1 General information

By interacting with the German SAI, you provide us with personal data that we may collect. Processing of your personal data depends on the channel of communication. Personal data means any personally identifiable information, such as your name, your email address or the internet protocol (IP) address of your computer.

As a general rule, we process personal data in accordance with the European General Data Protection Regulation (EU GDPR) and the Federal Data Protection Act.

This privacy policy provides an overview of how we ensure protection of your data, what kind of data we collect for what purposes and how such information is processed.

We process personal data as appropriate and necessary. We hold and keep personal data only as long as provided by applicable retention periods (see also 6.). We comply with the special rules for processing personal data of children (Article 8 paras. 1 and 2 EU GDPR). We do not merge such data with other data sources. As a rule, we do not share personal data with third parties. The only exception to this rule is where we are required to do so by law or where we must provide information to civil or criminal law enforcement officials for legal or criminal proceedings – such as in the case of attacks on federal communications technology.

We have taken technical and organisational steps to ensure compliance with data protection regulations both by us and by our contractors.

We reserve the right to update this privacy policy when further developing our website. Therefore, we encourage you to revisit our privacy policy from time to time.

1.1 Data controller

In line with Article 4, point 7 EU GDPR, the controller responsible for processing personal data is the President of the Bundesrechnungshof, Adenauerallee 81, 53113 Bonn, Germany.

1.2 Data Protection Officer

The German SAI has appointed a Data Protection Officer (Article 37 EU GDPR). You may contact our Officer by email via Postfach.Datenschutz@brh.bund.de or by mail:

Bundesrechnungshof
Data Protection Officer
Adenauerallee 81
53113 Bonn
Germany

1.3 Legal basis for processing personal data

The German SAI shall audit the accounts and examine the performance, regularity and compliance of federal financial management (Article 114 para. 2 Basic Law). Our functions also include public relations work. We also use our website to supply information on our SAI and on our activities to the general public. We process personal data to exercise our statutory functions in the public interest. Article 6 EU GDPR and Section 3 Federal Data Protection Act provide the legal basis for processing personal data.

Data privacy and protection:
Article 6 para. 1(a), (b), (e) EU GDPR, Section 3 Federal Data Protection Act

Contacts and petitions:
Article 6 para. 1(a) EU GDPR, Section 3 Federal Data Protection Act, Article 17 Directive (EU) 2019/1937

For information according to the Whistleblower Protection Act:
Article 6 para. 1 lit. e) EU GDPR, § 10 HinSchG

Provision of information:
Article 6 para. 1(a), (e) EU GDPR, where appropriate, in conjunction with Section 96 para. 4 Federal Budget Code

2 Hosting of our website

2.1 Data processing for visits to our website

Each time you visit our website, we collect data required for security reasons and for providing and improving a functional website as well as our contents and services. The data collected includes:

• your IP address;
• name of the file accessed;
• date and time of access;
• amount of data transmitted;
• notification of whether the file was accessed successfully.

The data is temporarily processed in a log file. Prior to storage, each data record is anonymised by changing the IP address.

The anonymised data is stored on a server at the Federal Information Technology Centre past the time of your visit to our website. We are obliged to do so pursuant to Article 6 para. 1(e) and para. 3(b) EU GDPR in conjunction with Section 5 of the Act on the Federal Office for Information Security (BSI Act) in order to protect against attacks on our internet infrastructure and federal communications technology. This data is analysed and is required in the case of attacks on communications technology.

Data collected from visits to our website and stored in log files is shared with third parties only if we are required to do so by law, or if needed for legal or criminal proceedings in the case of attacks on federal communications technology. Otherwise, this data is not shared with third parties.

When accessing individual pages, we use temporary cookies to facilitate navigation. These session cookies contain no personal data and expire at the end of the session. We do not use technology such as Java applets or ActiveX controls, which allow user access behaviour to be monitored.

2.2 Web analysis

Our website is part of our public relations work. In order to better tailor the information provided to the needs of users, we statistically evaluate access to our website on the basis of your statistics cookie consent pursuant to Article 6 para. 1(a) and Article 7 para. 1 EU GDPR in conjunction with Article 25 para. 1 Telecommunications Telemedia Data Protection Act.

For the collection of session data, we use Matomo (www.matomo.org), the web analytics software provided by the company InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand. The software is hosted at the Federal Information Technology Centre and is provided to us from the Centre.

The IP address recognised is already anonymised when collecting information and thus prior to storing information for the first time. Therefore, no personal data is collected and your visit to our website remains anonymous.

When you visit a page of our website, the following information is collected anonymously – if you consented to the statistics cookie:

• web page accessed and date and time of the visit to the page;
• subpages accessed from the web page;
• browser used and operating system;
• frequency of visits to the web page;
• time spent on the web page.

The data collected using Matomo (including your anonymised IP address) is processed on the servers of the Federal Information Technology Centre.

When you visit our website, a cookie banner is displayed. This banner enables you to decide whether or not to accept a statistics cookie. In the default setting, web analysis is disabled.

