Below we provide you with an overview of what data we collect for what purpose and how we ensure the protection of personal data on our website.
I. What is Personal Data?
II. Who is the Controller of my Data? How is my data processed?
The controller (“we”, “us”, “our” or “Lilium”) is
Claude-Dornier Str. 1, Geb. 335, 82234 Wessling, registered with the commercial register of the local court (Amtsgericht) Munich under HRB 216921, represented by the CEO Daniel Wiegand.
phone: +49 (0)151 25388676
We have appointed a data protection officer. Our data protection officer can be reached via
Data Protection Officer
Claude-Dornier Str. 1, Geb. 335, 82234 Wessling, registered with the commercial register of the local court (Amtsgericht) Munich under HRB 216921, represented by the CEO Daniel Wiegand.
We offer services on our website www.lilium.com (the “Website”) as well as related and further business services (jointly, the “Service”). Your personal data collected and processed by Lilium might be used for the following purposes:
- to provide the functioning of Service,
- to identify and analyze your use of our Service and improve it with our legitimate interests of marketing and fraud prevention,
- to communicate with you, including via email (for example, for our newsletter or contact form),
- to conduct research and analytics on our user base and our Services,
- to prevent, investigate, or provide notice of fraud or unlawful or criminal activity,
- to comply with legal obligations, or
- as otherwise explained in our applicable Policies or by any communication by us.
III. How is my Data processed when visiting the Website, signing up for the newsletter and when you contact us?
Visiting the Website
If you browse our Website we collect and store information automatically in so-called “server-log-files” that your browser transfers to us. These are:
type/version of the browser, system software used, referrer URL, hostname of the device, time of the server request, IP-address or other unique device identifier
If you are using a mobile device the following data are collected additionally through the Website:
country code, language, hostname of the device, name and version of the operational system
We use this data only for statistical analysis for the purpose of operation, security, and optimization of our Website. However, we reserve the right to check this data retrospectively if there is a justified suspicion of illegal use based on concrete indications. This data is then stored because this is the only way to prevent the misuse of our Website and, if necessary, allow us to investigate any illegal activity committed. The storage of this data is necessary in order to protect us as the person responsible for processing the data. As a matter of principle, this data will not be passed on to third parties unless there is a legal obligation to pass it on or the transfer of data serves criminal prosecution purposes.
This data processing is based on Art. 6 (1) f. GDPR as we wish to achieve the legitimate interests of stabilizing and improving our Website, quality insurance, and fraud prevention.
We store such data for a maximum period of 7 days.
With the newsletter we inform the user about the Website, our Service and us.
When registering for the newsletter, you must provide an email address. This email address will be transmitted to and stored by us (or a provider as specified below), based on your consent Art. 6 (1) a GDPR.
Where required by law, following the registration, you will receive an email to confirm the registration (known as the “double opt-in”). By clicking the registration link you confirm that you have given your consent to the processing of your personal data for receiving our newsletter. In case of your registration for the newsletter, we (or our provider as specified below) also store your IP address, the device name, the mail provider as well as the name and the date of registration. The purpose of the procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data.
To receive our newsletter, you are only required to provide your e-mail address. After your confirmation (where required by applicable law), we store your e-mail address solely for providing you with the newsletter. The legal basis for the processing of your personal data for sending the newsletter is your consent, see Art. 6 (1) a. GDPR.
You can withdraw your consent to the processing of your personal data and for the sending of the newsletter at any time by sending an email to email@example.com or firstname.lastname@example.org or, if applicable, by sending an email to the newsletter provider, who is identified below. This can be done free of charge or without lowering service levels on our Website. Note that unsubscribing from our newsletter will not prevent you from receiving services-related email communications when using our services (e.g., account verification, confirmations of transactions, technical or legal notices).
We may track your user behavior as further described in the description of the provider specified in the following.
Use of Mailchimp; Transfer of Data outside the EU
The mail provider “Mailchimp” by Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA receives and processes on our behalf the data necessary for the newsletter, in particular email address, IP address, device name. This data is processed on servers in the USA. We entered into a so-called Data Processing Agreement (“DPA”) to comply with the requirements under Art. 28 GDPR with MailChimp that defines roles and responsibilities of us as the controller and data exporter and MailChimp as the processor and data importer with regards to the respective data processing. As part of the DPA, MailChimp agrees to abide by and process personal data that is subject to GDPR in compliance with the Standard Contractual Clauses for processors approved by the European Commission (“SCC”), which are incorporated by reference and form an integral part of the DPA.
