Data protection statement

1. General information

By interacting with the German SAI, you provide us with personal information that we may collect. Processing of your personal information depends on the channel of communication. Personal information means any personally identifiable information, such as your name, your email address or the internet protocol (IP) address of your computer.

As a general rule, we process personal information in accordance with the European General Data Protection Regulation (EU GDPR) and the Federal Data Protection Act (BDSG).

This privacy statement provides an overview of how we ensure protection of your data, what kind of information we collect for what purposes and how such information is processed.

We process personal information as appropriate and necessary. We hold and keep personal information only as long as provided by applicable retention periods (see also 6.). We comply with the special rules for processing personal information of children (Article 8 para. 1 and 2 GDPR). We do not merge such data with other data sources. As a rule, we do not share personal information with third parties. An exception to this rule applies where, in order to perform our obligations or duties under the law, we may provide information to civil or criminal law enforcement officials – such as in the case of attacks on the federal government’s communication technologies.

We have taken technical and organisational steps to ensure compliance with data protection regulations both by us and by our contractors.

We reserve the right to update this privacy statement in the course of further developing our website. Therefore, we encourage you to revisit our privacy statement from time to time.

1.1 Data controller

In line with Article 4 GDPR, the controller responsible for processing personal information is:

President of the Bundesrechnungshof
Adenauerallee 81
53113 Bonn

Germany
Email: poststelle@brh.bund.de

1.2 Data Protection Officer

The German SAI has appointed a Data Protection Officer (Article 37 GDPR). You may contact our officer by email via Postfach.Datenschutz@brh.bund.de or by surface mail:

Bundesrechnungshof
Data Protection Officer
Adenauerallee 81
53113 Bonn

Germany

1.3 Legal basis for processing personal information

The German SAI shall audit the accounts and examine the performance, regularity and compliance of federal financial and commercial management (Art. 114 para. 2 Basic Law). Our functions also include public relations work. We also use our website to supply information on our SAI and on our activities to the general public. We process personal information to exercise our statutory functions in the public interest. Article 6 GDPR and Section 3 Federal Data Protection Act provide the legal basis for processing personal information:

Data privacy and protection:
Article 6 para. 1a), b), e), f) GDPR, Section 3 Federal Data Protection Act

Contacts and petitions:
Article 6 para. 1a) GDPR, Section 3 Federal Data Protection Act

Provision of information:
Article 6 para. 1a), e) GDPR, where appropriate, in conjunction with Section 96 para. 4 Federal Budget Code

2. Hosting of our website

Every time a user visits one of our web pages or accesses files (e.g. available RSS feed or download of a file), data on such access is temporarily stored and processed in a log file. We anonymise your personal information so that it can no longer be associated with you by modifying the IP address of the accessing party prior to storing it.

Each time you interact with our website, the following information is stored:

  • anonymised IP address;
  • date and time;
  • page visited / name of the file visited;
  • volume of downloads;
  • browser and operating system;
  • notification of whether the access requested or download was successful.

Such information is evaluated solely for statistical and service delivery purposes and is subsequently deleted.

When you switch the language of the web pages (German-English or English-German), a temporary session cookie is generated. This cookie does not store personal information and is removed when you close your browser session. We do not use cookies for any other purpose.

We do not use any software, such as Java applets or Active-X controls, to track browser actions and usage patterns.

3. Contacting and petitions

You may provide information and suggestions (petitions) directly to us. You can contact us by email, contact form, letter, fax or telephone. When contacting us, you voluntarily and knowingly provide personal information to us to process your request. Article 6 para. 1a) GDPR in conjunction with Section 3 Federal Data Protection Act provide the lawful basis for processing your data.

Depending on the type and scope of the contact or your petition, we may collect the following personal information:

  • title;
  • first and last name;
  • email address;
  • street, house number;
  • postal code (zip code), city or town;
  • telephone number;
  • subject matter of request/petition;
  • your message;
  • if applicable, IP address.

Your personal information is used only for the purpose of processing your petition or request and for providing you with a (full) response. The personal information you voluntarily submit to us is deleted once the data is no longer needed for the intended purpose of processing, but at the latest at year-end after final processing of your request (see also 6.).

4. Provision of information

The kind of information we make available has an impact on how we process your personal information.

4.1 Requests to access information

You may request us in writing to have access to final audit findings. To enable us to process and respond to your request, you provide us with your personal information. This processing is governed by the requirements of Article 6 para. 1e) GDPR in conjunction with Section 3 Federal Data Protection Act.

We need the following personal information to process your request:

  • subject matter;
  • first and last name;
  • street, house number;
  • postal code (zip code) and city or town;
  • and/or email address.

Your personal information is processed only for the purpose of processing your request. After we have completed processing your request, your personal information is kept on file. Usually, the retention period is five years (see also 6.).

4.2 Order of printed materials

If you request printed materials, we need to process personal information for the delivery. This processing is governed by the requirements of Article 6 para. 1e) GDPR in conjunction with Section 3 Federal Data Protection Act.

