Table of Contents
1 General Details
1.1 Objectives and responsibilities
1.2 Legal bases
1.3 Data subject rights
1.4 Erasing data and storage period
1.5 Processing security
1.6 Forwarding data to third parties, sub-contractors and third party providers
2 Processing as Part of Our Online Services
2.1 Collecting information about use of the online services
2.2 Contact form and establishing contact by e-mail
2.3 Career portal
2.4 Google Tag Manager
2.5 Content management system (CMS)
2.6 Consent management via Usercentrics
2.7 Google Analytics
2.8 YouTube
2.9 DoubleClick
2.10 Google Fonts
2.11 Hosting
3 Data processing in our physical stores
3.1 Compliance with customs and tax regulations during sales
3.2 Tax Refund Service
3.3 Payment services
3.4 Digital receipt
3.5 Video
4 Application Process
4.1 Job portal
4.2 Direct applications
4.3 Incorporation in the applicant pool
5 Cookie Policy
5.1 General information
5.2 Cookie overview
5.3 Objection options
6 Social Media
1 General Details
1.1 Objectives and Responsibilities
1. This Data Protection Policy informs you about the type, scope and purpose of the processing of personal data in relation to our online services and the associated websites, functions and content (hereinafter jointly referred to as the “Online Services” or “Website”). Details of these processing activities can be found in Section 2.
2. Details of data processing activities in our bricks-and-mortar shops are described in Section 3. The application process is described in Section 4.
3. The provider of the Online Services and party responsible for data protection is Frankfurt Airport Retail GmbH & Co. KG (Flughafen Frankfurt, Frankfurt Airport Center 1, PO Box 507, D-60549 Frankfurt, Germany) - hereinafter referred to as the “Provider,” “We” or “Us.”
4. Our Online Services are rendered by Gebr. Heinemann SE & Co. KG (Koreastraße 3 - 5, D-20457 Hamburg).
5. Our data protection officer can be contacted via the following e-mail address: dataprotection@gebr-heinemann.de.
6. The term “User” includes all Online Services customers and visitors.
1.2 Legal Bases
We collect and process personal data based on the following legal bases:
a) Consent in accordance with Article 6(1), point (a), of the General Data Protection Regulation (GDPR). Consent is any voluntary, specific, informed and unambiguous expression of will in the form of a statement or other unambiguous affirmative act by which the data subject indicates his or her agreement to the processing of personal data relating to him or her.
b) Necessity of executing a contract or adopting preparatory measures in accordance with Article 6(1), point (b), GDPR, i.e. we require the data to honour our contractual obligations to you or we require the data to prepare entering into a contract with you.
c) Preparing to honour a legal obligation in accordance with Article 6(1), point (c), GDPR, i.e. processing the data is required by law or other requirements.
d) Preparing to safeguard justified interests in accordance with Article 6(1), point (f), GDPR, i.e. processing is necessary to protect our legitimate interests or the legitimate interests of others, except where such interests are overridden by your interests or fundamental rights and freedoms that require the protection of personal data.
1.3 Data Subject Rights
You have the following rights with regard to data processing by us:
a) Right to complain to a supervisory authority in accordance with Article 13(2), point (d), GDPR, and Article 14(2), point (e), GDPR;
b) Right of access in accordance with Article 15, GDPR;
c) Right of rectification in accordance with Article 16, GDPR;
d) Right to erasure (“Right to be forgotten”) in accordance with Article 17, GDPR;
e) Right to restriction of processing in accordance with Article 18, GDPR;
f) Right to data portability in accordance with Article 20, GDPR; and
g) Right to object in accordance with Article 21, GDPR.
Notice: Users may object to the processing of their personal data in accordance with the legal requirements at any time with effect for the future. You may, in particular, object to processing for direct marketing purposes. Irrespective of any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.
