Privacy statement

The Federal Office of Economics and Export Control (BAFA) is committed to the responsible handling of personal data.  We want users to know which data is collected and used by BAFA, and when.

We only process personal data to the extent necessary. Which data is required and processed for what purpose and on what basis mainly depends on the type of service you choose and for what purpose the data is needed.

We have put technical and organisational measures in place to ensure that we and our external service providers comply with data protection and privacy regulations.

At BAFA, personal data is processed in accordance with the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

1. General

1.1 Data controller and data protection officer

The body responsible for processing personal data (the data controller) is the:

Bundesamt für Wirtschaft und Ausfuhrkontrolle
Frankfurter Straße 29 – 35
65760 Eschborn
Phone: +49 06196 908-0
Fax: +49 06196 908-1800
poststelle@bafa.bund.de

If you have specific questions about the protection of your data at BAFA, please contact the official data protection officer:

Bundesamt für Wirtschaft und Ausfuhrkontrolle
– Datenschutzbeauftragter –
Frankfurter Straße 29-35
65760 Eschborn
datenschutz@bafa.bund.de

1.2  Definitions

“Personal data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier (Article 4 No. 1 GDPR).

“Processing” means any process carried out with or without the aid of automated processes or any such series of processes carried out in connection with personal data. Examples of processing operations are the collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (Article 4 No. 2 GDPR).

2. Visiting this website

Personal data collected via the BAFA website is processed and used by BAFA for a specific purpose and in accordance with the statutory provisions.

Whenever a user accesses the website and retrieves a file, data about this process is temporarily stored and processed in a log file. Specifically, the following data is stored for each access/retrieval:

  • Date and time of retrieval (time stamp)
  • Request details and target address (protocol version, HTTP method, referrer, user agent string)
  • Name of the file retrieved and amount of data transferred (requested URL including query string, size in bytes)
  • Message indicating whether the retrieval was successful (HTTP status code)

The data stored in the log file in anonymised form is evaluated by BAFA, solely for statistical purposes and to improve the BAFA Internet portal. Personal data is not collected.

When you visit the website, temporary “session” cookies are used and stored on your device to facilitate navigation. These cookies do not contain any personal data and expire at the end of the session.

BAFA also uses the Matomo analysis tool, which similarly uses cookies. Matomo uses these cookies to store the IP addresses in anonymised form. Anonymisation is carried out by removing the last octet from IP addresses in accordance with the resolutions of the Data Protection Conference, a grouping of the data protection authorities of the federal and state governments (DSK). This means that no conclusions can be drawn about the identity of the user. Matomo also collects certain technical information based on the data transmitted by your browser. This information is as follows: browser type and version, operating system used, device type, model and brand, screen resolution, search engine used by your device, websites visited under the domain www.bafa.de including the length of visit, search terms and keywords, date and time of visit, location of visit (continent, country, region, city) and browser language. BAFA evaluates this information for statistical purposes only. The data is not shared with third parties.

3. Contacting BAFA

3.1  Contact forms

BAFA allows you to make general contact through its website. If you want to use the services offered there, you will be asked to enter the personal data necessary to process your request. In this process, BAFA collects your first and last name and your e-mail address. You decide whether or not to use these services and enter your data. BAFA collects this data in order to use a personal address when communicating with you and, if necessary, to direct you to the relevant procedures in BAFA. The data you enter will only be saved and processed for the specific purpose of processing your request. The legal basis for data processing is Article 6 (1) Sentence 1 (c) GDPR in conjunction with Section 3 of the Federal Data Protection Act (BDSG). If you order publications, your data may be transferred to the service provider tasked with the delivery.

The data is only ever stored for as long as is necessary to process your request, provided that there are no retention requirements. The relevant retention and deletion periods depend largely on the particular matter you are pursuing.

3.2  Contacting BAFA by e-mail

BAFA publishes e-mail addresses (also on this website) that you can use to contact us. In addition to personal work e-mail addresses for its employees, BAFA uses function mailboxes and central e-mail mailboxes.

If you use BAFA's central e-mail accounts, your request will be forwarded to the appropriate organisational units. The data transmitted by you (for example: surname, first name, address and the information contained in the e-mail) are processed in the organisational units for the purpose of processing your request. The legal basis for data processing is Article 6 (1) Sentence 1 (c) GDPR in conjunction with Section 3 BDSG. The data is only ever stored for as long as is necessary to process your request, provided that there are no retention requirements. The relevant retention and deletion periods depend largely on the particular matter you are pursuing.

