Data protection – an integral part of our company

The party responsible for data processing in connection with the provision of this website and the associated functions is

Bundesdruckerei GmbH

Kommandantenstraße 18

10969 Berlin

E-mail: info@bundesdruckerei.de

which makes the decisions on and designs Bundesdruckerei Group GmbH’s external communications.

If you wish to contact the Data Protection Officer of Bundesdruckerei, please write to the above address, adding “Attn Data Protection Officer” or send an e-mail to datenschutz@bdr.de

You can reach the Data Protection Officer of Bundesdruckerei Gruppe GmbH using the above contact details.

2.1    Categories of Data, Purpose of Processing and Legal Basis

When you use this website, we regularly process the following categories of personal data:

• contact details, including your first and last name, e-mail address or telephone number (which you provide voluntarily when registering), contact requests sent, participation in surveys, etc.;
• information provided as part of a support request;
• information automatically sent to us by your web browser or device, such as your IP address, device type, browser type, previously visited websites, visited subpages, or the date and time of your request.

We process your personal data for the following purposes:

• to enable you to use the services and functions of this website and
• to process your request.

The processing of personal data is necessary to achieve the stated purposes. More details on this are provided later on in the data protection information. Extensive information is provided on the individual processing activity along with the legal basis for processing your personal data.

2.2    Use of Cookies

When you visit our website, we collect personal data via your Internet browser and by using session cookies – which are necessary for technical reasons – during your active connection. These session cookies enable us to make the website available. They usually expire at the end of the session.

Most browsers are set to accept cookies automatically. You can also deactivate the storage of cookies or set your browser to notify you as soon as cookies are sent. By using session cookies, we receive the following information:

• date and time the website was accessed,
• web browser, operating system and device type,
• complete IP address of the requesting device and referrer URL,
• volume of data transferred.

The legal basis for the storage of information in the end user’s terminal equipment is Section 25 (2) No. 2 of the Telecommunications Digital Services Data Protection Act (TDDDG). The use of session cookies is essential for us as the provider of this website (digital service) to ensure its availability as expressly requested.

2.3    Processing of Log Files

Every time you access this website or retrieve a file, data about this process is temporarily processed in a log file. More specifically, personal data is stored to the same extent as when session cookies are processed.

This data is analysed in the event of attacks (e.g., DDoS attacks) on the communication technology and, if necessary, used to initiate legal and criminal proceedings. These log files are deleted no longer than seven days after being collected. The legal basis for this processing of your personal data is Art. 6 (1) sentence 1 (f) GDPR. Our legitimate interest is the clarification of security-related incidents.

3.1      Newsletter

The following information explains the content of our newsletter, the registration, dispatch and statistical evaluation processes and your rights of revocation.  We send newsletters with promotional information only with the recipient’s consent or where legally permitted. Our newsletters contain information on our products, offers, campaigns and innovations from the Bundesdruckerei Group.

3.1.1   Registration/Double Opt-In Procedure

To receive the newsletter, you must provide your e-mail address. The disclosure of your first name(s) and surname is optional. Registration takes place via the double opt-in procedure. This means that, after subscribing, you will receive an e-mail in which you are asked to confirm your subscription. This confirmation is necessary so that no one can log in with another person’s e-mail address. The subscriptions to the newsletter are logged to ensure compliance with legal requirements. In this process, we store the IP address, the date and time of registration and confirmation, as well as any subsequent changes. The legal basis for this storage is Art. 6 (1) sentence 1 (f) GDPR. Our legitimate interest lies in being able to prove, if required, that informed consent to receiving the newsletter was given. After careful consideration, predominant competing interests on the part of visitors to the website are not evident.

The legal basis for sending the newsletter and processing your personal data is your voluntary and informed consent in accordance with Art. 6 (1) (a) GDPR.

3.1.2   Shipping Service Provider

The newsletter is sent using the Evalanche application from SC-Networks GmbH, Würmstraße 4, 82319 Starnberg. There is an order processing relationship within the meaning of Art. 28 GDPR. The Evalanche data protection regulations can be viewed here: SC-Networks GmbH.