1.4 Erasing Data and Storage Period
The data subject’s personal data shall be deleted or blocked as soon as the purpose for the storage becomes inapplicable. Storage may apply beyond this if this was proposed by the European or national legislator in Union law orders, laws or other requirements to which the controller is subject. Blocking or deleting the data shall also apply if a storage period specified by the stated standards expires unless there is a necessity for further storage of the data for entering into or executing a contract.
1.5 Processing Security
1. We have implemented appropriate and state-of-the-art technical and organisational security measures (TOMs). Therefore, the data we process are protected against accidental or intentional manipulation, loss, destruction and unauthorised access.
2. The security measures include, in particular, the encrypted forwarding of data between your browser and our server.
1.6 Forwarding Data to Third Parties, Sub-Contractors and Third Party Providers
1. Data shall only be forwarded to third parties as part of the legal requirements. We only forward users’ data to third parties if this is necessary, for example, for billing purposes or for other purposes if the forwarding is necessary to honour contractual obligations to users.
2. Insofar as we commission subcontractors for the processing of personal data or if it cannot be excluded that subcontractors can access personal data, we have taken appropriate contractual precautions as well as corresponding technical and organisational measures in dealings with these companies.
3. Insofar as we use content, tools or other means from other companies (hereinafter jointly described as “Third Party Providers”) and their stated registered office is located in a third country, it is to be assumed that forwarding data to the Third Party Providers’ countries of domicile takes place. The forwarding of personal data to third countries by us shall only occur if there is an adequate level of data protection, user consent or other legal permission.
2 Processing as Part of Our Online Services
2.1 Collecting Information About Use of the Online Services
1. When using the Online Services, information is automatically forwarded to us by the user’s browser. This includes the name of the website accessed, file, date and time of access, amount of data forwarded, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.
2. This information is processed on the basis of legitimate interests in accordance with Article 6(1), point (f), GDPR (e.g. optimisation of the Online Services) and to ensure the security of the processing in accordance with Article 5(1), point (f), GDPR (e.g. to defend against and clarify cyber attacks).
3. The information is automatically deleted 4 weeks following the end of the connection - i.e. use of the Online Services - provided no other storage periods to the contrary apply.
4. Collecting data and storing data in log files are absolutely necessary to render the Online Services. Therefore, the user has no right to erase, object or correct the data.
2.2 Contact Form and Establishing Contact by E-Mail
1. When establishing contact with us (via online form or email), the data provided by the user are processed exclusively for the purpose of handling and processing the enquiry.
2. The data shall only be used for other purposes on the basis of the user’s consent.
3. The user’s data shall be stored in our customer relationship management system (“CRM System”) or a comparable software/database. The statutory storage periods for business letters apply.
2.3 Career Portal
1. When using our career portal, automatic forwarding to https://www.gebr-heinemann.de/de/Karriere/Jobsuche occurs.
2. The portal is operated by Gebr. Heinemann SE & Co. KG (Koreastraße 3 - 5, D-20457 Hamburg). Please note the Data Protection Policy applicable there.
2.4 Google Tag Manager
1. This website uses the Google Tag Manager. This service allows website tags to be managed via an interface. The Google Tag Manager only implements tags, does not set any Cookies and does not collect any personal data. The Google Tag Manager triggers other tags that may collect personal data. However, the Google Tag Manager does not access such data.
2. Were a deactivation implemented at domain or Cookie level, it remains in place for all tracking tags, insofar as these are implemented via the Google Tag Manager.
2.5 Content Management System (CMS)
1. We also use the services of Contentful GmbH, Ritterstraße 12 - 14, D-10969 Berlin, for our website. Contentful is a content management system (CMS) hosted in the cloud (AWS). All content and documents that are displayed on the website are stored in the CMS. When you access the website, the system also accesses the Contentful server. Contentful does not store any user data in the log file.
2. The legal basis for using the CMS is our legitimate interest (Article 6(1), point (f), GDPR). Contentful ensures that our Online Services are presented optimally for our users.
