar Ltd., Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta (“Hotjar”). With Hotjar we analyse how you use our website. The tool shows us the surfing behaviour of our website visitors and enables us to get feedback from them.
2. We do not collect any personal data through this service. With Hotjar, we record only random and anonymous mouse clicks, mouse movements, scroll activities and non-personal text data from input fields. This means that only browser information (browser type, version, screen size, etc.); general information about the user (IP address (collected and stored in an anonymous format); language; time zone; country) and data about mouse movements, clicks, scrolling events and keystrokes are sent to Hotjar. Keystrokes in password fields or fields classified as “sensitive” are not recorded.
Facebook-, Custom Audiences und Facebook-Marketing-Services
1. Due to our legitimate interest in the analysis, optimization and economic operation of our online offer and for these purposes within the meaning of Art. 6 para. 1 lit. f GDPR we use the so-called “Facebook pixel” of the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are a resident of the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).
2. With the help of the Facebook pixel, Facebook is on the one hand able to determine the visitors of our online offer as a target group for the presentation of advertisements (so-called “Facebook Ads”). Accordingly, we use the Facebook pixel to display our Facebook Ads only to Facebook users who have shown an interest in our Websites or who have specific characteristics (e. g. interests in certain topics or products determined by the websites visited) that we submit to Facebook (so-called “custom audiences”). With the help of the Facebook pixel, we also want to make sure that our Facebook Ads are in line with the potential interest of users and do not have a nuisance effect. Using the Facebook pixel, we can also track the effectiveness of Facebook Ads for statistical and market research purposes by seeing whether users have been redirected to our website after clicking on a Facebook Ad (so-called “conversion”).
3. The Facebook pixel is directly integrated into our web pages by Facebook and can store a so-called cookie, i.e. a small file, on your device. If you then log in to Facebook or visit Facebook when you are logged in, your visit to our online offer will be noted in your profile. The data collected about you is anonymous for us, i. e. it does not allow us to draw conclusions about the identity of the users. However, the data is stored and processed by Facebook so that it can be linked to the respective user profile and used by Facebook as well as for its own market research and advertising purposes. If we transfer data to Facebook for comparison purposes, it is encrypted locally in the browser and only then sent to Facebook via a secure https connection. This is done with the sole purpose of matching the data encrypted by Facebook.
4. Facebook’s processing of the data is governed by Facebook’s Data Usage Policy (https://www.facebook.com/policy.php). For specific information and details about the Facebook pixel and how it works, please visit the Facebook Help Center (https://www.facebook.com/business/help/742478679120153?id=1205376682832142).
5. You may object to the collection by the Facebook pixel and use of your data to display Facebook ads. To set what kind of ads you see on Facebook, you can go to the page set up by Facebook and follow the instructions on how to set up use-based advertising (https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen).
VI. Other used programs and tools
1. When you contact us (e.g. using the contact form, live chat, fax or email), personal data is collected. Which data is collected in the case of a contact form can be seen in the respective contact form. These data are stored and used exclusively for the purpose of answering your request or for establishing contact and the associated technical administration.
2. The legal basis for processing the data is our legitimate interest in answering your request in accordance with Art. 6 Para. 1 lit.f GDPR. If your contact is aimed at concluding a contract, the additional legal basis for processing is Art. 6 Para. 1 lit.b GDPR.
3. In favor of our legitimate interest in fast and customer-friendly communication and technical administration, we use the following partner application in accordance with Art. 6 Para. 1 lit. f GDPR: Incoming e-mails, faxes and inquiries via our contact form or live chat are processed and stored by us with an application from Zendesk, a customer service platform from Zendesk Inc., 1019 Market Street San Francisco, CA 94103. To protect your data in the USA, we have concluded a Data Processing Agreement (DPA) with Zendesk based on the standard contractual clauses of the European Commission to enable the transfer of your personal data to Zendesk. Binding Corporate Rules (BCR) for data exchange within companies of the Zendesk Group are available at:
4. For more information, please refer to Zendesk's data privacy policies: https://www.zendesk.de/company/privacy-and-data-protection/
1. We use the MailChimp program to send emails to you. MailChimp is a service provided by The Rocket Science Group, LLC, 512 Means Street, Suite 404, Atlanta, GA 30318, USA. The data you stored with us when registering for the newsletter (e-mail address, name, IP address, date and time of your registration,) will be transferred to a server of The Rocket Science Group in the USA and there in compliance with the "EU-US Privacy Shield" saved. For more information about the "EU-US Privacy Shield" please visit following website: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en
2. For more information about MailChimp please visit following website: http://mailchimp.com/legal/privacy/
3. You can cancel or revoke the subscription of the newsletter and thus your consent to the storage of your data at any time in the future. You find more information in the confirmation email and in each individual newsletter.
4. The legal basis for the processing of the data is Art. 6 Para. 1 lit. a GDPR.
1. CloudFlareals CDN ("Content Delivery Network") is used to secure this website and optimize the loading times. The provider is CloudFlare, Inc., 665 3rd St. # 200, San Francisco, CA 94107, USA. Therefore, all inquiries are forcibly passed through their server and consolidated into statistics that cannot be deactivated. According to their own statements, the raw data collected is usually deleted within 4 hours, at the latest after 72 hours. The company Cloudfare has joined the “EU-US Privacy Shield” and thereby ensures that the data protection standards required by the EU are complied according to the EU data protection law.
