Privacy Policy for the Federal Portal

1. Preliminary remarks

The Federal Portal is provided by the Federal Ministry of the Interior and Community (BMI). It offers a single point of access to digital government services provided by the Federation and the Länder.

When you use the Federal Portal, your personal data are processed (Article 4 no. 1 of the General Data Protection Regulation – GDPR). The information below provides details of the type of personal data processed, the purposes and legal basis of the processing, and your rights.

2. Controller and data protection officer

The Federal Ministry of the Interior and Community is responsible for operating the Federal Portal in accordance with data protection law (Article 4 no. 7 of the GDPR).

Note: When you use an online application form to request or use a government service within the Federal Portal, responsibility under data protection law for processing any data collected or temporarily stored in the Federal Portal within the scope of your request or use lies with the authority providing this online government service. In this context, the Federal Ministry of the Interior and Community processes your data only on behalf of the responsible authority. Additional information and explanations concerning data processing for each process are available in the Privacy Policy to which each online form has a link.

You can reach us at the following address:

Bundesministerium des Innern und für Heimat
Alt-Moabit 140
10557 Berlin, Germany
Phone: +49-(0)30 18 681-0
Fax: +49-(0)30 18 681-12926
Email: poststelle@bmi.bund.de 
De-Mail: poststelle@bmi-bund.de-mail.de 

You can reach the Data Protection Officer at the Federal Ministry of the Interior and Community at the following address:

Bundesministerium des Innern und für Heimat
Datenschutzbeauftragte/r
Alt-Moabit 140
10557 Berlin, Germany
Phone: +49-(0)30 18 681-0
Email: bds@bmi.bund.de 

Note: End-to-end encryption is not used as standard for the transmission of emails (not De-Mail), which means that unauthorised persons could potentially access and manipulate the information transmitted. For information that requires protection, we therefore recommend that you contact us using one of the following methods:

3. Where is the Federal Portal hosted, and by whom?

The Federal Ministry of the Interior and Community has outsourced the hosting of the Federal Portal to Bundesdruckerei GmbH. The data centres of the Bundesdruckerei are located in Germany. No data processing related to the Federal Portal takes place outside of Germany.

4. What are personal data?

Personal data means any information relating to an identified or identifiable natural person. Natural persons are considered identifiable if they can be identified directly or indirectly, in particular by linking them to an identifier such as a name, an identification number, location data or an online identifier (Article 4 no. 1 of the GDPR).

5. Data processing when you visit the Federal Portal website

5.1. Which data do we collect when you visit the Federal Portal website?

Every time you visit the Federal Portal website, the following data, which are technically necessary to display the website and its functions and to ensure the stability and security of this service, are collected on our servers:

  • the date and time of access,
  • the name and URL of the files retrieved,
  • the website from which access was made (“referrer”),
  • the operating system of your computer and the browser you use,
  • the preferred language of your browser (accept language),
  • your IP address,
  • the name of your internet service provider.

The data are automatically written in what are known as log files (technical log files), where they are stored for a period of 90 days. After that time, the data are automatically deleted. Technical and organisational safeguards ensure that only a defined group of suitably instructed administrators have access to these data. These data are not combined with other data sources.

Data traffic between your web browser and the Federal Portal servers is going through an encrypted HTTPS connection. HTTPS is a secure version of the HTTP communication protocol which is used for exchanging data (such as Federal Portal websites, your form input data) via the internet between the web browser and server, preventing unauthorised persons from accessing the information transmitted.

Processing is carried out in compliance with Article 6 (1) (e) of the GDPR in conjunction with section 3 of the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and section 5 of the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, BSIG).

To improve the terms suggested by the Federal Portal’s search function (“autosuggest”), we process the search terms entered by you in anonymous statistics if your search was successful. A search is considered successful if the user views a description of services within the Federal Portal immediately after the search. For this purpose, we analyse the referrer transmitted by your browser to the Federal Portal server. We will not create user profiles, i.e. we will not link the results of this analysis with other data sources.

