Privacy Policy

As an authority of the Federal Republic of Germany without legal capacity, the Federal Ministry of the Interior and Community (BMI) operates a website (the ‘Website’) under the domain https://en.e-rechnung-bund.de, which it uses to make information on e-invoicing available to the public.

The BMI interacts with the public via the website. This Privacy Policy describes BMI’s practices with respect to collection, use and disclosure of information collected from visitors to the website.

In its role as data controller, the BMI may process information about you. This information is called ‘personal data’. Personal data refers to any information relating to an identified or identifiable natural person (hereinafter ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics. These characteristics are an expression of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data is either collected directly from you, internally or in some instances by third parties. We only process personal data to the extent necessary. Which data is processed for which purpose and on which basis depends largely on the type of service you are using or on the purpose for which the personal data is needed.

We have taken technical and organisational measures to ensure that the data protection regulations are observed by us and by our external service provider.

Personal data at the BMI is processed in accordance with the European General Data Protection Regulation (‘GDPR’) and the Federal Data Protection Act (‘FDPA’).

 

1. Data controller and data protection officer

The data controller responsible for the processing of personal data is the

Federal Ministry of the Interior and Community
Alt-Moabit 140, 10557 Berlin, Germany
Telephone: +49-(0)30 18 681-0
Fax: +49-(0)30 18 681-12926
Email: poststelle@bmi.bund.de

If you have specific questions about the protection of your data, please contact the Data Protection Officer (DPO) at the BMI:

Federal Ministry of the Interior and Community
Alt-Moabit 140, 10557 Berlin, Germany
Telephone: +49-(0)30 18 681-0
Email: bds@bmi.bund.de

You can also contact the BMI by email via this central email address: poststelle@bmi.bund.de. The personal data sent to the central address and stored in the organisational unit responsible for central message distribution will be deleted after one year following forwarding to the competent organisational divisions of the BMI. You can contact the Citizen Service via the email address buergerservice@bmi.bund.de.

Order processor is

Nortal AG
Knesebeckstr. 59-61/61a, 10719 Berlin
Telefon: +49 (0)30-318 05 09-00
E-Mail: erechnung.bund@nortal.com

Nortal AG acts on behalf of the BMI.

 

2. Types of personal data processed by us

The BMI processes your personal data in the following categories:

  1. Personal data: Your first and last name (e.g. when contacting us by email, letter or telephone).
  2. Contact details: Address, postal address, telephone number, email address (e.g. when contacting us by email, letter or telephone).
  3. User information: Each time the website is accessed, two bytes of the IP address of the user’s accessing system (anonymous); the accessed website; the website from which the user accessed the website (‘referrer’); the subpages accessed from the retrieved website; the time spent on the website and the frequency of accessing the website are recorded.
  4. Automatically collected data: Every time a user accesses the website and every time a file is retrieved, data about this process are temporarily processed in a log file. Specifically, the following data are stored for each access/retrieval: Date and time of the retrieval (time stamp), as well as the IP address of the accessing device or server; query details and destination address (protocol version, HTTP method, referrer, user agent string); name of the retrieved file and amount of data transferred (requested URL incl. query string, size in bytes) as well as notification of whether the retrieval was successful (HTTP status code).

 

3. Sources of personal data processed by us

The BMI collects your personal data from various sources. This includes in particular:

  1. Data that you provide to us directly: Your personal data will be collected when you provide it to us (electronically, in writing or verbally). We may also ask you for data and information (e.g. personal and contact details) when you contact us.
  2. Data collected internally or via third party providers: We process information about you that we obtain through your use of our website or your interaction with us (e.g. by contacting us). We and third parties use cookies to collect information about your computer or device and your use of the website. For more information about our use of cookies, please see section 5. ‘Use of cookies on the website’.

 

4. Legal basis and purposes of the processing of personal data

The Federal Ministry of the Interior and Community (BMI) processes personal data whenever it is performing the tasks incumbent upon it in the public interest. Specifically, the constitutional tasks of the BMI include public relations work and, within this context, provision of information to the public through this website.

The legal basis for processing in this case is Article 6(1)(e) GDPR in conjunction with the relevant national or European task standard or in conjunction with Section 3 FDPA.

Insofar as the processing of personal data should be necessary in individual cases for fulfilment of legal obligations, Art. 6(1)(c) GDPR, in conjunction with the corresponding legal provision from which the legal obligation arises, serves as the legal basis.