You can decide here again whether the statistics cookie mentioned above may be stored in your browser. Please select “Disable web analytics on this website” to deactivate the statistics cookie again after you have accepted the cookie. Please note that your consent can only be withdrawn with future effect.

3 Contacts and petitions

You may provide information and suggestions (petitions) directly to us. You can contact us by email, letter, fax or telephone. When contacting us, you voluntarily and knowingly provide personal data to us to process your request.

Depending on the type and scope of the contact or your petition, we may collect the following personal data:

• title;
• first and last name;
• email address;
• street, house number;
• postal code (zip code), city or town;
• telephone number;
• subject matter of request/petition;
• your message;
• if applicable, IP address.

Your personal information is used only for the purpose of processing your petition or request and for providing you with a (full) response. The personal information you voluntarily submit to us is deleted, once the data is no longer needed for the intended purpose of processing (see also 6.).

4 LinkedIn

For the web-based social networking service provided here, we use LinkedIn in order to maintain a company profile and to share posts. Please note that you use the LinkedIn networking service provided here and its functions at your own discretion and risk. This applies in particular to the use of interactive functions (e.g. follow, repost, like, comment).

We actively use LinkedIn to present ourselves as an employer and to inform about our work and impact. If desired, you may directly communicate with us via LinkedIn at your own discretion and risk. Our LinkedIn channel complements our website and provides an alternative option to contact us via whichever platform you prefer. Should you not wish LinkedIn to process the personal data you provided to us, please do not use LinkedIn to contact us.

When you access our LinkedIn profile, the user agreement and the privacy policy of LinkedIn apply. We process user data only if you contact us and communicate with us via comments or direct messages, for example.

www.linkedin.com/company/bundesrechnungshof

4.1 Legal basis

The legal basis for processing data following users’ interaction with our LinkedIn profile is Article 6 para. 1(e) EU GDPR in conjunction with Section 3 Federal Data Protection Act, and Article 6 para. 1(a) EU GDPR if users have given their consent. LinkedIn is a service provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland, a subsidiary of LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA.

4.2 Processing of personal data by LinkedIn

We are not able to conclusively assess the extent to which LinkedIn provides its services in accordance with European data protection regulations. Any users of the LinkedIn network must carefully consider for themselves what personal data they share with us via LinkedIn. This also applies to the use of our profile. Please note in particular that LinkedIn stores its users’ data (e.g. personal information, IP addresses) in accordance with its privacy policy and also uses this data for business purposes.

We do not collect any personal data from visitors to the LinkedIn page. We therefore ask you to carefully consider what personal data you provide and disclose to LinkedIn.

LinkedIn describes what data is processed and the purposes for which the data is used in its privacy policy.

We do not have any information on the extent to which, where and for how long the data is stored, on the extent to which LinkedIn complies with existing obligations to erase data, on the analyses and links for which the data is used and on those with whom the data is shared. In detail:

By using LinkedIn, your personal data will be collected, transferred, stored, disclosed and used by LinkedIn Ireland Unlimited Company and transferred to, and stored and used in, Ireland and any other country in which LinkedIn Ireland Unlimited Company does business, regardless of your country of residence. In this respect, please note that user data might be processed outside the European Union, in particular in the USA. This may lead to increased risks for users because it may be more difficult to access the user data at a later point in time, for example. We also do not have access to this user data. Only LinkedIn has access to this data.

LinkedIn shares personal data with affiliates and uses others’ services. We do not have any information on the kind of data provided in this context and on the location of these affiliates and third parties. This data might also be processed outside the European Union, in particular in the USA. This may also lead to increased risks for users because it may be more difficult to access the user data at a later point in time, for example. We also do not have access to this user data. Only LinkedIn has access to this data.

Please note that the terms and conditions of these services and their providers are not subject to our control.

Note: We do not know how your data is protected after you have transferred the data. By using LinkedIn, you give your consent to LinkedIn using your data.

Please consider very carefully what personal data you share with us via our LinkedIn profile.

We also ask you to carefully consider what personal data you disclose as a social media user. Please regularly check your privacy settings.

4.3 Privacy settings

You have options to restrict the processing of your data in the general settings of your LinkedIn profile. In addition to that, you may restrict LinkedIn’s access to contact and calendar information, pictures, location data etc. in the settings of your mobile devices (smartphones, tablet computers). However, this depends on the operating system used.

For further information, in particular on the personalisation and data privacy settings, please see the privacy policy of LinkedIn.

5 Provision of information

The kind of information we make available has an impact on how we process your personal data.

5.1 Requests to access information

You may request us in writing to have access to final audit findings. In order to enable us to process and respond to your request, you provide us with your personal data. This processing is governed by the requirements of Article 6 para. 1(e) EU GDPR in conjunction with Section 3 Federal Data Protection Act.

We need the following personal data to process your request:

• subject matter;
• name;
• street, house number;
• postal code (zip code) and city or town; and/or
• email address.

Your personal information is used only for the purpose of processing your request. After we have completed processing your request, your personal information is kept on file. Usually, the retention period is five years (see also 6.).

