Website Privacy Notice

 

Below we provide you with an overview of which Personal Data we collect for what purpose and how we ensure the protection of Personal Data on our Website and/or Services (as defined below). Please read this Privacy Notice before continuing to use our Website and/or Services.

For specific information on data protection, you can also refer to:

Recruitment
For information on processing your Personal Data through our careers section on the Website and recruiting purposes, please refer to our Recruitment Privacy Notice.

Social Media
For details on processing of your Personal Data on our social media pages, please refer to our Social Media Privacy Notice.

Cookie Notice
For details on processing of your Personal Data by the use of tracking technology including cookies and analytics, please refer to our Cookie Notice.

(collectively, the “Privacy Notices”).

Website Privacy Notice

I. What is Personal Data

II. Applicable Data Protection Laws

III. Who is the Data Controller of my Personal Data? How is my Personal Data processed?

IV. For which purposes is Personal Data processed via the Website?

V. Origin of Personal Data

VI. How is Personal Data processed?

VII. What Third Party Services, Cookies, and Links to Social Networks does the Website use?

VIII. Is my Personal Data transferred or disclosed to Third Parties?

IX. Children’s Privacy

X. Access and Changes to this Privacy Notice

XI. Contact

XII. EU-Specific Disclosure

A. Is my Personal Data transferred outside the EU?
B. Use of Services on the Website that process Personal Data outside the European Union
C. Further Third-Party Providers that process Personal Data outside the European Union
D. Does automated processing, including “Profiling”, take place?
E. What are my Rights?
F. Duration of Personal Data Processing and Deletion Periods
G. Data Security

I. What is Personal Data?

Personal Data is any information relating to an identified or identifiable natural person. Personal Data includes, e.g., name, email address or telephone number, and information about hobbies, memberships or websites viewed. Personal Data may also include identifiers such as an identification number, location data, or online identifiers such as the IP address or other unique device identifiers.

The definition and which categories of data are considered Personal Data may differ depending on the applicable data protection law.
 

II. Applicable Data Protection Laws

If you are located in the European Economic Area (the “EEA” or “EU”), the applicable legal basis for processing Personal Data and its requirements can be found, in particular, in the Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 (“General Data Protection Regulation” or “GDPR”).

The applicable German legislation besides GDPR is the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), and the German Telecommunication and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, TTDSG).

If you are located in the UK, the applicable legal basis for processing Personal Data is the Data Protection Act of 2018.  In Switzerland, the Swiss Federal Act on Data Protection (FADP) (including, as of September 1st, 2023, the revised FADP) is the governing law. In Brazil, the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais) is the governing law. If you are in the United States, federal and/or state laws may be applicable.

III. Who is the Data Controller of my Personal Data?

The Data Controller (“we”, “us”, “our” or “Lilium”) is

Lilium GmbH,
Galileostrasse 335, 82131 Gauting, registered with the commercial register of the local court (Amtsgericht) Munich under HRB 216921, represented by its managing directors.
email: privacy@lilium.com
phone front desk: +49 1757539269

Lilium GmbH and Lilium eAircraft GmbH have appointed a data protection officer.  Our data protection officer can be reached via
Data Protection Officer
Galileostrasse 335, 82131 Gauting, email: privacy@lilium.com.

Other Data Controllers processing your Personal Data may also be mentioned in this Privacy Notice.

IV. For which purposes is Personal Data processed? 

Your Personal Data collected and processed by Lilium might be used for the following purposes:

- to provide the functioning of our Website and/or our Services,
- to implement the Privacy Notices and carry out our Website and/or our Services,
- to identify and analyze your use of our Website and/or our Services and improve it in line with our legitimate interests of marketing and fraud prevention,
- to communicate with you, including via email (for example, for our newsletter or to respond to your contact via contact form, if applicable),
- to subscribe you to online broadcasted meetings and/or events (incl. webinars),
- to conduct research and analytics on our user base, Website and/or our Services,
- to prevent, investigate, or provide notice of fraud or unlawful or criminal activity,
- to comply with legal obligations, and/or
- as otherwise explained in our applicable Privacy Notices or in any communication by us.

