Skip to main content
Newsletter
News from DigitalService – subscribe to the DigitalService newsletter Newsletter
Deutsch

Data protection policy

DigitalService GmbH of the Federal Government would like to use this Data Protection Policy to explain to you what data is processed and in what form when you visit our website. This also fulfils our obligation to inform you in accordance with Article 13 of the General Data Protection Regulation (GDPR).

I. Data controller and contact information for the data protection officer

DigitalService GmbH of the Federal Government
Prinzessinnenstraße 8-14
10969 Berlin
Commercial Register: HRB 212879 B
Court of Registry: Charlottenburg

Represented by:
Christina Lang
Anja Theurer

E-mail: datenschutz@digitalservice.bund.de

II: Personal data, purposes and legal basis for data processing
1. Personal data
According to the GDPR, personal data are "any information relating to an identified or identifiable natural person (hereinafter 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. General usage of the website
When you call up this website, we process the data for your request, such as the specific page called up, your IP address, your browser and similar metadata on our server for a short time in order to deliver the website correctly. We store this data in log files only in anonymised form, i.e. in particular we do not log IP addresses or other data that could be traced back to you as an individual.

In order to understand the use of our website and to improve it regularly, we use the web analysis tool Plausible Analytics. Plausible does not set any cookies or store any information in the browser. Plausible Analytics does not collect any personal data, either. More information about the data protection policy of Plausible Analytics can be found here. Service provider: OÜ Plausible Insights, Västriku tn 2, Tartu 50403, Estonia.

The software runs exclusively on the servers of our website. Personal data of users is only stored there. The data is not passed on to third parties. The software is set in such a way that IP addresses are not stored completely, with 2 bytes of the IP address being masked (e.g.: 192.168.xxx.xxx). This makes it is no longer possible to assign the abbreviated IP address to the calling computer.

The legal basis for the processing of the users' personal data is Art. 6 para. 1 lit. f of the GDPR. By anonymising the IP address, users' interest in the protection of their personal data is sufficiently taken into account. The data is deleted as soon as it is no longer required for our recording purposes. All personal data is automatically deleted after 90 days. Beyond this, only daily totals are archived, which can no longer be assigned to individual persons.

Cookies are stored on the user's computer and transmitted to our site by the user. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. Please note that the complete deactivation of cookies may impair the functionality of the website.

We offer you the option of opting out of the analysis process on our website. To do this, you must follow the link in the following paragraph. This will set another cookie on your system, which signals to our system not to save the user's data. If the user deletes the corresponding cookie from their own system in the meantime, they must set the opt-out cookie again.

Notwithstanding the foregoing basic conditions, however, the web server of our hoster automatically registers accesses to the websites and, in particular, your IP address. Your IP address is not stored, however.
In addition, our hoster creates so-called log files to maintain system security. These log files contain the following information:

  • Date of access
  • The URL
  • Contents which can be accessed and
  • Information that is transferred

This information remains anonymous for us. It is therefore not possible to draw conclusions about an individual.

If you contact us at the e-mail address provided on our website, you will at a minimum provide us with your e-mail address and, if applicable, other information that you disclose in your e-mail. We need to process this data so that we can deal with your request.

Data protection information for applicants
The processing of applicants’ personal data is based on the consent given in this privacy policy.

Access to your documents is limited to the human resources and recruiting managers of DigitalService GmbH of the Federal Government.

The data is processed with the support of Greenhouse Software, Inc., a company based in the USA. The provider meets high security standards, including ISO certifications. DigitalService GmbH of the Federal Government has concluded a data processing agreement with Greenhouse Software, Inc. in accordance with data protection requirements.

The personal data stored by applicants will be deleted automatically at the earliest four months and at the latest six months after the applicant has been informed that the position will not be filled by them, provided that no further legal obligations require otherwise.

Personal data may be stored by DigitalService GmbH of the Federal Government for consideration in future job postings. This storage is carried out only with the express consent of the applicant.

Data protection information for bidders in the context of a procurement procedure
We process the personal data you provide to us in the context of a procurement procedure. This includes in particular:

  • Personal contact details and names of bidders, insofar as they are natural persons or partnerships, as well as contact details of their contact persons and references (e.g., first and last name, business address, email address, telephone number)
  • Information on the qualifications and suitability of the bidder and the bidder’s employees
  • References for comparable services provided in the past

The processing of personal data is carried out for the purpose of conducting the procurement procedure and is based on Art. 6 (1) (b), (c) and (f) GDPR.

As part of the procurement procedure, personal data is mainly processed in the course of the suitability assessment. For example, we may ask applicants and bidders to provide references with CVs, names and addresses of employees, or information on technical specialists who are to be deployed in connection with the provision of services. The legal basis for this is, depending on the type of procedure, Section 6a VOB/A, Section 6a VOB/A EU, Section 46 of the German Public Procurement Regulation (VgV), and other relevant provisions of public procurement law.

Furthermore, self-declarations may be requested that require information on criminal convictions or subsequent self-cleaning measures. The legal basis for this is Sections 123 to 125 of the Act against Restraints of Competition (GWB).

According to Section 147 of the Fiscal Code (AO), we are required to retain your data for ten years.

Access to your documents is restricted to employees of the legal, finance and procurement departments of DigitalService GmbH of the Federal Government.

Your data will not be transferred to third countries.

