Last updated on 9 June 2020
A. Contact data and Controller
1. Name and address of the Controller
The Controller in the sense of the GDPR, national data protection laws of the EU Member States and other data protection regulations is the:
Federal Agency for Civic Education (Bundeszentrale für politische Bildung / bpb)
Adenauerallee 86, 53115 Bonn, Germany
Tel.: +49 (0)228 99515-0
E-mail: E-Mail Link: info@bpb.de
DE-mail: E-Mail Link: de-mail-poststelle@bpb-bund.de-mail.de
Website: Externer Link: www.bpb.de
2. Name and address of the data protection officer
The Controller’s data protection officer is:
Mr Rhaban Schulze Horn
Adenauerallee 131a
53113 Bonn
Germany
Tel.: +49 (0)228 99515-0
E-mail: E-Mail Link: datenschutz@bpb.de
B. General information on data processing
1. Scope of processing of personal data
We only collect and use personal data of users to the extent required to ensure that our website works as intended and to provide content and services. Personal data of users are only collected and used with their consent. Exceptions are only admissible if and when it is impossible to obtain their prior consent for tangible reasons and the use of their data is permitted by law in the cases concerned.
2. Legal basis for processing personal data
To the extent that we obtain the consent of affected individuals for processing their personal data, the legal basis for doing so is point (a) of Article 6 (1) of the GDPR. The legal basis for processing personal data when this is required for performance of a contract to which the affected person is party (e.g. an order placed in the bpb shop) is point (b) of Article 6 (1) of the GDPR. This also applies to data processing which is required for implementing precontractual measures. When personal data must be processed for compliance with a legal obligation to which our agency is subject as the Controller, the legal basis for doing so is point (c) of Article 6 (1) of the GDPR. To the extent that this processing is necessary in order to perform our tasks in the public interest and/or exercise official authority, the legal basis for doing so is point (e) of Article 6 (1) of the GDPR in conjunction with Section 3 of the German Data Protection Act.
3. Erasure of data and duration of storage
Personal data of an affected individual are erased or blocked as soon as the purpose for which they were stored has lapsed. Data may also be stored if this is provided for by European or national regulations, laws or other rules to which the Controller is subject, such as the time limits on storing written documents defined by the Registry Directive supplementing the Joint Rules of Procedure of the German federal ministries. Data are also blocked or erased when a time limit prescribed by one of the just-mentioned standards expires, unless it should be necessary to continue storing the data in order to conclude or perform a contract.
C. Data processing when the bpb.de website is visited
I. Provision of the website and generation of log files
1. Description and scope of data processing
Every time that our website is called, our system automatically captures data and information from and on the computer system used to call it.
The following data are collected:
(1) The type and version of the browser used
(2) The user’s operating system
(3) The user’s IP address
(4) The date and time of access
(5) Other websites, if any, from which the user’s system accessed our website
(6) The visited URL
These data are also stored in our system’s log files. The data are not stored together with other personal data of the user. The IP addresses of users are not normally stored as such, being anonymised instead by a proxy server inserted ahead of bpb.de as a privacy shield. In the event of faulty or aborted access to the intervening proxy server, however, the actual IP address is stored. For technical reasons, it is impossible for us to prevent this.
2. Legal basis for data processing
The legal basis for temporarily storing data and log files is point (e) of Article 6 (1) of the GDPR in conjunction with Section 3 of the German Data Protection Act.
3. Purpose of data processing
The system must temporarily store the IP address of the user’s computer in order to make the website available to it. The user’s IP address must remain stored for this purpose during the entire session. It is stored in log files to ensure the proper functioning of the website. We also use the data to improve our website and strengthen the security of our IT systems. The data are not analysed for marketing purposes in this context. Processing of them is required in order for us to perform our tasks in the public interest and/or exercise official authority; the legal basis for doing so is point (e) of Article 6 (1) of the GDPR in conjunction with Section 3 of the German Data Protection Act.
4. Duration of storage
Data are erased are soon as they are no longer needed for the purposes for which they had been collected. Regarding data collected for the purpose of making the website available, this is the case when a session ends. When anonymised data are stored in log files, this is the case after five weeks at the latest.
5. Possibility of objecting and requesting erasure
It is essential to collect these data and store them in log files in order to operate the website and make it available to users. Users therefore have no grounds to object to this.
II. Use of cookies
1. Description and scope of data processing
Our website uses cookies. Cookies are small text files which are stored in the browser or by the browser on the user’s computer. If a user calls our website, a cookie may therefore be stored in their operating system. This cookie contains a unique sequence of characters which makes it possible to unambiguously identify the browser if and when it subsequently calls our website again.
We use cookies in order to make our website more user-friendly. Some parts of our website also require the ability to continue recognising a browser after it accesses a different page. The following data are stored in the cookies and communicated:
(1) Articles in a shopping cart
(2) Execution of JavaScript
(3) Search terms and results
(4) Use of a mobile device
(5) Consent to the cookie disclaimer
(6) Consent to play third-party content
We also use cookies on our website for analysing how users navigate within it. You can find a list of the stored and communicated data in Section III on Matomo (formerly Piwik) and in Section IV on the Next-Generation Scalable Centralised Measuring System (nGSCMS) of INFOnline GmbH.