3. For more information on the purpose and scope of data collection and its processing by Contentful, please visit the website of the provider https://www.contentful.com and view its Data Protection Policy at https://www.contentful.com/legal/de/privacy/.
2.6 Consent Management via Usercentrics
1. We use the Usercentrics Consent Management Platform as a consent management tool as part of the analytics activities on our website. The Usercentrics Consent Management Platform collects log file and consent data using JavaScript. This JavaScript makes it possible to inform users about their consent to certain tags on our website and obtain, manage and document such consent.
2. We process the following data in that regard:
Consent data or data of consent (anonymised logbook data (Consent ID, Processor ID, Controller ID), Consent Status and Timestamp).
Device data (e.g. abbreviated IP addresses (IP v4, IP v6), device information and timestamp)
User data (e.g. email, ID, browser information, SettingIDs and Changelog)
The ConsentID (contains the above-mentioned data), the Consent status including timestamp are stored in the local memory of your browser and simultaneously on the used cloud servers. Further processing only occurs if you submit a request for information or withdraw your consent. In such a case, the corresponding information is made available to us in a compact data format in an easily readable text form for the purpose of data exchange (JSON file).
3. No user information is stored for the statistics of the use of the consent granted or not. Only the frequency and locations of clicks are stored.
4. Personal data are stored on a Google Cloud server located in the EU (Brussels and Frankfurt am Main).
5. The purpose of the data processing is the analysis and management of the consent granted to comply with our obligation of GDPR-compliant consent management. Use of Usercentrics serves the purpose of proving granted and non-granted consent as well as managing these.
6. The legal basis for the management of your consent for the processing of your personal data is Article 6(1), point (f), GDPR. Our legitimate interest lies in the legally secure documentation and verifiability of consent, the control of marketing measures on the basis of the consent granted as well as the optimisation of consent rates.
7. The data are deleted as soon as they are no longer required. The associated Cookie has a term of 60 days. The withdrawal document regarding previously granted consent is stored for a period of three years. This storage is based on the one hand on our accountability in accordance with Article 5(2), GDPR.
2.7 Google Analytics
1. On the basis of your consent, we use Google Analytics, a web analytics service of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) - hereinafter “Google”, for the analysis, optimisation and economic operation of our Online Services in accordance with Article 6(1), point (a), GDPR. Google uses Cookies and other technologies. The information generated by the service about use of the Online Services by the users is forwarded to a Google server in the USA and processed there.
2. Google acts on our behalf as part of order processing in accordance with Article 28, GDPR. We have entered into a data protection agreement with Google that contains the EU standard data protection clauses.
3. We use Google Analytics with IP anonymisation activated.
4. Google Analytics stores Cookies in your web browser for a period of two years since your last visit. These Cookies contain a randomly generated user ID by way of which you can be recognised during future website visits. Users can prevent the storage of the Cookies by way of a corresponding setting in their browser software.
5. The recorded data are stored with the randomly generated user ID, which facilitates the evaluation of pseudonymous user profiles. Such user-related data are automatically deleted after 26 months. Other data remain stored in aggregated form indefinitely.
6. Further information about data use by Google, setting and revocation options can be found on Google’s websites:
https://policies.google.com/technologies/partner-sites?hl=de (“Data use by Google when you use our partners’ websites or apps”)
https://policies.google.com/technologies/ads (“Data use for advertising purposes”)
https://adssettings.google.com/authenticated (“Manage information Google uses to display ads to you”).
2.8 YouTube
1. We use YouTube for the integration of videos. The videos have been embedded in extended data protection mode.
2. YouTube’s website uses Cookies to collect information about website users. YouTube uses them, among other things, to compile video statistics, prevent fraud and improve the user experience.
3. By using YouTube, a connection is established with the Google DoubleClick network. Starting the video may trigger further data processing. We exert no influence on this.
