Privacy statement

The Federal Office of Economics and Export Control (BAFA) is committed to the responsible handling of personal data.  We want users to know which data is collected and used by BAFA, and when.

We only process personal data to the extent necessary. Which data is required and processed for what purpose and on what basis mainly depends on the type of service you choose and for what purpose the data is needed.

We have put technical and organisational measures in place to ensure that we and our external service providers comply with data protection and privacy regulations.

At BAFA, personal data is processed in accordance with the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

1. General

1.1 Data controller and data protection officer

The body responsible for processing personal data (the data controller) is the:

Bundesamt für Wirtschaft und Ausfuhrkontrolle
Frankfurter Straße 29 – 35
65760 Eschborn
Phone: +49 06196 908-0
Fax: +49 06196 908-1800
poststelle@bafa.bund.de

If you have specific questions about the protection of your data at BAFA, please contact the official data protection officer:

Bundesamt für Wirtschaft und Ausfuhrkontrolle
– Datenschutzbeauftragter –
Frankfurter Straße 29-35
65760 Eschborn
datenschutz@bafa.bund.de

1.2  Definitions

“Personal data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly - in particular by reference to an identifier such as a name, an identification number, location data or an online identifier Article 4 No. 1 GDPR.

“Processing” means any process carried out with or without the aid of automated processes or any such series of processes carried out in connection with personal data. Examples of processing operations are the collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data, Article 4 No. 2 GDPR.

2. Visiting this website

Personal data collected via the BAFA website is processed and used by BAFA for a specific purpose and in accordance with the statutory provisions.

Whenever a user accesses the website and retrieves a file, data about this process is temporarily stored and processed in a log file. Specifically, the following data is stored for each access/retrieval:

  • Date and time of retrieval (time stamp)
  • Request details and target address (protocol version, HTTP method, referrer, user agent string)
  • Name of the file retrieved and amount of data transferred (requested URL including query string, size in bytes)
  • Message indicating whether the retrieval was successful (HTTP status code)

The data stored in the log file in anonymised form is evaluated by BAFA, solely for statistical purposes and to improve the BAFA Internet portal. Personal data is not collected.

When you visit the website, temporary “session” cookies are used and stored on your device to facilitate navigation. These cookies do not contain any personal data and expire at the end of the session.

BAFA also uses the Matomo analysis tool, which similarly uses cookies. Matomo uses these cookies to store the IP addresses in anonymised form. Anonymisation is carried out by removing the last octet from IP addresses in accordance with the resolutions of the Data Protection Conference, a grouping of the data protection authorities of the federal and state governments (DSK). This means that no conclusions can be drawn about the identity of the user. Matomo also collects certain technical information based on the data transmitted by your browser. This information is as follows: browser type and version, operating system used, device type, model and brand, screen resolution, search engine used by your device, websites visited under the domain www.bafa.de including the length of visit, search terms and keywords, date and time of visit, location of visit (continent, country, region, city) and browser language. BAFA evaluates this information for statistical purposes only. The data is not shared with third parties.

3. Contacting BAFA

3.1  Contact forms

BAFA allows you to make general contact through its website. If you want to use the services offered there, you will be asked to enter the personal data necessary to process your request. In this process, BAFA collects your first and last name and your e-mail address. You decide whether or not to use these services and enter your data. BAFAcollects this data in order to use a personal address when communicating with you and, if necessary, to direct you to the relevant procedures in BAFA. The data you enter will only be saved and processed for the specific purpose of processing your request. The legal basis for data processing is Article 6 (1) Sentence 1 (c) GDPR in conjunction with Section 3 of the Federal Data Protection Act (BDSG). If you order publications, your data may be transferred to the service provider tasked with the delivery.

The data is only ever stored for as long as is necessary to process your request, provided that there are no retention requirements. The relevant retention and deletion periods depend largely on the particular matter you are pursuing.

3.2  Contacting BAFA by e-mail

BAFA publishes e-mail addresses (also on this website) that you can use to contact us. In addition to personal work e-mail addresses for its employees, BAFA uses function mailboxes and central e-mail mailboxes.

If you use BAFA's central e-mail accounts, your request will be forwarded to the appropriate organisational units. The data transmitted by you (for example: surname, first name, address and the information contained in the e-mail) are processed in the organisational units for the purpose of processing your request. The legal basis for data processing is Article 6 (1) Sentence 1 (c) GDPR in conjunction with Section 3 BDSG. The data is only ever stored for as long as is necessary to process your request, provided that there are no retention requirements. The relevant retention and deletion periods depend largely on the particular matter you are pursuing.

3.3  Contacting BAFA by letter/fax

If you send a letter or a fax to BAFA, the data you have transmitted (for example: surname, first name, address and the information contained in the letter/fax) is processed for the purpose of handling your request. The legal basis for data processing is Article 6 (1) Sentence 1 (c) GDPR in conjunction with Section 3 BDSG. The data is only ever stored for as long as is necessary to process your request, provided that there are no retention requirements. The relevant retention and deletion periods depend largely on the particular matter you are pursuing.

3.4  Contacting BAFA by telephone

If you contact BAFA by telephone via one of our hotlines, personal data transmitted by you (for example: name, first name, telephone number, time of call, selected menu option, process number) are processed for identification and service purposes within the framework of the hotline dialogue system. With the help of the dialogue system, you can, for example, make a thematic preselection for the upcoming call and also (optional) enter a process number which is transmitted to the BAFA hotline agent. Furthermore, in the event of a follow-up call within a shorter period of time, the procedure of selecting a topic or entering a procedure number (optional) can be skipped. It is also possible to be informed of the processing status of the submitted funding application after entering a valid process number and the corresponding postcode.
The legal basis for data processing is Article 6 (1) Sentence 1 (c) GDPR in conjunction with Section 3 BDSG. The aforementioned data is stored temporarily and locally on a separate database for 72 hours and then deleted. The data will not be linked to any other personal data within the system."
In addition, there is the possibility - subject to your explicit consent - to record and evaluate incoming calls in the hotline of the Energy Info Centre. Due to the very high call volume, this serves the purpose of improving the existing service and better meeting the needs of callers. The legal basis for this data processing is your consent pursuant to Article 6 (1) Sentence 1 (a) GDPR. The data is stored on a local database for a period of 90 days and is then deleted.

