Data Protection Declaration
The German Federal Institute for Risk Assessment (BfR) attaches great importance to the responsible handling of personal data. We want users to know which data is collected and used by the BfR, and when.
The BfR operates a website under the domain www.bfr.bund.de/en. On this website, the public is informed about the tasks and the legal mandate of the BfR. In addition, comprehensive information is made available.
We only process personal data to the necessary extent. The basis on which different data is processed depends on the purpose for which the data is required.
1. Who is responsible for data processing and who can I contact?
The German Federal Institute for Risk Assessment is responsible for processing your data in line with Art. 4 No. 7 GDPR. You can find our contact details below:
If you have questions about the processing of your data or about data protection, please contact our Data Protection Officer:
German Federal Institute for Risk Assessment (BfR)
PO Box 12 69 42
Tel +49 30 18412 31002
2. On which legal basis do we process your personal data?
At the BfR, personal data is processed in accordance with the European General Data Protection Regulation (GDPR), the German Telemedia Act (TMG) and the German Federal Data Protection Act (BDSG).
Provided the BfR obtains consent from the person concerned to process their personal data, Art. 6 Para. 1 lit. a GDPR serves as the legal basis. Consent can be revoked at any time with future effect. This also applies to revoking consent that was given to us before the GDPR came into effect, i.e. before 25 May 2018.
If personal data required to fulfil a contract is processed where the contract party is the person concerned, Art. 6 Para. 1 lit. b GDPR serves as the legal basis in the individual case. This also applies to processing that is required to perform pre-contractual measures.
If personal data needs to be processed in an individual case in order to fulfil a legal obligation, Art. 6 Para. 1 lit. c GDPR also serves as the legal basis in conjunction with the relevant legislation from which the legal obligation arises.
In the rare case that vital interests of the person concerned or another individual necessitate processing of personal data, Art. 6 Para. 1 lit. d GDPR serves as the legal basis.
The BfR processes personal data during performance of its tasks in the public interest. The public tasks of the BfR include in particular the tasks and activities assigned to it according to the BfR law (BfRG). The legal basis of the processing here is Art. 6 Para. 1 lit. e of the GDPR in conjunction with the relevant provisions of the BfRG, in particular § 2 BfRG.
Where necessary, we also process your data for protection of our own justified interests or those of third parties. Examples may include enforcement of legal claims and defence in legal disputes, guaranteeing IT security and IT operation of the BfR, PR work of the BfR or the prevention of crimes, etc. In such cases, Art. 6 Para. 1 lit. f GDPR serves as the legal basis.
3. Which personal data is processed in the context of visits to our website?
3.1 Data collection
Each time a user accesses our web pages and each time a file is opened, data on this process is temporarily processed in a log file on the web server.
The following data in particular is saved on each access operation/file opening:
- Browser type and version
- Operating system used
- Website from which you visit our web pages (referrer URL)
- Web page that you visit
- Date and time of access
- Your Internet Protocol (IP) address in anonymised form
The legal basis for temporary saving of data is Art. 6 Para. 1 lit. e and f GDPR. This data is not combined with the user's other personal data.
When using this information, the BfR does not draw conclusions about the person in question. Rather, this information is required to:
- Correctly deliver the contents of our web page
- Optimise the contents of our web page
- Guarantee functionality of our IT systems and the technology of our web page
The log files are deleted after 14 days.
- Saving watch lists
- Checking captcha images in forms
- Newsletter subscription/profile editing
Duration of validity: One browser session
- Newsletter subscription/profile editing
Duration of validity: One browser session
Both cookies are created when the page is loaded and deleted again when the browser is closed.
Cookies which are valid during the time of the visit to the website are used on the pages of our ordering service for publications. This is necessary for technical reasons to ensure the correct functioning of the shopping cart function. This takes place on the basis of Art. 6 Para. 1 lit. e GDPR in conjunction with Art. 3 BDSG in the context of PR work for audience-oriented provision of information. The cookies used are deleted when you end the session. When you close the browser window or access another website, your shopping cart is reset. The shopping cart contents collected up to that point will need to be added again if you end the session but have not yet completed the ordering process.
With any web browser, you can view when cookies are set and what they contain. Most browsers are set in such a way that they automatically accept cookies. However, the saving of cookies can be disabled at any time, or the browser can be set so that cookies are only saved for the duration of the respective connection to the internet.
If you reject all cookies, the function of the website may be impaired and it may not be possible for the service to be provided in the desired quality.
3.3 Web analysis with the analysis tool AWStats
On the basis of Art. 6 Para. 1 lit. e GDPR in conjunction with Art. 3 BDSG in the context of PR work, the BfR performs statistical evaluation of the user access operations with the AWStats analysis tool (http://www.awstats.org/). The web servers themselves are also operated directly by the BfR and log files produced are anonymised immediately. The data from the log files of the web server is analysed in an anonymised form, i.e. without identification of users based on IP addresses or other personal data. Only a small number of BfR employees have access to this analysis data.
The collection, processing and use of this data as well as its evaluation takes place solely for statistical purposes and to optimise the BfR web page contents. We use these statistics exclusively to measure activity and to improve or adjust our web pages in line with users' requirements.
When individual pages of our website are accessed, the following data is saved:
- The accessed web page
- The website from which the user reached the accessed web page (referrer)
- The subpages opened from the accessed web page
- Amount of time spent on the web page
- Frequency of access to the web page
3.4 Which personal data is processed when contact is established?
Personal data is processed depending on the method of contact. We can distinguish here between contact by e-mail and contact via the contact form.
