Data Protection

Privacy policy

• Competent authorities/Data Protection Officer

  Responsible for the processing of personal data is the

  Bundesministerium für Gesundheit (Federal Ministry of Health)
  53123 Bonn
  Phone: +49 (0)228 99441-0
  email: poststelle(at)bmg.bund.de
  German email: poststelle(at)bundesgesundheitsministerium.de-mail.de

  The Federal Ministry of Health’s Data Protection Officer is also available to provide answers to specific questions about the protection of your data as well as any additional information regarding how personal data is handled at the Federal Ministry of Health.

  Bundesministerium für Gesundheit
  - Datenschutzbeauftragte -
  11055 Berlin
  DSB(at)bmg.bund.de

• Access to the online presence

  Any access to the Federal Ministry of Health’s online presence as well as any file access is stored and processed in a protocol file over a limited period of time for the exclusive purpose of protection and tracking security-related access.

  The protocol file contains details regarding:

  • The IP address used
  • The name of the page/file accessed
  • Date and time of data transmission
  • Report on whether data retrieval was successful.

  We are obligated under Article 6 (1) letter e) of the EU’s General Data Protection Regulation (GDPR) in conjunction with section 5 of the Act on the Federal Office for Information Security (BSI) to store data beyond the duration of your visit. This is intended to protect against attacks on the BMG’s internet infrastructure/the Federal Government’s communications technology. This data is analysed and needed to initiate legal action or criminal prosecution in case of attacks on our communications technology.

  This data is stored in form of log files beyond the duration of your visit not only with us, but also on external servers, our service providers “Mittwald CM Service GmbH & Co. KG” and the “Hundertserver GmbH”.

  Data logged during access to the BMG’s online presence will only be shared with third parties to the extent we are legally obliged to do so or if passing on the data is necessary for legal action or criminal prosecution in the case of attacks on the Federal Government’s communications technology. Otherwise, it will not be passed on. The Federal Ministry of Health does not combine this data with other data sources. To ensure a needs-based design and further develop its online presence, the BMG statistically analyses user information. Detailed information can be found in the web tracking/web analysis section of this privacy policy.

  Our website uses the services of Myra Security GmbH (DE), Landsberger Str. 187, 80687 Munich. The purpose of the service is for secure encrypted data transmission on the Internet (SSL), to improve worldwide website performance through the Myra Content Delivery Network (CDN) and to improve security and protection against hacker attacks through the Myra Hyperscale Web Application Firewall (WAF). Since we care a lot about your privacy, we've chosen Myra as a German IT security provider, that meets the high GDPR standards reliably, when processing your data. The legal basis for data processing is therefore our legitimate interest pursuant to Art. 6 para. 1 lit. e GDPR. The service is mandatory for the technical security of our website. More detailed information about GDPR and Myra Security can be found on the GDPR pages of Myra Security: https://www.myrasecurity.com/en/privacy-policy/

• Contacting the Federal Ministry of Health

  Contact by email

  • poststelle@bmg.bund.de

  • poststelle(at)bundesgesundheitsministerium.de-mail.de

  Contact by letter

  Postal address:

  Bonn Office: Bundesministerium für Gesundheit, 53107 Bonn

  Berlin Office: Bundesministerium für Gesundheit, 11055 Berlin

  Contact by phone or fax

  Federal Ministry of Health

  Phone.: +49(0)228/99441-0 or. +49(0)30/18441-0

  Fax: +49(0)228/99441-4900 or +49(0)30/18441-4900

  Should you contact the Federal Ministry of Health in writing by way of one of the aforementioned channels, then your transmitted data (e.g. surname, first name, address and/or email address) as well as the information contained within the message itself (such as personal data you might share) will be stored for the purposes of contacting you and processing your request in accordance with the statutory periods for retaining written records as set by the Registry Directive, which complements the Joint Rules of Procedure of the Federal Ministries (GGO).

  Should you contact us by telephone, generally no personal data is recorded, unless this is needed in order to process your request (call back, written message).

  The data is processed on the basis of Article 6 (1) letter e) of the GDPR in conjunction with section 3 of the German Federal Data Protection Act (BDSG) and is required to fulfil the tasks.

