Data Protection Declaration – BfR Academy
This text version is a translation of the original German text which is the only legally binding version.
The German Federal Institute for Risk Assessment (BfR) attaches great importance to the responsible handling of personal data. We would like users to know when certain data is collected and used by the BfR.
The BfR operates a website under the domain www.bfr-akademie.de. The activities of the BfR are announced and archived on this website. It is also possible to register for BfR events via this website.
We only process personal data to the necessary extent. The basis on which different data is processed depends on the purpose for which the data is required.
1. Who is responsible for data processing and who can I contact?
The German Federal Institute for Risk Assessment is responsible for processing your data in line with Article 4(7) GDPR. You can find our contact details below:
German Federal Institute for Risk Assessment (BfR)
Max-Dohrn-Str. 8 – 10
Tel: +49 (0)30-18412-22405
Fax: +49 (0)30-18412-622405
Should you have any questions concerning the processing of your data and data protection, please contact our officially assigned Data Protection Officer:
Data Protection Officer
German Federal Institute for Risk Assessment
Max-Dohrn-Straße 8 – 10
2. What is the legal basis for us to process your personal data?
At the BfR, personal data is processed in accordance with the European General Data Protection Regulation (GDPR), the German Telemedia Act (TMG) and the Federal Data Protection Act (BDSG).
Provided the BfR obtains consent from the data subject to process their personal data, Article 6(1)(a) GDPR shall serve as the legal basis. Any consent granted can be revoked at any time with effect for the future. This shall also apply to revoking any declarations of consent that were given to us before the GDPR came into effect, i.e. before 25 May 2018.
If personal data required to fulfil a contract is processed where the contracting party is the data subject, Article 6(1)(b) GDPR shall serve as the legal basis in the individual case. This shall also apply to processing that is required to perform pre-contractual measures.
If personal data needs to be processed in an individual case in order to fulfil a legal obligation, Article 6(1)(c) GDPR shall also serve as the legal basis in conjunction with the relevant legislation from which the legal obligation arises.
In the rare event that the vital interests of the data subject or another natural person necessitates the processing of personal data, Article 6(1)(d) GDPR shall serve as the legal basis.
The BfR shall process personal data within the process of performing duties incumbent upon it for the benefit of the public. The public tasks of the BfR include, in particular, the tasks and activities assigned to it in accordance with the BfR law (BfRG). The legal basis for processing here shall be Article 6(1)(e) GDPR in conjunction with the relevant provisions of the BfRG, in particular Section 2 BfRG.
Where necessary, we shall also process your data for the protection of our own legitimate interests or those of third parties. Examples may include: Asserting legal claims and pleas in legal disputes, verifying the IT security and IT operations of the BfR, BfR public relations or preventing criminal offences (and others). In such cases, Article 6(1)(f) GDPR shall serve as the legal basis.
3. What personal data is processed in conjunction with a visit to our website?
3.1 Data collection
Each time a user accesses our web pages and each time a file is retrieved, data on this process is temporarily processed in a log file on the web server.
Amongst this stored data is the name of the page accessed, date and time of the request, the IP address, the volume of data transferred and the requesting provider.
The legal basis for temporarily storing the data shall be Article 6(1)(e) and (f) GDPR. Other personal data relating to the user shall not be combined.
When using this information, the BfR shall not draw conclusions about the data subject. Rather, this information is required to
• correctly deliver the content of our website,
• optimise the content of our website,
• guarantee the functionality of our IT systems and the technology of our website.
The use of our cookies does not mean that we obtain new personal data about you. The cookies used by our website generally lose their validity after one hour.
Most internet browsers automatically accept cookies. You can configure your browser in such a way that no cookies are stored on your computer or a notification appears if you receive a new cookie. Deactivating cookies may mean that you are unable to use all of the functions on our website.
3.3 What personal data is processed within the course of establishing contact?
Personal data is processed depending on the means of contact.
3.3.1 Contact via email
Contact with the BfR via email can be made via
Provided that you use one of the above-mentioned means of contact, the data submitted by you (e.g.: surname, first name, address, or similar), however no less than the email address and the information contained in the email (including, where applicable, the personal data submitted by you) will be processed for the purposes of establishing contact and handling your request. We advise you that data processing takes place on the basis of Article 6(1)(e) GDPR in conjunction with Article 3 BDSG. It is necessary to process the personal data submitted by you for the purpose of handling your request.
3.3.2 Registering on the website
Data is collected on the basis of Article 6(1)(b) GDPR, performance of contract.
Mandatory information when registering on the website
• email address
• name (first name, surname)
• address (street, house number, postcode, city, country)
Voluntary information when registering on the website
• academic title
• telephone number
• fax number
Mandatory information is collected and stored
• to provide information on who our contracting party is, that is, to whom we are providing services and invoicing
• for processing an order
• for transmitting the order confirmation
• to contact with you with any queries
Voluntary information is collected to make contacting you easier.
3.3.3 Ordering and registering for events
You can register yourself and other participants for an event. Confirmation is automatically sent to the email address that was entered when registering for the event or that is linked to the registered user account. Data is processed on the basis of Article 6(1)(b) GDPR, performance of contract.