If other categories of Personal Data are required for us to respond to your contact or inquiry, or to enable your participation in online or broadcasted meetings and/or events (incl. webinars), we may provide you with additional data protection related information where the scope and/or purpose fall outside of this Privacy Notice.

V. Origin of Personal Data

You may provide Personal Data directly to us by accessing our Website or by contacting us, including to inquire about our Services, as described in this Privacy Notice. We may also obtain Personal Data from your employer in the context of sales or from third-party suppliers, social networks, partners, or other publicly available sources. To enable collection of Personal Data we might use cookies, web beacons or similar technologies (see additional information provided in our Cookie Notice).

VI. How is my Personal Data processed via the Website?

A. Visiting the Website

If you browse our Website, we will neither automatically collect nor store information (that can include Personal Data), including the so-called “server-log-files” that your browser or your mobile device transfers to us. Error logging on the Website is disabled and, only in the case of an error alert issued by the Website, the IP addresses and timestamps are processed for the purposes of investigating and correcting errors or problems on the Website.

If you browse our Investor Website, we will collect the information (that can include Personal Data), including IP address, browser type, version, and operating system version that your browser or your mobile device transfers to us. This information will then be anonymized and kept only in aggregate format for analytical and reporting purposes.

In the case Personal Data is collected or processed via the Website in accordance with the information provided in this Privacy Notice, we use this data only for statistical analysis for the purpose of operation, security, and optimization of our Website. However, we reserve the right to check this data retrospectively if there is a justified suspicion of illegal use based on concrete indications. This data is then stored because this is the only way to prevent the misuse of our Website and, if necessary, allow us to investigate any illegal activity committed. The storage of this data is necessary in order to protect us as the person responsible for processing the data. As a matter of principle, this data will not be passed on to third parties unless it is the website hosting provider as defined in this Notice or there is a legal obligation to pass it on or the transfer of data serves legal prosecution purposes.

We may analyze your Personal Data to maintain the security of our Website and Services. This data processing is based on Art. 6 (1) f. GDPR as we wish to achieve the legitimate interests of stabilizing and improving our Website, quality assurance, and fraud prevention. We store this Personal Data for a maximum period of 7 days.

B. Newsletter

With the newsletter, we inform the user about the Website, our Services and us.

When registering for the newsletter, you must provide an email address. This email address will be transmitted to and stored by us (or a provider as specified below), based on your consent, Art. 6 (1) a. GDPR.

Where required by law, following the registration, you will receive an email to confirm the registration (known as the “double opt-in”). By clicking the registration link you confirm that you have given your consent to the processing of your Personal Data for receiving our newsletter. In case of your registration for the newsletter, we (or our provider as specified below) also store your device name, the mail provider as well as the name and the date of registration. The purpose of the procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your Personal Data.

After your confirmation (where required by applicable law), we store your email address solely to provide you with the newsletter. The legal basis for the processing of your Personal Data for sending the newsletter is your consent, Art. 6 (1) a. GDPR.

You can withdraw your consent to the processing of your Personal Data and for the sending of the newsletter at any time by clicking on the unsubscribe link included in each newsletter email, by sending an email to privacy@lilium.com or, if applicable, by sending an email to Zoho, which is identified below. This can be done free of charge or without lowering service levels on our Website. Note that unsubscribing from our newsletter will not prevent you from receiving Service-related email communications when using our Service (e.g., account verification, confirmations of transactions, technical or legal notices), and the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.  

We may track your user behavior for analytical and reporting purposes as further described in the description of the provider specified in the following.

C. Contacting us: General

When you contact us via our Website, email, telephone or in any other way, we (or our provider as specified below) process and store your Personal Data for the purpose of managing and responding to your inquiry, based on a pre-contractual or existing contractual relationship in accordance with the legal basis of Art. 6 (1) b. GDPR.