2. Legal basis for data processing
The legal basis for processing personal data with the use of cookies is point (e) of Article 6 (1) of the GDPR in conjunction with Section 3 of the German Data Protection Act.
3. Purpose of data processing
The purpose of these technically required cookies is to make it easier to use websites. Some functionality of our website would be impossible to provide without cookies (e.g. the shopping cart and the mobile website version). These require a means of ensuring that the browser continues to be recognised after it navigates to a different page.
We require cookies for the following purposes:
(1) Remembering content for the shopping cart
(2) Remembering search terms and results
(3) Remembering content for generating PDF and EPUB files
(4) Enabling a website version for mobile devices
(5) Making the cookie disclaimer disappear after it has been acknowledged
(6) Enabling the playing of third-party content
User data collected by technical cookies are not used to generate user profiles.
Analysis cookies are used to improve the quality of our website and its content. They tell us how our website is used so that we can steadily improve our offering. We also use cookies for the following purposes:
(1) Web analysis with Matomo (formerly Piwik), see Section III
(2) Web statistics collected with the Next-Generation Scalable Centralised Measuring System (nGSCMS) of INFOnline GmbH (see Section IV)
We provide opt-out functions for both applications. If you choose to opt out, a cookie is also set for that.
For this purpose, data processing is required in order for us to perform our tasks in the public interest and/or exercise official authority; the legal basis for doing so is point (e) of Article 6 (1) of the GDPR in conjunction with Section 3 of the German Data Protection Act.
4. Duration of storage; possibility of objecting or requesting erasure
Cookies are stored on your computer and transferred from there to our website. The technically required cookies are only stored until the end of the current session (‘session cookies’). The cookie for ‘stop showing the cookie disclaimer’ is stored for up to seven days. The cookies for Matomo (formerly Piwik) are stored for up to six months. The cookies for the Next-Generation Scalable Centralised Measuring System (nGSCMS) of INFOnline GmbH are stored for up to ten months. We provide opt-out functions for both applications that let you prevent both types of cookies from being stored.
You have full control over the use of cookies. By changing the settings in your Internet browser, you can disable or limit the transmission of cookies. Already stored cookies may be erased at any time. This process can also be automated. Please keep in mind, however, that once cookies for our website are disabled, you may no longer be able to fully take advantage of its functionality.
III. Web analysis with Matomo (formerly Piwik)
1. Description and scope of data processing
We use Matomo (formerly known as Piwik) on our website. This is an open-source software tool for analysing how our users surf within it. It sets a cookie on your computer (see above for more information on cookies). Each time you visit an individual page of our website, the following data are stored:
(1) Two bytes of your computer’s IP address
(2) The website called (in this case, our website)
(3) The website, if any, from which you access our website (the referring website)
(4) The individual pages you access while visiting our website
(5) The total time you spend on our website
(6) How often you access our website
(7) Your browser’s language setting
(8) Your location
The software runs exclusively on bpb’s servers. Users’ personal data are only stored there, and none of this data is divulged to any third parties.
The software is programmed so that IP addresses are not stored in their entirety. Instead, two of its bytes are masked (e.g. 192.168.xxx.xxx). This makes it impossible for anyone to identify your computer.
2. Legal basis for processing personal data
The legal basis for processing personal data is point (e) of Article 6 (1) of the GDPR in conjunction with Section 3 of the German Data Protection Act.
3. Purpose of data processing
We process personal data of users in order to analyse how they navigate. Evaluating collected data enables us to learn how the individual components of our website are used. This in turn helps us to continually improve our website and make it more user-friendly. This processing of data is necessary in order for us to perform our tasks in the public interest and/or exercise official authority; the legal basis for doing so is point (e) of Article 6 (1) of the GDPR in conjunction with Section 3 of the German Data Protection Act.
4. Duration of storage
Data are erased as soon as they are no longer needed for the purposes for which they have been collected, but no later than after three years.
5. Possibility of objecting or requesting erasure
Cookies are stored on the user’s computer and conveyed by it to our website. As a user you therefore have full control over how they are used. By changing the settings in your Internet browser, you can disable or limit the transmission of cookies. Already stored cookies may be erased at any time. This process can also be automated. Please keep in mind, however, that after disabling cookies for our website you may no longer be able to fully take advantage of its functionality.
We allow users of our website to opt out of data analysis. To do so, remove the checkmark in the box below this section. This sets another cookie on your system which tells our system to refrain from storing your data. If you inadvertently erase the opt-out cookie from your system, you will need to reset. For details of the data privacy policy of Matomo Software, visit Externer Link: https://matomo.org/docs/privacy/.