5.2 Order of printed materials

If you request printed materials, we need to process personal data for the delivery. This processing is governed by the requirements of Article 6 para. 1(e) EU GDPR in conjunction with Section 3 Federal Data Protection Act.

We need the following personal data for processing your request:

• name;
• street, house number;
• postal code (zip code) and city or town.

This information is processed within the scope of your request. Additional information such as title, first name, company (if applicable) or email address are not mandatory for the processing but help to better serve your request. Processing is governed by the requirements of Article 6 para. 1(a) EU GDPR in conjunction with Section 3 Federal Data Protection Act.

Your personal information is deleted either immediately after shipment but at the latest at year-end after the year following final processing of your request (see also 6.).

5.3 Visitors

We regularly receive visiting delegations and study groups and also individual visitors both for day-to-day purposes and various events. Prior to granting access to our premises, we need to collect first and last names of visitors for physical security reasons. This is part of exercising our functions (public relations or technical work) pursuant to Article 6 para. 1(e) EU GDPR in conjunction with Section 3 Federal Data Protection Act.

Further optional data serves to help us better arrange for the visit to our premises. Such information includes: organisation, type of school, grade level, association or mobility requirements. Processing such data for the purpose of the expert or information visit is based on your consent pursuant to Article 6 para. 1(a) EU GDPR in conjunction with Section 3 Federal Data Protection Act. You have the right to withdraw your consent at any time. Please note that the withdrawal of your consent will not affect the lawfulness of processing conducted prior to the withdrawal.

Your personal information is deleted at the latest at year-end after the year following final processing (see also 6.).

6 Information for media representatives

The data collected on media enquiries depends on the nature of the request (e.g. for information or for inclusion in our media mailing list).

We need the following personal data (or more) to process your request:

• name;
• email address;
• telephone number;
• type of media;
• where appropriate, street, house number, postal code (zip code) and city or town;
• subject matter of the enquiry (optional).

Processing of this data for the purpose of providing information is governed by the requirements of Article 6 para. 1(e) EU GDPR in conjunction with Section 3 Federal Data Protection Act. Your personal information transferred to us is deleted once it is no longer required for the purpose of processing but at the latest at year-end after the year following final processing (see 6.).

If you wish to be included in the media mailing list, you give your consent and your data is processed in accordance with the requirements set by Article 6 para. 1(a) EU GDPR. You have the right to withdraw your consent at any time. Please note that the withdrawal of your consent does not affect the lawfulness of processing conducted prior to the withdrawal. When you withdraw your consent, you are removed from our press mailing list.

7 Retention periods

In order to store your personal data, as a rule, we rely on the retention deadlines set by the Directive on the Processing and Management of Records in Federal Ministries and the Joint Rules of Procedure of the Federal Ministries.

Depending on the type of request, the following retention periods are set:

• requests to gather information: 5 years
• petitions: 5 years
• events, visitor groups, information processing and making information available to the media and the general public (ephemeral matters): 1 year
• information pursuant to Directive (EU) 2019/1937: 3 years
• requests for information in accordance with Article 15 EU GDPR: 1 year

The periods shall commence after the year has elapsed in which processing of your respective request has been concluded.

8 Data subject rights

When interacting with our SAI, you have the following rights in relation to your personal data:

• Right of access, Article 15 EU GDPR. You have the right to full access to your personal data and insight into some key aspects such as the purposes of the processing or the retention period. This right shall not apply in cases specified under Section 34 Federal Data Protection Act.
• Right to rectification, Article 16 EU GDPR. This right enables you to have the personal data we hold about you to be corrected where such data is inaccurate.
• Right to erasure, Article 17 EU GDPR. You have the right to ask us to erase your personal data. However, this is only possible where holding your personal data is no longer necessary, where your data has been processed unlawfully or where you have withdrawn consent to processing. This right shall not apply in cases specified under Section 35 Federal Data Protection Act.
• Right to restriction of processing, Article 18 EU GDPR. You have the right to restrict processing, which includes the option to suspend further processing of your personal data for the time being. Processing is restricted in particular if you want us to verify other legitimate interests for processing it.
• Right to object to data collection, processing and/or use, Article 21 EU GDPR. You have the right to object, inter alia, to further processing of your personal data in a particular situation, where such processing is necessary for the exercise of a public function or of public or private legitimate interests. This right shall not apply in cases specified under Section 36 Federal Data Protection Act.
• Right to data portability, Article 20 EU GDPR. You have the right to obtain a portable copy of the personal data collected by a controller in a commonly-used, machine-readable format and to transfer such data to another controller, as appropriate. Pursuant to Article 20 para. 3 sentence 2 EU GDPR, that right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• Right to withdraw consent, Articles 13 and 14 EU GDPR. Where we process your personal data based on your consent, you shall have the right to withdraw consent at any time for the specific processing agreed to. Please note that the withdrawal of your consent will not affect the lawfulness of processing conducted prior to the withdrawal.

If you wish to make the claims set out above, please make a request in writing to the data controller stated in item 1.1.

Pursuant to Article 77 EU GDPR, you also have the right to lodge a complaint with the oversight body on data privacy and data protection, the Federal Commissioner for Data Protection and Freedom of Information.