Using personal data responsibly has a high priority at the Bundesnachrichtendienst (BND). We want users to know which data the BND collects and uses, and when.
This privacy statement applies when you visit our website, our social media channels or our visitor centre, or if you contact us directly or participate in the CTF challenge.
We process personal data only to the extent necessary. Which data are required and processed for what purposes and on what basis mainly depends on the type of service you choose and for what purpose the data are needed.
We have taken technical and organisational measures ensuring that we and our external service providers comply with data protection regulations.
The BND processes personal data for the purposes mentioned above in compliance with the EU’s General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).
1. General information
1.1 Controller and data protection officer
Responsibility for the processing of personal data lies with
Bundesnachrichtendienst
P.O. Box 45 01 71
12247 Berlin
If you have any specific questions about the protection of your personal data, please contact the BND Data Protection Officer:
Die Datenschutzbeauftragte im Bundesnachrichtendienst
P.O. Box 45 01 71
12247 Berlin
Germany
Email: datenschutzbeauftragter@bnd.bund.de
1.2 Personal data
Personal data is any information relating to an identified or identifiable natural person. Natural persons are considered identifiable if they can be identified directly or indirectly – especially by linking them to an identifier such as a name, an identification number, location data, or an online reference number.
1.3 Protection of minors
Individuals under the age of 18 should not submit any personal data to us without the prior consent of their parents or guardians. Should the data be required for visiting the BND, point 6 applies. The data will not be disclosed to third parties.
1.4 Legal basis for processing personal data
The Bundesnachrichtendienst processes personal data as it carries out its assigned responsibilities. The processing of personal data in this context is legally based on Article 6 (1) (e) of the General Data Protection Regulation (GDPR) in conjunction with the relevant national or European standards, or in conjunction with Section 3 of the Federal Data Protection Act (BDSG). Insofar as the processing of personal data is, in individual cases, required in order to fulfil a legal obligation, this is based on Article 6 (1)(c) of the GDPR in conjunction with the relevant legal provisions under which the legal obligation arises.
Insofar as we obtain the consent of the data subject to process his/her personal data, Article 6 (1)(a) GDPR serves as the legal basis.
In individual cases, the processing of personal data required for the performance of a contract to which the data subject is a party is based on Article 6 (1)(b) GDPR.
This also applies to processing operations necessary for the implementation of pre-contractual measures. As a contracting party under civil law, the Bundesnachrichtendienst is particularly active in the field of personnel recruitment and procurement.
In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Article 6 (1)(d) GDPR serves as the legal basis.
2. Data processing related to visiting this website
2.1 Data collection
On our website, there are various contact forms that can be used to electronically get in touch with various units inside the BND. If users choose one of these options, the data entered in the input form are transferred to us via an SSL encrypted https connection and stored.
You can also contact us using the email address provided. In this case, the transmitted personal user data are also stored. How we process personal data when you contact us is described in number 3.
Every time a user accesses our website and retrieves a file, data are temporarily saved in a log file.
According to Article 6 (1)(e) GDPR in conjunction with Section 5 of the Act on the Federal Office for Information Security (BSI-Gesetz), we are also required to store data past the time of your visit in order to protect against attacks on the BND’s internet infrastructure and federal communications technology. These data are analysed and, in case of attacks on the communications technology, needed to initiate legal and criminal proceedings. These data are deleted as soon as they are no longer needed for official purposes.
Data logged when the BND website is accessed are shared with third parties only if we are legally obligated to do so, or if needed for legal or criminal proceedings in case of attacks on federal communications technology. Otherwise these data are not shared with third parties. The BND does not combine these data with other data sources.
2.2 Web analysis and cookies
Cookies are used on our website. Cookies are small text files which are stored on your hard disk via your browser and which retransmit certain information to the website setting the cookie. Cookies do not compromise the security of your computer and cannot cause any damage to it. Cookies improve the usability of our website. Cookies are used on the basis of Article 6 (1)(e) GDPR in conjunction with Section 3 BDSG.
On the one hand, the BND website uses session cookies that are required for the technical provision of the website. Session cookies are small units of information which a website provider saves to the random access memory of the visitor’s computer. A session cookie contains a randomly generated, unique identification number, known as a session ID. A cookie also contains information on its origin and how long it may be saved. The following data are stored and transmitted in these cookies:
- information about the browser
- language settings
These cookies are unable to store any other data. The session cookies used are deleted when you end the session.
On the other hand, the usage information generated by a first-party cookie is transferred to the servers of the Federal Information Technology Support Center (ITZBund), where it is stored and analysed by means of the Matomo web tracking tool.