The Personal Data required to contact us may depend on the nature of your request (e.g., media, sales, supplier and/or general inquiry). For us to be able to contact you regarding your inquiry, we will ask for your full name and business email address. In some cases, we will also need to know your country (region), company and area of expertise to better direct your request to the responsible department at Lilium. Other categories of Personal Data may be provided by you voluntarily. Please note that if you provide Personal Data in an open text format, we will not process this Personal Data to contact you, but this Personal Data may be recorded in our system. We strongly recommend that you do not provide additional Personal Data, especially sensitive Personal Data, unless it is necessary to enable us to contact you.

D. Contact us: Sales & Marketing Activities, incl. Direct Marketing

We may contact you for the purpose of informing you about interesting opportunities regarding our sales efforts, using your contact data (name and email address) made available by you on publicly available business sources, based on Art. 6 (1) f. GDPR. You can at any time respond to us that you would not like to be further contacted by Lilium by replying to our initial contact, and you can object to the processing of your Personal Data for this purpose at any time by sending an email to privacy@lilium.com.

We may use your full name, email address and/or telephone number for direct marketing when we have obtained your email address in the context of the sale of a product or a service or to send you news about similar products or services to the product or service that you inquired about based on our legitimate interests according to the legal basis of Art. 6 (1) f. GDPR. You can opt out of such direct marketing by selecting the “unsubscribe” link available in each email you receive from us. Additionally, you also have the right to object to the processing of your Personal Data related to direct marketing purposes based on Art. 21 (2) GDPR at any time by sending an email to privacy@lilium.com.

Additionally, we may process your Personal Data for internal reports and follow up of our sales and marketing activities, including from our CRM tool provider (see "Zoho" below), based on Art. 6 (1) f. GDPR. You can opt out of such direct marketing by selecting the “unsubscribe” link available in each email you receive from us. Additionally, you also have the right to object to the processing of your Personal Data for this purpose at any time by sending an email to privacy@lilium.com.

E. To subscribe you to corporate web meetings, events, and webinars

We may process your Personal Data to register you to participate in corporate web meetings, events, and/or webinars, such as business update calls and webcast sessions, including quarterly shareholder webcast updates and other related events, especially through our investor relations page on the Website, based on your consent according to Art. 6 (1) a. GDPR. For your registration, you may need to provide your full name, email address, job title, and company you work for. Also, in the case of an interactive webcast and Q&A sessions (especially with investors and shareholders), we may quote your name and company to refer to your question based on our legitimate interest, according to Art. 6 (1) f. GDPR. We may use third party providers to support us with these activities on our Website.

You can withdraw your consent to the processing of your Personal Data for the purposes of web meetings, events and/or webinars at any time by sending an email to privacy@lilium.com or, if applicable, by sending an email to the provider, which is identified below.

VII. What Third Party Services, Cookies, and Links to Social Networks does the Website use?

A. Third Party Services

We may use third-party services on our website or to provide the Service, such as to provide our newsletter, contact you, and allow us to broadcast our web meetings and corporate events.

  • Newsletter and Customer Relationship Management

We currently use the service Zoho Corporation GmbH, Trinkausstr. 7, 40213 Dusseldorf, Germany (“Zoho”) for the purposes of mail (newsletter), and as a customer relationship management system (CRM). Zoho receives and processes the Personal Data necessary to allow us to respond to your inquiry or to contact you, in particular, your full name and email address.

Personal Data is processed by Zoho on servers in the European Union. We entered into a DPA with Zoho to comply with the requirements under Art. 28 (3) GDPR that defines roles and responsibilities of us as the Data Controller, Zoho (European Union) as the Data Processor and Data Exporter, and Zoho Group Entities (inc. subsidiaries and affiliates), and sub-contractors located in third countries as sub processors and Data Importer. As part of the DPA, Zoho agreed to abide by and process Personal Data that is subject to GDPR and has confirmed that the transfer of Personal Data between Zoho Data Exporter and Zoho Group Entities and sub-contractors as Data Importer is done in compliance with the Standard Contractual Clauses for Data Processors (Processor-to-Processor SCCs) approved by the European Commission (“SCCs”).