Insofar as we obtain the data subject’s consent for processing operations of personal data, Art. 6(1)(a) GDPR serves as the legal basis. You can revoke this consent at any time with effect for the future.

The purposes of processing personal data while visiting the website specifically include the following:

  1. Protection against attacks on the Internet infrastructure of the BMI and the communication technology of the Federal Government: Based on Article 6(1)(e) GDPR in conjunction with Section 5 BSI Act, the BMI is obliged to store data to protect against attacks on the Internet infrastructure of the BMI and the Federal Government’s communication technology beyond the time of your visit. These data are analysed and required to initiate legal and criminal prosecution in the event of attacks on the communication technology. The data are deleted as soon as they are no longer required for the fulfilment of tasks. Data logged during access of the BMI’s website are only passed on to third parties if we are legally obliged to do so or if the transfer is necessary for legal or criminal prosecution in the event of attacks on the Federal Government’s communication technology. Data will not be passed on in other cases. The BMI does not combine the data with other data sources.
  2. Web analysis: Based on Art. 6(1)(e) GDPR in conjunction with Section 3 FDPA, the BMI evaluates usage information for statistical purposes as part of its public relations work and to provide information on the tasks to be performed by the BMI in line with requirements. This is done by using a cookie in cooperation with the web analysis service Matomo/PIWIK. For more details, please refer to section 5: ‘Use of cookies on the website’.
  3. Contacting us by email: When you contact us by email, your email will initially be forwarded to the responsible organisational division of the BMI. In the organisational divisions, the data transmitted by you (e.g. last name, first name, address), at the very least the email address as well as the information contained in the email (including any personal data transmitted by you) are stored so that we may contact you and process your request. This is done in accordance with the time limits applicable to the storage of documents in the Registry Directive, which supplements the Common Rules of Procedure of the Federal Ministries (GGO). We would like to point out that the data are processed on the basis of Art. 6(1)(e) GDPR in conjunction with Section 3 FDPA. Processing of the personal data transmitted by you is necessary for processing your request.
  4. Contact via contact form: If you use the contact form for communication, it is necessary to provide your name and first name as well as your e-mail address and authority/company. Without this data, your request transmitted via the contact form cannot be processed. In addition, the date and time of your request will be transmitted to us. If we receive a message from you via the contact form or an e-mail, we assume that we are entitled to reply by e-mail. Otherwise, we ask you to explicitly refer us to another form of communication (such as letter post or fax). The transmission of the contents of the contact forms of the BMI takes place via the Jotform Online Forms plugin. Jotform Online Forms is a service for creating contact forms. The Jotform Online Forms plug-in is only used to forward entered form data to the applicable e-mail addresses: erechnung.bund@nortal.com, erechnung@zrb.bund.de and sendersupport-xrechnung@bdr.de. Additional storage in our database does not take place. Further information and the applicable privacy policy of Jotform Online Forms can be found at https://www.jotform.com/gdpr-compliance/. Communication between the browser and the server takes place exclusively through HTTPS (SSL/TLS) encryption. The processing of the data transmitted with the contact form and the content (which may also contain personal data transmitted by you) is based on Article 6 paragraph 1 lit. a DSGVO for the purpose of processing your request. When using the contact form, the content of the data fields is transmitted to the agents of the BMI for the purpose of responding to requests. In detail, these are the Bundesdruckerei, the Central Accounting Office of the Federal Government and Nortal AG. Consultants from these companies act on behalf of the BMI. The IP address of the sender is recorded. In principle, this also occurs when a conventional e-mail is sent to one of the stored addresses. Processing and temporary storage of personal data serve to answer your request. The processing of your request, which you have communicated to us via the contact form, is carried out by the employees of the above-mentioned companies. They will store your data for the purpose of processing your request and in accordance with legal and contractual requirements. If your request cannot be processed by the employees, it will be forwarded to the office otherwise responsible in the BMI.
  5. Contact by letter: If you write a letter to the BMI, the data you provide (e.g. last name, first name, address) and the information contained in the letter (if applicable, personal data provided by you) will be stored so that we may contact you and process your request. This is done in accordance with the time limits applicable to the storage of documents in the Registry Directive, which supplements the Common Rules of Procedure of the Federal Ministries (GGO). We would like to point out that the data are processed on the basis of Art. 6(1)(e) GDPR in conjunction with Section 3 FDPA. Processing of the personal data transmitted by you is necessary for processing your request.
  6. Telephone contact: If you contact the Citizen Service via the telephone numbers +49 (0)228 99681-0 or +49 (0)30 18681-0, no personal data will be collected. Personal data are only collected when you request a call-back or a written message. In these cases, storage is regulated by the time limits applicable to the storage of documents in the Registry Directive, which supplements the Common Rules of Procedure of the Federal Ministries (GGO).