See the privacy statement of ITZBund (in German only).
The generated information is only used for statistical purposes and to improve the website and the server and is deleted after 7 days. Your IP address is recorded on a purely anonymous basis and cannot be related back to you.
When individual pages of the BND website are retrieved, the following data are stored via Matomo:
- two bytes of the IP address of the user’s retrieving system (anonymous)
- the web page accessed
- the website from which the user arrived at the web page retrieved (referrer)
- the sub-pages retrieved from the web page retrieved
- length of time spent on the page
- how often the web page was retrieved
Most browsers are set to accept cookies by default. If you do not want cookies to be stored on your computer, you can change the settings of your browser. Cookies which have already been stored can also be deleted via the settings of the browser. However, disabling all cookies via the respective browser settings can limit the functions available on the website.
Any internet browser can indicate when cookies are set and what they contain. In this regard, the websites of the Federal Commissioner for Data Protection and Freedom of Information and the Federal Office for Information Security supply detailed information. There are also permanent cookies, which are used to recognize website visitors returning after a long absence. We do not use such cookies on our website.
3. Processing personal data when you contact us
Personal data are processed depending on how you contact us. A distinction is made between contact via email, contact form, letter or telephone.
If you send us a message via online form or email, we will assume that we are authorized to reply via email. If not, please indicate how you wish to communicate with us.
3.1 Contacting the Bundesnachrichtendienst via email
You can contact the Bundesnachrichtendienst using one of our various special mailboxes or the central email address (zentrale@bundesnachrichtendienst.de). Personal data sent to the central email address are deleted after they are forwarded to the responsible organizational units within the Bundesnachrichtendienst.
The data you send (such as name, first name, address), but at least your email address and the information contained in your message (including any personal data you provide) will be saved by the relevant organizational unit for the purpose of contact and responding to your message.
Please note that the data will be processed in compliance with Article 6 (1)(a and e) GDPR in conjunction with Section 3 BDSG. To respond to your message, it is necessary to process the personal data you provide.
3.2 Contacting the Bundesnachrichtendienst using the online forms
You may contact the Bundesnachrichtendienst using the online forms found on our website.
The information provided through the contact forms of the Bundesnachrichtendienst is transmitted via an encrypted https connection.
If you use this form to communicate, you will need to provide your name and first name as well as your email address. Without this information, the request you submitted via contact form cannot be processed. In addition, the date and time your message was sent and your IP address will be transmitted to us.
Please note that the data transmitted with the online form and its content (which may also include personal information you provide) will be processed on the basis of Article 6 (1)(a) GDPR for the purpose of responding to your message.
By ticking the box and submitting the form, you agree in accordance with Article 6 (1)(a) GDPR to have your personal data and IP address transmitted and stored. The IP address will be used only if needed for law enforcement and threat prevention purposes on the basis of applicable law.
If you do not consent to the processing of your data, you can cancel the contacting process at any time, and your message will not be submitted.
3.3 Contacting the Bundesnachrichtendienst by letter
If you write a letter to the BND, the data you send (such as name, first name, address) and the information contained in your letter (including any personal data you provide) will be saved for the purpose of contact and responding to your letter in accordance with Article 6 (1)(a and e) GDPR in conjunction with Section 3 BDSG. To respond to your message, it is necessary to process the personal data you provide.
3.4 Contacting the Bundesnachrichtendienst by telephone
If you contact the Bundesnachrichtendienst via the telephone number 030 – 41 46 457, no personal data will be collected. Data will only be collected if you request either a callback or a written notification.
4. Processing personal data when using social networks
The Bundesnachrichtendienst is active on Instagram, YouTube, Twitter and Xing. The Bundesnachrichtendienst has no influence on how Instagram Inc., YouTube, LLC., Twitter Inc. or New Work SE collect or use data.
The BND is not aware of how much data is stored, where and for how long, whether Instagram, YouTube, Twitter or New Work SE (Xing) comply with their obligations to delete data, how the data are analysed and connected and with whom the data are shared. Due to the fact that Instagram, YouTube and Twitter are not European service providers, they do not consider themselves bound by German data protection law. For example, this affects your rights to be informed, your rights to block or delete data or the ability to object to your data being used for advertising purposes. Details on what data are processed by Instagram, YouTube, Twitter or Xing for what purposes can be found in the privacy statements from Instagram, YouTube, Google, Twitter and Xing respectively.