Your Personal Data may be accessed by Zoho group entities and sub-processors in other countries without an adequate level of data protection. Details on Zoho and its privacy policy can be found in the Zoho Privacy Policy.

  • Newsletter

Zoho is a service with which the dispatch of newsletters can be organized and analyzed. With the help of Zoho we can analyze our newsletter campaigns. When you open an email sent with Zoho, a file contained in the email (so-called web beacon) connects to the Zoho services. This allows us to determine whether a newsletter message has been opened and which links have been clicked on. For more information, see the section “Tracking Technologies Used in our Emails” in our Cookie Notice. If you do not want Zoho to analyze your Personal Data, you must unsubscribe from the newsletter. For this purpose, we provide a respective link in every newsletter. You can also unsubscribe from the newsletter at any time by sending an email to privacy@lilium.com. The Personal Data stored for the purpose of newsletter subscription will be stored by us and Zoho until you unsubscribe from the newsletter and will be deleted from our servers as well as from the servers of Zoho after you unsubscribe from the newsletter. Personal Data stored by us for other purposes remain unaffected.

  • Customer Relationship Management

Additionally, Zoho offers a customer relationship management system to support us in maintaining leads, customers, and commercial-related information. When you send us an inquiry via “Contacting us” (see above) your Personal Data will be processed and stored in the Zoho servers in the European Union. Depending on the channel through which you contact us, or in case your contact data was available on public sources, your Personal Data may be manually entered into Zoho and will also be stored for the purposes described in this Website Privacy Notice. Zoho may also send you direct marketing information in the context of similar products and/or services you have inquired about. You can exercise your Rights under applicable data protection law at any time, including the right to object to direct marketing as described in this Privacy Notice.

B. Cookies

In order to offer you a convenient online service featuring numerous functions, our Website uses cookies and similar technologies such as pixels and Local Storage Objects (LSOs) like HTML5 (“Cookies”). Cookies help us to distinguish you from other users of our Website. They are usually saved on your device. Cookies facilitate the transfer of specific content, such as entering Personal Data, which has already been supplied, and help us identify popular sections of our Website. Please note that some of the Cookies will have access to your browser and, where applicable, to your end device.

If you are located in the EU, the processing of Personal Data when using Cookies is based either on our legitimate interests to be able to run and operate our Website properly according to Art. 6 (1) f. GDPR (necessary Cookies), or on your consent (Opt-in) according to Art. 6 (1) a. GDPR (optional Cookies), depending on the category of the relevant Cookies. The provision of relevant detailed information about the Cookies on our Website and your voluntary Opt-in is processed by our Cookie consent management layer upon your initial visit to our website. You can find detailed information about our use of Cookies within our Cookie Notice. You can also change your Cookie preferences at any time via the Cookie preference tool.

You can withdraw your consent by deactivating the use of individual or all optional Cookies in the settings of your browser at any time. To find out how to change the settings, please consult the help function of your browser. You may also deactivate and manage many of your online Cookies by different businesses on the US-website WebChoices: Digital Advertising Alliance’s Consumer Choice Tool for Web US (aboutads.info) or the EU-website Your Online Choices | EDAA. However, without Cookies, the use and comfort of use of our Website may be restricted.