3.1.3   Statistical Evaluation

We conduct statistical evaluations of the interaction with our newsletters in order to constantly improve the design of our newsletters and to tailor our content to the interests of our users or to enable us to send different content based on the individual preferences of our users. Two cookies called “ewafut” and “ewafutano” are also used for this purpose. Technical information is collected, such as information on the browser type and operating system as well as your IP address and the time of access. The statistical analyses also track whether and when the newsletter is opened and which links are clicked. This information can be linked to individual newsletter recipients. The legal basis for the use of cookies and their statistical evaluation is, as with the processing of your personal data for sending the newsletter, your voluntary and informed consent, here in accordance with Section 25 (1) TDDDG (use of cookies) or Art. 6 (1) sentence 1 (a) GDPR (data processing). The cookies have an operational lifetime of 24 months.

The query regarding whether you wish to subscribe to a newsletter is made via various survey masks (e.g., pop-up modules). You have the option at this point of granting your consent for the purposes described above or refusing to grant your consent by clicking on “Close window”. We use another cookie called “exit-popup” or “exit-intent” to immediately prevent the pop-up module or exit-intent module from being displayed again if you do not give your consent. This technically necessary cookie has an operational lifetime of 21 days and serves the sole purpose of storing the consent status. The legal basis for the use of this cookie is Section 25 (2) No. 2 TDDDG.

Revocation: Your consent is valid until its revocation, which you are entitled to declare at any time with effect for the future. You can unsubscribe from e-mail communication at any time. The “Unsubscribe” link is provided at the end of each newsletter e-mail. Or you can send us an e-mail to datenschutz@bdr.de. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of consent prior to the revocation.

Please note that, if you revoke your consent to the use of Evalanche, you will be deleted from our newsletter mailing list and will no longer be able to receive the newsletter. If you revoke your consent, the consent data will be stored for a reasonable period of time but will be blocked from further processing. The legal basis for this is Art. 6 (1) sentence 1 (f) GDPR due to our legitimate interest in being able to prove, in cases of doubt, that consent was given to receive our newsletter at a certain point in time.

3.2 Premium Content

On our website, we provide Premium Content, such as whitepapers, for download. Such content relates to specific topics and is extensively processed. In connection with the provision of premium content, we ask you to give your consent to the use of your e-mail address, your first name and surname and your company for the purpose of sending newsletters for Bundesdruckerei Group services. Please refer to point 3.1 of this Privacy Policy to find out what your consent covers in detail, how we proceed in the event of your consent, which evaluations we carry out, and the option of revocation.

Your e-mail address is processed on the basis of your consent within the meaning of Art. 6 (1) sentence 1 (a) GDPR. You provide us with your personal data voluntarily in return for the opportunity to use Premium Content. Without linking your consent to the receipt of Premium Content, it would not be commercially viable for us to offer this Premium Content. Once the registration process has been fully completed (cf. 3.1) we will send a link to the e-mail address provided, which will allow you to access or download the desired content.

We can also use the e-mail address to determine whether the user has already been in contact with us or whether they have already registered for other Premium Content. This assignment is made on the basis of Art. 6 (1) sentence 1 (f) GDPR. Avoiding duplicates and correlating which contacts have accessed which content is considered legitimate within the purpose of this regulation.

3.3 Press Distribution List

The press distribution list receives press releases from the member companies of the Bundesdruckerei Group. The provision of your e-mail address is necessary for inclusion in the Bundesdruckerei Group press distribution lists. Providing your first name(s) and surname is compulsory; information on your medium is voluntary.

Registration / double opt-in procedure: As part of the double opt-in procedure and prior to delivery by the press distribution list, you must expressly confirm that we may add you to the press distribution list. You will therefore receive a confirmation and authorisation e-mail from us for this purpose. We will ask you to click on the link included in the e-mail to confirm to us that you would like to receive our press releases. Please refer to the remarks in Point 3.1 for further details of the type and scope of the data processing related to the double opt-in procedure. No statistical data is collected from the subscribers, and no analyses are conducted.

Revocation:

Your consent is valid until its revocation, which you are entitled to declare at any time with effect for the future. You can unsubscribe from the press distribution list via the following link: press mailing list unsubscribe or by sending an e-mail to Datenschutz-Request@bdr.de. Revoking consent has no effect on the lawfulness of the processing carried out on the basis of the consent until the time of revocation.

We have provided a contact form for you to get in touch with us. You can choose whether to have us respond to your enquiry by telephone or by e-mail. You can specify this in a free text field after you have preselected the topic of your enquiry. This will enable us to find the right contact person in the Bundesdruckerei Group as quickly as possible. Possible recipients of your data are therefore the internal employees who respond to your request, along with companies belonging to the Group that are affected by your request.