The legal basis for processing personal data to improve the Federal Portal’s search function is Article 6 (1) (e) of the GDPR in conjunction with section 3 of the Federal Data Protection Act.

5.2. What are cookies and similar technologies?

Cookies are small pieces of data that a website can place locally in the memory of your web browser on your computer. They contain identifiers (randomly generated identification numbers), which the server can use to clearly identify requests coming from your device. In this way, a request can also be clearly attributed to a specific user.

JavaScript is a script language for implementing dynamic content on websites and is executed in your browser. This makes it possible to interpret user actions, and to create, update or adapt content on an ad-hoc basis.

The local storage is a file database of your browser, which stores data and settings beyond a browser session.

The session storage is a file database of your browser, which stores data and settings as long as your browser tab is open.

5.3. Which cookies and similar technologies do we use?

The Federal Portal website uses cookies and similar technologies as follows:

Technically necessary session cookies:

  • Session cookie: SESSION
    Purpose / application: Session cookies are created when you identify yourself to access your user account to ensure that the session for which you have logged in or identified yourself remains associated with you for the duration of your activity. The value is the session ID. 
    Validity period: Until you log out or close the browser
  • Session cookie: lb_document_access_token
    Purpose / application: A token consisting of 219 characters, which is stored in a session cookie after an online request has been sent so that you can download the application form as a PDF file.
    Validity period: 30 minutes
  • Session cookie: KC_RESTART
    Purpose / application: Set when accessing the user account.
    This cookie contains an encrypted value (token) with client information so that if the connection is lost, authorisation can be restarted using the client information.
    Validity period: End of session
  • Session cookie: AUTH_SESSION_ID and AUTH_SESSSON_ID_LEGACY
    Purpose / application: Set when accessing the user account.
    This cookie is used to identify the current session (session ID) for authorisation in the user account. The *_LEGACY cookie is set so that older devices will be supported as well.
    Validity period: End of session
  • Session cookie: KEYCLOAK_IDENTITY and KEYCLOAK_IDENTITY_LEGACY
    Purpose / application: Set after accessing the user account.
    Contains a token with the authenticated user ID of the account. The *_LEGACY cookie is set so that older devices will be supported as well.
    Validity period: End of session
  • Session cookie: KEYCLOAK_SESSION and KEYCLOAK_SESSION_LEGACY
    Purpose / application: Set when accessing the user account.
    ID of the current browser session on the Federal Portal. The *_LEGACY cookie is set so that older devices will be supported as well.
    Validity period: End of session

Technically necessary session and local storage objects:

  • Session storage object: what-input and what-intent
    Purpose / application: Simplifying usability to support accessibility. 
  • Session storage object: tabID and local storage object: lbTabAlive, lbActiveTabWithAntrag, userLogout
    Purpose / application: Supporting the filing of applications and avoiding data loss when several tabs are open. 
  • Local storage object: lbUserState 
    Purpose / application: Displaying/hiding the user icon during the login/logout process when several tabs are open.
  • Session storage object: flashmessage and flash-messages-v2
    Purpose / application: Ensuring that messages are only displayed once.

Validity period of all session and local storage objects: Until you close the browser tab in which you opened the website.

The session cookies, local and session storage objects are considered technically necessary in accordance with section 25 (2) (2) of the Act regulating Data and Privacy Protection in Telecommunications and Telemedia (Telekommunikation-Telemedien-Datenschutz-Gesetz, TTDSG). For this reason, they may be stored on your device without your consent, and the information they hold may also be accessed without your consent. Data collected by technically necessary cookies or storage objects are not used to create user profiles.