C. Website Hosting

We use the service by Amazon Web Services, Inc., 410 Terry Avenue North Seattle WA 98109, USA (“AWS”) for the purpose of hosting your Personal Data provided through the Website (lilium.com). The Personal Data processed is hosted within the EU, however, the Personal Data might still be processed in the USA, which currently is a country deemed as not adequate in terms of data protection. AWS complies with data protection standards applicable in the European Union by agreeing to abide by and process Personal Data subject to GDPR in compliance with SCCs that are incorporated by reference and form an integral part of the DPA, which was signed with us and complemented by the updated version of the DPA, including the updated SCCs, that can be found at New Standard Contractual Clauses now part of the AWS GDPR Data Processing Addendum for customers | AWS Security Blog (amazon.com). For further information please refer to https://aws.amazon.com/compliance/eu-data-protection/ and https://aws.amazon.com/compliance/germany-data-protection/.

We use the service by Notified from Intrado Digital Media AB, Hallenborgsgatan 1A, 201 20 Malmo, Sweden for the purpose of hosting your Personal Data provided through the Website (investors.lilium.com and https://ir.lilium.com). The Personal Data processed is hosted in the EU. Notified agreed to abide by and process Personal Data that is subject to GDPR in compliance with SCCs, which are incorporated by reference and form an integral part of the agreed DPA by and between us and Intrado. Note that Intrado may use Personal Data for its own analytics and reporting purposes, in accordance with its policies. Additional information pertaining to the Notified privacy program can be found at Legal & Privacy | Intrado.

We use the service by Say Technologies LLC, 85 Willow Rd Menlo Park, CA 94025, United States, for the purpose of offering web corporate meetings and business update calls. The Personal Data is hosted in the USA, which currently is a country deemed as not adequate in terms of data protection. Say agreed to abide by and process Personal Data that is subject to GDPR in compliance with SCCs, which are incorporated by reference and form an integral part of the agreed DPA by and between us and Say. Additional information pertaining to the Say privacy policy can be found at Say (saytechnologies.com).

D. Third Party Cookies and similar technologies

We may use Cookies and services of third parties such as Google, Vimeo, and YouTube. These services include, among others, internet-based advertising services, tracking technologies and social media functionalities. Please find further information about these third parties in our Cookie Notice and Social Media Privacy Notice.

We use the service Google Analytics of Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA, respectively Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Dublin, Ireland if you are visiting from the EU, EEA or Switzerland for the purposes of analytics and marketing on the Website. For further information please refer to Privacy Policy – Privacy & Terms – Google.

We use the Vimeo service of the company Vimeo, Inc., 555 West 18th Street, 10011 New York, United States of America, for the purpose of integrating videos from the Vimeo platform into our Website. For additional information please see Privacy Policy on Vimeo.

We use the YouTube service of the company Google LLC, D/B/A YouTube, 901 Cherry Ave., San Bruno, CA 94066, USA, for the purpose of integrating videos from the YouTube platform into our Website. For more information, please access Privacy Policy – Privacy & Terms – Google.

If you are located in the EU, the processing of Personal Data when using Cookies is based either on legitimate interests to be able to run and operate our Website properly according to Art. 6 (1) f. GDPR (necessary Cookies), or on your consent (Opt-in) according to Art. 6 (1) a. GDPR (optional Cookies), depending on the category of the relevant Cookies. The provision of relevant detailed information about the third-party Cookies and similar technologies on our Website and your voluntary Opt-in is processed by our Cookie consent management layer upon your initial visit to our website. You can find detailed information about our use of Cookies within our Cookie Notice. You can also change your Cookie preferences at any time via the Cookie preference tool.

You can withdraw your consent by deactivating the use of individual or all third-party Cookies and similar technologies in the settings of your browser at any time.

If you are located in the EU, please note the processing described in this section may also take place in a third country for which there is no adequacy decision by the European Commission. Therefore, the level of protection customary for the GDPR cannot be guaranteed during transmission, as it cannot be ruled out that in third countries, e.g., authorities can access the Personal Data collected. We do not have influence over such access and any further processing by third parties. The legal basis for the transfer of this Personal Data is Art. 6 (1) a., and 49 (1) a. GDPR; we will inform you and request your consent accordingly. In this case, you can revoke your consent at any time as described in this Privacy Notice with effect for the future. Upon request and in case required by applicable law, we can provide you with additional information regarding the transfer mechanism concerning the transfer of your Personal Data.

