Version 1.0
As at: June 2018

Responsible handling of personal data is a high priority for the Federal Office for Information Security (BSI). We want you to know when we collect which data and how we use it. We take technical and organisational steps to ensure compliance with the regulations on data protection, both by us and by our external service providers. In the course of further development and implementation of new technologies, changes to this data protection statement may be necessary. We therefore recommend that you re-read this data protection statement from time to time. A current version can be accessed at any time via the link provided.

1. Responsible body

The responsible body for the processing of personal data in the meaning of the Data Protection Basic Regulation and other data protection provisions is the

Bundesamt für Sicherheit in der Informationstechnik
Godesberger Allee 87
53175 Bonn

Postfach 200363
53133 Bonn

Telefon: 0228 99 9582-0
+49 228 99 9582-0
Telefax: 0228 / 99 10 -9582-0
+49 228 99 10 9582-0
E-Mail: bsi@bsi.bund.de

2. Data Protection Officer in the BSI

The Data Protection Officer in the BSI is

Dominic Kastien
Bundesamt für Sicherheit in der Informationstechnik
Godesberger Allee 87
53175 Bonn

Postfach 200363
53133 Bonn

Telefon: 0228 99 9582-5775
+49 228 99 9582-5775
E-Mail: datenschutzbeauftragter@bsi.bund.de

3. General information on data processing

a) Purposes of processing and legal basis for processing

Personal data are used, electronically stored and processed by the BSI in the context of security consulting for the purpose of managing contacts, sending warning messages and communicating or retrieving IT security-related information from IT security and confidentiality officers of public administration bodies as well as other IT security-related contacts from public administration and the private sector (data subjects).

All processing activities of personal data in this context are carried out on the basis of the legal tasks of the BSI according to Section 3 (1) Sent. 2 Nos. 2, 9 and 14 of the BSI Act in conjunction with Art. 6 (1) (e) of the General Data Protection Regulation (GDPR).

In addition, if the data subject so wishes and the BSI permits the data subject to obtain IT security-related information for the internal area, the contact data of the data subject (in particular name, address, telephone and electronic contact details, office and function) will be collected and stored, and login data (user name and password) will be issued to the data subject by the BSI and stored in order to enable use of the internal area of security consulting.

The processing activity in this context takes place on the basis of consent pursuant to Art. 6 (1) (a) GDPR.

b) Sources and categories of personal data that are processed

For the purposes outlined above, the BSI processes and stores contact information (in particular name, address, telephone and electronic contact details, office and function) as well as login data for the internal area of the security consultation of the data subjects.

This personal data is transmitted to the BSI by the respective employer of the data subject or by the data subject. In addition, the BSI sometimes also receives information about the positions of IT security or confidentiality officers in public administration from third parties or from publicly accessible sources and then enters them into the contact database.

c) Recipients and categories of recipients of personal data

The personal data of data subjects required for the provision and administration of access to the internal area of the security consulting will be transmitted to the service providers who host this area for the BSI for hosting purposes.

Personal data is otherwise only transmitted to third parties (authorities, companies, private individuals) if the BSI is obliged to do so by law or by court decision or if this is necessary for legal or criminal prosecution in the event of attacks on the Internet infrastructure.

Any further transmission to third parties will not take place without the consent of the person concerned.

d) Duration of storage and criteria to determine the duration

The personal data processed for the purpose of providing and managing access to the internal area of the security consulting will be stored by the BSI for as long as the data subject has not revoked their consent and the internal area continues to be made available by the BSI. In addition, personal data will be stored for as long as the contact is still current or for a maximum period of 10 years.