Mailchimp is a service with which the dispatch of newsletters can be organized and analyzed. With the help of Mailchimp we can analyze our newsletter campaigns. When you open an e-mail sent with Mailchimp, a file contained in the e-mail (so-called web beacon) connects to the Mailchimp servers in the USA. This allows us to determine whether a newsletter message has been opened and which links have been clicked on.
If you do not want Mailchimp to analyze your data, you must unsubscribe from the newsletter. For this purpose, we provide a respective link in every newsletter. The data stored for the purpose of newsletter subscription will be stored by us and MailChimp until you unsubscribe from the newsletter and will be deleted from our servers as well as from the servers of MailChimp after you unsubscribe from the newsletter. Data stored by us for other purposes remain unaffected.
When contacting us via email or phone, your details are stored for the purpose of processing the enquiry and, if applicable, follow-up questions are processed based on your consent (where required by applicable law), according to the legal basis of Art. 6 (1) a. GDPR, based on a pre-contractual or existing contractual relationship according to the legal basis of Art. 6 (1) b. GDPR, or based on our legitimate interests according to the legal basis of Art. 6 (1) f. GDPR.
IV. What Third Party Services, Cookies, Analytics and Links to Social Networks does the Website use?
How to withdraw my consent: You can withdraw your consent by deactivating the use of individual or all Cookies in the settings of your browser at any time. To find out how to change the settings, please consult the help function of your browser. You may also deactivate and manage a lot of online Cookies by different businesses on the US-website http://www.aboutads.info/choices/ or the EU-website http://www.youronlinechoices.com/uk/your-ad-choices/. However, we want to point out that without Cookies the use and comfort of use of our Website may be restricted.
Third Party Services
We use the YouTube service provided by Google LLC, D/B/A YouTube, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube: email@example.com, website: http://www.google.com/ . If you are located in the EU, please note that the processing also takes place in a third country for which there is no adequacy decision by the Commission. Therefore, the level of protection customary for the GDPR cannot be guaranteed during transmission, as it cannot be ruled out that in third countries e.g., authorities can access the data collected.
The legal basis for the transmission of personal data is your consent in accordance with Art. 6 (1) a. GDPR, which you have given on our website.
Videos from the YouTube platform are integrated into our website via the YouTube service. You can revoke your consent at any time. You can find more detailed information on withdrawing your consent either with the consent itself or at the end of this data protection declaration.
Further information on the handling of the transferred data can be found in the provider's data protection declaration at https://policies.google.com/privacy.
Links to Social Networks
V. Is my Data transferred or disclosed to Third Parties?
We will transfer your personal data to a third party only within the scope of legal provisions, i.e. if we are obliged to transfer the data due to a government or court order, or, if applicable, legal provisions authorize the transfer acc. to Art 6 (1) c GDPR, or if you give your explicit consent (where required by applicable law) acc. to Art. 6 (1) a GDPR. This might, in particular, include the transfers as described in the following.
Transfer to our Subsidiaries
We might transfer personal data you have provided to us on our Website, such as e-mail and country, to our subsidiaries for their own business purposes, including sales and marketing activities (e.g., direct marketing or invitations to events).
Transfer based on legal obligations or for the protection of legitimate interests
To the extent we are obliged to do so by law, court order, or by an enforceable official order, or if we consider it necessary due to our own legitimate interests, for example in connection with the commission of criminal offences, we will transmit your personal data to authorities entitled to receive information. The legal basis is Art. 6 (1) c GDPR.
If you have given us a separate consent to use and transfer your personal data, your personal data may be passed on to the recipients named therein. As part of the provision of third-party services on our Website, personal data may be passed on to third parties, for example, vendors helping us with the collection and distribution of informational materials for investors or investor candidates. In addition, no personal data will be transferred on to third parties unless, in individual cases, there is either a specific legal obligation requiring us to do so or if there is a specific legal justification for the transfer, and your interests or fundamental rights and freedoms do not prevail.