3.3  Contacting BAFA by letter/fax

If you send a letter or a fax to BAFA, the data you have transmitted (for example: surname, first name, address and the information contained in the letter/fax) is processed for the purpose of handling your request. The legal basis for data processing is Article 6 (1) Sentence 1 (c) GDPR in conjunction with Section 3 BDSG. The data is only ever stored for as long as is necessary to process your request, provided that there are no retention requirements. The relevant retention and deletion periods depend largely on the particular matter you are pursuing.

3.4  Contacting BAFA by telephone

If you contact BAFA by telephone via one of our hotlines, personal data transmitted by you (for example: name, first name, telephone number, time of call, selected menu option, process number) are processed for identification and service purposes within the framework of the hotline dialogue system. With the help of the dialogue system, you can, for example, make a thematic preselection for the upcoming call and also (optional) enter a process number which is transmitted to the BAFA hotline agent. Furthermore, in the event of a follow-up call within a shorter period of time, the procedure of selecting a topic or entering a procedure number (optional) can be skipped. It is also possible to be informed of the processing status of the submitted funding application after entering a valid process number and the corresponding postcode.
The legal basis for data processing is Article 6 (1) Sentence 1 (c) GDPR in conjunction with Section 3 BDSG. The aforementioned data is stored temporarily and locally on a separate database for 72 hours and then deleted. The data will not be linked to any other personal data within the system.
In addition, there is the possibility - subject to your explicit consent - to record and evaluate incoming calls in the hotline of the Energy Info Centre. Due to the very high call volume, this serves the purpose of improving the existing service and better meeting the needs of callers. The legal basis for this data processing is your consent pursuant to Article 6 (1) Sentence 1 (a) GDPR. The data is stored on a local database for a period of 90 days and is then deleted.

4. Newsletters

BAFA allows you to order newsletters through its website. If you want to make use of this service, you will be asked to enter your e-mail address, which will be saved and processed solely for the purpose of dispatching the newsletter. The legal basis for data processing is your consent, in accordance with Article 6 (1) Sentence 1 (a) GDPR.

Each newsletter contains information on how to unsubscribe from the newsletter service. Saved e-mail addresses are deleted as soon as users unsubscribe from the newsletter or will be deleted if the newsletter service is discontinued by BAFA. If the confirmation link sent during the initial registration is not activated, the data is deleted just two days after registration. If, after the confirmation link has been activated, attempts to deliver the newsletter fail, the data will be deleted after six failed delivery attempts.

5. Use of social networks

As part of its press and public relations work, BAFA has its own accounts on the social networks X, YouTube, LinkedIn and Bluesky.

The data processing associated with the social media platforms enables a direct and rapid exchange with users. BAFA restricts the use of its accounts, also to protect personal data, to content relating to BAFA's press and public relations work. Administrative services or communication beyond the aforementioned purpose of use are not offered, processed or answered via these services.

Please do not actively share any personal data via our social media channels, e.g. in posts, comments or retweets, and always use our direct communication channels to contact us. All interactions with social media accounts (sharing, retweeting, liking, commenting on or quoting posts) are displayed publicly. This applies both to actions by third parties in relation to posts by BAFA accounts and to actions by BAFA accounts in relation to posts by third parties.

Further information on social networks and how you can protect your data can be found on the website of the German Federal Office for Information Security (BSI).

5.1 Technical information: Forwarding via hyperlinks

From our website, you can access the aforementioned networks via links. A hyperlink activated by clicking opens the external destination in a new window of your browser. No data is transferred to third parties before this activation.

5.2 General note: Responsible use of social networks

We expressly draw your attention to the fact that these services store their users' data (e.g. personal information, IP address, etc.) in accordance with their own data usage guidelines and also use it for business purposes. BAFA has no influence on the collection of data and its further use by the social networks. For example, there is no reliable information about the extent to which, where and for how long the data is stored, the extent to which the respective networks comply with existing deletion obligations, which analyses and links are made with the data and to whom the data is passed on.

