The Lufthansa Group companies collect, process and use personal data of customers, shareholders, employees and suppliers on a daily basis. For the business processes of the passenger airlines in particular, the Group depends on personal information about customers. The Lufthansa Group protects and secures all data according to the highest standards.
The legally required responsibilities are implemented by the Lufthansa Group in an integrated data protection organization on all levels. The Group Data Protection department ensures the application of legal provisions across the entire Lufthansa Group. It familiarizes employees with legal requirements and regularly conducts data protection audits. In addition, data protection experts advise individual departments concerning the introduction of new systems and the design or change of processes.
The Group Data Protection Commissioner supports employees and managers by means of training courses, web-based training programs and comprehensive communication in understanding data protection, its necessity and its principles within the Lufthansa Group. This includes important concepts, the organization of data protection and specific aspects concerning certain areas. The Group Data Protection Commissioner plans the necessary training measures as a recommendation, informs those responsible about their training obligations and, as far as this is technically possible, uses an automated monitoring system and concrete controls to supervise whether these training obligations are met.
The business processes of the Lufthansa Group are supported by IT components in almost all areas. The use of IT inevitably entails risks for the stability of business processes and for the availability, confidentiality and integrity of information and data. Increasing digitalization also increases the need to prevent cyber risks.
The Lufthansa Group continuously monitors the global IT security situation. On the basis of these observations, the Executive Board has adopted a wide range of measures in recent years to strengthen the Lufthansa Group's IT security and implemented them in a large number of projects. The measures focus on risk-oriented implementation in IT systems and processes, taking into account the Lufthansa Group's partners and providers.
Group-wide cyber security program
Technological tools for the prevention of cyber attacks were introduced, processes were adapted to the changing threat situation, organizational changes were made and awareness campaigns were carried out. Since the end of 2018, a three-year program to increase cyber resilience within the Lufthansa Group has been carried out. The cyber security program approved by the Executive Board implements Group-wide measures in various core areas and a large number of projects. This also includes the area that prepares the Lufthansa Group's airlines for the next generation of eEnabled aircraft.
Information security within the Group
Lufthansa Group security experts are in close contact with external security companies, research groups, other companies and government agencies. A Security Operations Center (SOC) is on duty 24/7 to protect and secure the IT infrastructure. A Computer Emergency Response Team is permanently on standby to provide a rapid response in the event of a security incident or cyber-attack. Lufthansa Group security experts regularly take part in security training courses and conferences.
IT risk and IT security processes are organized across business segments. The status of IT risks and security is surveyed annually, consolidated at Group level and dealt with by the Lufthansa Group Risk Management Committee. The risk and security management systems and selected measures are also regularly reviewed by the internal audit department.
Controls also relate to external service providers: the operating and commercial risks naturally associated with outsourcing are continuously evaluated and controlled. Audits by independent third parties ensure that the ISO 27001 certification of all Lufthansa Ground Operations processes, the underlying IT processes at national and international airports and the corresponding operationally relevant departments is maintained in the long term.
Raising employee awareness
Training and events on the topics of information security and data protection are held regularly within the Lufthansa Group for all employees. Risk awareness is continuously raised through other internal channels. A global cyber-security response process enables the Lufthansa Group to react to potential security incidents at any time.
The Lufthansa Group has a uniform risk management system. The information security protection goals of confidentiality, integrity and availability are separate risk categories in the risk management system and are thus part of the risk reporting to the Executive Board and the Audit Committee of the Supervisory Board.