3.4.1 Contact by e-mail
Contact with the BfR by e-mail can be made via
- The individual work e-mail addresses of the employees
- The e-mail address for the specific role
- The central e-mail address (firstname.lastname@example.org)
If you use one of the methods of contact listed above, the data transmitted by you (e.g. first name, surname, address etc.), but at least the e-mail address, as well as the information contained in the e-mail (including any personal data provided by you) will be processed for the purposes of contacting you and handling your issue. We advise you that data processing takes place on the basis of Article 6 Paragraph 1 lit. e GDPR in conjunction with Art. 3 BDSG. It is necessary to process the personal data transmitted by you in order to handle your issue.
3.4.2 Contact via the contact form
You can also use the contact form on our website to send your query to the BfR.
The contents of the contact form are transmitted via an encrypted https connection.
If a user makes use of this possibility, the data entered in the input form is transmitted to us and saved. This data comprises:
- First name and surname
- E-mail address
If you use the contact form for communication, you need to enter your title, first name, surname and e-mail address. Without this information, the issue outlined in the contact form cannot be handled. To order information material to be sent by post, you need to enter your address (see item 3.6.2). We process the personal data described above in accordance with the provisions of the GDPR and the BDSG on the basis of your consent (Art. 6 Para. 1 lit. a GDPR).
Your data is processed internally at the BfR exclusively by the responsible employees. Your data is not passed on to any third parties. Processing only takes place in Germany. Through technical and organisational measures, we ensure that your data is protected against accidental or intentional manipulation as well as unauthorised access. Your transmitted data is saved until revoked, in order to process your request and for any inquiries. It is generally deleted after 12 months. Other periods may apply in the context of legal retention periods. If you wish to change or delete your data, you can notify us of this at any time using the method most convenient for you.
3.5 Which personal data is processed in the context of the use of social networks?
The BfR is active on the social networks Twitter, YouTube and Instagram. The BfR website only provides links to our Institute's presence on the respective platforms. The BfR does not save any data relevant to data protection for this purpose.
3.6 Which personal data is processed in the context of information provision?
The processing of personal data depends on the type of information provision, e.g. if you subscribe to a newsletter or order publications from us.
3.6.1 Data for newsletter distribution
If you register on one of the BfR newsletter mailing lists, we generally save your e-mail address, the date and time of registration, and the newsletter type you have selected on a server. The data is processed on the basis of your consent according to Article 6 Paragraph 1 lit. a GDPR. We only use this data for sending the relevant newsletter. We do not forward the data to any third parties.
The registration system with an additional confirmation message containing a link to the final registration (double opt-in) ensures that you explicitly wish to receive the newsletter.
On registration, your data is saved on our server and a confirmation message with a link to final registration is sent to the given e-mail address.
Your data for newsletter distribution is only saved for the duration of use of our newsletter service when you confirm the link in the e-mail.
If you no longer agree to the saving of your data for this purpose and therefore no longer wish to use our service, you can unsubscribe from our newsletters at any time. The data provided by you is then deleted. Please use this link to deregister. You will need the e-mail address that you gave when you registered.
3.6.2 Ordering BfR publications
If you order brochures, flyers or other printed documents via our website, processing of your personal data according to Article 6 Paragraph 1 lit. b GDPR is necessary in order to carry out pre-contractual measures and fulfil the contract (providing the relevant publication).
The following personal data must be specified to process the order:
- Street address
- Post code and town/city
- E-mail address
This data is processed in the context of the order. The data that you provide is processed by the BfR or forwarded to a service provider commissioned with sending the publication. The service provider who works for us is obliged contractually and legally according to Art. 28 GDPR to ensure performance of technical and organisational measures in such a way that processing takes place in accordance with the requirements of the GDPR and protection of your rights is guaranteed.
If the data specified above is not available, it is not possible for the order to be processed.
The data transmitted by you will be deleted after the order is complete or after the expiry of legal retention periods.
4. Is data transferred to a third country or an international organisation?
Transfer of data to countries outside of the EU or the EEA (so-called third states) only takes place if this is contractually required, prescribed by law or in the context of order data processing. If order data processors in a third country are used, these processors are contractually obliged to comply with the data protection regulations of the EU.
5. What data protection rights do I have?
The BfR guarantees you the following rights with respect to your personal data:
- The right to information according to Art. 15 GDPR
- The right to rectification according to Art. 16 GDPR
- The right to erasure according to Art. 17 GDPR
- The right to restriction of processing according to Art. 18 GDPR
- The right to object according to Art. 21 GDPR
- The right to data portability according to Art. 20 GDPR
The restrictions according to Arts. 34 and 35 BDSG apply to the rights to information and erasure.
You can revoke consent given to us to process personal data at any time with future effect. This also applies to revoking consent that was given to us before the General Data Protection Regulation came into effect, i.e. before 25 May 2018.
You can assert the rights specified above with the BfR by e-mail at email@example.com or by post to the postal address of the BfR given at the beginning of this data protection declaration.
Furthermore, you have the right to complain to the regulatory authority for data protection (German Federal Commissioner for Data Protection and Freedom of Information), cf. Art. 77 GDPR in conjunction with Art. 19 BDSG.
You can also contact the Data Protection Officer at the BfR (firstname.lastname@example.org) with questions or complaints.
6. Changes to the data protection declaration
The BfR reserves the right to modify this data protection declaration so that it always adheres to the current legal requirements. We recommend that you read our data protection declaration regularly in order to stay up to date regarding the protection of the personal data that we collect.
Valid as of: 1 September 2018