We would like to point out that the vast majority of the platforms mentioned carry out their data processing worldwide and in particular in the USA. This so-called third country transfer outside the EU carries risks with regard to the possible assertion of your data protection rights. Please do not contact us via social networks if you wish to avoid this. You use these services and their functions on your own responsibility. This applies in particular to the public use of interactive functions (e.g. commenting, sharing, rating) of the US platforms.

5.3 Our activities in social networks

In order to fulfil editorial tasks in social networks, in particular live management of comments and enquiries, BAFA necessarily processes data of persons who interact with BAFA there. Publicly accessible data such as profile and account name, profile picture, content of the enquiry, number of followers and profiles followed by the profile, as well as the latest posts, may be visible to BAFA employees.

We would like to point out that the data is processed on the basis of Article 6(1)(e) GDPR in conjunction with Section 3 BDSG. Processing of the personal data transmitted by you is necessary for the purpose of processing your communication.

In the following, we would like to inform you about the social networks we use. 

5.4 X (formerly Twitter)

BAFA uses the services and technical platform of the short message service X Corp, 1355 Market Street, Suite 900, San Francisco, CA 94103 U.S.A. Twitter Inc, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland, is responsible for data processing of persons living outside the United States.

The data collected about you, when you use the service, is processed by Twitter Inc. and may be transferred to countries outside the European Union. This includes your IP address, the application used, information about the device you are using (including device ID and application ID), information about websites accessed, your location and your mobile phone provider. This data is assigned to the data of your existing X account or your X profile. You can prevent this by logging out of your member account before visiting our website.

We have no influence on the type and scope of the data processed by X, the type of processing and use or the disclosure of this data to third parties. Information about which data is processed by X and the purposes for which it is used can be found in X's privacy policy. Here you have the option of viewing the personal data collected by X and making settings regarding the use of your data. In addition, on mobile devices (smartphones, tablets) you can restrict X's access to contact and calendar data, photos, location data, etc. in the settings options there. However, this depends on the operating system used.

You also have the option of requesting information via the X data protection form.

For a detailed description of the respective forms of processing and the opt-out options, please refer to the privacy policy and information provided by the operator Twitter International Unlimited Company (https://twitter.com/en/privacy).

5.5 YouTube

BAFA operates an account on the video portal ‘YouTube’ of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland to distribute its video content.

When you visit our presence on YouTube, Google processes your personal data and places cookies on your end device. You can find more information on this at https://policies.google.com/privacy?hl=en

At this address, Google also informs you that the company transfers its data to the parent company Google Inc. based in the USA, to other Google companies and to external Google partners, each of which may be located outside the European Union. Google is certified with the ‘EU-US Data Privacy Framework’ (DPF).

If you are logged in to Google at the same time, the information stored there will be assigned to your YouTube member account. You can prevent this by logging out of your member account before visiting our website.

Even if you use YouTube without logging in, personal data may be processed.

We have no influence on the type and scope of the data processed by YouTube, the type of processing and use or the transfer of this data to third parties. We also have no effective control options in this respect.

You can find further information on the data protection settings on YouTube at https://policies.google.com/privacy?hl=en.

5.6 LinkedIn

On the LinkedIn platform of the provider LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (‘LinkedIn’), BAFA operates a company page under joint responsibility with LinkedIn, on which we provide information about BAFA.

As a provider of an online presence on the LinkedIn social media platform, we process personal data when you write to us directly via the platform (in a personal message or via the public comment function). The data that is collected depends on the information you provide and the contact details you provide or authorise. If possible, please refrain from sending personal data when using LinkedIn.

LinkedIn also collects information via cookies and similar technologies (e.g. web beacons, pixels, ad tags and device identifiers) that enable LinkedIn to recognise users and comprehensively analyse user behaviour. LinkedIn provides us with corresponding information to analyse user behaviour on our online presence in anonymised form. This enables us to statistically analyse the use of our LinkedIn page and thus to manage our activities in a targeted manner.

LinkedIn can also use the data collected in this way to create user profiles. This enables LinkedIn to display interest-based advertising to the user within and outside the respective social media presence. If you are logged into your social media account when you visit our LinkedIn page, LinkedIn can also assign this visit to your account. The processing of personal data collected by us via the platform is based on Art. 6 para. 1 lit. e GDPR. If you are asked by LinkedIn for consent to the data processing described above, the legal basis for this processing is Art. 6 para. 1 lit. a; Art. 7 GDPR.