4. You can find more information about data protection at YouTube in the Data Protection Policy at: http://www.youtube.com/t/privacy_at_youtube
5. The processing of such information is based on your consent in accordance with Article 6(1), point (a), GDPR.
2.9 DoubleClick
1. DoubleClick by Google is a service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).
2. DoubleClick by Google uses Cookies to display advertisements that are relevant to you. In that respect, a pseudonymous identification number (ID) is assigned to your browser to check which advertisements were displayed in your browser and which advertisements were called up. The Cookies do not contain any personal information. Use of DoubleClick Cookies only enables Google and its partner websites to display ads based on previous visits to our website or other websites on the internet. Google forwards the information generated by the Cookies to a server in the USA for evaluation and storage there. Under no circumstances will Google combine your data with other data collected by Google.
3. DoubleClick is automatically reloaded once you grant your consent to the use of YouTube. You consent to the processing of data about you by Google in the manner and for the purposes set out above.
4. You can prevent the storage of the Cookies by way of a corresponding setting in your browser software. In addition, you can prevent the collection of the data generated by the Cookies and related to your use of the websites to Google as well as the processing of such data by Google by downloading and installing the browser plugin available under the following link under the item “Extension for DoubleClick deactivation.”
5. More information about DoubleClick by Google and data protection can be found here: https://policies.google.com/technologies/ads?hl=de
2.10 Google Fonts
1. To make the visit to our website attractive, we use fonts from Google, the so-called Google Fonts.
2. We have integrated the Google Fonts locally, i.e. in our web server. This means that there is no connection to Google servers and, therefore, no forwarding of your data to Google.
2.11 Hosting
1. Our website uses Microsoft Azure. The provider is Microsoft Corp., One Microsoft Way, Redmond, WA 98052-6399, USA.
2. The web server and a database of the website are operated in the Azure cloud - as is our e-mail system. The cloud server is located in the Netherlands.
3. The legal basis for use of Microsoft Azure is our legitimate interest (Article 6(1), point (f), GDPR) in efficiently hosting the systems.
3 Data processing in our physical stores
3.1 Compliance with customs and tax regulations during sales
Purpose and legal basis
Depending on the origin of the goods, the respective destination, and the country of residence, different taxes and duties apply in travel retail, for which the retailer must provide appropriate evidence to the authorities. In addition to the receipt, the required evidence includes proof of export (“Ausfuhrnachweis”) in accordance with § 4 No. 1 lit. a in conjunction with § 6 (1) No. 2 UStG (German Value Added Tax Act), §§ 8 para. 1, 9 para. 1 UStDV (German VAT Implementation Regulation) and proof of purchase (“Abnehmernachweis”) in accordance with § 6 para. 3a No. 1 UStG, § 17 UStDV, Art. 147 MwStSystRL (VAT Directive).
For the purpose of efficiently and reliably fulfilling customs and tax documentation requirements, we process your personal data within the framework of the so-called resident procedure:
1. Creation of proof of export by scanning the boarding pass
The anonymous proof of export is created by scanning the boarding pass presented and serves as proof of export of the goods sold to a third country. For this purpose, we only read the flight number and the departure and destination airports from your boarding pass and store this data as proof of export on the receipt.
2. Creation of proof of purchase
Proof of purchase is created in two steps by scanning the proof of identity (e.g., passport, identity card, identity card (Switzerland)) and a final confirmation of permanent residence (EU/non-EU) by signature. Proof of identity is only scanned if proof of identity from a non-EU country is presented and a third country has been previously identified as the destination.
When scanning the proof of identity, the first and last name of the traveler, the number of the proof of identity, and the country of issue are recorded using the machine-readable zone (MRZ) of the identity document. If this is not technically possible, we will, as an exception, make a pictorial copy of the proof of identity.
Proof of purchase is only archived if the gross purchase value exceeds the tax-law threshold of 50 €.
The legal basis for this processing is Art. 6 (1) (c) GDPR (compliance with legal obligations) in conjunction with Art. 6 (1) (f) GDPR (legitimate interest). Our legitimate interest lies in the use of scanner technology to create positive customer experience by avoiding unnecessary waiting times at the checkout because of manual data entry.
