Welcome to HAM Data Protection Statement for users of the Star Alliance Biometric Hub

Data Protection Statement for users of the Star Alliance Biometric Hub

Date of issue: February 2022

The protection of your privacy is an important concern for the Hamburg Airport Group. We, Flughafen Hamburg GmbH as a company within the Hamburg Airport Group, want you to know what data we store, when we store that data, and how we use that data.

In this document, we inform you about how we collect, process and personal data relating to you as a user of the Star Alliance Biometric Hub (hereinafter “SBH”) within the context of biometric boarding pass checks at Hamburg Airport.

1.       General; Definitions of Terminology

Our Data Protection Statement makes use of terminology used in the General Data Protection Regulation (GDPR).

2.       Responsibility and Contact

The SBH is a product of Star Alliance GmbH, Frankfurt Airport Center 1, 5th Floor, 60546 Frankfurt/Main (hereinafter “Star Alliance”). It facilitates non-contact biometric identification (facial recognition) of passengers at the airport. Various data processing activities are necessary for biometric services, with different Controllers involved.

Flughafen Hamburg GmbH (hereinafter “Hamburg Airport”, “we”, “us”), contactable at

Flughafenstrasse 1-3
D-22335 Hamburg
Tel.: +49 40 5075 2161

supports Star Alliance in the provision of biometric services as Controller for the processing of personal data at the following access points within Hamburg Airport’s area of responsibility: Security checkpoints (“Airside Access (Security)”).

With this Data Protection Statement, we fulfil our information obligations arising from GDPR Articles 12 - 14, relating to the scope and purpose of the processing of personal data.

If you wish to view or update or your personal data or have questions about data protection with relation to biometric access control, you may contact us at any time by sending an email to datenschutz@ham.airport.de or by post at the address above.

You may also reach our data protection officer by email using the address datenschutz@ham.airport.de or by post using the postal address above, with the added address line “z. Hd. Datenschutzbeauftragter” after the company name.

This Data Protection Statement relates exclusively to the data processing activities within the area of responsibility of Hamburg Airport, specifically to data processing at selected “Airside Access (Security)” points clearly identified as biometric checkpoints.

Subsequent data processing associated with biometric matching is within the area of responsbility of Star Alliance. Registration for the use of SBH and the use of the associated Star Alliance Navigator app are subject to the Data Protection Statement of Star Alliance, available online at: Privacy Policy - Star Alliance

Data processing activities at other security checkpoints, e.g. at the boarding pass checkpoint in the Departures area, is within the responsibility of the respective airline and of Star Alliance.

3.       Processing your personal data

With regard to the following data processing activities, within the area of responsibility of Hamburg Airport, you may enforce your rights with regard to Hamburg Airport as an affected person (see Point 6) at any time.

3.1.    Collection of personal data from usage of biometric boarding pass checks

3.1.1. Collection of personal data from registered SBH users

Insofar as you are a registered member of the Miles & More frequent flyer programme of Austrian, Lufthansa, and SWISS, have registered for SBH, and make use of non-contact passenger identification systems at selected checkpoints at Hamburg Airport, we collect a short video sequence of your face, using so-called touchpoint cameras, as soon as you enter the recognition zone. A photograph is then automatically extracted from the video sequence, to be sent to Star Alliance and used to identify you.

This processing is necessary to facilitate the use of biometric identification services for Airside Access (Security) and/or at the boarding gate, i.e. for the biometric matching by Star Alliance of the generated photograph with your biometic profile as stored by Star Alliance. Hamburg Airport has no access to your biometric profile data stored by Star Alliance. After biometric matching and your identification by Star Alliance, we, and specifically the checkpoint operated under our auspices, receive only the necessary boarding pass information (flight date, flight number, departure port, SENQNUMMER, frequent flyer status) and thereby information about your access entitlement. The data thus transferred to Hamburg Airport is the same information which Hamburg Airport would receive if the boarding pass check was conducted using boarding pass scanners.

The legal basis for this data processing is the consented granted when you registered for SBH in order to be able to be identified using the Star Alliance biometric identification service at Hamburg Airport (GDPR Art. 9 No. 2a and Art. 6, No. 1a). You may also view the text of the grant of consent after having granted consent within the Star Alliance app.

