The Federal Commissioner for Data Protection and Freedom of Information

Navigation and service

Privacy statement

1. Contact

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
(The Federal Commissioner for Data Protection and Freedom of Information)

Address:

Graurheindorfer Str. 153, 53117 Bonn

Central telephone number: 0228/997799-0

Central e-mail-address: poststelle@bfdi.bund.de


Data Protection Officer: Mr. Kapsa

Telephone number: 0228/997799-1950

E-mail address: bdsb@bfdi.bund.de

For encrypted communication with the Data Protection Officer (DPO), you can download(e. g. https://keys.openpgp.org) the DPO’s most recent PGP Key from a key server. For checking the key, you will find the associated fingerprint of this public key here: 49C5098DE61A09E0CBFCADABB87A54EEB514D617


2. Introduction and purpose of the processing

When carrying out the tasks conferred upon him by law, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) processes personal data. His tasks include, in particular, the following elements:

  • The monitoring and enforcement of the GDPR (General Data Protection Regulation) and the Federal Data Protection Act (German abbreviation “BDSG”) at data controllers who are subject to his supervision, including the necessary cooperation with data protection authorities of the Federal States [“Länder”] and of the EUMember States
  • The control of compliance with the freedom of information law at data controllers who are subject to his supervision
  • The provision of information about data protection law and freedom of information to a third party or to the public
  • The handling of data subjects’ complaints relating to the topics of data protection and freedom of information about data controllers and processors who are subject to his supervision

As a contracting party subject to civil law and/or as an authority under public law, the BfDI processes personal data. Respective examples include the recruitment and management of personnel, the purchase of office supplies or services. In the pursuit of his own interests, BfDI also processes, if necessary, the personal data of the contracting party’s employees. In this connection, the BfDI’s interest is on the initiation, conclusion and execution of such contractual relationships.

On the basis of consents, the BfDI processes personal data for special services. Examples include the general newsletter and the newsletter for the press.

3. The legal basis of the processing operation

For the data protection law:

Article 6 para. 1 lit. a), b), e), f) GDPR in conjunction with Art. 57, 58 para. 1, 77 GDPR, Sect. 14, 16, 60 and 61 BDSG (Federal Data Protection Act) and Sect. 3 BDSG

For the freedom of information law:

Art. 6 para. 1 lit a), b), e), f) GDPR in conjunction with Sect. 12 IFG (German abbreviation for “Freedom of Information Act”), Sect. 21, 24, 25 and 26 former BDSG

The data subject shall at any time have the right to revoke a given consent on which the processing of his or her personal data is based, without prejudice to the lawfulness of the processing based on consent before its withdrawal.

4. Categories of recipients

When performing his public tasks, the BfDI transfers personal data to other public bodies of the Federal Government or of the Länder (in particular to the supervisory authorities of the Länder) and to the supervisory authorities of other EU-Member States, to representatives of the press, to data subjects, and to contractors of the BfDI. In this connection, it shall always be assessed whether the transfer is necessary to that effect. Therefore, with regard to the scope of the BfDI’s duties, which are referred to separately, the following groups of recipients are generally defined:

a)     Monitoring and enforcement of the GDPR, of the BDSG and other data protection regulations at the data controllers who are subject to the supervision by the BfDI

Public bodies of the Federal Government or of the Länder, and the supervisory authorities of the EU-Member States, data subjects and to contractors of the BfDI for the internal administrative activity of the own office.

In case of necessary communication with supervisory authorities of EU Member States, this will be done using the Internal Market Information System (IMI) operated by the European Commission.

b)    The control of compliance with the freedom of information law at the data controllers who are subject to the supervision by the BfDI

Public bodies of the Federal Government and to contractors of the BfDI for the internal administrative activity of the own office

c)    The provision of information about data protection law and freedom of information to a third party or to the public

Public bodies of the Federal Government or of the Länder for the coordination of information materials, the press for the dissemination of information and to contractors of the BfDI for the internal administrative activity of the own office

d)    The handling of data subjects’ complaints relating to data protection law and to the freedom of information law about data controllers and processors

For the data protection law:
Public bodies of the Federal Government insofar as they are concerned by the subject matter of the complaint (especially as data controller), supervisory authorities of the Länder and the supervisory authorities of the EU-Member States, to the extent that they are competent for the subject matter of the complaint, and to contractors of the BfDI for the internal administrative activity of the own office

For the freedom of information law:
Public bodies of the Federal Government insofar as they are concerned by the subject matter of the complaint (especially as data controller) and to contractors of the BfDI for the internal administrative activity of the own office

e)    Transfer to the Federal Archives

In agreement with the Federal Archives, the BfDI does not in principle transfer any files on complaints and enquiries from citizens to the Federal Archives. This principle will only be departed from in individual cases if the competent section regards such complaints or request as historically valuable issues.

