Data protection declaration in accordance with the EU General Data Protection Regulation (GDPR) for the app operated by Flughafen Stuttgart GmbH
I. To whom does this data protection policy apply?
The following data protection declaration provides you with an overview of what happens to your personal data when you use the Flughafen Stuttgart GmbH (FSG) app. You can access this data protection declaration at any time under the menu item “Data protection” within the app.
II. Name and address of the data controller
Flughafen Stuttgart GmbH
Flughafenstrasse 32
70629 Stuttgart
Germany
Postfach 23 04 61
70624 Stuttgart
Germany
Telefon: +49 711 948-0
Telefax: +49 711 948-2241
E-Mail: info@stuttgart-airport.com
Legal representatives:
Management Board:
Walter Schoefer
Dr. rer. pol. Arina Freitag
III. What are the contact details of the company data protection officer?
You can contact the company data protection officer of Flughafen Stuttgart GmbH by post or e-mail.
By post:
Flughafen Stuttgart GmbH
Datenschutzbeauftragter
Flughafenstrasse 32
70629 Stuttgart
Germany
By e-mail:
DSB@stuttgart-airport.com
IV. Information on the processing of your personal data
We process personal data (“data”) in accordance with the applicable data protection laws, in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Processing includes the activities described in Art. 4 No. 2 GDPR, i.e. in particular the collection, recording, storage, disclosure and transmission of data. We have listed exactly which data is processed below:
1. Is information collected when downloading the Stuttgart Airport App?
When downloading the Stuttgart Airport App, the necessary information is transferred to the App Store you have selected (e.g. Google Play Store or Apple App Store), i.e. in particular, your user name, e-mail address and the customer number of your account, the time of download and the unique device number/device ID. We have no control over this and are not responsible for this data collection. This data is processed exclusively by the respective App Store and remains beyond our control.
2. What data is processed when I start and use the Stuttgart Airport App?
The Stuttgart Airport App offers you a wide range of information about Stuttgart Airport and your trip or flight, e.g:
- Flight overview with all departures and arrivals of the current day and the following day – including flight status (e.g. boarding)
- Current waiting times at the security controls of Stuttgart Airport
- An overview of all shops available at Stuttgart Airport
- Various important information about a flight (e.g. important telephone numbers, luggage information)
In the following, we would like to set out how data is processed when the individual functions of the Stuttgart Airport App are used by FSG or third-parties commissioned by us.
In the Stuttgart Airport App, you will also find links to external websites or external offers from other providers or third-parties (e.g. airline websites). These are websites or offers for which FSG is not responsible or which are not operated by FSG. Separate data protection declarations and other regulations apply to these websites or offers, the contents of which can be found on the websites or offers.
a. Launching the Stuttgart Airport App and informational use of the Stuttgart Airport App
When you launch the Stuttgart Airport App and use the app for information purposes (without using any other functions), your IP address and a UserAgent (e.g. Apple WebKit) are collected and processed. The collection of your IP address is managed anonymously (overwriting the last 6 numbers or the last 2 blocks with “x”) so that this data cannot be assigned to any natural person. This data is required to send a request to the FSG server in order to provide you with contents of the Stuttgart Airport App.
The data will be deleted within 24 hours after a request. This data will not be disclosed to us or any other third party.
b. Authorisations
The Stuttgart Airport App does not require any authorisations for your mobile device unless you activate push notifications (see letter c.) directly on your device.