Web analytics/user statistics:

  • Cookie: isPiwikConsentSent
    Purpose / application: Initiating the web analytics via JavaScript and setting the required Piwik PRO cookies. 
    Validity period: 7 days 
  • Cookie: isTrackingConsentGiven
    Purpose / application: Avoiding repeated consent requests.
    Validity period: 7 days 
  • Cookie: _pk_id.<appID>.<domainHash> 
    Purpose / application: Randomly generated visitor ID to attribute activities clearly (unique visitor)
    Validity period: 1 day
  • Cookie: _pk_ses.<appID>.<domainHash> 
    Purpose / application: Session cookies serve to clearly assign the user (tracking ID) to the current session (by means of ID).
    Validity period: 30 minutes; the validity period is extended by another 30 minutes if a Federal Portal website/function is called up.
  • Cookie: _ppms_privacy.<appID>.<domainHash>
    Purpose / application: Saves the visitor's consent to the collection and use of data vis-à-vis Piwik Pro.
    Validity period: 1 day
  • JavaScript
    Purpose / application: JavaScript serves to read and analyse client data (such as: type of device, IP address, URL; for details, see section 5.4)
    Validity period: Newly delivered with each site.

In accordance with section 25 (1) of the Act regulating Data and Privacy Protection in Telecommunications and Telemedia, the cookies and similar technologies used for web analytics/user statistics purposes will be stored on your device only with your consent, and the information stored in those objects will be accessed only with your consent. 

Article 6 (1) (a) of the GDPR provides the legal basis for processing personal data using cookies.

Note: With any internet browser, you can see when cookies have been set and what they contain. Depending on which browser you use, you can set your browser to accept cookies in general, to accept only certain cookies or to reject all cookies. Your browser will usually also show you which cookies are stored on your device so that you can delete all or some of them.
Using your browser’s developer tools (DevTools/console) you can also view, manage or delete the local and session storage entries for the Federal Portal.

5.4 Which data do we process when gathering web analytics/user statistics?

The web analytics software Piwik PRO is used as a cloud service in order to provide information as needed and improve the functions of the Federal Portal. 

If you have accepted cookies and similar technologies in the web analytics banner (for more information on cookies and similar technologies used, see section 5.3), the Federal Portal will analyse your user behaviour and usage information in anonymous statistics to improve the functions of the Federal Portal.

When you open the individual pages of the Federal Portal website, the cookies mentioned above and JavaScript will be used to collect the following data:

  • IP address of the system you used to access the website, 
  • the time you opened the website,
  • the website accessed,
  • the website from which you arrived at the website accessed (referrer),
  • the sub-sites that you opened from the website accessed,
  • the length of time you spent on the website, 
  • how many times you accessed the website,
  • the country from which you accessed the website,
  • the type of device you used (PC, mobile phone, tablet), 
  • the operating system of your device and the browser you used,
  • the website you accessed upon leaving the Federal Portal, and
  • the language preferences stored in your browser.

We do not store your entire IP address; the IP addresses are masked (i.e. IPv4: 217.110.0.0 statt 217.110.196.152, IPv6: 2001:db8:0:8d3:0:0:0:0 instead of 2001:db8:0:8d3:0:8a2e:70:7344) so that the IP address cannot be traced back to the computer accessing the website.

The website recognises your browser using cookies and similar technologies (see section 5.3). Due to the privacy-friendly setting of these cookies, after one day, you will count as a new visitor when using this browser and carrying out activities with this browser.

Web analytics are disabled in the default settings. Use the following link to enable cookies and similar technologies (JavaScript) to allow the Federal Portal to gather and analyse the aforementioned data of your visit for anonymised statistical purposes, or to view or change your previous choice. 

View or change web analytics settings

Click on “Web analytics settings” in the footer to view or change your settings at any time. 

Your choice on web analytics on the Federal Portal will be stored in a cookie for seven days. After that period, you will once again be asked to make a choice.

In this context, the legal basis for processing personal data is Article 6 (1) (a) of the GDPR.

5.5. Which data do we process when gathering user statistics (visitor statistics)/feedback on services of the Single Digital Gateway of the European Union?

The Federal Portal is part of the Single Digital Gateway (SDG) of the European Union (EU), which provides cross-border access to online government services.

To improve the website and to increase your satisfaction with the information and services offered through the Single Digital Gateway, we gather user statistics and provide a feedback tool for you.