E. Links to Social Networks

The Website is connected via links and/or plugins to the social networks such as Facebook, X (Twitter), Instagram, TikTok, YouTube, and LinkedIn. For further information on the use of Personal Data via social networks please refer to our Cookie Notice and Social Media Privacy Notice.

VIII. Is my Personal Data transferred or disclosed to Third Parties?

We will transfer your Personal Data to a third party (i) due to our legitimate interest acc. to Art. 6 (1) f. GDPR, (ii) within the scope of legal provisions, i.e., if we are obliged to transfer the Personal Data due to a government or court order, if applicable, legal provisions authorize the transfer acc. to Art. 6 (1) c. GDPR, or (iii) if you give your explicit consent (where required by applicable law) acc. to Art. 6 (1) a. GDPR. This might, in particular, include the transfers as described in the following.

  • Transfer to our Subsidiaries

We might transfer Personal Data you have provided to us on our Website or due to the Service, such as email and country, to our subsidiaries for their own business purposes, including sales and marketing activities (e.g., direct marketing or invitations to events).

  • Transfer based on legal obligations or for the protection of legitimate interests

To the extent we are obliged to do so by law, court order, or by an enforceable official order, based on Art. 6 (1) c. GDPR, or if we consider it necessary due to our own legitimate interests, based on Art. 6 (1) f. GDPR, for example in connection with the commission of criminal offences, we will transmit your Personal Data to authorities entitled to receive information.

  • Other transfers

If you have given us a separate consent to use and transfer your Personal Data, your Personal Data may be passed on to the recipients named therein. As part of the provision of third-party services on our Website or Service, Personal Data may be passed on to third parties, for example, vendors helping us with the collection and distribution of informational materials for investors or investor candidates. In addition, no Personal Data will be transferred on to third parties unless, in individual cases, there is either a specific legal obligation requiring us to do so or if there is a specific legal justification for the transfer, and your interests or fundamental rights and freedoms do not prevail.

  • Transfers outside of the EU

For jurisdictions outside the EU, any transfer of your Personal Data (including transfers to companies affiliated to us) shall be made in compliance with and, if applicable, on the relevant legal bases as set out in the data protection laws of your jurisdiction.

IX. Children’s privacy

We do not knowingly collect Personal Data from individuals who are under the minimum required ages specified herein. You must be at least 16 years old or the age of majority in your jurisdiction, whichever is greater, to use our Website. Individuals under the applicable age may use our Website and/or Service only through a parent or legal guardian’s account and with their knowledge of the use of the Website.

X. Access and Changes to this Privacy Notice

This Privacy Notice is accessible via our website at https://www.lilium.com/privacy-policy.html and may be downloaded and printed anytime.  We reserve the right to adapt this Privacy Notice as well as our additional Privacy Notices at any time, considering the currently applicable data protection provisions. We will publish the updated Privacy Notice on our website.

XI. Contact

For any inquiries and additional questions about processing Personal Data please contact privacy@lilium.com.

XII. EU-Specific Disclosures

The following disclosures (“EU Privacy Disclosures”) apply to our processing of Personal Data in connection with our EU services or individuals located in the EU.

A. Is my Personal Data transferred outside the EU?

If you are located in the EU, note that for some Services, we may transfer your Personal Data (including transfers to companies affiliated to us) to countries outside the EU-jurisdiction where we collected your Personal Data (so-called third countries).

In the course of a transfer of Personal Data to a third country, we will regularly provide appropriate guarantees to maintain an appropriate level of data protection, for example, by concluding SCCs to ensure that the transfer of Personal Data takes place with a level of data protection that is equivalent to that of the GDPR.