IV. User statistics collected with the Next-Generation Scalable Centralised Measuring System (nGSCMS) of INFOnline GmbH
1. Description and scope of data processing
We use the Next-Generation Scalable Centralised Measuring System (nGSCMS) of the firm INFOnline GmbH (https://www.infonline.de) to collect statistical data on the use of our website at bpb.de. To permit this, so-called tracking pixels consisting of tiny transparent images are inserted in individual pages. They are used to check whether a user has accessed the corresponding content. The firm of INFOnline takes care of counting the times that the corresponding pages are called. For this purpose, anonymous statistics are gathered and sent to INFOline. The nGSCMS system uses either a cookie with the ID ‘ioam.de’ or ‘ivwbox.de’ or a signature comprising various pieces of information which is automatically generated by your computer. The following data are sent:
(1) Your system’s IP address
(2) The website called
(3) The website, if any, from which you access our website (the referring website)
(4) The individual pages you access while visiting our website
(5) The total time you spend on our website
(6) How often you visit our website
(7) Your browser’s language setting
(8) Your location
IP addresses are not stored in this procedure, and are only processed in anonymised form. This involves masking two of its bytes (e.g. 192.168.xxx.xxx). This makes it impossible for anyone to identify your computer.
The legal basis for processing personal data is point (e) of Article 6 (1) of the GDPR in conjunction with Section 3 of the German Data Protection Act.
3. Purpose of data processing
The goal of traffic measurement is to statistically determine the intensity of use, the number of users visiting a website and how they navigate within it. This approach helps us to continually improve our website and make it more user-friendly. This processing of data is necessary in order for us to perform our tasks in the public interest and/or exercise official authority; the legal basis for doing so is point (e) of Article 6 (1) of the GDPR in conjunction with Section 3 of the German Data Protection Act.
4. Duration of storage
The anonymised data are erased as soon as we no longer need them for documentation purposes.
5. Possibility of objecting or requesting erasure
If you do not wish data concerning you to be sent to the firm of INFOnline within the scope of the nGSCMS, you can use this link to opt out: Externer Link: https://optout.ioam.de.
Cookies are stored on your computer and conveyed by it to our website. As a user, you therefore have full control over how they are used. You can disable or limit cookies by changing the relevant settings of your Internet browser. Cookies that have already been placed on your computer can be erased at any time. This process can also be automated. Please keep in mind, however, that once cookies for our website are disabled, you may no longer be able to fully take advantage of its functionality.
D. Collection of personal data in connection with e-mail contacts
1. Description and scope of data processing
The bpb can be contacted by sending e-mails to the addresses of staff or various other addresses including, under ‘Contact’, the main e-mail address info@bpb.de. When you send an e-mail to us, the personal data communicated along with it are stored. These include your e-mail address, name, address etc. as well as any other personal information contained in the e-mail itself. These data are used exclusively for processing the conversation or responding to your request.
Other – external – e-mail addresses are also listed on the bpb’s website, for example project sponsors. These addresses do not include ‘bpb’ after the ampersand. If you contact any of these addresses, the bpb is not responsible for any processing of your personal data that takes place there. If you have any questions regarding how these third parties handle your personal data, please ask them directly.
2. Legal basis for data processing
The legal basis for processing data that are provided in connection with sending an e-mail is point (e) of Article 6 (1) of the GDPR in conjunction with Section 3 of the German Data Protection Act. If the e-mail is sent with the intention of concluding a contract, it also falls under point (b) of Article 6 (1) of the GDPR.
3. Purpose of data processing
Data are processed for the purposes of responding to your e-mail and dealing with any associated requests or other matters.
4. Duration of storage
The communicated data and information are stored, for the purposes of contacting you and dealing with your wishes, for the period of time applicable to written documents as defined by the Registry Directive supplementing the Joint Rules of Procedure of the German federal ministries.
5. Possibility of objecting and requesting erasure
You have the right, for reasons arising from your particular situation, to object at any time to the processing of your data. Your data will then no longer be processed. In such a case, the conversation can no longer be continued. In this case, all stored personal data concerning you are erased. However, further processing of them by the agency may nevertheless be possible despite your objections if there are compelling and legitimate reasons to do so which override your personal interests, rights and freedoms.
Objections to the processing of your personal data may be submitted formlessly to E-Mail Link: info@bpb.de.
E. Processing of personal data for services of bpb
I. Newsletter subscriptions
1. Description and scope of data processing
You can subscribe to various newsletters on our website free of charge. The e-mail address you provide when subscribing is sent to us together with the date and time.
When subscribing to one or more newsletters, you must give us permission to process your data by clicking on the checkbox. A link to this data protection policy is included. You then receive an e-mail which you must reply to in order to confirm your subscription and grant permission for us to store and process your e-mail address (‘double opt-in’). This prevents third parties from misusing your e-mail address.
No data are forwarded to any third parties in connection with processing them for sending out newsletters. The data you provide are used exclusively for the purpose of sending you the newsletters to which you have subscribed.
2. Legal basis for data processing
The legal basis for processing your data after you have subscribed to a newsletter is point (a) of Article 6 (1) of the GDPR.
3. Purpose of data processing
Your e-mail address is collected for the purpose of sending you the newsletters you have subscribed to. For a list of our newsletters, go to www.bpb.de/newsletter.