If you want to schedule a consultation appointment via the contact form, you have the option of specifying an initial non-binding preferred date. In order for our consultation team to contact you to arrange a binding consultation appointment, we first need your confirmation that you are the owner of the e-mail address you provided. This confirmation is done by means of a double opt-in procedure. This means that, after you have requested an appointment, you will receive an e-mail from us asking you to confirm your request. Appointment requests are logged to allow us to verify the appointment confirmation process in accordance with the statutory requirements. In this process, we store the IP address, the date and time of registration and confirmation, as well as any subsequent changes.

The legal basis for this storage is Art. 6 (1) sentence 1 (f) GDPR. In cases of doubt, our legitimate interest lies in our being able to prove that we have permission to contact you for the purpose of scheduling a specific consultation appointment. After careful consideration, predominant competing interests on the part of visitors to the website are not evident. The Evalanche application from SC-Networks GmbH, Würmstraße 4, 82319 Starnberg, is used to process appointment scheduling. There is an order processing relationship within the meaning of Art. 28 GDPR. The Evalanche data protection regulations can be viewed here: SC-Networks GmbH.

Some fields are not mandatory. Nevertheless, if you choose to provide the corresponding information, you consent to us processing your personal data for the purpose of responding to your enquiry. If you also consent to receiving our newsletter when scheduling an appointment, we will proceed as described in Section 3.1.

The legal basis for processing your personal data in connection with the contact request is Art. 6 (1) sentence 1 (b) GDPR if you are interested in further information about our products. However, if you pursue a different request, we will process your personal data in accordance with Art. 6 (1) sentence 1 (f) GDPR on the basis of our legitimate interest in responding to your request and providing information about our products and services.

We operate a company page on popular business networks in order to reach our potential future colleagues in an optimum way. The following data protection information therefore applies for the processing of personal data within the portals.

5.1 LinkedIn

When you visit, follow or explore our LinkedIn company page, LinkedIn processes personal data about this interaction, enabling us to analyse user behaviour through statistical evaluations. This involves the “Page Insights” function. For these statistical analyses, LinkedIn primarily processes the data you provide to the platform via information in your profile. In addition, LinkedIn processes information about how you interact with our LinkedIn company page, such as whether you are a follower of our LinkedIn company page. When we organise “polls” – post topic-related surveys on our company website – we see evaluations of the voting behaviour.

LinkedIn does not provide us with any personal data via Page Insights. We only have access to summarised Page Insights that do not allow any conclusions to be drawn about individual members.

Personal data from Page Insights is processed by LinkedIn and us as joint controllers. Analysis of the actions on our LinkedIn company page supports our constant efforts to align our public relations work with the needs of users. The legal basis for processing this data is Article 6 (1) (f) GDPR.

We have entered into a joint controllership agreement with LinkedIn, which sets out the allocation of data protection obligations between us and LinkedIn. Click here to view the agreement. Under data protection law, the company is the sole party responsible for processing personal data within the LinkedIn platform. Further information on the processing of personal data by LinkedIn is available here.

Please note that LinkedIn processes personal data in the USA or other third countries. For the USA, the European Commission has reached a decision on the existence of an adequate level of protection (see Art. 45 (3) GDPR) on the basis of the Transatlantic Data Privacy Framework (DPF) of 10 July 2023. LinkedIn is certified in accordance with the DPF. LinkedIn only transfers personal data to countries for which the European Commission has issued an adequacy decision in accordance with Art. 45 GDPR or on the basis of suitable guarantees in accordance with Art. 46 GDPR.

5.2 XING and kununu

Our XING company page is provided on the platform of New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany. If you visit our site and are logged into your XING account at the same time, XING can link your visit to our website to your XING account. If you log out beforehand, XING will not be able to create such a link. The way in which XING collects and processes your data and the purposes for which this is done is available in XING’s privacy policy, which is accessible here.

Whenever you visit the service, cookies and similar technologies such as pixels may be used to collect information about your use of the service and to provide you with features. In addition, advertisers or other partners of XING may place cookies or similar technologies on your device. You have the option of restricting the processing of your data in the privacy settings of your profile. Information on the privacy settings is available here.

Depending on the mobile device in question, you can restrict the service’s access to contact and calendar data, photos, location data, etc. in the settings options. However, this will depend on the operating system used.

We process data entered by you on XING via our company page on the XING platform, particularly your (user) name. We process the content published under your account by sharing your posts or by responding to them. We may also write posts that refer to your profile and your content, thereby bringing them to the attention of our followers.

