The Federal Commissioner for Data Protection and Freedom of Information

Privacy statement

1. Contact

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
(The Federal Commissioner for Data Protection and Freedom of Information)

Address:

Graurheindorfer Str. 153, 53117 Bonn

Central telephone number: 0228/997799-0

Central e-mail address: poststelle@bfdi.bund.de


Data Protection Officer: Mr. Kapsa

Telephone number: 0228/997799-1950

E-mail address: bdsb@bfdi.bund.de

For encrypted communication with the Data Protection Officer (DPO), you can download the DPO’s most recent PGP Key from a key server. For checking the key, you will find the associated fingerprint of this public key here: 49C5098DE61A09E0CBFCADABB87A54EEB514D617

2. Initiation and Purposes of Processing

When carrying out the tasks conferred upon him by law, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) processes personal data. His tasks include, in particular, the following elements:

  • The monitoring and enforcement of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) at data controllers who are subject to his supervision, including the necessary cooperation with data protection authorities of the Federal States [“Länder”] and of the Member States of the European Union (EU)
  • The control of compliance with the freedom of information law at data controllers (in particular under the Freedom of Information Act, IFG) who are subject to his supervision
  • The provision of information about data protection law and freedom of information to a third party or to the public
  • The handling of data subjects’ complaints relating to the topics of data protection and freedom of information about data controllers and processors who are subject to his supervision

The BfDI also processes personal data as a contracting party subject to civil law and/or as an authority under public law. Examples include the recruitment and management of personnel and the purchase of office supplies or services. In the pursuit of his own interests, the BfDI also processes, if necessary, the personal data of the contracting party’s employees. In this connection, the BfDI’s interest lies in the initiation, conclusion and execution of such contractual relationships.

On the basis of consents, the BfDI processes personal data for special services. Examples include the general newsletter and the newsletter for the press.

3. Legal basis for processing

For data protection law:

Article 6 paragraph 1, subparagraphs a), b), e), GDPR, in conjunction with Articles 57, 58 paragraph 1, Article 77 GDPR, Sections 3, 14, 16, 60 and 61 BDSG

For the freedom of information law:

Article 6 paragraph 1, subparagraphs a), b), e), GDPR in conjunction with Section 3 BDSG, Section 12 IFG, Sections 21, 24, 25 and 26 BDSG (in the old version in force as from 24 May 2018)

The data subject shall at any time have the right to revoke a given consent on which the processing of his or her personal data is based, without prejudice to the lawfulness of the processing based on consent before its withdrawal.

4. Categories of recipients

When performing his public tasks, the BfDI transfers personal data to other public bodies of the Federal Government or of the Länder (in particular to the supervisory authorities of the Länder) and to the supervisory authorities of other Member States of the EU, to representatives of the press, to data subjects, and to contractors of the BfDI. In this connection, it shall always be assessed whether the transfer is necessary to that effect. Therefore, with regard to the scope of the BfDI’s duties, which are referred to separately, the following groups of recipients are generally defined:

a)     Monitoring and enforcement of the GDPR, of the BDSG and other data protection regulations at the data controllers who are subject to the supervision by the BfDI

Public bodies of the Federal Government or of the Länder, the supervisory authorities of the EU Member States, data subjects, and contractors of the BfDI for the internal administrative activity of his own office.

In case of necessary communication with supervisory authorities of EU Member States, this will be done using the Internal Market Information System (IMI) operated by the European Commission.

b)    The control of compliance with the freedom of information law at the data controllers who are subject to the supervision by the BfDI

Public bodies of the Federal Government and contractors of the BfDI for the internal administrative activity of his own office

c)    The provision of information about data protection law and freedom of information to a third party or to the public

Public bodies of the Federal Government or of the Länder for the coordination of information materials, the press for the dissemination of information, and contractors of the BfDI for the internal administrative activity of his own office

d)    The handling of data subjects’ complaints relating to data protection law and to the freedom of information law about data controllers and processors

For the data protection law:


Public bodies of the Federal Government insofar as they are concerned by the subject matter of the complaint (especially as data controller), supervisory authorities of the Länder and the supervisory authorities of the EU Member States, to the extent that they are competent for the subject matter of the complaint, and contractors of the BfDI for the internal administrative activity of his own office

For the freedom of information law:

Public bodies of the Federal Government insofar as they are concerned by the subject matter of the complaint (especially as data controller) and contractors of the BfDI for the internal administrative activity of his own office

e)    Transfer to the Federal Archives

In agreement with the Federal Archives, the BfDI does not in principle transfer any files on complaints and enquiries from citizens to the Federal Archives. This principle will only be departed from in individual cases if the competent division regards such complaints or requests as historically valuable issues.

f) Acting as a contracting party subject to civil law and in the pursuit of his own interests

Public bodies of the Federal Government for support in procurement procedures and in the financial management of the BfDI’s civil servants and employees remunerated according to collective agreements, other contractors of the BfDI for the mutual assistance in certain projects and to contractors of the BfDI for the internal administrative activities of the office

g)     The sending of newsletters

Contractors of the BfDI for the internal administrative activities of the office

5. Data retention period

The storage shall take place in accordance with the provisions of the Directive for the processing and management of documents in federal ministries. The regulatory content of the Directive is binding pursuant to the IT-Directive of the BfDI.