Recipients
We use IT service providers for the processing of personal data with whom we have concluded data processing agreements in accordance with Art. 28 GDPR. Upon request, the relevant evidence will be made available to the competent customs and tax authorities for inspection if there is a legal obligation to do so.
Storage period
The personal data collected for verification purposes will be securely archived for 10 years in accordance with the statutory retention periods pursuant to §147 AO in conjunction with § 14b UStG and then irretrievably deleted.
3.2 Tax Refund Service
Purpose and legal basis
The resident procedure described in section 1 only applies to gross purchases of EUR 50 or more and to items with a gross sales price of up to EUR 1,190 per item. Travelers to a third country without permanent residence in the EU have the option, on the basis of the VAT Application Decree (UStAE), to have the VAT paid refunded for items purchased from us with a gross sales price of over EUR 1,190 in certain shops at the airport.
In such cases, we offer our customers the option of processing the refund for a service fee. For this purpose, we process the personal data required for the procedure (first and last name, ID number, permanent address, signature, and, if applicable, account details) in order to issue the necessary export and customer certificates in accordance with our general terms and conditions for the tax refund service pursuant to Art. 6 (1) (b) GDPR. The traveler has the export and purchaser status confirmed by the border customs office at the airport and submits this to the retailer for the purpose of VAT refund.
Recipient
We use IT service providers for data processing with whom we have concluded data processing agreements in accordance with Art. 28 GDPR. Upon request, the relevant evidence will be made available to the competent customs and tax authorities for inspection.
Storage period
The personal data collected for verification purposes is securely archived for 10 years in accordance with the statutory retention periods pursuant to §147 AO in conjunction with § 14b UStG and then irretrievably deleted.
3.3 Payment services
Purpose and legal basis
To make your shopping experience as pleasant as possible, we offer a range of electronic payment and refund options. The legal basis for the processing of your personal data is the fulfillment of the purchase contract and the additional services used in this context in accordance with Art. 6 (1) lit. b GDPR. There is no legal or contractual obligation for you to provide your data. However, if you do not provide your data, we will not be able to offer you the corresponding service.
Recipients
We use the following service providers to process payments:
PAYONE (Lyoner Straße 9, 60528 Frankfurt am Main, Germany) for payments with Maestro, Mastercard, Visa, VPAY, JCB, and UnionPay,
EPAY (transact Elektronische Zahlungssysteme GmbH, Fraunhoferstr. 10, 82152 Martinsried, Germany) for payments with Alipay+ and WeChat Pay, and
American Express (American Express Europe S.A., Güterplatz 1, 60327 Frankfurt am Main, Germany) for payments with the Amex card.
Depending on the payment method, the IBAN or account number and bank code, expiry date and suffix of the card, as well as other transaction data (e.g. date/time of the transaction, payment amount) are processed.
Storage period
The payment service providers store and process personal data for as long as is necessary to fulfill their contractual and legal obligations. Further information on the data protection regulations of our above-mentioned service providers can be found here:
PAYONE: https://www.payone.com/DE-en/data-protection-regulations
EPAY: https://epay.de/en/support/
American Express: https://www.americanexpress.com/nl-nl/bedrijf/legaal/privacy-centrum/?inav=nl_legalfooter_privacy_centrum
3.4 Digital receipt
Purpose and legal basis
In selected stores, we offer you the option of receiving a digital receipt instead of a paper receipt. To do this, a QR code is displayed at the checkout, which you can scan with your smartphone if you wish. The QR code contains a technical transaction ID (e.g., receipt ID/token), which is used to make the receipt available online for a one-time digital retrieval.
You can then download the receipt as a PDF, have it sent to your email address, or save it in a supported app using App Bridge. In the latter case, the data protection information of the respective app provider also applies.
For the purpose of providing the digital receipt, we process server log files (including the transaction ID). If you request the receipt by email, your email address will also be processed.
