Purpose & Definitions
The data controller in the sense of the European data protection laws is Lufthansa Technik AG.
Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing is any operation which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1 Collecting and processing of personal data
It is not possible to use MROradar anonymously as MROradar requires a registration.
1.1 Data processed in the registration process
During the registration process you will be asked to provide mandatory information which includes the following personal data:
- Your name (first name, last name)
- Your business email address
This mandatory information is marked as such. In the event a registration has not been completed, the data will not be saved.
1.2 Data processed while using MROradar
We will collect personal data that you enter or provide to us while using MROradar. For example the following personal data can be entered in the profile settings of your account:
- Additional contact details, like business phone number (optional)
It will be optional to provide this information.
Furthermore we will collect data related to the activities you will perform within the application. This will be a timestamped link between your user profile and the data you create / alter while using certain functions such as comments, create/publish RFPs, or create/submit proposals.
These commercial data will be kept safely stored and not accessible to anyone not related/invited to your RFP or proposal. LHT as platform operator will only use the data for the purposes specified in section 2. It will not be diverted from its intended use. All LHT departments not related to the MROradar team will act as normal platform users and are customers to MROradar as all other parties.
1.3 Data automatically processed from Users
Every time you use the internet your internet browser will automatically transfer certain information that we will store in so-called log-files.
The log-files will solely be stored for the detection of malfunctions and security reasons (e.g. attack detection) for a period between seven and ten days. If an incident has taken place and the log-files are needed as evidence, they will be stored for a longer period of time and might be transferred to investigating authorities. They will be subject to restriction of processing upon the final clearance of the matter.
In particular, log-files include the following information:
- IP address of the network from which the online service is accessed
- Date and time of request
- Size of transferred data
- URI of the accessed data
- Operating system and information regarding the internet browser used, including add-ons
- HTTP Response Status Code
For special forms of automatic data processing, such as cookies, please refer to section 6.
2 Purposes of data processing
We may evaluate, retain and use the information provided to us and the data generated from your use of the services only and exclusively limited to the following purposes:
2.1 Offer our service
The main purpose to process personal data is to ensure the functionality of MROradar. If you use MROradar the above mentioned personal data as well as information about activities you performed within the application will be accessible to other users of the platform that you collaborate with (i.e. users of your company or users of another company that is assigned to the RFP). For example, users who are authorized by a company to see RFP relevant information of a joint project will be able to see and access the information you share as well as your contact details on MROradar.
2.2 Prevent abuse and legal defense
To comply with our legal requirements, enforce our Terms & Conditions, respond to claims that content violates the rights of others, or protect anyone's rights, property or safety we might use the personal data provided by your side.
2.3 Keep you informed
From time to time we might contact you to inform you about critical service updates or other information which is important to support our service. We may also contact you to ensure that information we have in our records is accurate or when in need of additional information to complete your profile.
2.4 Improve our services
In order to improve our service we might contact you to receive feedback and comments from you about our services and inquire about any features you would like to see in future offerings. We may also contact you to ask for your satisfaction rate.
2.5 Statistical purposes
To provide, customize, measure and improve our Services with a focus on the content, we might use personal data to assist us for our own internal statistical and analytical purposes. No person-related analysis of the data will be carried out. (Commercial data from RFPs and proposals will neither be used for statistical purposes nor be subject to other evaluations.)
3 Transfer of data and duration storage
3.1 Transfer of data to third parties
Your personal data will only be transferred to third parties if we or a third party have a legitimate interest in the transfer or you granted us your consent to the transfer. A legitimate interest is the securing of a safe and stable operation of the application. We may also transfer personal data which has been rendered anonymous to third parties for statistical purposes. Commercial data will not be transferred to other providers in any case.
Additionally, personal data might be transferred to third parties if we are obliged to transfer the data by German statutory provisions or by an enforceable order of a German court or administrative authority.
3.2 External service providers
We reserve the right to appoint external service providers for the collection and use of personal data. These service providers will only have access to data they need for the performance of their services. Service providers will generally be appointed as commissioned data processors which are only allowed to process the personal data according to our instructions.
3.3 Duration of storage
We will store your personal data as long as we have a legitimate interest in the storage, meaning as long as you are using the application as a registered user. In all other cases we will delete your personal data with the exception of those data that we need to store further in order to comply with contractual or statutory retention periods. Data which is only kept because it is subject to a retention period will be blocked for other uses.
4 Rights of the data subject
You have the right of access to your personal data and - if certain prerequisites are present - also to correction, to erasure, to limitation of the data processing and a right to data portability.
In case you gave us your consent for the processing of data you may withdraw your consent at any time. Please address your request to: email@example.com. Please note that you might also be able to correct your data in MROradar by yourself.
4.1 Access to Data
You have the right to be informed whether your personal data is being processed by us, and, if this is the case, to what extent. You are able to access your personal data within your user profile and other parts of the application. If you require information beyond that visible in the application, please contact firstname.lastname@example.org.
