The following legal changes concerning data protection and data security occurred in 2015/2016 and affect the Lufthansa Group: Safe Harbor Agreement and EU-US Privacy Shield In its judgment issued on October 6, 2015, the European Court of Justice (ECJ) de- clared the Safe Harbor Agreement between the EU and the USA to be invalid. The ECJ held that the agreement, which was con- cluded in 2000 concerning the exchange of personal data, would violate the right to respect the private sphere and that person- al data of EU citizens would not be suf ci- ently protected from access by US authori- ties. Until now, data transmissions to the USA were only allowed when the US orga- nization held a Safe Harbor Certi cate or speci c contracts to ensure data protection had been concluded. The verdict also affects the Lufthansa Group: All contracts concerning the storage and processing of personal data with US service organizations on the basis of the Safe Harbor Agreement were renewed. On February 2, 2016, the draft for a new agreement “EU-US Privacy Shield” for the data transfer between the EU and the USA was presented. The negotiations concern- ing the further drafting have not yet been concluded. Law concerning the storage of passen- ger data The introduction of a EU-wide regulation for the transmission of Passenger Name Record (PNR) data for ights outside the European Union and optionally for ights within the EU, to so-called Passenger Infor- mation Units in the 28 member states, was accepted by the European Parliament on April 14, 2016. These rules will come into effect in two years at the latest. After pas- sage at the EU level, the implementation of the directive in the national law of the member states is required. In numerous EU countries, including Germany, the Pas- senger Information Units are currently being set up. Some EU countries are already in the process of de ning their requirements vis-à-vis the airlines. For the airline industry, the exchange of passenger data means increased complexity of reser- vations and check-in processes, and implies additional costs for transmitting passenger data, which the airlines have to pay. Agreement concerning the new EU General Data Protection Regulation After negotiations lasting several years, the European Parliament adopted the new EU General Data Protection Regulation on April 14, 2016. It is to replace the existing EU Data Protection Directive, which has been effective since 1995. Following a two-year transition period, the new regula- tion will take effect on May 24, 2018. In this way, standardized regulations will be created in European data protection. They apply to all companies that offer their output to EU citizens. The implementation of the require- ments related to the General Data Protection Regulation means for the Lufthansa Group the adaptation of the existing data protection management system. Careful and secure handling of personal data is the basis for trusting business relationships. Sustainability Report Balance // Issue 2016 // Lufthansa Group // 73