We need the following personal information for processing your request:

  • first and last name;
  • street, house number;
  • postal code (zip code) and city or town.

This information is processed within the scope of your request. Additional information such as title, first name and/or company or email address are not mandatory for the processing but help to better serve your request. Processing is governed by the requirements of Article 6 para. 1a) GDPR in conjunction with Section 3 Federal Data Protection Act.

Your personal information is deleted immediately after shipment, but at the latest at year-end after final processing of your request (see also 6.).

4.3 Visitors

We regularly receive visiting delegations and study groups and also individual visitors both for day-to-day purposes and differing events. Prior to granting access to our premises, we need to collect first and last names of visitors for physical security reasons. This is part of exercising our functions (public relations or technical work) pursuant to Article 6 para. 1e) GDPR in conjunction with Section 3 Federal Data Protection Act.

Further optional data serves to help us better arrange for the visit to our premises. Such information includes: organisation, type of school, grade level, association or mobility requirements. Processing such information for the purpose of the expert or information visit is based on your consent pursuant to Article 6 para. 1a) GDPR in conjunction with Section 3 Federal Data Protection Act. You have the right to withdraw your consent at any time. Please note that the withdrawal of your consent will not affect the lawfulness of processing conducted prior to the withdrawal.

Your data is deleted at the latest at year-end after the year following the final processing (see also 6.).

5. Information for media representatives

The information collected on media enquiries depends on the nature of the request (e.g. for information or for inclusion in our media mailing list).

We need the following personal information (or more) to process your request:

  • first and last name;
  • email address;
  • telephone number;
  • type of media;
  • where appropriate, street, house number, postal code (zip code) and city or town;
  • subject matter of the enquiry (optional).

Processing of this information for the purpose of providing information is governed by the requirements of Article 6 para. 1 lit. e) EU GDPR in conjunction with Section 3 Federal Data Protection Act. Your personal information transferred to us is deleted once it is no longer required for the purposes of processing but at the latest after year-end of the year following final processing (see 6.).

If you wish to be included in the media mailing list, you give your consent and your information is processed in accordance with the requirements set by Article 6 para. 1a) EU GDPR. You have the right to withdraw your consent at any time. Please note that the withdrawal of your consent does not affect the lawfulness of processing conducted prior to the withdrawal. When you withdraw your consent, you are removed from our press mailing list.

6. Retention periods

To store your personal information, as a rule, we rely on the retention deadlines set by the Directive on Processing and Management of Records in Federal Ministries and the Joint Rules of Procedure of the Federal Ministries.

Depending on the type of request, the following retention periods are set:

  • requests to gather information: 5 years
  • petitions: 5 years
  • events, visitor groups, information processing and making information available to the media and the general public (ephemeral matters): 1 year.

The periods shall commence after the year has elapsed in which processing of your respective request has been concluded.

7. Data subject access requests

In interacting with our SAI, you have the following rights in relation to your personal data:

  • Right to request access, Article 15 EU GDPR: You have the right to full access to your personal information and insight into some key aspects such as the purposes of the processing or the retention period. This right shall not apply in cases specified under Section 34 Federal Data Protection Act.
  • Right to request correction, Article 16 EU GDPR: This enables you to have the personal information we hold about you corrected where such data is inaccurate.
  • Right to request erasure, Article 17 EU GDPR: You have the right to ask us to erase your personal information. However, this is only possible where holding your personal information is no longer necessary, where your data has been processed unlawfully or where you have withdrawn consent to processing. This right shall not apply in cases specified under Section 35 Federal Data Protection Act.
  • Right to request restriction of processing, Article 18 GDPR: You have the right to restrict processing, which includes the option to suspend further processing of personal information for the time being. Processing is restricted in particular if you want us to verify the legitimate interests for processing it.
  • Right to object to data collection, processing and/or use, Article 21 GDPR: You have the right to object, inter alia, to further processing of your personal information in a particular situation, where such processing is necessary for the exercise of a public function or of public or private legitimate interests. This right shall not apply in cases specified under Section 36 Federal Data Protection Act.
  • Right to transfer data, Article 20 GDPR: You have the right to obtain a portable copy of the personal information collected by a controller in a commonly-used, machine-readable format and to transfer such data to another controller, as appropriate. Pursuant to Article 20 para. 3 sentence 2 EU GDPR, that right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Right to withdraw consent, Articles 13 and 14 GDPR: Where we process personal information for a specific purpose based on your consent, you shall have the right to withdraw consent at any time for the specific processing agreed to. Please note that the withdrawal of your consent will not affect the lawfulness of processing conducted prior to the withdrawal.

If you wish to make the claims set out above, please make a request in writing to the contacts stated in item 1.1.

Pursuant to Article 77 GDPR, you also have the right to lodge a complaint with the oversight body on data privacy and data protection, the Federal Commissioner for Data Protection and Freedom of Information.