The legal basis for processing is our legitimate interest pursuant to Art. 6 (1) (f) GDPR. Our legitimate interest is to provide you with a modern, convenient, and resource-saving alternative to paper receipts. If you do not want this processing, you can of course receive a paper receipt.
Recipients
We use IT service providers for data processing with whom we have concluded data processing agreements in accordance with Art. 28 GDPR.
Storage
The log files are stored for a maximum of 7 days and then deleted. If you have also provided an email address for shipping, it will be automatically deleted after delivery.
3.5 Video
Purpose and legal basis
Our brick-and-mortar stores are monitored by video surveillance. We process video data for the following purposes:
a) To enforce house rules, to prevent and investigate criminal offenses, and to protect people and property
b) Anonymized customer flow analysis in selected stores
The legal basis is Article 6(1)(f) GDPR (balancing of interests). Our legitimate interest lies in asserting, exercising, or defending legal claims for the purposes mentioned under a) and in optimizing our offer based on anonymized customer flow analysis (b)).
Recipients
For processing, we use service providers with whom we have concluded a data processing agreement in accordance with Art. 28 GDPR. The video recordings are forwarded to the competent law enforcement authorities on a case-by-case basis.
Storage
The video recordings are deleted 10 days after recording. A longer storage period only applies if this is necessary to enforce legal claims or to prosecute criminal offenses in specific individual cases. No personal data is stored for customer flow analysis. In the case of anonymized customer flow analysis, personal information (e.g., faces) is immediately masked before further processing, so that no personal information is stored for this purpose.
4 Application Process
For better readability, the following explanations do not use masculine, feminine and other forms of language side by side. All personal designations apply to all genders: m/f/d.
4.1 Job Portal
1. We use our Group’s job portal to receive and manage applications and thus for the purpose of (potentially) establishing an employment relationship. The portal is operated by Heinemann SE & Co. KG (Koreastraße 3, D-20457 Hamburg, Germany).
2. You can find the operator’s Data Protection Policy here: https://www.gebr-heinemann.de/heu/de/privacy. We draw attention to the fact that - despite the use of the platform itself - we remain responsible for the processing operations.
3. Insofar as you apply to us via the job portal, the operator of the job portal collects your application data on our behalf.
4. We can then access an internal area of the job portal and view your application data. We then also have the following options: Making notes that are linked to your application data; internal company communication about your application (if applicable, with the specialist departments concerned); documentation of the decision about the further processing of the application, invitation to one or more job interviews, invitation to one or more trial workdays, forwarding of an employment contract certificate, creation of a rejection and up to and including the implementation of onboarding measures.
4.2 Direct Applications
1. We give you the option of filing an application with us (e.g. by e-mail, post or via the Job Portal). Below are details about the scope, purpose and use of your personal data collected as part of the application process. We assure that the recording, processing and use of your data comply with the valid data protection law and all additional statutory provisions and that your data are treated in absolute confidence.
2. Scope and purpose of the data collection: When you send us an application, we process your associated personal data (e.g. contact and communication data, application documents and notes taken during interviews etc.) to the extent that this is necessary to decide whether or not to establish an employment relationship. The legal basis in this respect is Section 26 BDSG (German Data Protection Act), (initiating an employment relationship), Article 6(1), point (b), GDPR (General contractual initiation) and, provided you have granted consent, Article 6(1), point (a), GDPR. The consent may be withdrawn at any time. Your personal data shall be forwarded within our company exclusively to persons who are involved in processing your application.
3. Provided the application is successful, the data you have submitted shall be stored in our data processing systems on the basis of Section 26, BDSG, and Section 6(1), point (b), GDPR, for the purpose of implementing the employment relationship.