4. Duration of storage
Data are erased are soon as they are no longer needed for the purposes for which they were collected. Accordingly, your e-mail address is only stored as long as your newsletter subscription is active.
5. Possibility of objecting and requesting erasure
You may cancel newsletter subscriptions at any time with immediate effect; go to www.bpb.de/newsletter to do so. Every newsletter also contains a corresponding link. Your stored e-mail address is erased after you have cancelled all of your subscriptions.
II. Use of social media plugins
1. Description and scope of processing of personal data
bpb.de uses ‘social plugins’. These enable sharing of content via Facebook, Twitter, Google+ and WhatsApp. They are typically used to communicate data, including personal data, to service providers.
To prevent users’ data from being shared without their knowledge or consent, bpb.de uses the ‘Shariff’ solution developed by the German technical magazine c’t magazine für computer technik published by Heise Medien GmbH & Co. KG. Shariff replaces the standard share buttons used in social networks so that users can surf the Web securely without being visible to prying eyes. Ordinary share buttons send a user’s data to the social network’s operator every time they call a page, thus allowing it to track their activity even when they neither belong to the network nor are logged into it. A Shariff button blocks direct contact between the social network and the user unless the user actively clicks on the share button. Shariff acts as a buffer: instead of the user’s browser, the website operator’s server queries the relevant information (e.g. number of likes on Facebook) from the service provider while keeping the user anonymous. Detailed information on Shariff is available here (in German only): Externer Link: https://heise.de/-2467514.
bpb does not process or store any personal data in this context. When you click on the button, data are processed and stored by the relevant service provider instead. To find out exactly which data a given service provider saves and processes, please consult its data privacy policy. Here is a selection:
Facebook’s data policy: Externer Link: https://www.facebook.com/about/privacy/update?ref=old_policy
Twitter’s privacy policy: Externer Link: https://twitter.com/en/privacy
Google’s privacy policy: Externer Link: https://policies.google.com/privacy/update?hl=en
WhatsApp’s privacy policy: Externer Link: https://www.whatsapp.com/legal/?eea=1#privacy-policy
2. Legal basis for data processing
The legal basis for transmitting data is point (e) of Article 6 (1) of the GDPR in conjunction with Section 3 of the German Data Protection Act.
3. Purpose of data processing
The provision of data to social media operators allows users to share content of bpb.de with others via social networks. Many users take advantage of this ability, which has become a standard feature of a large number of websites. This processing of data is necessary in order for us to perform our tasks in the public interest and/or exercise official authority; the legal basis for doing so is point (e) of Article 6 (1) of the GDPR in conjunction with Section 3 of the German Data Protection Act. The use of Shariff adequately responds to users’ legitimate interest in having their personal data protected.
4. Duration of storage
No data are stored by bpb. When buttons are used, data are processed and stored by the corresponding service providers. The service providers indicate in their privacy policies which data are collected, processed and stored.
5. Possibility of objecting and requesting erasure
As neither processing or storage of data by bpb nor automatic transfer of data to service providers takes place, users can only object to the processing and storage of their data by contacting individual service providers. The possibilities for objecting to these and requesting the erasure of data are explained by these in their respective privacy policies.
III. Commenting function on bpb.de
1. Description and scope of processing of personal data
bpb.de lets users comment on selected content (e.g. in blog entries). When a commenting box is used for this purpose, the following personal data are conveyed to us:
(1) E-mail address
(2) Name (pseudonyms are possible)
When you register, your consent to the processing of these data is obtained and you are referred to this data protection policy. Any comments entered are stored in our content management system along with your name and published after review by our editorial team. Your e-mail address is not published, but the name you have provided appears together with the published comment. Data collected in connection with the commenting function are used exclusively for this purpose and not divulged to any third parties.
2. Legal basis for data processing
The legal basis for processing your data after you have subscribed to a newsletter, provided that you have given your consent, is point (a) of Article 6 (1) of the GDPR.
3. Purpose of data processing
Data are processed to allow users to comment on content on bpb.de. E-mail addresses are collected in order to prevent the commenting function from being abused. Users’ names are additionally collected so that comments by different users can be distinguished.
4. Duration of storage
Data are erased are soon as they are no longer needed for the purpose for which they were collected. Accordingly, your e-mail address and the name you provide are only stored until you retract your consent for us to publish your comment and/or request us to erase it.
5. Possibility of objecting and requesting erasure
You may at any time retract your consent for us to process your personal data and request us to erase your comments. To do so, please send an e-mail to the responsible editor at E-Mail Link: dialog@bpb.de.