c. Activating notifications (“push notifications”)
If you activate the notification function (“push notifications”) in the Stuttgart Airport App after a separate query by the app, you will have the option of receiving up-to-date information on the status of a flight (“flight subscription”) or on new promotions in shops you have marked as favourites (“shop favourites”). You will receive this information when you activate “push notifications” even if the Stuttgart Airport App is not open. If you activate push notifications in the app, the platform you are using (Android, iOS, Windows) will generate an identifier in the form of a device token for your mobile device. This device token is then issued with an SHA-512 hash in the Stuttgart Airport App. FSG is not able to use this SHA512 hash to identify you personally. The SHA512 hash is stored in the administration back-end hosted on Microsoft Azure to identify your mobile device and to deliver push notifications to your mobile device. A push notification is triggered via the Azure Notification Hub. It is sent via the respective provider of the Smartphone Operation System (e.g. Android Firebase Messaging or Apple Push Services). You can receive app push notifications for the following areas at Stuttgart Airport:
- Flight subscription and messaging via push notification
You have the option of subscribing to a flight and thus always being informed of changes in the flight status by push notification on your mobile device. You can activate the subscription function by pressing the bell symbol to the right of the flight destination. You will then receive a push message on your mobile device whenever the flight status changes (e.g. on approach, landed, etc.), regardless of whether the app is open or not. The push notification request for a specific flight, and thus the above-mentioned SHA512 hash, is deleted no later than one hour after the flight has reached its last potential status (e.g. “end of baggage claim”) or when you delete the flight subscription from the administration back-end hosted on Microsoft Azure. - Shop favourites and push notification
You have the option of marking a shop located at Stuttgart Airport as a favourite. In this case, you will receive push notifications on your mobile device, for example, if the shop offers a discount promotion or provides a discount coupon in the form of a QR code. The push notification request for a specific shop and thus the above-mentioned SHA512 hash will be deleted from the administration back-end hosted on Microsoft Azure as soon as you remove the respective shop from your favourites list. Removing a shop from your favourites list is possible at any time.
The legal basis for the processing is, in each case, your consent to receive push notifications in the specific situation and thus Art. 6 (1) a) GDPR.
You can revoke your consent to the storage and use of your data to receive push notifications at any time with effect for the future. You can revoke your consent directly in your mobile device, for example as follows:
Deactivate push notifications in the iOS operating system:
- Open “Settings” in your mobile device.
- Search for the “Stuttgart Airport” app and select it.
- Select the item “Messages”.
- Here, you can deactivate push notifications under the item “Allow messages”.
Disabling push notifications in the Android operating system
- Open the Notification Centre”.
- Tap and hold your finger on a notification from the “Stuttgart Airport” app, then tap “App Info”.
- Remove the tick under the item “Receive notifications”.
d. Contact form
You can contact us via the Stuttgart Airport App. In this case, the personal data you send to us (e.g. name, e-mail, subject on which you contact us, individual contact text) will be stored.
The data will be stored by us in order to be able to respond to your enquiry in an appropriate way. The data from the contact form is transmitted in encrypted form to our web server. Depending on the subject matter on which you contact us, your data and your request will be transmitted to internal third-parties (e.g. to specialist departments of FSG) or external third-parties (e.g. to service providers based at Stuttgart Airport). You can find more information about this at www.stuttgart-airport.com/privacy-statement.
If you contact us, the legal basis for data processing is Art. 6 (1) f). GDPR. We use your personal data exclusively to process and answer your enquiry appropriately. This also applies in the case of a possible transfer of your data to third-parties. This is also our legitimate interest in the sense of Art. 13 (1) d). GDPR.
Personal data will only be stored for as long as is necessary to achieve the above-mentioned purpose (final clarification of your specific enquiry or concern) or in accordance with statutory retention periods.
e. Ratings and feedback in the Stuttgart Airport App
When you use the Stuttgart Airport App, we will ask you at a certain point in time to provide a rating using a star scale (1 - bad / 5 - very good). The request to submit a rating will only be made locally and based on a stored counter. If you give a rating in the form of stars (1 - bad / 5 - very good) and send it to us, this rating will be sent to us anonymously. A combination or consolidation of this data with the data listed under IV. 2. a. or any other possibility by which conclusions could be drawn about a natural person is not possible at any time.
(2) Evaluation of the Stuttgart Airport App in the respective App Store
When you use the Stuttgart Airport App, we will ask you to rate our app in the respective App Store at a certain time by means of a pop-up window. The pop-up window will appear after a defined number of access times. We will not receive any information about this step. If you decide to rate our app in one of the App Stores, the data protection policy and data protection regulations of the respective App Store (e.g. Apple App Store or Google Play Store) apply exclusively.
f. Integrated map applications for arrival & departure
As part of our Stuttgart Airport App you can use an integrated map application to determine your arrival and departure route. When you use this function, an external link to the map application is generated which is opened by the respective operating system. We have no knowledge of the information associated with this. If you use this function, the data protection policy and data protection regulations of the respective third-party or map provider (e.g. Apple, Google) apply exclusively.
g. Use of the Shops & More function
You can use the “Shops & More” function in the Stuttgart Airport App. This function enables you to filter or sort the list of shops and other businesses located at Stuttgart Airport according to criteria you set (for example, by category, area, open, coupon available). The filters you set here are only stored temporarily and locally on your mobile device. The filters you set do not remain in place. We have no knowledge of the information associated with this.