2. For more information, visit the Cloudflare website: https://www.cloudflare.com/security-policy/
3. The use of Cloudflare serves to make the use of our offer more pleasant for you. The legal basis for the data processing is Art. 6 para. 1 lit. f. GDPR.
1. We use the Trustpilot rating system to receive customer feedbacks and to publish them. These feedbacks are on a voluntary basis. For the purpose of using Trustpilot, we forward your e-mail address, your name and our internal case number to Trustpilot A/S, Pilestraede 58, 5. Etage, DK-1112 Kopenhagen (“Trustpilot”). If you use the rating system (you may need to register first), your feedback will be published on our website and on the websites of Trustpilot and its partners according to Trustpilot’s guidelines. There is no right to publication and customers are not allowed to infringe any third-party copyrights.
2. For more information visit the Trustpilot website:
3. The legal basis for the data processing is Art. 6 para. 1 lit. f. GDPR. You can revoke this consent at any time. The legality of the data processing already carried out remains unaffected by the revocation.
1. We use Google reCAPTCHA (hereinafter: reCAPTCHA) on our websites. The provider is Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. The reason for using reCAPTCHA is to check whether the data is entered on our website (e.g. in a contact form) by a person or by an automated program. The data collected (e.g. IP address, set language in the browser, time zone, etc.) during the analysis are forwarded to Google.
2. For more information about Google reCAPTCHA, visit the Google website: https://www.google.com/recaptcha/,
3. The legal basis for the data processing is Art. 6 para. 1 lit. f. GDPR. The website owner has a legitimate interest in protecting its website from abusive automated spying and SPAM.
1. For the purpose for you to control the cookies, we have integrated on our website a Cookie Consent Tool (hereinafter: Cookiebot). The provider is Cybot A / S, Havnegade 39, 1058 Copenhagen, Denmark. Cookiebot shows you a cookie list divided into function groups, explains the purpose of the cookie function groups and the individual cookies, as well as their storage duration. Saving a cookie is technically necessary in order to be able to use Cookiebot.
2. When you visit Cookiebot for the first time, you will see a pop-up window on our website. Here you can activate the cookies, which are divided into function groups, by clicking the appropriate box. Please note that the technical cookies are already saved when you visit the website and that the relevant box is preset.
4. For more information about Cookiebot please visit following website:
1. Our website uses the YouTube embedding function to display and play back videos from the provider "YouTube", which belongs to Google.
3. Regardless, of whether the embedded videos are played, a connection to the Google “DoubleClick” network is established every time this website is accessed, which can trigger further data processing operations beyond our control.
4. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account. Regardless, Google stores your data (even for non-logged in users) as user profiles and evaluates them. Such an evaluation is carried out in accordance with Art. 6 para. 1 lit. f. GDPR based on Google's legitimate interests in the display of personalized advertising, market research and / or the needs-based design of its website. You have the right to object to the creation of these user profiles; an opt-out is possible at: https://adssettings.google.com/authenticated
5. YouTube is used in the interest of an appealing presentation of our online offers. This represents a legitimate interest in accordance with Art. 6 para. 1 lit. f. GDPR.
6. For more information, please refer to YouTube’s data privacy policies:
Google Places API
1. On our website, we use Google Places API, a service provided by Google LLC, Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google“) to complete the address details. The transmission of addresses to Google is done anonymously.
3. The use of Google Places API serves to make the use of our offer more pleasant for you. The legal basis for the data processing is Art. 6 para. 1 lit. f. GDPR.
VII. Other Data Processing
1. If you have given your consent to receive our advertising (newsletter, e-mail, by post, etc.), we will inform you via the respective medium about our current offers using the data you have provided. You can revoke your consent at any time.
2. We may also use your email address to ask you to evaluate our services if you are our existing customer and have not objected to the use of your email address for this purpose.
3. In both cases, you can unsubscribe at any time. Please send your request to unsubscribe via email to firstname.lastname@example.org.
VIII. Your rights
1. You have the following rights with respect to us regarding your personal data:
- Right to information (Art. 15 GDPR),
- Right to rectification and deletion (Art. 16 and 17 GDPR),
- Right to restriction of processing (Art. 18 GDPR),
- Right to object to processing (Art. 21 GDPR),
- Right to data portability (Art. 20 GDPR).
2. Pursuant to Art. 77 GDPR, you also have the right to appeal to a data protection authority about our processing of your data.
3. We would like to point out that you can revoke any data protection consent that may have been granted to us at any time with effect for the future. The same applies to consent to advertising. You should contact us by e-mail to exercise this right: email@example.com
The respective revocation can lead to our offers being no longer or only partially available.
4. Insofar as the processing of your personal data is based on a balance of interests, you may object to the processing. When exercising an objection, we ask that you state why we should not process your personal data in the manner that we have. In case of a justified objection, we will review the situation and either stop or adjust the data processing or point out the compelling legitimate grounds on which we will continue to process the data.
IX. Data deletion
1. The data stored with us is deleted as soon as it is no longer necessary for its purpose and the deletion does not conflict with any statutory storage requirements. Unless the data is not deleted, because it is required for other and legitimate purposes, its processing will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be kept for commercial or tax reasons.
2. According to the legal requirements, the storage takes place for six (6) years according to § 257 (1) HGB (trading books, inventories, opening balance sheets, annual accounts, trade letters, accounting documents, etc.) as well as for ten (10) years according to § 147 (1) AO (Books, records, management reports, accounting records, trade and business letters, tax documents, etc.).