IV. Ordering of media and printed materials (in the bpb Shop)
1. Description and scope of data processing
The Federal Agency for Civic Education sells media and print products (including books, magazines and DVDs). Users can order these online in a webshop in writing by sending a letter or e-mail or by submitting an order form. The order form has the following data fields:
(1) Salutation
(2) Name (given name and surname)
(3) Address (street, house number, postcode, town or city, country)
(4) E-mail address
(5) Telephone number (optional)
The bpb also offers the option of delivering ordered items to a DHL Packstation or post office. The following additional data are conveyed for this purpose:
(6) DHL customer number
(7) Number of the DHL Packstation or post office
These data are required for processing the order. Additional data may also be voluntarily provided if you consent to their processing:
(8) Age
(9) Occupation
(10) Social activities
These customer data, as well as any voluntarily provided information, are relayed to an external service provider (IBRo Versandservice GmbH, Kastanienweg 1, D-18184 Roggentin, Externer Link: www.ibro-versandservice.de) which is responsible for processing orders, dispatching ordered merchandise, invoicing, debt collection and responding to customer requests.
2. Legal basis for data processing
The legal basis for processing customer data collected for concluding a purchase contract (nos. 1-7) is point (b) of Article 6 (1) of the GDPR.
The legal basis for processing voluntarily provided data (nos. 8-10) with the user’s consent is point (a) of Article 6 (1) of the GDPR.
3. Purpose of data processing
The mandatory data (nos. 1-7) are collected, conveyed, processed and stored for processing the order and fulfilling the contract. The additional, voluntarily provided information (nos. 8-10) are collected, conveyed, processed and stored for statistical purposes as well as for optimising bpb’s offering.
4. Duration of storage
The customer data (nos. 1-7) required for processing orders are erased after 90 days in the case of items which are completely free of charge (except for a fixed service fee and shipping costs). The voluntary information (nos. 8-10) is then stored in anonymised form.
In the case of purchase orders, all data are kept for up to ten years by the shipping service provider (IBRo Versandservice GmbH) in compliance with commercial and tax law.
5. Possibility of objecting and requesting erasure
You have the right to withdraw from the contract within 14 days after concluding it. The data processed for executing your order (nos. 1-7) are erased subsequent to your legally effective withdrawal. More information on your right of withdrawal is included in our terms and conditions of business (in German only): Externer Link: www.bpb.de/shop/186122/#widerruf
You may at any time revoke your consent for us to process the information which you have voluntarily provided (nos. 8-10) and request its erasure. To do so, please send an e-mail to the shipping service provider at E-Mail Link: bestellungen@shop.bpb.de.
V. bpb:magazin subscriptions
1. Description and scope of data processing
The German Federal Agency for Civic Education offers free subscriptions to the bpb:magazin (currently available in German only). You can subscribe to it online at bpb.de, by writing a letter or by completing and submitting an order form. It is also possible to change or cancel an existing subscription online. The following data are collected with the order form:
(1) Salutation
(2) Name (given name and surname)
(3) Address (street, house number, postcode, town or city, country)
(4) E-mail address
These data are required for processing the order. Additional data may also be voluntarily provided if you consent to their processing:
(5) Telephone number (optional)
(6) Fax number (optional)
(7) Additional address details (optional)
These customer data, as well as any voluntarily provided additional information, are relayed to two external service providers (IBRo Versandservice GmbH in Roggentin and Druckerei Ernst Kaufmann GmbH und Co KG in Laar) for further processing. These are responsible for processing orders, dispatching ordered merchandise and, in cooperation with the public service of bpb, replying to customer requests. Druckerei Ernst Kaufmann GmbH und Co KG works with Deutsche Post AG, to which it provides the addressed magazines in palleted bundles. The addresses for the shipping labels are processed and printed using the program Dialogpostmanager; the labels are then attached to the individual magazine copies. All address data are ‘masked’, in other words rendered illegible, by a data protection module integrated in Dialogpostmanager.
2. Legal basis for data processing
The legal basis for processing the customer data collected for concluding the purchase contract (nos. 1-4) is point (b) of Article 6 (1) of the GDPR. The legal basis for processing the voluntarily provided data (nos. 5-7), provided that the user consents to it, is point (a) of Article 6 (1) of the GDPR.
3. Purpose of data processing
Customer data are collected, conveyed, processed and stored for providing the contractually agreed services. The provision of additional information is also voluntary and serves to identify and address the customer faster and more precisely and/or permit alternative forms of contact; if wished, this information is also collected, conveyed, processed and stored for the indicated purposes.
4. Duration of storage
The customer data required for ordering and the optional information are erased upon termination of the subscription or in the event that delivery proves impossible or magazines are returned.
5. Possibility of objecting and requesting erasure
You have the right to terminate the contract at any time. The data processed for executing your subscription request will then be erased. You may also retract your consent to the processing of the personal data you have voluntarily provided and have them erased. To do so, you may contact bpb, for example by e-mail to E-Mail Link: info@bpb.de.
VI. Registration for events and activities
1. Description and scope of data processing
The bpb holds various kinds of events for which interested individuals can register to attend. As a rule, this can be done by completing a registration form on our website or by directly contacting us, e.g. by e-mail. Depending on the event and how you contact us, different personal data are collected and conveyed. For example:
(1) Salutation
(2) Name (given name and surname)
(3) Address (street, house number, postcode, town or city, country)
(4) Contact data (e-mail address, telephone number)
We require these data in order to ensure problem-free participant registration and administration for events. Depending on the event, additional information may also be collected and conveyed for taking participants’ interests and needs into account.