  Please note that your data will be processed on the basis of Article 6 (1) letter e) of the GDPR in conjunction with section 3 of the BDSG to carry out the BMG’s responsibilities. To process your request, it is necessary for us to process the personal data you have transmitted to us.

  If you use this contact form for communication, you need to provide your surname and first name, your post code and your email address. Without this data, we cannot process the request you sent us via the contact form. Providing additional address information is optional and enables us to process, if you so wish, your request by post.

  Optional information will be processed on the basis of your consent pursuant to Article 6 (1) letter a) of the GDPR.

  You can withdraw your consent at any time. The lawfulness of processing based on your consent remains unaffected until such time as a withdrawal of your consent is received.

  In order to respond to telephone requests from the public, the Federal Ministry of Health has engaged the services of the Telemark Rostock Kommunikations- und Marketinggesellschaft mbH (Telemark Rostock), a multimedia communications centre. Telemark Rostock collects, processes and uses personal data exclusively within the limits prescribed in the GDPR and the Federal Data Protection Act (BDSG). It has taken a range of technical and organisational measures to ensure compliance with the legal regulations.

  This equally applies to the service providers engaged in the context of processing (more information available under the “Processors” section).

  Contact by web conference

  Data collected during web conference

  If you contact us by web conference, the following details are collected:

  • Event title and meeting room name.
  • Date and time of event.
  • Account of organiser (email address and name) and
  • Name of the participant, which can be freely selected by the participant (e.g. an anonymous username may be used).
  • Participants’ time of entry/exit.
  • When participating via telephone, the telephone number where available.
  • Line parameters for video and audio (roundtrip time, latency, package loss, jitter)
  • When participating via an external VC system:
    • IP address of the VC system,
    • By browser or app, depending on the participant’s user settings, additional data is stored:
    • the IP address,
    • System identifier (type of browser, operating system)

  Additional legal information

  1. Legal basis
     The processing needed to carry out the web conferences is conducted on the basis of Article 6 (1) letter e) of the GDPR (performance of tasks carried out in the public interest).
  2. Purpose
     Logging personal data serves to detect and eliminate disruptions and misuse. It is necessary to ensure the network and information security and is therefore a legitimate interest of the Federal Ministry of Health.
  3. Data transfer
     As a rule, personal data is not transmitted to third parties. Access to available data is reserved exclusively to employees of the Federal Ministry of Health who have been tasked with the support of this service. Where required, pursuant to section 5 (1) sentence 4 of the Act on the Federal Office for Information Security, the Federal Ministry of Health does, however, provide the Federal Office for Information Security (BSI) with traffic data, which is anonymised before transmission.
  4. Storage period
     Logging data is deleted or overwritten after 90 days at the latest. This retention period is needed to be able to perform a debugging operation in case of error or misuse.
  5. Technical-organisational measures
     Es wird eine zertifikatsbasierte Verschlüsselung der Transportschicht (TLS) verwendet. Certificate-based transport layer security (TLS) is used. Depending on the type of event, participants can freely select whether, for instance, to switch off the microphone and/or camera, or only to participate by telephone (in other words just sound without video) and also whether to display a name.
  6. Your rights as a data subject
     With respect to personal data that concerns you, you have the following rights vis-a-vis the Federal Ministry of Health: The right to information, rectification, erasure, restriction of processing, data portability, objection and file complaints. Additional details are available under "Your rights".

• Processing of personal data in the context of information provision

  The processing of personal data depends on the type of information provision. Here we differentiate between the provision of printed materials and information-gathering visits to the BMG.

• First-time orders of printed materials

  If you order brochures, reports, leaflets or other printed materials via this website, the data provided in the order form (shopping basket) to carry out the pre-contractual measures or to fulfil the contract (provision of printed materials) is processed according to Article 6 (1) letter b) of the GDPR.

  To process your order, the following personal data must be provided:

  • Form of address,
  • Surname, first name
  • Street, house no
  • Post code and city

  In case the previously indicated data is not available, it will not be possible to process the order.

