Data protection statement

I. Controller's contact details

The controller for the personal data processed in the use of the website is the

Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen (BNetzA)
Tulpenfeld 4
53113 Bonn

represented by its President, Klaus Müller.

Tel.: +49 (0) 228 / 14 - 0
E-Mail: Poststelle@bnetza.de

II. Contact details of the authority's data protection officer

Guido Gesterkamp

Email: bDSB@Bundesnetzagentur.de

III. Data processing

  1. Preamble
    The Bundesnetzagentur wants to make you aware of how it processes your personal data and your data protection rights. When we process personal data, this processing is always directly connected to the performance of our public duties.

  2. Purposes for Processing
    Personal data are processed by the Bundesnetzagentur to the extent necessary for the purpose of performing its legally assigned duties. Information about the Bundesnetzagentur’s work is available at Bundesnetzagentur’s duties and in the organisation chart: Organisation Chart (pdf / 221 KB)

    The Bundesnetzagentur also processes personal data as a contracting party under civil law. Examples of this are for the procurement of office materials or auxiliary services. In this context and in pursuit of its own interests the Bundesnetzagentur may also process personal data of the contracting party’s employees. The Bundesnetzagentur’s interest lies in the initiation, conclusion and execution of such contractual relationships.

    As a public sector employer, the Bundesnetzagentur also processes personal data as part of its personnel recruitment and administration efforts.
    The Bundesnetzagentur processes personal data on the basis of consent for special services such as delivering newsletters.

  3. Legal basis
    Where the processing of your personal data is based on your consent, the legal basis is point (a) of Article 6(1) of the EU General Data Protection Regulation (GDPR).
    Where the processing is necessary to fulfil a contract, the contracting party of which is the data subject, or the processing is required in order to carry out pre-contractual measures that are implemented upon the request of the data subject, the legal basis is point (b) of Article 6(1) GDPR.
    Where the processing of personal data is necessary for compliance with a legal obligation to which we are subject, the legal basis is point (c) of Article 6(1) GDPR.

    Where the processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us, the legal basis is point (e) of Article 6(1) GDPR in conjunction with the respective legal task standard.

    Where the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms, the legal basis for the processing is point (f) of Article 6(1) GDPR.

  4. Storage period

    The storage period will be in accordance with the Directive on the processing and management of records in Federal Ministries. Your data will be deleted once we have finished dealing with your query, unless we are legally required to keep it for a period of safekeeping. How long we have to store data and when we have to delete it will depend on the reason you contacted us. The data is stored in accordance with the applicable periods for the storage of records under the Directive on the processing and management of records in Federal Ministries.

  5. Visiting our website

    When you visit our website, we process the following computer system data, accessed by the website, as part of our automatic logging:
    - IP address, anonymised
    - date and time
    - notification if the access was successful
    - page accessed/name of file accessed
    - data volume transmitted
    - user agent for statistics.
    The legal basis we rely on is point (f) of Article 6(1) GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interest in maintaining the stable functioning of our IT systems and the technology of our website. The data are only evaluated for statistical purposes, to improve our service and to ensure data protection and information security at the Bundesnetzagentur. They are not used for other purposes or passed on to third parties. Where third-party service providers provide services for us, they are subject to agreements on processing on behalf of another party.

  6. Cookies
    Temporary session cookies are used on certain web pages and saved on your device to make navigating the site easier. These cookies do not contain any personal data and expire once the session ends. We do not use any technology to track users' browsing habits.

  7. Contacting the Bundesnetzagentur using an online form or by email
    If you get in touch with us using our online form or by email, the personal data you provide will be processed to deal with your query and to contact you.

    The legal basis for processing your data depends on the reason you contacted us. If we process the data in the course of performing our responsibilities, the usual legal basis is point (e) of Article 6(1) and Article 6(3) GDPR in conjunction with section 3 of the German Federal Data Protection Act (BDSG).

  8. Newsletter
    You can subscribe to a free newsletter on our website. When you subscribe to the newsletter, the data you enter in the user form will be transmitted to us. During the registration process you will be asked for your consent to your data being processed and made aware of this data protection statement. The legal basis for data processing once you have registered for the newsletter and given consent is point (a) of Article 6(1) GDPR. Your email address is collected in order to send the newsletter to you. Other personal data collected during the registration process are used to make sure that services or the email address given are not abused. You can cancel your subscription to the newsletter at any time.

