Interview with Barbara Kirchberg-Lennartz, Lufthansa, about the right to information under the GDPR

Interview with Barbara Kirchberg-Lennartz, Lufthansa, about the right to information under the GDPR

Author: Gerhard Walter, Editor, Solutions by HANDELSBLATT MEDIA GROUP GMBH


  • the most important changes to order data processing requirements under the GDPR
  • challenges when implementing the right to information under the GDPR
  • measures taken by Deutsche Lufthansa AG to fulfil customers’ right to information

What are the most important changes to order data processing requirements under the GDPR?

As I see it, there were no major changes between BDSG and GDPR requirements for order data processing itself, apart from statutory joint and several liability. The GDPR offers the additional possibility of joint responsibility in accordance with Art. 26. That means you must always consider carefully whether joint control might exist, particularly when personal data are being processed in a distributed way within the group. In practice, requirements for agreement between technical and organisational measures have increased because Article 32 formulates the requirements in a very abstract way.

There are several tools that promise to provide information almost at the push of a button. How does that work in practice, and how can such tools actually help?

These tools can be useful when requests for information are very standardized and the personal data being processed is not too complex, or subject to frequent changes. They’re particularly useful when as part of an initial inquiry, you have the opportunity give the data subject structural information about why key data is being processed. On that basis, the data subject can then decide whether or not to make a more precise request in order to receive more detailed information. This is useful when you’re providing information to employees, for example. In the first step, you can provide master data information explaining the different and manifold ways in which employee data is processed. Then if the data subject makes a more precise request for information, that information can be provided. This second information step usually excludes automated processing because of the sheer number of requests possible.

Why has implementation of the right to information according to GDPR been failing until now?

Failure to implement the right to information is not an option, and in most cases it doesn’t happen. What does cause difficulties repeatedly is the question of how much scope and detail the information provided has to contain. This is particularly true when a person requests information for a specific reason. For example, they could be involved in a legal dispute with the person responsible, and are hoping to gain information that will prove beneficial. So far, court rulings on this have been inconsistent. So no clear criteria can be derived from case law as yet.

Article 15 formulates a right that, assuming it can be met at all in practice, doesn’t necessarily mean the person concerned will understand all aspects of why their data is being processed. For that, they would need to understand the business processes of the company involved in depth. The BDSG contains a number of exceptions whose examination and application involve additional complexity. From what point on do trade secrets restrict the right to information under Section 29 Paragraph 1 Sentence 2 BDSG? Or the possible restrictions under Sections 33 and 34, which permit certain reductions in obligations to provide or disclose information. What’s needed here are clear guidelines, for example from the EDSA and the DSK. That would help us reach an interpretation of the right to information that is both GDPR-compliant and practical.


What measures does Deutsche Lufthansa AG take to meet customers’ right to information?

Easy-to-find contact information for exercising your rights as a data subject; a central inbox; a structured process for compiling all the necessary information; the principle of First and Second Information.

Data protection processes must ensure that the scope of information is always adapted to the actual processing situation. From documentation in the processing directory to amending data processing information for those concerned, expanding the information process and adapting information content, you need seamless processes that will safeguard your ability to provide information, and also fulfil all other data subject rights.

Do you use the German government’s corona app?
Yes, wholeheartedly! It was designed in line with the ’Data Protection by Design’ principle, and is a good example of how that can succeed. I’ve also recommended using the government app within Lufthansa so as many employees as possible will opt to use it. Tools like this can help to contain the pandemic. Now we’re learning how to use it, and developers are gaining insights for future improvements.

Since the beginning of 2008, Dr Barbara Kirchberg-Lennartz has been responsible for data protection in the Lufthansa Group and is Data Protection Officer for a total of 35 group companies. After gaining her doctorate in business administration, she chose to start her career at Deutsche Lufthansa AG. Her career development in the Lufthansa Group has involved internal auditing, controlling, IT sales, production and consulting, and HR management. In senior staff, project and management roles, she has gained knowledge and experience in both the aviation and IT sectors.