4. Newsletters

BAFA allows you to order newsletters through its website. If you want to make use of this service, you will be asked to enter your e-mail address, which will be saved and processed solely for the purpose of dispatching the newsletter. The legal basis for data processing is your consent, in accordance with Article 6 (1) Sentence 1 (a) GDPR.

Each newsletter contains information on how to unsubscribe from the newsletter service. Saved e-mail addresses are deleted as soon as users unsubscribe from the newsletter or will be deleted if the newsletter service is discontinued by BAFA. If the confirmation link sent during the initial registration is not activated, the data is deleted just two days after registration. If, after the confirmation link has been activated, attempts to deliver the newsletter fail, the data will be deleted after six failed delivery attempts.

5. Use of social networks

BAFA is active on the social networks Twitter, YouTube and LinkedIn.

To carry out editorial tasks on these social networks, BAFA processes data belonging to people who interact with BAFA. The data is processed on the legal basis of Article 6 (1) Sentence 1 (c) GDPR in conjunction with Section 3 BDSG. Personal data transmitted by you is processed for the purpose of press and public relations work.

5.1 Twitter

For the short message service provided here, BAFA uses the technical platform and services offered by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103 U.S.A. (www.twitter.com). If you live outside the United States, the data controller for processing your data is: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland.

Please note that you use the Twitter short message service offered here and its functions at your own risk. This applies in particular to the use of the interactive functions (e.g. sharing content, rating). Please also note that the providers save the data of their users (e.g. personal information, IP address, etc.) in accordance with their data usage guidelines and use this data for business purposes. BAFA has no influence on the type and scope of the data processed by Twitter, the type of processing and use or the transfer of this data to third parties. BAFA also has no effective control options in this regard.

For a detailed description of the relevant types of processing and the opt-out options, see the privacy statements and information provided by the operator Twitter Inc.: https://twitter.com/en/privacy

5.2  YouTube

BAFA uses the technical platform and services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (www.youtube.com) to provide video content. As in the case of Twitter, BAFA has no influence on data collection by YouTube (Google) and the further use of this data by social networks. BAFA also has no effective control options in this regard.

For a detailed description of the relevant types of processing and the opt-out options, see the privacy statements and information provided by the operator Google Ireland Limited: https://policies.google.com/privacy?hl=en

5.3  LinkedIn

BAFA uses the LinkedIn platform as an additional employer and news service.

The data controller is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. For a detailed description of the data processing by LinkedIn and the possibilities to object (opt-out), we refer to the data protection information of LinkedIn: https://www.linkedin.com/legal/privacy-policy.

BAFA has no influence on the data processing by LinkedIn. BAFA also has no effective control options in this respect. If joint responsibility should nevertheless exist, you will find further information here: https://legal.linkedin.com/pages-joint-controller-addendum.

6. Video surveillance

The BAFA premises at Frankfurter Straße 29 – 35, 65760 Eschborn, Germany, are monitored by a video surveillance system in order to safeguard the rights of the premises and for the purposes of danger prevention and law enforcement in the outdoor area. The video surveillance system is in operation 24 hours a day, 7 days a week. It is recorded without sound. The date and time of the recording can be seen in the recording. The video data is temporarily stored for a period of seven days and then automatically overwritten. The processing is based on Article 6 (1) Sentence 1 (c) DSGVO in conjunction with § 4 BDSG.

If there is an initial suspicion (for example burglary), the data can be exported by authorized persons and an overwriting can be prevented. The collected data will only be transferred to law enforcement authorities if this is requested within the scope of a justified police measure or by judicial order for the above-mentioned purposes. The transfer will be documented. The transfer of data to a law enforcement agency is usually made to the police station or public prosecutor's office responsible for the request.

7. Defense against malware and threats to the communications technology of the Federal Government

Pursuant to Sections 5 and 5a of the Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSIG), the Federal Office for Information Security (BSI) has been authorized to collect, evaluate, store, use and process log data and data generated at the interfaces of the Federal Government's communications technology. This enables signs of IT attacks to be detected and combated in a targeted manner.

Sections 5, 5a BSIG are implemented at the Federal Information Technology Center (ITZBund) in cooperation with the BSI via the DaaS (Detection as a Service).

Information on what personal data is processed in this context is available on the BSI website at the following link: https://www.bsi.bund.de/EN/Service/Datenschutz/datenschutz_node.html#doc923476bodyText5 (2. Protection against malware and threats to federal communications technology).

8. Your rights

As a data subject, you are entitled to the rights under Article 15 et seq. as well as Article 77 of the GDPR. The competent supervisory authority is the Federal Commissioner for Data Protection and Freedom of Information (BfDI), based in Bonn.

Seitenfunktionen und -Informationen

Subnavigation of all website sections

Service

Englisches Cookiebanner

Cookies erleichtern die Bereitstellung unserer Dienste. Mit der Nutzung unserer Dienste erklären Sie sich damit einverstanden, dass wir Cookies verwenden. Weitere Informationen zum Datenschutz erhalten Sie über den folgenden Link: Datenschutz

Auswahl bestätigen