(5) Occupational data (field of work, institution or organisation, position, work-related contact information)
(6) Age/year of birth
(7) Food preferences and incompatibilities (e.g. for catering)
(8) Accessibility requirements (e.g. wheelchair-friendly access)
(9) Language skills (e.g. for interpreters)
Users must consent to the processing of their data. All provided data are conveyed to the event organisers within the bpb or to external event service providers, depending on the event, for processing and storage. Data may also be made available to third parties, e.g. when required for booking accommodation or transport.
2. Legal basis for data processing
The legal basis for processing your data, provided that you have given your consent, is point (a) of Article 6 (1) of the GDPR.
3. Purpose of data processing
Data are conveyed, processed and stored for the purposes of registering for, planning and holding events and follow-up activities.
4. Duration of storage
Data are erased are soon as they are no longer needed for the purpose for which they were collected. In the present case, this means that collected data are erased once all processing activities related to the participants have been completed, e.g. payments and refunds. Above and beyond this, data may be stored within the time limits on keeping written documents as defined by the Registry Directive supplementing the Joint Rules of Procedure of the German federal ministries.
5. Possibility of objecting and requesting erasure
You may at any time retract your consent for us to process your personal data and request us to erase them. One way of doing this is to send an e-mail to the bpb at info@bpb.de. If you request the erasure of your data prior to an event, it will no longer be possible to ensure your registration for or attendance of the event.
VII. Registration for digital events and online conferences of the bpb
1. Description and scope of data processing
The bpb holds digital events for which interested parties may register. It only makes sense for you to register for these events if you agree to participate in them while using the corresponding service and an Internet browser or other required software on your personal device. Responsibility for collecting and processing personal data rests exclusively with the external services and the operator of the browser you use. As a rule, you can register by completing a registration form on our website or by directly contacting us, e.g. by e-mail. Regarding the personal data stored in connection with registering for events, please refer to section VI of this data protection policy.
For holding digital events, the bpb makes use of the external technical services and offerings of the following providers:
Edudip GmbH, Jülicher Strasse 306, 52070 Aachen, Germany
Microsoft Corporation, One Microsoft Way, Remond, WA 98052-6399, USA
Remo Holdings Limited, Fortune Terrace 4-16 Tak Shing St., Jordan, Kowloon, Hong Kong
ZOOM Video Communications Inc. San Jose, California, USA
EventInsight B.V., Kraneweg 13-3, 9718JC Groningen, The Netherlands
Depending on the type of digital event, it may be necessary for participants to open an account with the organiser. If this is the case, the personal data required to create the account are processed by the organiser. If no account is set up, personal data are not processed by the organiser until after participants actively join the digital event of their own accord.
Please note that participants of digital events use online services at their own risk. We would also like to call your attention to the fact that organisers store the data of users in accordance with their own data privacy guidelines. The bpb has no influence on the type or scope of data processed by them or the ways in which the data are processed, used or made available to third parties. Even in the case of contract processing in the sense of Article 28 of the GDPR, the bpb has no means at its disposal for exhaustively monitoring this. For detailed information on the ways in which organisers process data, please refer to their respective data privacy policies and other documents:
- Externer Link: https://www.edudip.com/en/privacy
- Externer Link: https://privacy.microsoft.com/en-gb/privacystatement
- Externer Link: https://remo.co/privacy-policy/
- Externer Link: https://zoom.us/privacy
- Externer Link: https://www.eventinsight.io/en/privacy-policy
2. Legal basis for data processing
The legal basis for processing data after registration to an event is point (a) of Article 6 (1) of the GDPR. For the use of external services, the legal basis indicated in each case applies to the provision of your consent in accordance with point (a) of Article 6 (1) of the GDPR.
3. Purpose of data processing
Data are conveyed, processed and stored for the purposes of registering users for an event and for planning, holding and conducting follow-up activities for events. External services are involved in holding digital events, which are indispensable for this purpose.
4. Duration of storage
No data are stored by the bpb. When you register with a service provider, it processes and stores your data. Precisely which data are conveyed and the duration of their storage vary depending on the provider. To obtain information on the purpose and scope of data collection, further processing, usage and storage, you must contact the individual provider in each case. We have provided links to their respective data privacy policies above.
5. Possibility of objecting and requesting erasure
As bpb does not process, store or automatically transfer data to service providers, users can only object to the processing and storage of their data by directly contacting the responsible service provider in each case. The possibilities for objecting to these and requesting the erasure of data are explained by in their respective privacy policies. We have provided links to them above.
VIII. Integration of external content and services in bpb.de
1. Description and scope of data processing
The Federal Agency for Civic Education integrates some content in its website at bpb.de via external services. In this connection, data can be transferred from bpb.de to external services which may also place cookies. The bpb uses these services to make multimedia content available to users.
To give users control over which data are conveyed, bpb.de inserts an activation window before each set of integrated external content. Unless users actively provide their consent for the external content to be displayed, no data are conveyed and no content is played.