  Provision of additional information such as institution, department, country and email address are voluntary, but serve to better process the order.

  This is processed as part of the ordering process by the service providers commissioned by the Federal Ministry of Health, “IBRo Versandservice GmbH” and “GVP Bonn-Rhein-Sieg gGmbH”.

  Your data is retained by the service provider for a duration of three months following your order. Upon expiry of this time, your data will be fully anonymised. Should it not be possible to process your order on account of supply shortages, then your data will be retained until the order is completed. This retention period may last over three months. Insofar as the order cannot be completed solely by us, the data you have provided is passed onto third parties (shipping company, potentially other authorities or institutions, in case they send out the ordered materials).

• Subscription to publications

  It is possible to subscribe to selected publications of the Federal Ministry of Health. The data which you enter for the subscription is processed on the basis of your consent pursuant to Article 6 (1) letter a) of the GDPR. You can withdraw your consent at any time. The lawfulness of processing on the basis of your consent remains unaffected until such time as it is withdrawn.

  To process your order, the following personal data must be provided:

  • Form of address,
  • Surname, first name
  • Street, house no
  • Post code and city,
  • Country
  • Email address
  • Requested order size

  Your data will be stored by the service providers commissioned by the Federal Ministry of Health, “IBRo Versandservice GmbH“ and “GVP Bonn-Rhein-Sieg gGmbH” for the purpose of processing until such time as consent is withdrawn (unsubscribing). To process order requests, it is necessary to regularly check the data you have entered, above all the order size. To do so, BMG staff will view the data. Here no data is transmitted to third parties.

  Digital subscription

  It is possible to receive email notifications to inform you when selected recurrent publications are released (hereinafter: Digital subscription). Upon subscribing, every time a new issue is released, we will automatically send you an email with a link to the newest issue.

  To register, we use a double opt-in process. After you have registered, we will send an email to the email address you have provided in which we request your confirmation that you wish to receive that digital subscription. Using a registration system that involves a confirmation email with a link to the final registration ensures that a digital subscription is only provided if explicitly requested.

  If you consent to inclusion on one of the Federal Ministry of Health’s digital subscription lists, your email address, the date and time of your registration, your IP address, the User Agent and information as to the publication you have selected will be stored by us on a server. Your data is processed on the basis of your consent pursuant to Article 6 (1) letter a) of the GDPR. If the registration under the email address you have provided is not confirmed by clicking on the link in the email, the data is automatically deleted after 30 days. The data may only be used for the digital subscription once you have clicked on that link. Your data will not be passed on to a third party or used for the purposes of consulting, advertising or market research. Your data will exclusively be used for the digital subscription.

  You may withdraw your consent and thereby cancel your subscription at any time. To unsubscribe from the digital subscription, we use a double opt-out process. To do so, you can click on the corresponding link that is included in every digital subscription email. We will then send an email to the email address you have provided requesting your confirmation that you no longer wish to receive the digital subscription. Once you confirm it, your subscription’s cancellation becomes effective.

• Visitor groups

  The BMG regularly receives groups for the purpose of information and discussion. When contacting the BMG via the email address Besucherdienstinland(at)bmg.bund.de, please provide your first name and surname as well as your email address. Without this data, we cannot process your request.

  During the initial contact, additional information, such as institution, address data, telephone/fax number, group structure and impairments are optional. These serve to enable better planning of the visit and/or to contact you by other means (phone, letter).

  In the further course, you will receive an email from the Federal Ministry of Health regarding a possible date and confirmation of your request. This email also asks you to enter additional personal data concerning the people who will be participating in the visit.

  Data concerning

  • the form of address,
  • first and surname as well as
  • the birth date of the participant

  are required to facilitate coordination of the visit to the BMG.

  Additional data, such as:

  • location,
  • institution,
  • school type, school grade,
  • club as well as
  • mobility impairments

  are optional and enable better preparation for your visit to the BMG.

  Processing of the personal data you have provided is carried out in order to fulfil the task of public relations pursuant to Article 6 (1) letter e) of the GDPR in conjunction with section 3 of the Federal Data Protection Act (BDSG). Following a visit to the Federal Ministry of Health or after the date of a scheduled visit that was cancelled, the data is completely erased at the end of that same year.