4. Data storage period: Where we do not make an offer to you, you reject the offer or withdraw your application, we reserve the right to store at our company the data forwarded by you based on our justified interests (Article 6(1), point (f), GDPR) for up to 6 months from the end of the application procedure (rejection or withdrawal of the application). The data shall subsequently be deleted and the physical application documents shall be destroyed. The storage is aimed, in particular, at purposes involving furnishing proof in the event of a legal dispute. Where it is evident that the data will be required following expiry of the 6-month storage period (e.g. as a result of a threatened or pending legal dispute), the data shall only be deleted if they have become irrelevant in respect of continued storage. In addition, storage may also occur for a longer period if you have granted corresponding consent (Article 6(1), point (a), GDPR) or if statutory storage periods conflict with the deletion.
4.3 Incorporation in the Applicant Pool
1. Insofar as we do not make you a job offer, it may be possible to include you in our applicant pool. In the event of inclusion, all documents and details from the application shall be forwarded to the applicant pool to contact you in the event of suitable vacancies.
2. Inclusion in the applicant pool is based exclusively on your express consent (Article 6(1), point (a), GDPR). Granting consent is voluntary and is not related to the current application process. The data subject may withdraw his/her consent at any time. In such a case, the data shall be irrevocably erased from the applicant pool unless legal reasons for the storage apply.
3. The data from the applicant pool shall be irrevocably erased no later than two years after consent has been granted.
5 Cookie Policy
5.1 General Information
1. Cookies are pieces of information that are forwarded from our web server or third-party web servers to the users’ web browsers and stored there for subsequent retrieval. Cookies may be small files or other types of information storage.
2. If users do not want Cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored Cookies can be deleted in the system settings of the browser. The exclusion of Cookies can lead to functional restrictions of these Online Services.
5.2 Cookie Overview
_gid
Provider: Google
Purpose: registers a unique ID that is used to generate statistical data about how a visitor uses the website.
Term: 1 day
_ga
Provider: Google
Purpose: registers a unique ID that is used to generate statistical data about how a visitor uses the website.
Term: 1 Month
_gat_#
Provider: Google
Purpose: Used by Google Analytics to limit the request rate.
Term: Browser session
Access:
Provider: Gebr. Heinemann
Purpose: Used to manage the browser session.
Term: Session duration
5.3 Objection Options
Once you have granted your consent, you can object at any time to the use of Cookies for range measurement and advertising purposes via Click here to open.
6 Social Media
Purpose and legal basis
As joint controllers within the meaning of Art. 26 GDPR, we operate the Instagram channels together with the platform provider Meta Platforms Ireland Limited ("Meta").
The joint responsibility applies exclusively to the processing of insights data (page statistics) that Meta provides us with for the purpose of evaluating the use of the channels. The distribution of responsibilities is set out in the "Page Insights Controller Addendum," available at: https://www.facebook.com/legal/terms/page_controller_addendum
As the operator of the social media platform, Meta is solely responsible for platform-specific processing (processing of log and tracking data). Requests regarding the processing of personal data for page insights should therefore be directed primarily to Meta. Detailed information on data protection is provided by the platform operator at the following link: https://www.instagram.com/legal/privacy/
As the operator of the social media channels, Frankfurt Airport Retail processes the personal data that you actively provide to us via our Instagram channel (e.g., content of messages, comments, likes) for the purpose of presenting and promoting the company and its services, as well as for communicating with customers, interested parties, and applicants.
The legal basis for the processing of your personal data is Art. 6 (1) lit. f GDPR (legitimate interest). Our legitimate interest lies in the external presentation of our company and direct communication with users. Use of Instagram is voluntary.
Recipients
We may use IT service providers with whom we have concluded data processing agreements in accordance with Art. 28 GDPR to manage our social media presence. We have no influence on data processing by Meta. Meta may also transfer personal data to third countries, in particular the USA. Meta is certified under the EU-US Data Privacy Framework (DPF).
Storage period
We delete content that you send us directly via Instagram (e.g., messages) after processing or as soon as the purpose no longer applies. Publicly visible interactions (comments, likes) remain until you remove them yourself or ask us to delete them. Meta's deletion periods are subject to the platform operator's guidelines.
Status January 2026