  9. Video surveillance
    Video surveillance is conducted on the properties of the Bundesnetzagentur under our responsibility.
    As part of the video surveillance, personal data (video recordings) of individuals on the properties of the Bundesnetzagentur are processed on the basis of point (e) of Article 6(1) GDPR.
    Bundesnetzagentur video surveillance is solely for the purposes of safety and meeting the special security needs of the agency.
    The video surveillance serves the legitimate interest of preventing damages to monitored buildings as well as the people and the information located in the buildings (premises security and protection from sabotage), early detection and prevention (physical access control) of entry by unauthorised persons, and to document and preserve evidence of any unauthorised entry.
    Video surveillance may include making video recordings. This can be done on an as-needed basis – where the level of apparent danger makes it necessary – or on a permanent basis. Video recordings will only be shared to the extent necessary in the event of a criminal prosecution or to avert danger. The data must be deleted immediately – but after no more than seven days – if it is no longer necessary for security purposes.

  10. Video conferencing and online meetings via Cisco Webex Meetings

    We use Cisco Webex Meetings for video conferences and online meetings.

    We provide our processor, Cisco International Ltd., with the users' personal data required to use the video conferencing service. A data processing agreement has been concluded with Cisco International Ltd.

    Cisco Webex services have received certification in accordance with the German Federal Office for Information Security (BSI) Cloud Computing Compliance Controls Catalogue (BSI C5). Cisco's internal auditing process ensures that all cloud services conform to BSI C5.

    Both the signalling and the content are encrypted in the video conferences.

    The following types and categories of data undergo processing:

    a) Registration information:
    - name
    - email address
    - password
    - public IP address
    - browser
    - telephone number (if provided)
    - postal address (if provided)
    - avatar (if provided)

    b) Host and usage information:
    - IP address, user agent identifier, hardware type, operating system type and version, client version, IP addresses along the network path, MAC address of the client (as applicable), service version
    - meeting session information (title, date and time, frequency, average and actual duration, quantity, quality, network activity, and network connectivity)
    - number of meetings, number of screen-sharing and non-screen-sharing sessions

    - host name

    c) User-generated information:
    - meeting and call recordings, uploaded files (if recordings were made)

    The Bundesnetzagentur has the option to record video conferences using Cisco Webex Meetings; it will inform meeting attendees prior to recording and will only record meetings if the attendees agree. Meeting recordings will be deleted immediately after they have been used for the agreed purpose (for example for meeting reports).

  11. Job applications and process

    The Bundesnetzagentur collects and processes the personal data of job applicants for the purposes of personnel recruitment (Article 6(1)(b) GDPR, section 26(1) first sentence of the Federal Data Protection Act (BDSG)).

    The processing usually takes place electronically, for example where the application papers are received via email or via interamt.de, the website of our processor (DVZ Datenverarbeitungszentrum Mecklenburg-Vorpommern GmbH, Lübecker Strasse 283, 19059 Schwerin, contact details: tel. +49 385-4800 0, website: www.interamt.de).

    Application papers will be used solely for the purposes of establishing an employment relationship.
    If the application process is followed by an employment relationship, the personal data necessary within the context of employment will be transferred to the personnel records and will continue to be stored (Article 88(1) GDPR, section 26 BDSG).

    If the application process is not followed by an employment relationship and insofar as no longer storage period is necessary for the defence of legal claims, the application papers will be erased six months after the rejection notice has been sent in compliance with data protection legislation.

    If your application is not successful but is to be taken into consideration again for future application processes, we will store your application papers on the basis of a consent to be obtained from you (Article 6(1)(a) GDPR, section 26(1) first sentence BDSG). You may withdraw your consent at any time; your application papers will then be erased without delay in compliance with data protection legislation.

  12. Virtual events using the conference platform vystem
    For virtual events, we use vystem from Isardigital GmbH.

    In order to hold the event, we provide our processor, Isardigital GmbH, with the users' personal data required to use the service. A data processing agreement has been concluded with Isardigital GmbH.
    The following types and categories of data undergo processing:
    - name
    - email address
    - duration of active connection to the servers of Isardigital GmbH
    - IP addresses
    - chat messages, video streams in the break-out sessions, votes on surveys, participation in word clouds

    If individual participants (eg speakers or participants in discussions) make recordings, this will only be with prior consent. The recordings will be deleted by the processor once they have been transmitted to the Bundesnetzagentur. The Bundesnetzagentur will publish them, provided consent has been given for this. They will be deleted after the period of time stated on the consent form.