For jurisdictions outside the EU, any transfer of your personal data (including transfers to companies affiliated to us) shall be made in compliance with and, if applicable, on the relevant legal bases as set out in the data protection laws of your jurisdiction.
For any inquiries and additional questions about processing personal data please contact firstname.lastname@example.org.
VII. EU-Specific Disclosures
The following disclosures (“EU Privacy Disclosures”) apply to our processing of personal data in connection with our EU services or individuals located in the EU.
A. Is my Data transferred outside the EU?
If you are located in the EU, note that for some Services, we may transfer your personal data (including transfers to companies affiliated to us) to countries outside the EU-jurisdiction where we collected your personal data (so-called third countries).
In the course of a transfer of personal data to a third country, we will regularly provide appropriate guarantees to maintain an appropriate level of Data Protection, for example, by concluding the Standard Contractual Clauses issued by the European Commission (“SCC”) to ensure that the transfer of data takes place with the same level of data protection that corresponds to the GDPR, or in accordance with the data protection laws of your jurisdiction. In compliance with these requirements, we transmit data to service providers who assist us in the performance of our contractual obligations or our services and who are bound by our instructions in the context of a data processing relationship. If not publicly available, we grant you a copy of the respective appropriate guarantees or provide further information where they have been made available.
B. Use of Services on the Website that process Data outside the EU
When visiting the Website, data may be transferred to countries outside the EU where the services by Google (see Google Analytics) as well as other social networks operate. The U.S. companies providing the services e.g., Facebook, Instagram, Google, YouTube, Vimeo, Twitter and LinkedIn comply with data protection standards applicable in the European Union by agreeing to abide by and process personal data subject to GDPR in compliance with the SCC that are incorporated by reference and form an integral part of the respective data processing agreements.
C. Further Third-Party Providers that process data outside the EU
Data is transferred outside the European Union due to the integration of cloud and hosting services who work on our behalf and assist us in carrying out our business activities.
We use the service by Amazon Web Services, Inc., 410 Terry Avenue North Seattle WA 98109, USA (“AWS”) for the purpose of hosting your personal data provided through the Website, whereas personal data might be processed in the USA. AWS complies with data protection standards applicable in the European Union by agreeing to abide by and process personal data subject to GDPR in compliance with SCC that are incorporated by reference and form an integral part of the DPA. Notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply if AWS has adopted Binding Corporate Rules for Processors or an alternative recognized compliance standard for the lawful transfer of personal data (as defined in the GDPR) outside the European Economic Area. For further information please refer to https://aws.amazon.com/compliance/eu-data-protection/ and https://aws.amazon.com/compliance/germany-data-protection/
For sending emails and newsletters we use the services by Mailchimp. For more details please refer to "Use of Mailchimp; Transfer of Data outside the EU" listed in Section III. above. On a case-by-case basis, we may also use other vendors for the collection and distribution of materials, in particular, but not limited to, materials for investors or potential investors.
For more information please contact email@example.com.
D. Does automated processing, including “Profiling”, take place?
In general, we do not process any personal data via automated processing including “profiling” when making contact via the Website or Service. However, such profiling may happen by third party providers through the further use of the Website or Service. We will inform you about such fact if possible.
Profiling means any automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to the performance of work, economic situation, health, personal preferences, interests, reliability, behavior, location or relocation of that natural person. Examples of such profiling include the analysis of data (e.g., based on statistical methods) with the aim of displaying personalized advertising or giving shopping tips. The data subject shall not be subject to a decision based exclusively on automated processing, including profiling, which has legal effect against him or her or significantly affects him or her in a similar manner. This shall not apply where the decision (i) is necessary for the conclusion or performance of a contract between the data subject and the data controller, (ii) is admissible under the laws of the European Union or its member states to which the data controller is subject and where such laws contain appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject or (iii) is taken with the data subject’s express consent. In such exceptional cases, the person responsible shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain the intervention of a person by the data subject, to state his own position and to challenge the decision.
E. Your Rights
In accordance with the GDPR, you have the following rights in respect of your personal information that we hold:
- According to Art. 15 GDPR, you have the right to obtain confirmation from us as to whether or not personal data concerning you is being processed by us. Where that is the case, you have a right to access the personal data and obtain further information.
- According to Art. 16 GDPR, you may have the right to obtain the rectification of inaccurate personal data concerning you without undue delay.