The legal basis for this data processing is Art. 6 (1) lit. f GDPR. Our legitimate interest is the interaction with potential employees and the presentation of the Bundesdruckerei Group within the network. You can object to this data processing at any time. Further information on this is available under the heading “Data Subject Rights” below.

Kununu is also a brand operated by New Work SE. As a user of kununu, you can request the data that is stored about you in this application via the following link: https://www.kununu.com/user/inquiry. Further information on data processing within the scope of the entire XING service and its applications (such as kununu) is available in the data protection information provided by Xing.

5.3 Integration of YouTube Videos

Our website integrates videos from YouTube. The video platform provider is Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin, Ireland. A connection to the YouTube servers is not established until you call up an embedded video (two-click method). Once you do, the YouTube server is informed about which of our pages you have visited. YouTube also obtains your IP address in this way. This is true even if you are not logged in to YouTube or do not have a Google account. By being logged in to your Google account while on YouTube, you allow Google to directly link your browsing behaviour to your personal profile. You can prevent this by logging out of your Google account on YouTube. By confirming the loading of the embedded YouTube video, your IP address could be read by the Google Fonts tool used by YouTube and forwarded to Google, over which we have no influence. For this reason, please load embedded YouTube videos only if you agree to such data forwarding.

Personal data is generally transferred to Google servers (Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA) in the USA and stored there. However, due to the activation of IP anonymisation “_anonymizeIp()”, the IP address will be shortened by Google within member states of the European Union or in other states that are party to the Agreement on the European Economic Area. For the USA, the European Commission has reached a decision on the existence of an adequate level of protection (see Art. 45 (3) GDPR) on the basis of the Transatlantic Data Privacy Framework (DPF) of 10 July 2023. Google has a corresponding certification in accordance with the DPF. Further information on the handling of personal data is available in the data protection information provided by Google.

The legal basis for processing is your voluntary and informed consent according to Art. 6 (1) (a) GDPR, which you can revoke at any time with future effect. The legality of the data processing carried out until the time of such revocation remains unaffected by the revocation. See Google’s data protection information for more details on the handling of user data.

Ensuring compliance with legal regulations and internal rules, such as our Code of Conduct and our Code of Conduct for Business Partners, is a top priority for the Bundesdruckerei Group. This applies to both our own business division as well as our supply chains.

It is important to us that risks be identified at an early stage and violations avoided as far as possible. We want to initiate appropriate countermeasures in good time and avoid potential damages for data subjects, customers, employees, business partners and our company Group.

We have therefore established an independent, impartial and confidential whistleblower system that allows internal and external whistleblowers to report anonymously.

We enlist the support of the transparent complaints procedure to ensure the greatest possible protection, particularly for data subjects, the whistleblowers and the employees involved in investigating the reported issues. All actual and alleged violations of legal requirements, the Code of Conduct and the Code of Conduct for Business Partners can be reported under the complaints procedure. Likewise, the subject of a report may involve human-rights or environmental risks or breaches of duty anywhere along the supply chain of our Group companies and in our own business division.

Rapid, standardised processes plus confidential and professional processing of tips by internal experts form the foundation of this system, which is based on the principle of fair proceedings.

Discrimination or punishment of whistleblowers and persons entrusted with the handling of complaints and tips is not tolerated.

The aforementioned complaints procedure is applicable to Bundesdruckerei Group GmbH and the Group companies Bundesdruckerei GmbH, Maurer Electronics GmbH, genua GmbH, D-Trust GmbH, Maurer Electronics Split d.o.o, Inco Sp. z o.o. and Xecuro GmbH (collectively the “Bundesdruckerei Group”).

6.1    Categories of Personal Data

The report can be made anonymously. In this case, no personal data of the whistleblower is processed.

The categories of personal data processed depend on the information reported. If the whistleblower reports personal data about another person, including that of the person or persons being reported on, this personal data will also be processed. The following categories of personal data may be processed:

• General personal data (name, address, e-mail address, telephone number, position, etc.)
• Personal data relating to criminal convictions or suspicion thereof
• Special categories of personal data (information revealing racial or ethnic origin, political opinions, religious or philosophical convictions or trade union membership, data concerning health and data concerning a person’s sex life or sexual orientation)

We advise the whistleblower to only report information that is of specific relevance to the reported case and, in particular, to refrain from reporting sensitive information unless it is of central importance for processing the reported case.