The SCCs will be entered into between Lilium, as Data Controller, and the Data Exporter of Personal Data, with the Data Processor as Data Importer of Personal Data (SCCs Controller-to-Processor); or, between Lilium, as Data Controller, and Data Processor as the Data Exporter, considering in these cases that any transfers to the sub processor as Data Importer only will occur when the Data Processor (Data Exporter) has completed Processor-to-Processor SCCs with the sub-processor (Data Importer).

In compliance with these requirements, we transmit Personal Data to service providers who assist us in the performance of our contractual obligations or our Services and who are bound by our instructions in the context of a DPA. If not publicly available, upon request, we will grant you a copy of the respective appropriate guarantees regarding your Personal Data, if legally or contractually permitted, or provide further information where they have been made available.

B. Use of Services on the Website that process Data outside the EU

When visiting the Website, Personal Data may be transferred to countries outside the EU where the services by Google (see Google Analytics) as well as other social networks operate (see Cookie Notice and Social Media Privacy Notice). The third parties that are U.S. companies providing the services (e.g., Facebook, Instagram, Google, YouTube, Vimeo, X, TikTok, and LinkedIn) comply with data protection standards applicable in the European Union by agreeing to abide by and process Personal Data subject to GDPR in compliance with the SCCs that are incorporated by reference and form an integral part of the respective DPA.

C. Further Third-Party Providers that process data outside the EU

Personal Data is transferred outside the European Union due to the integration of cloud and hosting services who work on our behalf and assist us in carrying out our Website and/or Service, as described in this Privacy Notice.

On a case-by-case basis, we may also use other vendors for the collection and distribution of materials, in particular, but not limited to, materials for investors or potential investors.

For more information, please contact privacy@lilium.com.

D. Does automated processing, including “Profiling”, take place?

In general, we do not process any Personal Data via automated processing including “profiling” when making contact via the Website. However, such profiling may happen by third-party providers through the further use of the Website. If possible, we will inform you about this fact.

Profiling means any automated processing of Personal Data consisting in the use of such Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to the performance of work, economic situation, health, personal preferences, interests, reliability, behavior, location or relocation of that natural person. Examples of such profiling include the analysis of Personal Data (e.g., based on statistical methods) with the aim of displaying personalized advertising or giving shopping tips. You shall not be subject to a decision based exclusively on automated processing, including profiling, which has legal effect against you or significantly affects you in a similar manner. This shall not apply where the decision (i) is necessary for the conclusion or performance of a contract between you and Lilium, as the Data Controller, (ii) is admissible under the laws of the European Union or its member states to which Lilium, as Data Controller, is subject and where such laws contain appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, or (iii) is taken with your express consent. In such exceptional cases, Lilium shall take appropriate measures to safeguard your rights, freedoms, and legitimate interests, including at least the right for you to state your own position and to challenge the decision.

E. What are my Rights?

In accordance with the GDPR, you have the following rights in respect of your Personal Data that we hold:

- According to Art. 15 GDPR, you have the right to obtain confirmation from us as to whether or not Personal Data concerning you is being processed by us. Where that is the case, you have a right to access Personal Data and obtain further information. You may request a copy of your Personal Data undergoing processing. For any further copies requested by you, we may charge a reasonable fee based on administrative costs. Where you make the request by electronic means, and unless otherwise reasonably requested by you, the information shall be provided in a commonly used electronic form.

- According to Art. 16 GDPR, you may have the right to obtain the rectification of inaccurate Personal Data concerning you without undue delay.

- According to Art. 17 GDPR, you may have the right to obtain erasure of Personal Data concerning you if (i) it is no longer necessary in relation to the purpose for which it is collected, (ii) you have withdrawn your consent on which the processing is based, (iii) you have objected to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you have objected to the processing pursuant to Art. 21 (2) GDPR, (iv) your Personal Data has been unlawfully processed, (v) the Personal Data has to be erased for compliance with a legal obligation to which Lilium is subject, or (vi) the Personal Data has been collected in relation to the offer of information society services pursuant to Art. 8 (1) GDPR.