IV. Your rights as a data subject

You have legal rights concerning the processing of your personal data. These include:

  1. Right to information
    Article 15 GDPR gives you the right to information about your personal data processed by the Bundesnetzagentur free of charge. In particular:
    - the purposes of the processing of your personal data,
    - the categories of personal data that are being processed,
    - the recipients or categories of recipients to whom the personal data have been or will be disclosed,
    - the envisaged period for which the personal data will be stored, or the criteria used to determine that period,
    - the source of the data if we did not collect the data from you.
    The exceptions to this right laid down in section 34 BDSG apply.
  2. Right to rectification
    Article 16 GDPR gives you the right to have inaccurate personal data corrected without undue delay and, where appropriate, the right to have incomplete personal data completed.
  3. Right to erasure
    Article 17 GDPR gives you the right to have your personal data erased, provided the grounds laid down in Article 17(1) GDPR apply. However, according to paragraph 3 there is no such right when the processing of data is necessary for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims. In addition, the exceptions to this right laid down in section 35 BDSG apply.
  4. Right to restriction of processing
    Article 18 GDPR on the right to restriction of processing gives you the option to temporarily prevent the further processing of your personal data provided the grounds laid down in Article 18(1) apply; for example, for a period enabling your opposing rights to be verified.
  5. Right to data portability
    Article 20 GDPR gives you the right to receive the personal data concerning you, which you have provided to the Bundesnetzagentur, in a structured, commonly used and machine-readable format, where the Bundesnetzagentur processes this data based on your consent and the processing is carried out by automated means. In accordance with Article 20(3) second sentence GDPR, this right does not apply to processing necessary for the performance of a task carried out in the public interest.
  6. Right to object
    Where the Bundesnetzagentur processes your personal data for the performance of a task carried out in the public interest or for the purposes of legitimate interests (points (e) and (f) of Article 6(1) GDPR), you have the right to object, on grounds relating to your particular situation, to this processing (Article 21 GDPR). If you exercise your right to object, the Bundesnetzagentur will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims. In accordance with section 36 BDSG, the right to object does not apply if there is an urgent public interest in the processing that outweighs the interests of the person concerned or if processing is required by law.
  7. Right to lodge a complaint with a supervisory authority
    Article 77 GDPR gives you the right, without prejudice to any other legal remedy, to lodge a complaint with the competent supervisory authority if you consider that the processing of personal data relating to you is unlawful. The competent supervisory authority for the Bundesnetzagentur is

    Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information)
    Graurheindorfer Str. 153, 53117 Bonn

V. Information in accordance with section 55 BDSG:

a) Purposes for processing (section 55 para 1 BDSG)
The Bundesnetzagentur is also responsible for preventing, investigating, taking action against and penalising certain regulatory breaches. The Bundesnetzagentur is entitled to process personal data in order to perform these tasks.
b) Data subjects' rights (section 55 para 2 BDSG)
In accordance with section 57 BDSG, the Bundesnetzagentur must inform the data subject upon request whether the data concerning them is being processed. The data subject also has the right to receive the information in accordance with section 57(1) BDSG.
Furthermore, the data subject has the right to rectification, erasure and limitation of the processing in accordance with section 58 BDSG.
c) Right to appeal with the Federal Commissioner for Data Protection and Freedom of Information (section 55 paras 4 and 5 BDSG)
In accordance with section 60 BDSG, the data subject can, at any time, contact the Federal Commissioner for Data Protection and Freedom of Information. The contact information is:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information)
Graurheindorfer Str. 153, 53117 Bonn
Telephone: +49 (0)228 99 7799-0
Fax: +49 (0)228 99 7799-5550
Email: poststelle@bfdi.bund.de

Data protection in social media

The Bundesnetzagentur is active on Twitter and Mastodon and has its own YouTube channel. More specific information is available at:
Datenschutzinformationen zum Twitter-Kanal (pdf / 15 KB)(in German)
Datenschutzinformationen zum YouTube-Kanal (pdf / 14 KB)(in German)
The Bundesnetzagentur also operates a grid expansion fan page on Facebook and uses SlideShare.
More specific information is available at: https://www.Netzausbau.de/datenschutz (in German)

Mastodon