5. Registration for and participation in CTF events
Through the company Compass Security Network Computing AG / the Hacking-Lab (*.hacking-lab.com / *.hacking-lab-ctf.com), the Bundesnachrichtendienst offers a CTF event (hacking challenge). The details below refer to the login page https://auth.ost-dc.hacking-lab.com/auth/realms/bnd/ and the challenge website https://bnd.hacking-lab.com/.
The location of data processing is Switzerland, for which an adequacy decision by the European Commission exists (Commission Decision 2000/518/EC of 26 July 2000, OJ 2000 L215 1).
If you are interested in participating in our CTF event, you will be asked to provide personal data like name and e-mail address and to choose a user name and a password. The data is needed for registration in order to set up a user account for participating in the CTF event. You will be able to use this account for repeated login and for requesting your results of the hacking challenge. If you participate in the hacking challenge, your solution results, the achieved score and the teacher feedback will be stored for this purpose.
You are at liberty to register with fake data. Personal data will not be passed on to third parties. If you do not agree to the processing of your data, you can cancel the registration process at any time. By providing personal data and confirming the terms of use at the end of the registration process, you agree to the processing of your personal data for the above-mentioned purposes.
The data in connection with the hacking challenge will be deleted 6 months after the end of the hacking challenge at the latest.
The Hacking Lab website uses so-called session cookies for the login process. Furthermore, certain information is recorded and stored in log files if you interact with the Hacking-Lab website. This information includes IP addresses and browser types, internet providers, URL of referrers / exit sites, operating systems, date/time stamps, search terms, language settings and preferences, identification numbers connected to your devices, your mobile phone providers and system configuration data.
Log and session data will be deleted after a maximum of 14 days.
6. Visitors
The BND regularly welcomes groups for informational visits. The Bundesnachrichtendienst visitor centre can be contacted by mail.
On the Bundesnachrichtendienst web pages, you can sign up a group to attend a presentation at the BND visitor centre. After having selected visiting options, visiting day and time, target group and number of visitors, the applicant then has to supply the following data:
- first name and last name,
- telephone number (optional)
- email address,
- the place of origin of the group,
- details on the institution of the group.
Inter alia, these data help to improve the preparation of the visit to the BND. By providing your personal data and confirming the privacy statement in selecting the check box, in accordance with Article 6 (1)(a) GDPR, you agree to the processing of your data for the purpose mentioned above.
The Bundesnachrichtendienst faces a high level of general threat, and especially the visitor centre, which is open to the public, requires accordingly high security standards which we have to meet.
In order to provide security for all individuals present at the visitor centre, and in order to be able to assert possible civil claims, such as lost property or liability in the case of damage, the visitors must be clearly identifiable during the visit and up to 7 days after. Therefore, upon the visitors’ entry and with their explicit consent, their first and last names as well as their dates of birth will be registered in attachment TN or attachment DS in accordance with Article 6 (1)(a) GDPR. Should a visitor refuse such consent, he or she will unfortunately not be able to attend the lecture or participate in the guided tour of the exhibition.
Pursuant to Article 7 (3) GDPR, you can revoke your consent to the data collection in writing at any time. The lawfulness of processing remains unaffected until we receive notification that you have revoked your consent, but must not be continued after that point in time. The data are stored in an IT-supported system and will automatically be deleted 7 days after the visit. The data are expressly not transferred to third parties.
Additional information, such as the institution, type of school, class level, association, or limited mobility, are optional, but help in preparing the visit to the Bundesnachrichtendienst.
7. Video surveillance
To prevent trespassing and for the purposes of threat prevention, law enforcement and security, the Bundesnachrichtendienst property is monitored by a video surveillance system.
The data collected are transmitted to law enforcement agencies only if requested as part of a legitimate police measure or by court order for the purposes stated above. Transmission is documented with a standard security receipt. Videos are recorded within the scope of legal provisions.
8. Your rights
You have the following rights vis-à-vis the Bundesnachrichtendienst with regard to your personal data:
- Right of access, Article 15 GDPR
- Right to rectification, Article 16 GDPR
- Right to erasure, Article 17 GDPR
- Right to restriction of processing, Article 18 GDPR
- Right to object to collection, processing and/or use of data, Article 21 GDPR
- Right to data portability, Article 20 GDPR
- Right to withdraw consent, Articles 13 and 14 GDPR
You can assert the above-mentioned rights in writing by turning to the contacts listed under 1.1.
Pursuant to Article 77 GDPR, you also have the right to submit a complaint to the supervisory authority under data protection law, the Federal Commissioner for Data Protection and Freedom of Information.
You may also submit questions and complaints to the BND Data Protection Officer listed under 1.1.