Your other requests to the BSI will be stored in paper or electronic form in accordance with the time limits applicable to the storage of written material in the registration guideline. Your data will only be used for direct correspondence with you.

e) Rights of persons affected

If the BSI processes your personal data, as the data subject you have the following rights in terms of the BSI:

i. Right of access

You have the right to obtain confirmation from the BSI as to whether or not personal data concerning you are being processed. Where that is the case, you can require the BSI to provide the following information:

• the purposes of the processing of the personal data
• the categories of personal data that are processed
• the recipients or categories of recipient to whom the personal data about you has been or will be disclosed
• the envisaged period for which the personal data will be stored, or, if specific information is not possible, the criteria used to determine that period
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing
• the right to lodge a complaint with a supervisory authority
• where the personal data are not collected from the data subject, any available information as to its source
• whether personal data concerning you is transferred to a third country or to an international organisation In this event you have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR concerning the transfer;
• the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  

ii. Right to rectification

You have the right to rectification and/or completion by the BSI if the personal data processed that relates to you are incorrect or incomplete. The BSI will make the correction without undue delay.

iii. Right to restriction of processing

Under the following conditions, you can obtain a restriction of processing of personal data concerning you:

• if the accuracy of the personal data is contested by you, for a period enabling the BSI to verify the accuracy of the personal data
• if the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of data use instead
• if the BSI no longer needs the personal data for the purposes of the processing, but this data required by you for the establishment, exercise or defence of legal claims
• if you objected to processing pursuant to Article 21 (1) of the GDPR pending the verification whether the legitimate grounds of the BSI override your grounds

Where processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If you have obtained restriction of processing pursuant to the preconditions above, you will be informed by the BSI before the restriction of processing is lifted.

iv. Right to erasure

You have the right to obtain from the BSI the erasure of personal data concerning you without undue delay and the BSI has the obligation to erase this data without undue delay where one of the following grounds applies:

• the personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed
• you withdraw consent on which the processing is based according to Article 6 (1) (a), or Article 9 (2) (a) of the GDPR, and there is no other legal ground for the processing
• you object to the processing pursuant to Article 21 (1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 (2) of the GDPR
• the personal data concerning you have been unlawfully processed
• the personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the BSI is subject
• the personal data concerning you have been collected in relation to the offer of information society services referred to in Article 8 (1) of the GDPR

If the BSI has made the personal data public and is obliged pursuant to Article 17 (1) of the GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the person affected have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

You do not have the right to erasure of the personal data concerning you to the extent that processing is necessary:

• for exercising the right of freedom of expression and information
• for compliance with a legal obligation which requires processing by Union or Member State law to which the BSI is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the BSI
• for reasons of public interest in the area of public health in accordance with Article 9 (2) (h) and 9 (2) (i), as well as Article 9 (3) of the GDPR
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) of the GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing
• for the establishment, exercise or defence of legal claims
  

V. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 (1) (e) or 6 (1) (f) of the GDPR. The controller will no longer process the personal data concerning you, unless the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

VI. Right to data portability

You have the right to receive the personal data concerning you which you have provided to the BSI, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the BSI to which the personal data have been provided, where:

• the processing is based on consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) of the GDPR or on a contract pursuant to Article 6 (1) (b) of the GDPR; and
• the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of other persons must not be adversely affected by this.

The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the BSI.

vii. Right to revoke statements of consent under data protection law

You have the right to revoke your statement of consent under data protection law at any time. For this purpose, please send an e-mail to Sicherheitsberatung@bsi.bund.de.

The revocation of consent will not affect the legality of processing carried out on the basis of consent before its revocation.

f) Right to lodge a complaint with the supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. The supervisory authority for the Federal Office for Information Security is the Federal Commissioner for Data Protection and Freedom of Information (BfDI).

The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

g) Necessity of providing data

Access to the internal area of the security consulting and the associated data processing is in principle voluntary. However, we would like to point out that access cannot be provided without corresponding information, as providing personal data to be processed in this context is necessary for the provision and administration of this access.

Furthermore, the data processing described above is necessary in order for the BSI to be able to fulfil its duties arising from Section 3 (1) Sent. 2 Nos. 2, 9 and 14 of the BSI Act. In contrast, there is no obligation on the part of the data subject to provide data.