- According to Art. 18 GDPR, you may have the right to obtain the restriction of processing. Such right shall exist if (i) you contested the accuracy of the Personal Data, (ii) the processing is unlawful and you oppose the erasure of the Personal Data and request the restriction of its use instead, (iii) the Personal Data is no longer needed for the purposes of the processing, but it is required by you for the establishment, exercise or defense of legal claims, or (iv) you have objected to processing pursuant to Art. 21 (1) GDPR pending the verification of whether our grounds legitimately override yours.

- According to Art. 19 GDPR, you have the right to obtain information about the recipients of Personal Data to whom the rectification, erasure, or restriction of processing has been communicated.

- According to Art. 20 GDPR, you have the right to obtain Personal Data concerning you in a structured, commonly used, and machine-readable format and to transmit the Personal Data to another Data Controller. Insofar as this is technically feasible, you can request that we transfer the Personal Data directly to another Data Controller.

- You also have the right, without prejudice to any other administrative or judicial remedy, to object to the processing of your Personal Data or a decision taken by us in respect of any of the rights you have exercised and to complain to a supervisory authority, in particular in the European Union member state of your usual residence, place of work or place of the alleged infringement. An overview of the Data Protection Authorities may be found here: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html or http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080

 

OBJECTION ON GROUNDS OF YOUR PARTICULAR SITUATION

ACCORDING TO ARTICLE 21 (1) GDPR, YOU HAVE THE RIGHT TO OBJECT, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, AT ANY TIME, TO PROCESSING OF PERSONAL DATA CONCERNING YOU, WHICH IS BASED ON YOUR LEGITIMATE INTERESTS, INCLUDING PROFILING (AS DEFINED ABOVE). WE SHALL NO LONGER PROCESS THE PERSONAL DATA UNLESS WE DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE THE INTERESTS, RIGHTS, AND FREEDOMS OF YOU, OR FOR THE ESTABLISHMENT, EXERCISE, OR DEFENSE OF LEGAL CLAIMS.

OBJECTION ON GROUNDS OF YOUR PARTICULAR SITUATION

ACCORDING TO ARTICLE 21 (2) GDPR, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSES OF DIRECT MARKETING, WHICH INCLUDES PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT TO THE PROCESSING FOR DIRECT MARKETING PURPOSES, YOUR PERSONAL DATA WILL NO LONGER BE PROCESSED FOR SUCH PURPOSES.

To exercise your Rights, you can contact us without any formality by post or email at the points of contact listed in Section III above.

F. Duration of Personal Data Processing and Deletion Periods

This Privacy Notice as well as our other Privacy Notices contain specific periods for Personal Data storage.

Criteria for the storage period include whether the Personal Data is still up to date, whether the contractual relationship with us still exists, whether an inquiry has already been processed, whether a process has been completed or not, and whether legal retention periods for the Personal Data concerned are relevant or not.

As a rule, we only store your Personal Data for as long as it is necessary for the execution of the contract or the respective purpose and limit the storage period to a necessary minimum.

In the case of long-term contractual relationships, these storage periods may vary, but are generally limited to the duration of the contractual relationship or, with regard to the inventory data, to the maximum legal retention periods (e.g., in accordance with the German Commercial Code (Handelsgesetzbuch, HGB) and the Tax Code (Abgabenordnung, AO)).

G. Data Security

We have installed technical and organizational measures in order to safeguard our Website and/or Services against loss, destruction, access, changes, or the distribution of your Personal Data by unauthorized persons.

The Website is operated through a safe SSL-connection. If an SSL-connection is activated, third parties are prevented from reading any Personal Data that is transferred by you to us.

We will use our best efforts to store your Personal Data on servers that are located within the European Union and/or located in countries deemed adequate in terms of data protection by the European Commission. In case your Personal Data is transferred to a country without an adequate level of data protection, technical and organizational measures will be implemented, including supplementary measures to protect the Personal Data, if applicable.  

 

Last Modified: October 2023.