We compile the following information in statistics:

  • the URL of the site you visited within the SDG,
  • the time you opened the site,
  • the country from which you accessed the site,
  • the type of device you used (PC, mobile phone, tablet).

To compile the statistics, we collect the following data:

  • the operating system of your device and the browsers you use.

User feedback (if you have provided such feedback):

Questions related to the information and services provided (these are found at the end of the service description under the heading “Tell us your opinion!”).

  • Found what you were looking for (yes/no/partly)?
  • How do you rate this information (scale of 1 to 5)?

The answers you submit as user feedback are not linked to your IP address.

Statistics are collected on a monthly basis and transmitted to the EU. Your feedback is also transmitted on a monthly basis to the EU via the national feedback component (NFC).

Article 6 (1) (e) of the GDPR in conjunction with Article 24 of Regulation (EU) 2018/1724 on the Single Digital Gateway (SDG) in conjunction with Article 3 (1) of Commission Implementing Regulation (EU) 2020/1121 provides the legal basis for processing your personal data for the purpose of compiling user statistics. Article 6 (1) (e) of the GDPR in conjunction with Article 25 of Regulation (EU) 2018/1724 on the Single Digital Gateway (SDG) in conjunction with Articles 8 and 10 (2) of Commission Implementing Regulation (EU) 2020/1121 provides the basis for processing your feedback.

6. Data processing when you contact us

6.1. Which data do we process when you contact us via the support or feedback form?

When you send us a contact request using the support form or the feedback form provided on the Federal Portal (both forms are available via the footer at the bottom of each page), we record the following data:

  • the previous Federal Portal page you visited (called “referrer”),
  • the date and time you sent the message,
  • your name, phone number or email address if you have provided this information,
  • the content of your message.

If you send us a message via one of the two forms including your email address, we will assume that we are authorised to reply by email. If not, please specifically indicate how you wish to communicate with us.

The information provided through the forms is transmitted via an encrypted HTTPS connection.

If you do not consent to the processing of your data, you can cancel the process at any time and your message will not be submitted.

Depending on your browser, you may disable referrer tracking.

Article 6 (1) (e) of the GDPR in conjunction with section 3 of the Federal Data Protection Act provides the legal basis for processing your contact with us.

Your contact with us is processed by the competent service team. Your data will only be stored to respond to your message and in compliance with the legal and contractual requirements. They will be deleted as soon as they are no longer needed as evidence or for revision. If the service team is unable to respond, your message will be forwarded to the appropriate division of the Federal Ministry of the Interior and Community.

If your message is forwarded, it will be processed in accordance with the time limits for record retention given in the Registry Directive, supplemental to the Joint Rules of Procedure of the Federal Ministries (GGO).

6.2. Which data do we process when you send us a request by email?

If you send an email to the central poststelle@bmi.bund.de address or to poststelle@bmi-bund.de-mail.de, we process:

  • the email address from which you contacted us,
  • the date and time we received your email,
  • the content of your message.

If you contact us by email, we will assume that we are authorised to reply by email. If not, please specifically indicate how you wish to communicate with us.

Such data will be processed in line with section 3.1 of the general Privacy Policy of the Federal Ministry of the Interior and Community.

6.3. Which data do we process when you contact the Federal Portal service team by email?

If you send an email to support-bundesportal@bdr.de, we process:

  • the email address from which you contacted us,
  • the date and time we received your email,
  • the content of your message.

If you contact us by email, we will assume that we are authorised to reply by email. If not, please specifically indicate how you wish to communicate with us.

Article 6 (1) (e) of the GDPR in conjunction with section 3 of the Federal Data Protection Act provides the legal basis for processing your contact with us.

Your request will be processed by the service team. Your data will only be stored to respond to your message and in compliance with the legal and contractual requirements. They will be deleted as soon as they are no longer needed as evidence or for revision. If the competent service team is unable to respond, your message will be forwarded to the appropriate division of the Federal Ministry of the Interior and Community.

If your message is forwarded, it will be processed in accordance with the time limits for record retention given in the Registry Directive, supplemental to the Joint Rules of Procedure of the Federal Ministries (GGO).