If users consent to the integration of content from a particular external service, a cookie is placed indicating this permission (see the section on ‘Use of cookies’). The content is then played and data can be transferred. The cookie is automatically erased after the end of the session.
As a rule, transmitted data contain a reference to the fact that data integrated in bpb.de are being accessed. These can also be personal data (e.g. an IP address). Exactly which data are transferred in a given case cannot always be determined. You are therefore advised to contact the provider in a given case to obtain information on how they collect, store and use data.
Services of the following providers (among others) are currently integrated in bpb.de:
Google (e.g. YouTube Player, Google Maps, Google Spreadsheets): Google services are operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (‘Google’). Please consult Google’s privacy policies to learn about the purpose and scope of data collection, processing and use as well as your rights and choices: Externer Link: https://policies.google.com/privacy?hl=en
Twitter (Twitter Widgets/Feed): Twitter is operated by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA (‘Twitter’). You can get information on how Twitter uses collected data at: Externer Link: https://twitter.com/en/privacy
Facebook (video player): Facebook is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (‘Facebook’). Please consult Facebook’s privacy policies to learn about the purpose and scope of data collection, processing and use as well as your rights and choices: Externer Link: https://www.facebook.com/about/privacy/update
SoundCloud (audio player): Soundcloud is operated by SoundCloud Limited, Rheinsberger Str. 76/77 10115 Berlin, Germany. You can learn about the purpose and scope of data collection and use by Soundcloud here: Externer Link: https://soundcloud.com/pages/privacy/05-2018
Vimeo (video player): Vimeo is operated by Vimeo, Inc., 555 West 18th Street, New York, New York 10011, USA. You can learn about the purpose and scope of data collection and use by Vimeo here: Externer Link: https://vimeo.com/privacy
2. Legal basis for data processing
The legal basis for transferring data is point (e) of Article 6 (1) of the GDPR in conjunction with Section 3 of the German Data Protection Act.
3. Purpose of data processing
External services are integrated in bpb.de in order to provide content, functionality and information which would otherwise not be available to users.
4. Duration of storage, possibility of objecting and requesting erasure
Which data are transferred and how long they are stored varies depending on the service. In order to learn the purpose and scope of data collection, how data are processed, used and stored, and your rights to object and request erasure, you must therefore consult each individual service provider. We have provided links to their privacy policies above.
VIIII. Timer prize draw
1. Description and scope of data processing
The Federal Agency for Civic Education is holding a prize draw in which a copy of the bpb calendar for schoolchildren, called ‘Timer’, can be won. Users are invited to submit the solution using an online form. In order to participate in the prize draw, you must also provide the following personal information:
(1) Name (given name and surname)
(2) Address (street, house number, postcode, town or city, country)
(3) E-mail address
(4) Telephone number (optional)
Items 1 to 3 are required for matching submitted solutions to participants, notifying the winners and sending the copies they have won to them. You may also voluntarily provide your telephone number if you wish.
These data and the voluntarily provided information are relayed to three external service providers: IBRo Versandservice GmbH, Kastanienweg 1, 18184 Roggentin, Externer Link: www.ibro-versandservice.de; Externer Link: www.kdv.de; and GLAMUS Gesellschaft für moderne Kommunikation mbH, Gartenstrasse 24, 53229 Bonn, Externer Link: www.glamus.de. They are responsible for recording the data submitted via the form, determining the winners and dispatching prizes. To do so, they work with Deutsche Post AG, which provides the addressed calendars inserted in mailers for distribution. The addresses for printing the address labels are processed with the program Dialogpostmanager and printed onto the labels, which are then attached to the mailers. Ninety days after they are sent, the address data are masked, i.e. replaced with modified content, using the data protection module integrated in Dialogpostmanager.
2. Legal basis for data processing
The legal basis for processing the customer data (items 1 to 3) collected for concluding the contract (entering the prize draw automatically concludes a contract for sending the calendar, provided that the prerequisites are met) is point (b) of Article 6 (1) of the GDPR. The legal basis for processing the voluntarily provided data (item 4) with the user’s consent is point (a) of Article 6 (1) of the GDPR.
3. Purpose of data processing
The customer data (items 1 to 4) are collected, transferred, processed and stored for the purpose of holding the prize draw, including sending of prizes, as a contractually agreed service.
4. Duration of storage
As soon as the business purpose for which the prize draw is held is fulfilled, the customer data required for processing the order (items 1 to 3) and the voluntarily provided information (item 4) are erased at the latest 90 days after the end of the prize draw, i.e. after the prizes have been dispatched.
5. Possibility of objecting and requesting erasure
Users have the right to revoke at any time their consent to processing of their personal data (items 1 to 4) and request their erasure. They may contact the bpb by e-mail or letter for this purpose. If a user requests the erasure of their data before the calendar has been dispatched, however, they will be excluded from further participation in the prize draw. After a contract has been revoked with legal effect, the data processed for the purpose of executing it are erased.