If you decide to store a shop as a favourite, e.g. to be informed about discount promotions offered by the shop, you may be asked to allow the receipt of push notifications (see the information on activating notifications under IV. 2. c.).
h. “Sharing” a flight
The Stuttgart Airport App also gives you the option of sharing a flight via your mobile device, e.g. by e-mail, text message or WhatsApp. We have no knowledge of the information associated with this. If you use this function, the data protection guidelines and data protection information of the third-party provider used (e.g. Apple, Google, Facebook) apply exclusively.
i. Sending an error report in case of crashes or technical issued affecting the app (so-called “crash report”)
In order to ensure the stable use and system operation of the Stuttgart Airport App, you will be asked to submit a crash report in the event of technical issues within the app (e.g. the app crashes or the non-availability of a function within the app). The crash report is a file that describes where the app crashed or did not display content correctly. Among other things, the following data will be transmitted to us:
- Error description
- Used device and operating system
- Device specific settings (country, language)
Before a crash report is transmitted to us, you will be asked whether you agree to the transmission of the report to us.
In this case, the legal basis for data processing is Art. 6 (1) f). GDPR and our legitimate interest in the stable operation of the application and, in addition, in the regular provision of updates for the error-free operation of the application. This is also our legitimate interest within the meaning of Art. 13 (1) d). GDPR.
If you submit a crash report to us, the crash report will be stored for 28 days.
V. To which recipients or categories of recipients will my data be passed on / will my data be passed on to third countries or international organisations?
As a matter of principle, we will only pass on data to third-parties if you have consented to the transfer, if the transfer is required by law, if the transfer is necessary for the processing of contractual relationships or business initiations, if there is a legal or official obligation to transfer the data, or if the transfer is based on any other legal basis (e.g.: external contractors within the scope of Art. 28 GDPR).
We have commissioned a service provider for the programming and maintenance of the Stuttgart Airport App and have concluded an agreement with the service provider within the meaning of Art. 28 GDPR. The service provider supports us e.g. in operating the app and developing updates. This is the company Byte5 digital media GmbH, Hanauer Landstraße 114, 60314 Frankfurt am Main.
Our app also uses a back-end, which is hosted via Microsoft Azure. We have carried out all necessary configurations here, which stipulate and ensure that your data is processed within the EU/EEA. However, we cannot exclude the possibility that in certain cases, e.g. due to server redundancies of the provider, over which we have no influence, anonymous, personal or personally identifiable data may be processed in third countries (i.e. countries outside the EU/EEA).
Insofar as data is transferred to third countries, this is managed exclusively in accordance with the GDPR. In this case, we have ensured that an appropriate level of data protection is in place. An adequate level of data protection is guaranteed by the use of standard contractual clauses of the EU Commission in accordance with Art. 46 (2) c). GDPR. The EU standard contractual clauses can be accessed via the following link:
https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF
VI. How long will my data be stored?
Data will be processed and stored by us for as long as it is necessary for the fulfilment of the respective purposes and obligations, be these contractual or legal in nature, for example. If this requirement is no longer necessary, the data will be deleted, unless the deletion is contrary to statutory storage obligations. More detailed information on the respective retention periods can be found in the functions of the Stuttgart Airport App described above.