4.2 Rectification of Data
You have the right to rectification of inaccurate personal data. In your profile settings you are able to see, review and change your personal information, like contact information or your profile picture, after signing in to your account. Please update your personal information immediately if it changes or is inaccurate. The personal data which is relevant for the registration process like your name, your company or your email address can only be modified by authorized MROradar system administrators. In order to request the modification of the above mentioned and further data please send an email to email@example.com.
4.3 Erasure of Data
You have the right to erasure of your personal data processed in MROradar (‘right to be forgotten’). In case you want to delete your personal data please send an email to firstname.lastname@example.org. We will close your account and make sure that your personal data is deleted as soon as reasonably possible. The data related to your activities as described under section 1.2 of this policy will be anonymized after the closure of your account.
4.4 Restriction of Processing of Data
You have the right to demand a restriction of processing of your personal data under certain preconditions. At any time, you may ask that your preferences as to the type and amount of communication that you receive from us are modified. You can also do this by following the instructions included in each communication or newsletter. For claims beyond such case, please contact email@example.com.
4.5 Data Portability
You have the right to Data Portability, i.e. to receive all personal data that you provided to us in a structured format for your use. In case you want to receive an overview of your personal data which has been collected in accordance with section 1 and 2 of this policy please send an email to firstname.lastname@example.org. We will then provide you the requested information within a reasonable period of time.
You have the right to object at any time to processing of personal data concerning you. You can do so by sending an email to email@example.com. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of you as the data subject or for the establishment, exercise or defense of legal claims. You especially have the right to object if personal data concerning you is processed for direct marketing purposes.
4.7 Automated individual decision-making, including profiling
MROradar does not support the user with any automated individual decision-making, including profiling.
5 Data security
At Lufthansa Technik we take reasonable technical and organizational measures to guard against unauthorized or unlawful processing of the information collected and against accidental loss or destruction of, or damage to, your personal data.
While no system is completely secure, we believe the measures implemented by our side reduce the likelihood of security problems to a level appropriate to the type of data involved. This includes encrypting the transmission of sensitive information using transport socket layer technology, as well as safeguarding your data through firewalls, data encryption and authentication procedures in order to maintain the security of your active session and to protect your personal data and the Services from unauthorized access.
6 Cookies, Tracking and Web analysis tools
A cookie is a small element of data that can be exchanged between an Internet website and a client's browser. It can be stored on either side to enable the Internet application to recognize the client on return. You can set your browser to notify you when you receive a cookie, and you may choose to accept the cookie or not. If you do not accept the cookie, the corresponding Internet page cannot be accessed. If you accept the cookie, you can delete it after the session.
6.1 Behavioral Remarketing
6.2 Social Plugins
MROradar does not use social plugins.
6.3 Tracking tool: Google Analytics
We use Google Analytics as a tracking tool. Its functions are explained in the following paragraphs.
The use includes the Universal Analytics operating mode. This makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID and thus analyze a user's activities across devices.
Google Analytics is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). We use Google Analytics with the additional function offered by Google to anonymize IP addresses. While doing so, Google already shortens IPs within the EU in most cases and only does so in the United States in exceptional cases, while always saving shortened IPs only. You may object to the collection or processing of your data by using the following link to download and install a browser plugin: http://tools.google.com/dlpage/gaoptout?hl=en.
To prevent Universal Analytics from collecting data across different devices, you must opt-out on all systems used.
The legal basis for using it is our legitimate interests in accordance with Article 6(1)(f) of the GDPR for the purpose of enhancing the efficiency of our website and (direct) marketing.
Google Analytics gives us insights into the following data:
- When the website was accessed (month, year, week, day, time of day)
- What devices were used to access the website and what browser and operating system those devices use
- What individual pages of the website are visited
- Visitors' regions and languages
- Visitors' click behavior or click paths, click frequency
- Dwell times on the individual pages of the website
- Most-clicked pages on the website
- Where the website was accessed from (referrer)
- How often the website or its individual pages were called
- Whether and how visitors return to the website or its individual pages
You can obtain more information on this tracking tool at: https://analytics.google.com/analytics/web/
Duration of Data Storage
The data sent by us and linked to cookies, user-identifiers (e.g. User-IDs) or advertising-identifiers are automatically deleted after 14 months, the shortest possible option in the Google Analytics settings. Data whose retention period has been reached is automatically deleted once a month.
7 Complaints to data protection authorities
You also have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for Lufthansa Technik AG is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
(Hamburg Commissioner for Data Protection and Freedom of Information)
Ludwig-Erhard-Str 22, 7. OG
Phone: +49 40 42854-4040
Fax: +49 40 4279-11811
The following European legislation applies to the subject of data privacy:
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
For Germany this regulation is supplemented by the "Bundesdatenschutzgesetz (neu)"
Lufthansa Technik has appointed Dr. Barbara Kirchberg-Lennartz as the data protection officer for Lufthansa Technik. She can be reached as follows:
Dr. Barbara Kirchberg-Lennartz
Deutsche Lufthansa AG
Dep.: FRA CJ/D
8 Contact information
If you have comments or questions, any concerns or a complaint regarding the collection and use of your personal data, please feel free to contact us via the following email address: firstname.lastname@example.org.
Last update: April 2nd, 2019