6.2 Purpose and Legal Basis of Data Processing

The purpose of processing personal data is the management of the whistleblower system, including the detection of serious violations or potential violations of applicable law or other serious matters.

The processing of personal data is necessary for fulfilling legal obligations to which we are subject; see Art. 6 (1) sentence 1 (c) GDPR. This is the law for better protection of whistleblowers (Whistleblower Protection Act – Hinweisgeberschutzgesetz, HinSchG).

The purpose of processing the data is to safeguard our legitimate interest in detecting serious violations or potential violations of applicable law or other serious matters pursuant to Art. 6 (1) sentence 1 (f) GDPR.

As far as the processing of special categories of personal data is concerned, processing on the basis of the Whistleblower Protection Act is necessary for reasons of substantial public interest; see Art. 9 (2) (g) GDPR. Special categories of personal data are processed pursuant to Art. 9 (2) (f) GDPR in conjunction with. Art. 6 (1) sentence 1 (f) GDPR for the establishment, exercise or defence of legal claims.

A data subject is anyone who is the subject of the report. Data subjects may be employees, contractual partners or anyone else who is professionally associated with us. Additionally, we process personal data of the individual providing the information if they share their contact details or any other information that identifies them. Whistleblowers must therefore be aware that we may process personal data about them in connection with processing the reported case.

6.3     Recipients of Personal Data

The reports are documented as a process in the WhistleB System at Bundesdruckerei GmbH. After being evaluated, the processes are passed on internally to the responsible departments, and any necessary

follow-up measures are initiated. If a report concerns one of the Group companies of the Bundesdruckerei Group, these processes are forwarded to the responsible persons of the respective Group company and evaluated internally by the responsible person, and any necessary follow-up measures are initiated. Personal data is only passed on for a specific purpose and in accordance with the principle of data minimisation; in other words, only the personal data that is absolutely necessary to process the report is passed on.

We disclose personal data about the whistleblower to authorities if this is necessary for dealing with serious offences or serious matters or for ensuring the right of defence of the data subjects. In other cases, personal data about the whistleblower is only passed on with the consent of the whistleblower. Personal data about persons other than the whistleblower is only passed on as part of following up on a reported case or dealing with serious offences or serious matters.

The reporting platform is provided by the processor, WhistleB Whistleblowing Centre AB, Stockholm, Sweden. Further information on WhistleB, Whistleblowing Center AB is available to read in the Terms of Use.

6.4     Obligation to Provide Personal Data

There is no obligation to provide the personal data listed under section 6.1, as it is also possible to report anonymously. However, it may not be possible for us to process the report without being provided with personal data.

6.5 Storage Duration

Personal data that proves to be irrelevant for the processing of a reported case, along with reports that we consider to be unfounded, are immediately categorised as “irrelevant”, and any personal reference (unless it is already an anonymous report) will be removed. This report will then be archived initially (without personal reference) but not yet deleted in order to guarantee the legally required documentation obligation and statutory deletion period arising from Section 11 (1), (5) HinSchG. Archived cases are used exclusively to fulfil documentation obligations and can therefore no longer be called up for processing.

Reports and personal data collected in the course of processing a report form the basis for further processing and are anonymised as soon as possible. However, if the need for follow-up measures within the meaning of Section 3 (8) and Section 18 HinSchG arises, it is possible that deviating from anonymisation will become necessary due to an official order or to secure legal claims. In this case, unless otherwise specified (e.g., by a court order), pseudonymisation is generally striven for. The documentation will be deleted three years after completion of the procedure. The documentation may be kept for longer in order to fulfil the requirements of this Act or other legislation – as long as this is necessary and appropriate. 

In order to obtain information about the behavior of users when they visit our websites, we use the web tracking tool etracker from etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany. To count visitors, we only use data that the browser transmits anyway. However, for the further purpose of ‘analyzing user behavior’, we anonymize this data so that we do not create user profiles. Web analysis is therefore not carried out on the basis of personal data, but with the help of so-called ‘cross device IDs’ which cannot be referenced to individual users.  