Obligatory information when ordering and registering for an event
• the chosen event (event title, item number)
• where applicable, number of places for the event
• title, surname, first name and institution of the participants registered by you
• where applicable, the type of certificate of attendance you wish to receive
• where applicable, your involvement in other parts of the programme, such as the evening event
Voluntary information when registering for an event
• your affiliation to a BfR target group
• remarks on your involvement, such as possible contributions made by you
Mandatory and voluntary information is collected for the purpose of organising the event including special programmes, preparing event materials, arranging meeting spaces and greeting and registering you at the event. We print name badges and compile and store various participant lists on which the event title, event date, amount paid, your certifications and your involvement in particular programmes, such as evening events, are visible. We store your association to a BfR target group – if specified by you – for statistical evaluations and for the opportunity to invite you to further events if you give consent (see Section 3.4 Data for newsletter distribution).
Where appropriate, we compile participant lists with names and institutions and display this list at the relevant event. Your data will only be listed on this if you expressly consent to this publication. Using an additional message which contains a link to confirm your consent (double opt-in), we ensure that only the data of persons who explicitly want it is published in this list.
If the event is being evaluated, we will send an email after the event with a link to an anonymous survey to the email address that was entered when registering for the event or that is linked to the registered user account. Participation in the evaluation is voluntary. You will be informed about the evaluation at the event. Contacting you for the purpose of the event evaluation is based on Article 6(1)(e) GDPR.
The relevant payment data (billing address, the amount to be paid, type of payment, credit card or bank details) is used or passed on to payment service providers solely for the purpose of executing the payment process. The basis for data collection is Article 6(1)(b) GDPR, performance of contract.
3.4 Data for newsletter distribution
If you register for the BfR Academy newsletter mailing list, your email address and date and time of registering with us will usually be stored on a server. The data is processed on the basis of your consent in accordance with Article 6(1)(a) GDPR. We only use this data for sending the newsletter. We do not forward the data to any third parties.
The registration system, with an additional confirmation message containing a link to the final registration (double opt-in), ensures that you explicitly wish to receive the newsletter.
Upon registration, your data is stored on our server and a confirmation message with a link to the final registration is sent to the given email address.
Your data for newsletter distribution is only stored for the duration of use of our newsletter service once you confirm the link in the email.
If you no longer agree to your data being stored for this purpose and therefore no longer wish to use our service, you can unsubscribe from our newsletters at any time. At the end of every newsletter you will find a link which you can use to unsubscribe from the newsletter. You can also unsubscribe from the newsletter at any time via email to firstname.lastname@example.org. The data provided by you will then be deleted.
4. Recipients of personal data
Personal data of those registered for events will be passed on to the relevant event co-organising institutions, should the situation arise. Co-organising institutions are specified in the description of the relevant event. The responsible party and your point of contact for any queries concerning the processing of your data for events you registered for at www.bfr-akademie.de shall be the German Federal Institute for Risk Assessment (see Section 1. Who is responsible for data processing and who can I contact?). Data is processed on the basis of Article 6(1)(b) GDPR, performance of contract.
Should one of the co-organising institutions be located in a third country, with regards to which no adequacy decision on the basis Art. 45 GDPR has been issued, we will assure that appropriate safeguards in accordance with Art. 46 GDPR are put in place.
Personal data is passed on to payment service providers as a part of the payment process (see Section 3.3.4. Payment).
We will not sell or otherwise pass on your data to third parties. An alternative shall only apply in the event of a legal obligation or if this is required to exercise our rights, in particular to assert claims from the contractual relationship with you.
5. What data protection rights do I have?
You have the following rights towards the BfR with regard to your personal data:
• the right of access in accordance with Article 15 GDPR
• the right to rectification in accordance with Article 16 GDPR
• the right to erasure in accordance with Article 17 GDPR
• the right to restriction of processing in accordance with Article 18 GDPR
• the right to object from Article 21 GDPR
• the right to data portability from Article 20 GDPR
The restrictions in accordance with Articles 34 and 35 BDSG apply to the rights of access and to erasure.
You can revoke consent given to us to process personal data at any time with future effect. This shall also apply to revoking any declarations of consent that were given to us before the GDPR came into effect, i.e. before 25 May 2018.
You may assert the aforementioned rights at email@example.com or by post using the BfR address stated at the beginning of this data protection declaration.
Furthermore, you have the right to lodge a complaint with the supervisory authority for data protection (German Federal Commissioner for Data Protection and Freedom of Information), cf. Article 77 GDPR in conjunction with Article 19 BDSG.
You can also contact the Data Protection Officer at the BfR (firstname.lastname@example.org) with any queries and complaints.
6. Amendments to the data protection declaration
The BfR reserves the right to modify this data protection declaration so that it always adheres to current legal requirements. We recommend that you read our data protection declaration regularly in order to stay up to date regarding the protection of the personal data that we collect.
Last updated: 17th September 2019
This text version is a translation of the original German text which is the only legally binding version.