6.4. Which data do we process when you contact the Federal Ministry of the Interior and Community by post?

If you write us a letter, the data you send (e.g. last name, first name, address) and the information contained in the letter (including, where applicable, personal data communicated by you) will be saved to enable your enquiry to be processed and so that we can contact you. At the Federal Ministry of the Interior and Community, such data will be processed in line with section 3.5 of the general Privacy Policy of the Federal Ministry of the Interior and Community.

6.5. Which data do we process when you contact the public enquiry service at the Federal Ministry of the Interior and Community by telephone?

If you contact the public enquiry service using the telephone number +49 (0) 30 16861 0, no personal data will be collected. Personal data will be collected only if you request a written response or ask to be called back.

Such personal data will be processed and stored in line with section 3.4 of the general Privacy Policy of the Federal Ministry of the Interior and Community.

6.6. Which data do we process when you contact the Federal Portal service team by telephone?

If you contact the Federal Portal service team using the telephone number +49 (0) 30 2598 4402, no personal data will be collected. Personal data will be collected only if you request a written response or ask to be called back. In these cases personal data will be processed and stored in line with section 6.1 above.

7. Forwarding your data to third parties

Data processing is carried out on behalf of the Federal Ministry of the Interior and Community by Bundesdruckerei GmbH, Kommandantenstr. 18, 10969 Berlin.  A contract in accordance with Article 28 (3) of the GDPR has been concluded with this service provider; the Federal Ministry of the Interior and Community remains responsible for data privacy issues.

8. Your rights as a data subject

8.1. Your rights

You have the following rights vis-à-vis the Federal Ministry of the Interior and Community with regard to personal data concerning you:

  • Right of access (Article 15 of the GDPR)
    This right gives data subjects comprehensive access to data concerning them and to a few other key criteria, such as the purpose of processing or the length of storage. Exceptions to this right are governed by section 34 of the Federal Data Protection Act (Bundesdatenschutzgesetz).
  • Right to rectification (Article 16 of the GDPR)
    The right to rectification includes the option of having inaccurate personal data concerning the data subject corrected.
  • Right to erasure (Article 17 of the GDPR)
    The right to erasure includes the option of having data concerning the data subject deleted by the controller. However, such data may be deleted only if they are no longer needed, if they were processed unlawfully or if consent covering their processing has been withdrawn. Exceptions to this right are governed by section 35 of the Federal Data Protection Act (Bundesdatenschutzgesetz).
  • Right to restriction of processing (Article 18 of the GDPR)
    This right enables data subjects to temporarily prevent further processing of personal data concerning them. Such a restriction is used above all when data subjects are examining whether to claim other rights.
  • Right to data portability (Article 20 of the GDPR)
    The right to data portability gives data subjects the option of receiving from the controller the personal data concerning them in a commonly used and machine-readable format in order to have them transmitted to another controller. According to Article 20 (3) sentence 2 of the GDPR, this right does not apply if the data processing is necessary to perform a task in the public interest.
  • Right to object to collection, processing and/or use (Article 21 GDPR)
    This right enables data subjects to object, on grounds relating to their particular situation, to the further processing of their personal data when the justification for this processing is based on the need to perform public tasks or to exercise public and private interests. Exceptions to this right are governed by section 36 of the Federal Data Protection Act (Bundesdatenschutzgesetz).
  • Right to withdraw consent (Article 7 (3) of the GDPR)
    If the personal data are processed on the basis of consent, data subjects can withdraw their consent at any time for the purpose in question. The lawfulness of processing on the basis of the consent remains unaffected until notification has been received that consent has been withdrawn.

8.2. How to assert your rights

You can assert your rights online or using contact details provided in section 2 above.

Under Article 77 of the GDPR, you also have the right to lodge a complaint with a data protection supervisory authority. In Germany, this is the Federal Commissioner for Data Protection and Freedom of Information.

You may also submit questions and complaints directly to the data protection officer at the Federal Ministry of the Interior and Community mentioned in section 2 above.