6. Data subjects’ rights

Within the framework of performing public tasks and as a contracting party subject to civil law, the BfDI is responsible for the processing of personal data. Therefore, the following rights of the GDPR are available to data subjects:

a) Right of access - Article 15 GDPR

The right of access grants the data subject comprehensive insight into the data concerning him or her and into other important criteria, such as the purposes of the processing or the period for which the data shall be stored. The derogations of this right laid down in Section 34 BDSG are applicable.

b)    Right to rectification - Article 16 GDPR

The right to rectification implies the possibility for the data subject to have inaccurate personal data concerning him or her rectified.

c)    Right to erasure - Article 17 GDPR

The right to erasure entails the possibility for the data subjects to have data erased at the controller. This is, however, only possible if the data concerning him or her are no longer necessary, if they have been unlawfully processed, or a corresponding consent has been withdrawn. The derogations laid down in Section 35 BDSG are applicable.

d)    Right to restriction of processing - Article 18 GDPR

The right to restriction of processing includes the possibility for the data subject to prevent for the time being any further processing of personal data concerning him or her. A restriction mainly occurs at the stage of examining other exercises of rights by the data subject.

e)    Right to data portability - Article 20 GDPR

The right to data portability implies the right for the data subject to receive from the controller the personal data concerning him or her in a commonly used, machine-readable format in order to have them, if necessary, transferred to another controller. In accordance with Article 20 paragraph 3 sentence 2 of the GDPR, that right is not available if the data processing serves the purpose of performing public tasks.

f)     Right to object - Article 21 GDPR

The right to object includes the possibility for data subjects to object, in a particular situation, to the further processing of their personal data as far as this processing is justified by the performance of public tasks or of public and private interests. The derogations laid down in Section 36 BDSG are applicable.

7. Necessity of data processing

The processing of personal data by the BfDI is directly connected with the exercise of his public tasks.

In particular, in connection with the monitoring and enforcement of the GDPR at the controllers who are subject to supervision by the BfDI, the provision of personal data can be legally necessary on the grounds of Article 58 paragraph 1, subparagraph a GDPR. In the case of the non-provision of data, the BfDI has corrective powers according to Article 58 paragraph 2 GDPR.

When monitoring compliance with the right to freedom of information at controllers who are subject to the supervision of the BfDI, the provision of personal data may be legally necessary on the basis of Section 12 paragraph 3 of the Freedom of Information Act (IFG) in conjunction with Section 24 paragraph 4 of the former version of the BDSG. In the case of the non-provision of data, the BfDI has the right to lodge a complaint according to Section 25 of the former version of the BDSG.

8. Other information

There is no right of appeal to a supervisory authority with regard to the data processing of the BfDI. Automated decision-making does not take place.

9. The Homepage of the BfDI

9.1 Processing of information within the framework of the technical provision of the BfDI’s Internet offer

The infrastructure of the Internet requires the technical exchange of information between your device (e.g. computer, tablet or mobile phone) and so-called servers, in particular servers making websites available for retrieval. This is necessary to establish communication between your device and the website. The following data are processed for the technical processing:

  • Date and time of retrieval
  • IP address
  • Request details and destination address
  • Name of the retrieved file
  • Amount of data transmitted
  • Notification of whether the access/retrieval was successful

Every time users access the BfDI’s website and every time a file is retrieved, data about this process are temporarily stored and processed in a log file. The log file is retained for a period of 30 days.

In detail, the following data are stored about every access/retrieval:

  • Date and time of retrieval
  • Request details and destination address
  • Name of the retrieved file
  • Amount of data transmitted
  • Notification of whether the access/retrieval was successful

The log data are processed for the proper operation of the websites, i.e. in order to detect, limit or eliminate disruptions or errors.

This processing for technical communication and of log data shall be carried out on the basis of Article 6(1), first subparagraph, subparagraph e GDPR in conjunction with Article 57 GDPR, Sections 3, 14 BDSG.

In addition, the log data are processed for technical security, in particular to protect against and defend against cyber attacks. This is done on the basis of Article 6 paragraph 1 subparagraph e GDPR in conjunction with Section 5 BSI Act [Act on the Federal Office for Information Security].

When accessing our websites, temporary cookies (so-called session cookies) are also used to provide technical services. Cookies are small text files that are stored on the users’ devices when they access the website. They contain a so-called session ID, i.e. an identification code that is unique for each device for the respective session. They help to distinguish between the different devices accessing the website. This identification code is read out during the session in order to distinguish between devices. These session cookies expire after the end of the session, i.e. they are regularly automatically deleted from your device as soon as you close your Internet browser.

Two such cookies are used on our websites: The cookie called “JSESSIONID” is used to recognise users within a session. This ensures the usability of the forms and the shopping cart.

Finally, we use a cookie called “AL-SESS-S” or “AL_LB”. This cookie is required for so-called load balancing: It is intended to assign a specific request (i.e. access to a website) by a device to a specific server. This allows the requests to be distributed to our servers in such a way that they are not overloaded.

The use of these cookies is technically necessary according to Section 25 paragraph 2 Telecommunications Telemedia Data Protection Act (TTDSG).

Technologies, such as Java applets or Active X controls, which make it possible to track the users’ access behaviour, are not used.

We are supported by the service provider Federal Information Technology Centre (ITZBund) in processing data as part of the technical provision of the Internet offer.

9.2 Contact form

The contact form provides the opportunity for general contact. In this context, identity and contact data as well as the topic and content of the message to us are collected and forwarded internally to the organizational unit having the specialist competence for the matter. The purposes, legal basis, recipients and storage period depend on the deadlines relevant to the specialist tasks (see above). Communication that is not relevant to the file will not be registered in a file and will be deleted after the correspondence has been completed. In the case of file relevance, general requests are retained for a five-year period after completion, in the case of administrative proceedings (e.g. if the request leads to a supervisory procedure) for a ten-year period. In the case of historically valuable facts, a transfer is exceptionally made to the Federal Archives for further storage (see above).

9.3 Links to websites of other providers

Our online offer contains links to the websites of other providers. The Federal Commissioner for Data Protection and Freedom of Information has no influence on the compliance of these providers with the statutory data protection provisions. Therefore, you should always check the other providers’ privacy statement.