GDPR Infringement? Lufthansa Passengers Have to Take a Selfie to Prove they Are Real and Get a Refund
Quietly and without any mention in their Terms and Conditions, the German national carrier now requires its passengers to provide a selfie of themselves holding their ID next to their face before issuing a refund for a delayed, cancelled or overbooked flight.
In the above email, Lufthansa’s Customer Relations writes:
“in order to finalize the payment, please provide a photo of your client holding their valid government issued ID next to their face (e.g. passport, ID card, driver’s license) with the face and ID clearly visible.”
This is an official response to a claim for two passengers whose flight from Frankfurt to Sao Paulo - LH506 on 18th of July 2019 - was delayed by 10 hours.
The new requirement has gotten people talking on Flyertalk with one person writing:
“All of this is clearly laid out to discourage people from claiming compensation by making them jump through loops”.
Right to Compensation
Under Regulation EC261/2004, if the carrier is at fault and the delay is not the result of extraordinary circumstances, then each passenger is entitled to 600 EUR compensation - no questions asked.
In fact, the burden of proof falls on the airline and not the passenger.
However, introducing the above requirement seems like yet another obstacle which passengers need to overcome in order to receive the compensation to which they are legally entitled.
While Lufthansa ranked 17th of our Airline Ratings 2019 in terms of claims processing performance, the German air carrier seems headed for a lower spot in the rankings this year.
Is Lufthansa in Violation of GDPR?
When a claim is submitted to Lufthansa via ClaimCompass, it contains the passenger names, the flight and booking numbers, the complete itinerary of the passenger(s), the flight schedule and the disruption, an official ID as well as a signed and dated Power of Attorney for each passenger in the claim. The latter clearly states the scope of representation and the ClaimCompass mandate.
So, based on the above, Lufthansa can without any doubt identify the passenger and issue the payment under EC261/2004.
Under Article 4(14) of GDPR, facial images are considered as “biometric data”, which is subject to even stricter requirements for compliance with the Regulation.
By default, processing such data is prohibited unless the data subject - i.e. the passenger - has given explicit consent. We could not find anything on the above in the Data Protection Information section of Lufthansa’s website.
There is however, something more.
Even if the passenger has granted the above consent, article 7 of GDPR has imposed even stricter conditions for its validity.
Under Article 7(4), such consent is invalid if performance of the contract is made strictly dependent on the provision of such personal data, despite the fact that it is not necessary for the contract to be carried out.
By definition, delayed flight compensation under EC261 is due as compensation for the improper compliance with contractual obligations of the carrier - i.e. for not getting passengers to their destination on time.
In other words, a selfie of the passenger holding their ID next to their face is not needed in order for Lufthansa to meet its contractual obligations.
So, Why the Hassle?
It is clear that Lufthansa is fully capable of verifying the identity of its passengers by simply requesting a copy of a national ID in addition to a signed Power of Attorney.
This is confirmed by European Commission’s Information Notice to Air Passengers dated 9th of March, 2017, which states:
“If so requested, a signed power of attorney together with a copy of ID or passport (for verification of signature) should be provided by claim agencies”.
There is no mention of photographs or any further personal data required and one is left to wonder whether or not this additional requirement isn’t just another unjustified burden on passengers to avoid paying compensation.