Data protection and data security

The Lufthansa Group companies collect, process and use personal data of customers, shareholders, employees and suppliers on a daily basis. For the business processes of the passenger airlines in particular, the Group depends on personal information about customers. The Lufthansa Group protects and secures all data according to the highest standards.

The legally required responsibilities are implemented by the Lufthansa Group in an integrated data protection organization on all levels. The department Group Data Protection ensures the application of legal provisions across the entire Lufthansa Group. It familiarizes employees with legal requirements and regularly conducts data protection audits. In addition, data protection experts advise individual departments concerning the introduction of new systems and the design or change of processes.

Employee sensibilization and targeted training

Group Data Protection regularly makes employees aware of the importance of data protection.

The Group Data Protection Commissioner supports employees and managers by means of training courses, web-based training programs and comprehensive communication in understanding data protection, its necessity and its principles within the Lufthansa Group. This includes important concepts, the organization of data protection and specific aspects concerning certain areas. The Group Data Protection Commissioner plans the necessary training measures as a recommendation, informs those responsible about their training obligations and supervises – as much as this is technically possible – by means of an automated monitoring system and concrete controls, that these training obligations are met.

IT security

The increasing digitalization of business processes within the Lufthansa Group also increases the necessity of prevention against cyber risks. At the Group level, the department IT Security is responsible for implementing requirements concerning data protection and IT security. This includes the development of appropriate concepts and measures such as e-mail encryption, a cyber crime awareness campaign and protection from criminal activity over the Internet. The risk and security management systems as well as selected measures are regularly checked by internal auditors.