The legal basis for the processing of your personal data to analyze your user behavior is your voluntary and informed consent in accordance with Art. 6 (1) (a) GDPR. You can revoke your consent at any time with future effect by sending an e‑mail to: Datenschutz-Request@bdr.de. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

8.1 Description of the Processing Activity

We use the “Friendly Captcha” service to make automated access – such as by bots – more difficult. A bot is a computer program that performs repetitive tasks largely automatically without being dependent on any interaction with a human user. When a website protected by “Friendly Captcha” is accessed, the program code integrated into the page generates a short calculation task (“puzzle”). The visitor’s end device receives this puzzle request, calculates a solution and sends it back to our web server, which in turn has the “Friendly Captcha” server validate whether the task has been solved correctly. Website access can only be continued following successful validation. This makes it more difficult for bots to obtain access or call up web pages on a massive scale.

8.2 Data Subjects and Categories of Personal Data

All visitors to our websites on which Friendly Captcha is active are affected by data processing. The following data in particular is processed as part of the puzzle calculation and validation:

• Connection data (e.g., browser type, operating system, user agent, referencing website, timestamp of the request)
• IP address, but only in hashed (one-way encrypted) form
• Environment data (e.g., device properties such as available fonts, screen resolution, browser and language settings, local time)
• Interaction data (e.g., non-content keystrokes of functional keys, scroll movements, window changes)
• Functional data (e.g., session IDs, version and status information on the protection software, number of repeated connection attempts)

8.3 Purposes and Legal Basis for Processing Personal Data

The legal basis for processing the aforementioned data is Art. 6 (1) sentence 1 (f) GDPR. We have a legitimate interest in ensuring the security and functionality of our websites and in offering all users a stable user experience.

The legal basis for the storage of information in the end user’s terminal equipment is Section 25 (2) No. 2 of the Telecommunications Digital Services Data Protection Act ( TDDDG). The short-term storage and read processes serve to protect the website from abusive automated access and to thereby ensure the stability of our online offering and are therefore necessary from a technical standpoint.

8.4 Recipients of Personal Data

In the course of the validation process, the data required for the puzzle and its verification are transmitted to our servers and temporarily to the Friendly Captcha servers. Friendly Captcha is our processor within the meaning of Art. 28 GDPR. No further transmission to third parties will take place unless there is a legal obligation it to be disclosed.

8.5  Storage Duration

The data collected during validation is only stored for as long as is necessary to carry out and document the puzzle request. IP addresses are processed exclusively in hashed form. No long-term analysis is conducted. Temporary log entries may be retained for troubleshooting or security tracking purposes; however, they will be deleted as soon as the respective purpose has been achieved, and no later than after 30 days.

8.6  Necessity of Providing Personal Data

Processing the aforementioned information is necessary for the secure and trouble-free operation of our websites. Without this technical data (e.g., browser information, solved puzzle), it would not be possible to recognise automated access, meaning there would be no effective protection against bots. Accordingly, it is only possible for our website to be used with the provision of this data – in pseudonymised form – which is equally in your and our interest in order to ensure a stable, functional online offering.

Goods or digital services to be provided (e.g., merchandise, software, technology) and the cross-border transfer thereof may be subject to German, European, Chinese or US export control regulations. The respective client is responsible for the cross-border provision of the goods and digital services provided by Bundesdruckerei and must ensure that no natural persons or legal entities, organisations or institutions are involved in the execution of the contract or benefit from the execution of the contract that are on an EU or United Nations sanctions list. This also applies with regard to natural persons or legal entities, organisations or institutions that are on the sanctions lists of other governments, with the exception of such listings that are based on the legal acts listed in the Annexes to Regulation (EC) No. 2271/96 and/or that are directed against a state against which neither the United Nations nor the EU nor the Federal Republic of Germany have adopted any economic sanction measures.

If Bundesdruckerei is obliged as the actor responsible for exports to carry out export controls and sanctions list comparisons in individual cases due to a deviating constellation, this is done on the basis of Art. 6 (1) sentence 1 (f) GDPR and of our legitimate interest in not entering into business relationships with persons/entities on the relevant sanctions lists and of being able to fully avoid the penalties that would result. In the case of false matches, the date of birth, place of birth, nationality and name at birth are used.

We take all necessary technical and organisational security measures to protect your personal data from loss and misuse. For example, your data is stored in a secure operating environment that is not accessible to the public.

Personal data may be transferred within the Bundesdruckerei Group to other Group companies for the aforementioned purposes if this is necessary to fulfil the aforementioned purposes.

Personal data is also disclosed to courts, regulatory authorities or law firms to the extent legally permissible and necessary to comply with applicable law or to assert, exercise or defend against legal claims.