f) Acting as a contracting party subject to civil law and in the pursuit of his own interests

Public bodies of the Federal Government for support in procurement procedures and in the financial management of the BfDI’s civil servants and employees remunerated according to collective agreements, other contractors of the BfDI for the mutual assistance in certain projects and to contractors of the BfDI for the internal administrative activities of the office

g)     The sending of newsletters

Contractors of the BfDI for the internal administrative activities of the office

5. Data retention period

The storage shall take place in accordance with the provisions of the Directive for the processing and management of documents in federal ministries. The regulatory content of the Directive is binding pursuant to the IT-Directive of the BfDI.

6. Data subjects’ rights

Within the framework of performing public tasks and as a contracting party subject to civil law, the BfDI is responsible for the processing of personal data. Therefore, the following rights of the GDPR are available to data subjects:

a)   Right of access - Article 15 GDPR--General Data Protection Regulation

The right of access grants the data subject comprehensive insight into the data concerning him or her and into other important criteria, such as the purposes of the processing or the period for which the data shall be stored. The derogations of this right laid down in Sect. 34 BDSG--Federal Data Protection Act are applicable.

b)    Right to rectification - Article 16 GDPR

The right to rectification implies the possibility for the data subject to have inaccurate personal data concerning him or her rectified.

c)    Right to erasure - Article 17 GDPR

The right to erasure entails the possibility for the data subjects to have data erased at the controller. This is, however, only possible if the data concerning him or her are no longer necessary, if they have been unlawfully processed, or a corresponding consent has been withdrawn. The derogations laid down in Sect. 35 BDSG--Federal Data Protection Act are applicable.

d)    Right to restriction of processing - Article 18 GDPR

The right to restriction of processing includes the possibility for the data subject to prevent for the time being any further processing of personal data concerning him or her. A restriction mainly occurs at the stage of examining other exercises of rights by the data subject.

e)    Right to data portability - Article 20 GDPR

The right to data portability implies the right for the data subject to receive from the controller the personal data concerning him or her in a commonly used, machinereadable format in order to have them, if necessary, transferred to another controller. In accordance with Art. 20 para. 3 sentence 2 of the GDPR, that right is not available if the data processing serves the purpose of performing public tasks.

f)     Right to object - Article 21 GDPR

The right to object includes the possibility for data subjects to object, in a particular situation, to the further processing of their personal data as far as this processing is justified by the performance of public tasks or of public and private interests. The derogations laid down in Sect. 36 BDSG are applicable.

7. Necessity of data processing

The processing of personal data by the BfDI is directly connected with the exercise of his public tasks.

In particular, in connection with the monitoring and enforcement of the GDPR at the controllers who are subject to supervision by the BfDI, the provision of personal data can be legally necessary on the grounds of Art. 58 para.1 lit. a) GDPR. In the case of the non-provision of data, the BfDI has corrective powers according to Art. 58 para. 2 GDPR.

When monitoring compliance with the right to freedom of information at controllers who are subject to the supervision of the BfDI, the provision of personal data may be legally necessary on the basis of Section 12(3) of the Freedom of Information Act (IFG) in conjunction with Section 24(4) of the former Federal Data Protection Act (BDSG-alt). In the case of the non-provision of data, the BfDI has the right to lodge a complaint according to Sect. 25 of the BDSG-alt.

8. Other information

With regard to the data processing by the BfDI, there is no right to lodge a complaint with a supervisory authority. Any automated decision-making does not happen.

9. The Homepage of the BfDI

Every time a user accesses the Internet offer of the BfDI and every time a file is retrieved, data about this process will be temporarily stored and processed in a log file. Prior to the storage, each dataset is anonymised by modifying the IP-address.

In particular, the following data are stored about every access/retrieval:

  • anonymised IP address,
  • the operating system used,
  • the device used,
  • the country of origin from where the access was made,
  • date and time,
  • accessed page/name of the retrieved file,
  • the volume of transferred data,
  • notification whether the access/retrieval was successful.

When calling up individual pages, so-called temporary cookies for technical service provision are used. These session cookies do not include any personal data and expire following the completion of the session. Technologies such as Java-Applets or Active-X-Controls which allow to track users' access behaviour are not used.

Our online offer contains links to the websites of other providers. The Federal Commissioner for Data Protection and Freedom of Information has no influence on the compliance of these providers with the statutory data protection provisions. Therefore, you should always check the other providers’ privacy statement.