Data protection information for the use of our newsletters
If you subscribe to our newsletters, we will only process the following personal data from you (name, email address) that is necessary to provide the newsletter. The processing is based on Art. 6 para. 1 lit. a) GDPR.

Your personal data will be processed exclusively for the provision of the content you have selected. You can unsubscribe from the newsletter at any time. Please use the link in your email to do so.

To provide the newsletters, we use the service provider HubSpot, Inc., a company based in the USA. The provider has high security standards in the form of ISO standard certifications. For the processing, the German Federal DigitalService GmbH (DigitalService GmbH des Bundes) has concluded a corresponding Data Processing Agreement (DPA) with Hubspot, Inc. in accordance with data protection requirements. Your data is processed exclusively within the EU and is not transferred to third countries. You can find more information on data protection at Hubspot here.

Data protection information regarding the use of YouTube
Our website uses the YouTube service to embed videos. The provider is Google Ireland Limited, Google Building Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland.

YouTube content is embedded in “extended data protection mode.” This means that YouTube does not initially store any cookies on your device. As a result, no information about visitors is stored unless they play the video.

The legal basis for processing is your consent in accordance with Art. 6 (1) (a) GDPR. As part of processing via YouTube, data may be transferred to the USA, in particular to Google LLC and Alphabet Inc.

Further information on YouTube’s privacy policy can be found at: https://policies.google.com/privacy

Privacy policy regarding the use of Google Fonts
Our website uses the Google Web Fonts service as part of YouTube. The provider is Google Ireland Limited, Google Building Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland. Google Web Fonts is used to load and display external fonts on our website. Google Web Fonts is integrated locally on our site, which means that the fonts are not loaded from Google servers.

3. Purposes and legal basis of data processing
Your IP address is processed during the connection process so that we can provide you with our website. It is based on Art. 6 para. 1 lit. f) of the GDPR. Our legitimate interest lies in the aforementioned purpose.
Processing in the context of contacting you takes place so that we can process and answer your enquiry. The legal basis is Art. 6 para. 1 lit. f) of the GDPR. Our legitimate interest lies in the purpose mentioned above.

If you participate in one of our events, we process your data (first and last name, title, address, telephone number, email address, position and company) in order to stage the event and enable you to participate. The legal basis for this data processing is Art. 6 para. 1 sentence 1 lit. b of the GDPR. The legal basis for taking and storing photographs and videos at the events is Art. 6 (1) sentence 1 lit. f of the GDPR based on our legitimate interest in reporting on the event. Further information on our handling of your data and your rights at our events can be found here.

Furthermore, we only process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) on the basis of your corresponding consent (Art. 6 para. 1 lit. a of the GDPR).

III. Recipients of data
Within our company, the departments that have access to your data are those that are responsible for processing the requests. In addition, we use external service providers if we cannot or are unable to reasonably perform services ourselves. These external service providers are primarily providers of IT services and telecommunication services, with each of which we have concluded an order processing agreement (AVV). Wherever possible, we prefer to use European service providers that are directly covered by the scope of the European General Data Protection Regulation (GDPR).

No transfer to third countries takes place in principle and only if it is necessary for the execution of your orders, is required by law or you have given us your consent to do so.

IV. Storage period
Our log files are stored for 14 days. We store your emails and contacts for as long as is necessary to process your enquiry and then store these for a maximum period of 12 months in case you contact us again in relation to your original question.

V. Data subjects' rights
The General Data Protection Regulation guarantees you certain rights that you can assert against us – insofar as legal requirements are met.
The data subject's right to information (Art. 15 of the GDPR): You have the right to request confirmation from us as to whether personal data relating to you are being processed and, if so, what these data are and the circumstances in which they are being processed.

Right to rectification (Art. 16 of the GDPR): You have the right to demand that we correct any inaccurate personal data relating to you without delay. In doing so, you also have the right to request the completion of incomplete personal data – including by means of a supplementary declaration – taking into account the purposes of the processing.

Right to erasure (Art. 17 of the GDPR): You have the right to demand that we delete personal data concerning you without delay. Please note the exception described under II. 4 herein.

Right to restriction of processing (Art. 18 of the GDPR): You have the right to demand that we restrict processing.

Right to data portability (Art. 20 of the GDPR): You have the right, in the event of processing based on consent or for the performance of a contract, to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format, and to transfer this data to another controller without hindrance from us or to have the data transferred directly to the other controller, insofar as this is technically feasible.

Right to object (Art. 21 of the GDPR): You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is necessary on grounds of a legitimate interest on our part or for the performance of a task carried out in the public interest, or which is carried out in the exercise of official authority. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims. Insofar as we process your personal data for the purpose of direct marketing, you have the right to object to the processing at any time. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

Right to lodge a complaint with a supervisory authority (Art. 77 of the GDPR in conjunction with Section 19 of the BDSG): You have the right to lodge a complaint with a supervisory authority at any time, in particular in the Member State in which you have your place of residence, your place of work or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates applicable law.

To exercise these rights, please contact datenschutz@digitalservice.bund.de or contact us by telephone or post (see our Legal Notice).

VI. Obligation to provide data
You have no contractual or legal obligation to provide us with personal data. However, we are unable to provide you with our services without the data you provide.

VII. Existence of automated decision-making (including profiling)
We do not use automated decision-making that has legal repercussions for you or affects you.

If you have any comments or questions:
We take all possible precautions to protect and secure your data. We welcome your questions and comments about data protection; just send an email to datenschutz@digitalservice.bund.de.