VII. What rights do I have as a data subject vis-à-vis Flughafen Stuttgart GmbH?
If we process personal data, you are classified as a data subject within the meaning of the GDPR. You, therefore, have rights vis-à-vis Flughafen Stuttgart GmbH as the data controller. If you wish to assert such a right, please contact us:
Flughafen Stuttgart GmbH
Flughafenstrasse 32
70629 Stuttgart
Germany
E-mail: Betroffenenrechte@stuttgart-airport.com
You are entitled to the following rights:
1. Right to the disclosure of information in accordance with Art. 15 GDPR
As per Art. 15 GDPR, you have the right to request the disclosure of information about your personal data as processed by us. In particular, you may request information on the purposes of processing, the category of personal data, the categories of recipients to whom your data have been (or will be) disclosed, the planned retention period, the existence of a right of rectification, erasure, restriction of processing or opposition, the existence of a right of appeal, the origin of your data, if not collected by us, and the existence of automated decision making including profiling and, where applicable, meaningful information on the details of such data.
You also have the right to request information as to whether your personal data is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transfer.
2. Right of rectification under Art. 16 GDPR
In accordance with Art. 16 GDPR, you have the right to request the correction and/or completion of your personal data vis-à-vis us as the data controller, if the personal data processed concerning you is incorrect or incomplete. We, as data controllers, must make this correction without delay.
3. Right of deletion (“to be forgotten”) in accordance with Art. 17 GDPR
In accordance with Art. 17 (1) GDPR, you have the right to request the deletion of your personal data stored with us, unless the processing is necessary to exercise the right to a freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims (cf. Art. 17 [3] GDPR). If we, as data controllers, have made public the personal data concerning you and are obligated to delete this personal data pursuant to Art. 17 (1) GDPR, we will take all reasonable measures – including technical measures – and taking into account the available technology and the implementation costs, to inform other data controllers who are processing said personal data that you, as a data subject, have requested be deleted, including any links thereto and copies thereof.
4. Right to restrict processing pursuant to Art. 18 GDPR
Under Art. 18 GDPR, you have the right to demand that the processing of your personal data be restricted if you dispute the accuracy of the data, if the processing is unlawful but you refuse to allow its deletion and we no longer need the data, but you need it to assert, exercise or defend legal claims, or if you have lodged an objection to its processing under Art. 21 GDPR.
5. Right to data transfer pursuant to Art. 20 GDPR
In accordance with Art. 20 GDPR, you have the right to receive the personal data you have provided us with in a structured, common and machine-readable format or to request that it be transferred to another data controller.
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) e). or f). GDPR.
We, as data controllers, will then no longer process the personal data relating to you unless we can demonstrate compelling reasons for its processing that are worthy of protection and outweigh your interests, rights and freedoms, or unless the processing serves to assert, exercise or defend legal claims. If the personal data concerning you are processed for the purpose of direct marketing, you have the right to object to its processing. If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
Insofar as the respective data processing is based on consent within the meaning of Art. 6 (1) a). GDPR, you have the right to revoke your consent under data protection law at any time. The revocation of consent does not affect the lawfulness of any processing carried out on the basis of your consent until the point in time of revocation.
8. Automated decision in individual cases (including profiling) in accordance with Art. 22 GDPR
You have the right not to be subject to a decision based solely on automated processing – including profiling – that has a legal effect on you or which significantly affects you in a similar manner.
9. Right of appeal to a supervisory authority under Art. 77 GDPR
Under Art. 77 GDPR, you have the right to register an appeal with a competent supervisory authority. To do so, you can usually contact the supervisory authority at your place of residence, place of work or for our registered office. The supervisory authority responsible for Flughafen Stuttgart GmbH is:
The State Commissioner for Data Protection and Freedom of Information
Postfach 10 29 32
70025 Stuttgart
Germany
Telephone: 0711/615541-0
Fax: 0711/615541-15
E-mail: Poststelle@lfdi.bwl.de
VIII. Is there an obligation to provide the data? What are the consequences of not providing the data?
There is no legal obligation to provide the data. However, it may be necessary for you to provide your data in order to use (or use in full) the Stuttgart Airport App. If you do not wish to provide your data, the consequence of not providing your data is that you will not be able to use the Stuttgart Airport App or certain functions of the Stuttgart Airport App.
IX. Is there automated decision making in individual cases – including profiling?
There is no automated decision-making in individual cases in accordance with Art. 22 GDPR.
X. Where can I find further information on data protection at FSG?
Further information on data protection at Flughafen Stuttgart GmbH can be found at:
www.stuttgart-airport.com/privacy-statement