LinkedIn has undertaken within the framework of Art. 26 GDPR to fulfil a large part of the obligations under data protection law, such as the fulfilment of the rights of data subjects pursuant to Art. 12 et seq. GDPR, the obligation to provide suitable technical and organisational measures to protect the security of personal data and the reporting and notification obligations in the event of a data breach. If you contact us regarding your rights as a data subject, we will forward your enquiry to LinkedIn immediately.

Further information on the agreement between us and LinkedIn can be found at:

https://linkedin.com/help/linkedin/answer/124838?lang=de and https://legal.linkedin.com/pages-joint-controller-addendum

5.7 Bluesky

BAFA uses the services and technical platform of the short message service Bluesky Social, PBC, Delaware, U.S.A. (https://bsky.social/about).

The data collected about you when you use the service is processed by Bluesky Social, PBC and may be transferred to countries outside the European Union.

When you use the Bluesky app services, personal data such as IP address, user settings, cookie identifiers, mobile operator, browser or device information and Internet Service Provider (ISP) are automatically processed. Personal information about your use of the Bluesky app service may also be processed, such as the posts you view in the Bluesky app, the links you click on in the Bluesky app, the frequency and duration of your activities and other similar information. Bluesky and third parties that provide content or other features on the Websites and the Bluesky App may use cookies, pixel tags and other technologies to automatically collect information when you use the Websites. Cookies can be blocked by setting your internet browser to block some or all cookies.

Bluesky may use analysis tools for evaluation purposes. We have no influence on the use of such tools by Bluesky and have not been informed of such potential use. If tools of this type are used by Bluesky for our account, we have neither commissioned nor agreed to this nor supported it in any other way. We are also not provided with the data obtained during the analysis.

We have no influence on the type and scope of the data processed by Bluesky, the type of processing and utilisation or the forwarding of this data to third parties. We also have no effective control options in this respect.

Information about what data is processed by Bluesky and for what purposes it is used can be found in Bluesky PBLLC's privacy policy at: https://bsky.social/about/support/privacy-policy#privacy-choices%20 and https://bsky.social/about/support/network-services-privacy-policy.

You have the option of restricting the processing of your data. Information on this can be found in the general settings of your Bluesky account under “Privacy and Security” and under “7. Your Privacy Choices and Rights” in the data protection information.

6. Video surveillance

The BAFA premises at Frankfurter Straße 29 – 35, 65760 Eschborn, Germany, are monitored by a video surveillance system in order to safeguard the rights of the premises and for the purposes of danger prevention and law enforcement in the outdoor area. The video surveillance system is in operation 24 hours a day, 7 days a week. It is recorded without sound. The date and time of the recording can be seen in the recording. The video data is temporarily stored for a period of seven days and then automatically overwritten. The processing is based on Article 6 (1) Sentence 1 (c) GDPR in conjunction with Section 4 BDSG.

If there is an initial suspicion (for example burglary), the data can be exported by authorized persons and an overwriting can be prevented. The collected data will only be transferred to law enforcement authorities if this is requested within the scope of a justified police measure or by judicial order for the above-mentioned purposes. The transfer will be documented. The transfer of data to a law enforcement agency is usually made to the police station or public prosecutor's office responsible for the request.

7. Defense against malware and threats to the communications technology of the Federal Government

Pursuant to Sections 5 and 5a of the Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSIG), the Federal Office for Information Security (BSI) has been authorized to collect, evaluate, store, use and process log data and data generated at the interfaces of the Federal Government's communications technology. This enables signs of IT attacks to be detected and combated in a targeted manner.

Sections 5, 5a BSIG are implemented at the Federal Information Technology Center (ITZBund) in cooperation with the BSI via the DaaS (Detection as a Service).

Information on what personal data is processed in this context is available on the BSI website at the following link: https://www.bsi.bund.de/EN/Service/Datenschutz/datenschutz_node.html#doc923476bodyText5 (2. Protection against malware and threats to federal communications technology).

8. Your rights

As a data subject, you are entitled to the rights under Article 15 et seq. as well as Article 77 of the GDPR. The competent supervisory authority is the Federal Commissioner for Data Protection and Freedom of Information (BfDI), based in Bonn.