F. Rights of Affected Persons
If personal data of yours are processed, you are a data subject in the sense of the GDPR and have the following rights vis-à-vis the Controller (the natural or legal person, public authority, agency or other body which determines how and for which purposes your personal data are processed: in this case, the Federal Agency for Civic Education):
1. Right of access (Art. 15 GDPR)
You have the right to receive confirmation from the Controller as to whether or not personal data concerning you are processed by us. If this is the case, you may obtain information from the Controller regarding:
(1) the purposes for which your personal data are processed;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom the personal data have been or will be disclosed;
(4) the envisaged period for which personal data concerning you will be stored or, if no specific information can be provided on this, the criteria used to determine that period;
(5) the existence of the right to request from the Controller rectification or erasure of personal data concerning you, the right to the restriction of processing of your personal data by the Controller or the right to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) and, when personal data are not collected from you, any available information as to their source.
You have the right to receive information on whether personal data concerning you are transferred to a third country or an international organisation. If this is the case, you have the right to be informed of the appropriate safeguards stipulated by Article 46 of the GDPR relating to the transfer of your data. The exceptions to this right pursuant to Article 34 of the German Data Protection Act apply.
2. Right to rectification (Art. 16 GDPR)
You have the right to obtain from the Controller the rectification and/or completion of the processed personal data concerning you if these are inaccurate or incomplete. The Controller must do so without undue delay.
3. Right to restriction of processing (Art. 18 GDPR)
You have the right to a restriction of processing of personal data concerning you if one of the following applies:
(1) if you contest the accuracy of personal data concerning you, for a sufficient period of time for the Controller to verify them;
(2) if the processing is unlawful and you oppose the erasure of your personal data and request the restriction of their use instead;
(3) if the Controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
(4) if you have objected to processing pursuant to Art. 21 (1) of the GDPR, pending verification of whether the Controller’s legitimate grounds override yours.
If processing of personal data concerning you has been restricted, these data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
If processing has been restricted due to any of the above conditions, you have the right to be informed by the Controller before the restriction of processing is lifted.
4. Right to erasure (Art. 17 GDPR)
a) Obligations to erase data
You have the right to obtain from the Controller the erasure of personal data concerning you without undue delay, and the Controller has the obligation to erase these personal data without undue delay if any of the following grounds applies:
(1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
(2) You withdraw the consent on which the processing is based in accordance with point (a) of Art. 6 (1) or point (a) of Art. 9 (2) GDPR when there is no other legal ground for the processing.
(3) You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 (2) GDPR.
(4) The personal data concerning you have been unlawfully processed.
(5) The personal data concerning you must be erased in order to comply with a legal obligation in Union or Member State law to which the Controller is subject.
(6) The personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR. The exceptions to this right covered by Art. 35 of the German Data Protection Act apply.
b) Provision of information to third parties
If the Controller has made the personal data concerning you public and is obliged by Art. 17 (1) GDPR to erase them, the Controller, while taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform those responsible for processing the personal data that you, as the affected person, have requested the erasure of all links to and copies and replications of the personal data concerned.
c) Exceptions
No right to erasure exists to the extent that processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for complying with a legal obligation which requires processing by Union or Member State law to which the control is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9 (2), points (h) and (i) as well as Art. 9 (3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) in so far as the right referred to in section (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.
5. Right to notification (Art. 19 GDPR)
If you have exercised your right to request rectification or erasure of personal data or restriction of processing from the Controller, the Controller is obliged to communicate this rectification or erasure of personal data or restriction of processing to every recipient to whom personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to be informed by the Controller about those recipients.
6. Right to data portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you which you have provided to the Controller, in a structured, commonly used and machine-readable format. Furthermore you have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data had been provided, where:
(1) the processing is based on consent pursuant to point (a) of Art. 6 (1) or point (a) of Art. 9 (2) GDPR or on a contract pursuant to point (b) of Art. 6 (1) GDPR and
(2) the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one Controller to another as far as this is technically feasible.
The right to data portability does not apply to processing of personal data which is necessary for performing a task in the public interest or to the exercise of official authority vested in the Controller.
7. Right to object (Art. 21 GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) or (f) of Ar. 6 (1) GDPR.
The Controller must then cease processing the personal data concerning you unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, right and freedoms or if it serves the establishment, exercise or defence of legal claims.
If personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing.
If you object to processing for direct marketing purposes, the personal data concerning you may no longer be processed for such purposes.
In the context of the use of information society services, notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications. The exceptions to this right set forth in Art. 36 of the German Data Protection Act apply.
8. Right to withdraw consent (Art. 7 GDPR)
You have the right to withdraw your consent at any time. This withdrawal does not affect the lawfulness of processing based on consent you provided prior to its withdrawal.
9. Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if in your opinion the processing of personal data concerning you violates the GDPR.
The supervisory authority with which the complaint is lodged must then inform you of the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
The supervisory authority responsible for the Federal Agency for Civic Education is:
the Federal Commissioner for Data Protection and Freedom of Information
Graurheindorfer Str. 153
53117 Bonn, Germany
(Externer Link: https://www.bfdi.bund.de/EN/Home/home_node.html).