- According to Art. 17 GDPR, you may have the right to obtain erasure of personal data concerning you if (i) it is no longer necessary in relation to the purpose for which it is collected, (ii) you have withdrawn your consent on which the processing is based, (iii) you have objected to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 (2) GDPR, (iv) your personal data has been unlawfully processed, (v) the personal data has to be erased for compliance with a legal obligation to which Lilium is subject, or (vi) the personal data has been collected in relation to the offer of information society services pursuant to Art. 8 (1) GDPR.
- According to Art. 18 GDPR, you may have the right to obtain the restriction of processing. Such right shall exist if (i) you contested the accuracy of the personal data, (ii) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead, (iii) the personal data is no longer needed for the purposes of the processing, but it is required by you for the establishment, exercise or defense of legal claims, or (iv) you have objected to processing pursuant to Art. 21(1) GDPR pending the verification of whether our grounds legitimately override yours.
- According to Art. 19 GDPR, you have the right to obtain information about the recipients of data to whom the rectification, erasure, or restriction of processing has been communicated.
- According to Art. 20 GDPR, you have the right to obtain personal data concerning you in a structured, commonly used and machine-readable format and to transmit the data to another controller. Insofar as this is technically feasible, you can request that we transfer the data directly to another data controller.
- You also have the right, without prejudice to any other administrative or judicial remedy, to object to the processing of your data or a decision taken by us in respect of any of the rights you have exercised and to complain to a supervisory authority, in particular in the European Union member state of your usual residence, place of work or place of the alleged infringement. An overview of the Data Protection Authorities may be found here: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html or http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080
To exercise your rights under this Section VII E., you can contact us without any formality by post or e-mail at the points of contact listed in Section II.
RIGHT TO OBJECT PURSUANT TO ART. 21 GDPR
OBJECTION ON GROUNDS OF YOUR PARTICULAR SITUATION
ACCORDING TO ARTICLE 21 (1) GDPR, YOU HAVE THE RIGHT TO OBJECT, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, AT ANY TIME, TO PROCESSING OF PERSONAL DATA CONCERNING YOU, WHICH IS BASED ON OUR LEGITIMATE INTERESTS, INCLUDING PROFILING. WE SHALL NO LONGER PROCESS THE PERSONAL DATA UNLESS WE DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE THE INTERESTS, RIGHTS, AND FREEDOMS OF YOU, OR FOR THE ESTABLISHMENT, EXERCISE, OR DEFENSE OF LEGAL CLAIMS.
OBJECTION AGAINST DIRECT MARKETING
ACCORDING TO ARTICLE 21 (2) GDPR, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO PROCESSING OF PERSONAL DATA CONCERNING YOU FOR PURPOSES OF DIRECT MARKETING, WHICH INCLUDES PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT TO THE PROCESSING FOR DIRECT MARKETING PURPOSES, YOUR PERSONAL DATA WILL NO LONGER BE PROCESSED FOR SUCH PURPOSES.
YOU CAN SEND YOUR OBJECTION INFORMALLY BY POST OR E-MAIL ADDRESSED TO AT THE POINTS OF CONTACT LISTED IN SECTION II.
F. Duration of data processing and Deletion Periods
Criteria for the storage period include whether the data is still up to date, whether the contractual relationship with us still exists, whether an inquiry has already been processed, whether a process has been completed or not, and whether legal retention periods for the personal data concerned are relevant or not.
As a rule, we only store your personal data for as long as it is necessary for the execution of the contract or the respective purpose and limit the storage period to a necessary minimum.
In the case of long-term contractual relationships, these storage periods may vary, but are generally limited to the duration of the contractual relationship or, with regard to the inventory data, to the maximum legal retention periods (e.g. in accordance with the German Commercial Code (Handelsgesetzbuch, HGB) and the Tax Code (Abgabenordnung, AO)).
G. Data Security
We have installed technical and organizational measures in order to safeguard our Website and/or Service against loss, destruction, access, changes, or the distribution of your data by unauthorized persons.
The Website is operated through a safe SSL-connection. If an SSL-connection is activated third parties are prevented from reading any data that are transferred by you to us.
Unless otherwise indicated, we will store your data on servers, which are located within the European Union.