 

5. Use of cookies on the website

The BMI uses two types of cookies on its website to implement important user functions and to collect statistical, anonymised data for web analysis. This is based on Art. 6(1)(e) GDPR in conjunction with Section 3 FDPA as part of the public relations work for the demand-oriented provision of information on tasks assigned to the BMI.

When accessing the website, information is stored via a cookie as to whether active consent has been given by the user in accordance with Art. 6 (1)(a) GDPR with regard to the Privacy Policy.

As part of web analysis, another cookie is used to collect anonymised usage data, which is processed in cooperation with web analysis service Matomo/PIWIK. In this context, the collected data is passed on to Matomo/PIWIK as a third party if you agree to the web analysis through the cookie via the opt-in option. If you do not agree to the completely anonymous storage and analysis of the data from your visit, you can object to the storage and use at any time via a mouse-click. In this case, a so-called opt-out cookie will be stored in your browser, which means that Matomo/PIWIK will no longer collect any session data.

Show Cookie-Settings

Please note that deleting cookies in your browser will also delete the opt-out cookie and you may have to reactivate it.

In any Internet browser, you can view whether cookies have been set and what data they process. Detailed information is available on the websites of the Federal Commissioner for Data Protection and Freedom of Information and the Federal Office for Information Security.

Most browsers are set to accept cookies automatically. However, the storage of cookies can be deactivated or the browser can be set so that cookies are only stored for the duration of the respective connection to the Internet.

 

6. Protection of minors

Persons under the age of 16 should not transmit any personal data to us without the consent of their parents or legal guardians.

 

7. Your rights as a data subject

You have the following rights vis-à-vis the BMI with regard to your personal data:

  1. The right to gain access to the stored personal data pursuant to Art. 15 GDPR: The right of access provides the data subject with comprehensive insight into the personal data processed concerning him or her and some other important criteria such as the processing purposes or the storage duration. The exceptions to this right, as regulated in Section 34 FDPA, apply.
  2. The right to rectification pursuant to Art. 16 GDPR: The right to rectification includes the possibility for the data subject to have inaccurate personal data concerning him or her corrected.
  3. The right to erasure pursuant to Art. 17 GDPR: The right to erasure of personal data includes the possibility for the data subject to have his or her personal data deleted by the controller. However, this is only possible if the personal data in question are no longer necessary, are being processed unlawfully or if consent in this regard has been revoked. The exceptions to this right, as regulated in Section 35 FDPA, apply.
  4. The right to restriction of processing pursuant to Art. 18 GDPR: The right to restriction of processing includes the possibility for the data subject to prevent further processing of personal data concerning him or her for the time being. A processing restriction occurs primarily in the review phase of other rights exercised by the data subject.
  5. The right to object to collection, processing and/or use pursuant to Art. 21 GDPR: The right to object includes the possibility to object to further processing of your personal data. The exceptions to this right, as regulated in Section 36 FDPA, apply.
  6. The right to data portability pursuant to Art. 20 GDPR: The right to data portability includes the possibility for the data subject to receive his or her personal data in a common, machine-readable format from the controller in order to have it forwarded to another controller, if necessary. Pursuant to Art. 20(3)(2) GDPR, this right is not available if the data processing serves the performance of public tasks.
  7. The right to withdraw consent pursuant to Art. 13 and 14 GDPR: Insofar as the processing of personal data is based on consent, the data subject may revoke such consent for the relevant purpose at any time. The lawfulness of the processing based on the provided consent remains unaffected until receipt of the revocation.

You can assert the aforementioned rights in writing to the data controller (section 1. of this Privacy Policy). Pursuant to Art. 77 GDPR, you also have the right to lodge a complaint with the data protection supervisory authority: The Federal Commissioner for Data Protection and Freedom of Information, Graurheindorfer Str. 153, 53117 Bonn, Germany.

You can also contact the BMI or the data protection officer at the BMI directly with questions and complaints.