You may withdraw your consent at any time within the profile management features of the Star Alliance Navigator app. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

3.1.2. Collection of personal data from non-registered SBH users

Please note: Insofar as you have not granted consent or have withdrawn consent, you are neither permitted nor able to (successfully) use the biometric identification service. Alternatives means of passing the security checkpoint and boarding gates are available to you, in particular the scanning of your boarding pass. You are neither contractually nor legally required to make use of the biometric identification service.

If, contrary to the express notice at each access point, you attempt to use the biometric identification service for identification at Hamburg Airport without being registered for SBH or without having granted consent to data processing, a video sequence/photograph of you will be taken and transmitted to Star Alliance for biometric matching as soon as you enter the recognition zone. The identification will, however, fail and the process will terminate with an error message.

The legal basis for data processing is our legitimate interest in the provision of non-contact boarding pass checks to optimise process flow (GDPR Art. 6, No. 1f). If you do not wish for a video sequence/photograph of you to be taken and transmitted to Star Alliance, do not enter the SBH boarding pass check recognition zone; instead, use an alternative checkpoint. Beyond this, you may object to the processing of your data at any time, pursuant to GDPR Art. 21 (see also Point 6).

3.2.  Period of data storage

Your personal data, collected at the access points for the respective checkpoints, is deleted as soon as the identification process is complete and/or your personal data has been transmitted.

4.       Transmission of data to external service providers

In addition to transmitting your personal data to Star Alliance (see also Point 3.1.1.), we also need to transmit your data to third parties, in strict compliance with applicable data protection law. It is for example possible that external service providers (especially IT service providers) gain access to personal data in order to provide technical support for the biometric checkpoints.

In this case, your personal data is only handled in accordance with our express instructions and on the basis of an agreement for order processing pursuant to GDPR Art. 28. In this agreement, the service provider guarantees providing service in accordance with applicable data protection law The legislative framework expressly identifies the use of appropriate professional service providers as necessary for our legitimate interest in providing our services to you professionally and economically (Lawfulness of Processing, GDPR Art. 6, No. 1f). In such cases, we remain responsible for the protection of your data.

In this context, we transmit your data with the following service provider:

  • Airsphere GmbH, Am Technologiepark 8, 82229 Seefeld, Tel.: +49 8152 983 7800, Email: info@airsphere.de

5.       Location of data processing and data security

The processing of your personal data during biometric boarding pass checks within the area of responsibility of Hamburg Airport takes place exclusively within Germany and/or the European Union. So as to protect your data from unauthorised access and misuse, we have implemented comprehensive technical and organisational measures in accordance with current technology and the requirements of European data protection law (GDPR Art. 32); furthermore, for the same purpose, we have put an agreement in place where order processing is necessary, pursuant to GDPR Art. 28.

6.       Rights of data subjects

As a data subject, you have the following rights:

  • Right of Access, GDPR Art. 15
  • Right to Rectification, GDPR Art. 16
  • Right to Erasure (“Right to be forgotten”), GDPR Art. 17
  • Right to Restriction of Processing, GDPR Art. 18
  • Right to Data Portability, GDPR Art. 20
  • Right to Object, GDPR Art. 21

There is no prescribed form to be adhered to in the enforcement of your rights as a data subject. You can, for example, send an email to datenschutz@ham.airport.de or make use of the contact options on our website. We hereby inform you that, in order to fulfil your request, we will process the personal data collected as part of your data protection enquiry in accordancew ith GDPR Art. 6, No. 1f for documentation and discharge purposes, deleting such data after 3 years.

Furthermore, you are entitled to lodge a complaint with a supervisory authority (GDPR Art. 77).

Important note:

We wish to point out once again that we only record a short video sequence within the context of the biometric identification process, transmitting a photograph extracted from this sequence to Star Alliance, and that we delete these from our systems immediately after the identification process has been completed by Star Alliance. The enforcement of the rights listed above is, as a rule, unnecessary as we neither process nor store your personal data after completion of the biometric matching and/or determination that you are not a registered participant in Star Alliance’s biometric process.

7.       Updates and changes

We may change or update parts of this Data Protection Statement without notifying you in advance. Please always consult the Data Protection Statement before using our services so that you are aware of any changes or amendments.