If we work with service providers, such as providers of IT maintenance services, they only act on our instructions and are contractually obliged to comply with the applicable data protection requirements. Bundesdruckerei remains responsible for the data processing.

If no explicit retention period is specified when personal data is collected (e.g., as part of a declaration of consent) or within the descriptions of this data protection information, personal data is deleted as soon as it is no longer required for the purposes for which it was collected unless statutory retention obligations (e.g., retention obligations under commercial and tax law) prevent such deletion.

The following general time limits apply to storage and archiving in accordance with German law:

• 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets along with the work instructions and other organisational documents, accounting documents and invoices required for their understanding (Section 147 (3) in conjunction with (1) Nos. 1, 4 and 4a of the Tax Code (Abgabenordnung, AO), Section 14b (1) of the Value Added Tax Act (Umsatzsteuergesetz, UStG), Section 257 (1) Nos. 1 and 4, (4) of the Commercial Code (Handelsgesetzbuch, HGB).
• 6 years – Other business documents: commercial or business letters received, reproductions of commercial or business letters sent, other documents insofar as they are of significance for taxation, such as hourly wage slips, company accounting sheets, calculation documents, pricing, and also payroll accounting documents insofar as they are not already accounting documents and cash register receipts (Section 147 (3) in conjunction with (1) Nos. 2, 3, 5 AO, Section 257 (1) Nos. 2 and 3, (4) HGB).
• 3 years – Data required for considering potential warranty and compensation claims or similar contractual claims and rights and for processing related inquiries based on past business experience and standard industry practices is stored for the duration of the regular statutory limitation period of three years (Sections 195, 199 BGB).

You have the following rights in accordance with the GDPR:

Right to Information

You have the right to request information from us at any time about all data that we store about you pursuant to Art. 15 GDPR. In particular, this includes information about 

• the purposes for which we process your data,
• the categories of data that we process concerning you,
• the specific recipients or, if these are not known, the categories of recipients to whom we transfer your data,
• the duration for which we store your data or, if this cannot be determined, the criteria under which we store your data and,
• if applicable, the origin of the data if we have not collected it from you.

Right to Rectification

If your data processed by us is incorrect or incomplete, you may ask us to rectify or complete this data at any time in accordance with Art. 16 GDPR.

Right to Erasure (Being Forgotten)

If the original legal basis for the data processing no longer applies or if you have revoked your consent or objected to the processing or if we are no longer permitted to process your data for another of the reasons stated in Art. 17 (1) GDPR, you can request that we erase the personal data concerning you in accordance with Art. 17 GDPR.

This right does not apply if processing is necessary to exercise freedom of expression and information, protect public interests, comply with a legal obligation or to assert, exercise or defend legal claims.

Right to Restriction

Pursuant to Art. 18 GDPR, you may also request that the processing be restricted. You are entitled to this right if you dispute the accuracy of the data, if the processing is unlawful, if we no longer need the data for the stated purposes or if you have objected to the processing and if we are not otherwise permitted to process the data lawfully in the latter two cases.

Right to Data Portability

You can also ask us to transfer your data to you or another controller in a structured, commonly used and machine-readable format in accordance with Art. 20 GDPR.

Right to Revoke Consent

If your consent serves as the legal basis for processing your data, in accordance with Art. 6 (1)(1) (a) or Art. 9 (2) (a) GDPR, you may revoke it at any time pursuant to Art. 7 (3) GDPR. If you revoke your consent, we will cease processing your data; however, the lawfulness of processing conducted prior to the revocation will not be affected.

Right to Lodge a Complaint with a Supervisory Authority

You can also lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. As a rule, this should be the supervisory authority of your usual place of residence or workplace; alternatively, you can also address your complaint to the supervisory authority of our company headquarters.

RIGHT OF OBJECTION

IN ACCORDANCE WITH ART. 21 GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA IF WE PROCESS YOUR PERSONAL DATA SOLELY ON THE BASIS OF OUR LEGITIMATE INTERESTS AND THERE ARE GROUNDS RELATING TO YOUR PARTICULAR SITUATION. IF YOUR OBJECTION IS DIRECTED AGAINST DIRECT ADVERTISING, YOU HAVE A GENERAL RIGHT TO OBJECT WITHOUT STATING SPECIFIC REASONS.

YOU CAN DECLARE YOUR OBJECTION BY SENDING AN E-MAIL TO DATENSCHUTZ-REQUEST@BDR.DE.