  For good order, the Federal Ministry would like to draw attention to the fact that it is the legal responsibility of the person(s) carrying out the registration to ensure that the requested personal data of participants may be transmitted to the Federal Ministry of Health.

• Processors

  We utilise external service providers (processors) e.g. to send out publications and the newsletter. Separate agreements on order processing have been concluded with the service providers so as to ensure the protection of your personal data.

  We collaborate with the following service providers:

  • Scholz & Friends GmbH

  • Mittwald AG

  • THE BRETTINGHAMS GmbH

  • Hundertserver GmbH

  • coding. powerful. systems. CPS GmbH

  • Cosmonauts & Kings GmbH

• Voluntary personal data

  Some sections of the BMG’s online presence enable you to provide voluntary personal data. The (personal) data transmitted is stored and used exclusively for the purpose you intended when providing them. It will not be passed on to third parties.

  Automatically stored logging data (see access to the online presence) is deleted after a limited period of time.

• Use of cookies

  Cookies are small text files, which are stored when calling up particular sites or functions on your computer.

  A prerequisite for storage is that you have cookies activated in your browser settings (e.g. Microsoft Edge, Internet Explorer, Mozilla Firefox, Opera, Apple Safari).

  The BMG’s online presence is largely usable without activating cookies in your browser settings. Cookies only need to be activated in your browser when using the shopping basket to order information material. In this connection, a cookie referred to as a “session cookie” is set, which is automatically deleted from your computer once the browser session is closed. This is carried out on the basis of Article 6 (1) letter e) of the GDPR in conjunction with section 3 of the BDSG to provide needs-based online information on the tasks conferred to the Federal Ministry of Health.

  Additionally, when calling up the website of the Federal Ministry of Health, solely the essential cookies are stored/accessed on your end device. Furthermore, the session cookies used on this page do not contain any personal data.

• Web tracking/web analysis

  To ensure a needs-based design and for optimisation purposes, the Federal Ministry of Health analyses the usage of this website on the basis of Article 6 (1) letter e) of the GDPR in conjunction with section 3 of the German Federal Data Protection Act (BDSG) using the open-source web-analytics platform Matomo. Here the information from the log files is used and anonymised, before the information is used for usage analysis.

• Embedding videos

  To embed videos, the site uses external services that are outside the BMG’s control. When watching a video, these services autonomously store and process their users’ personal data (e.g. IP addresses). Data may also be stored on your end device or data stored there accessed.

  We embed these videos using a two-click solution. A direct connection between the service and the user is only established when the user actively clicks on the video to start it, thus giving consent (Article 6 (1) letter a) of the GDPR). User data is not automatically transmitted to the operators of these platforms. Personal data concerning your visit is processed by the operators when you watch the video. Fundamentally, it is the same as following a link to their services. Further information can be found in the service providers’ data privacy policies.

  We work with the following providers:

  • YouTube by Google Ireland Ltd.; Google Building Gordon House, 4 Barrow St, Grand Canal Dock, Dublin 4, D04 V4X7, Ireland; Privacy policy: https://policies.google.com/privacy?hl=de The headquarters of YouTube’s operator, Google Ireland Ltd., are located in the EU; however, it cannot be excluded that it also processes data in countries outside of the EU, above all in the US, where the level of data protection is not comparable to that of the European data protection standards. It can therefore, for instance, not be excluded that state-run bodies are given access to personal data or transmit the data to third parties, with whom you have no rights as a data subject.
  • German Bundestag, German Bundestag, constitutional body of the Federal Republic of Germany, Platz der Republik 1, D - 11011 Berlin Privacy policy: https://www.bundestag.de/datenschutz

• Information on using our social media presences

  The social media internet platforms provide a federal authority with excellent opportunities to communicate, network and actively engage with citizens. The Federal Ministry of Health has therefore decided to set up its own online presences on Facebook, Instagram, X, LinkedIn, YouTube, Mastodon, Bluesky, Threads and is additionally also represented on TikTok and Telegram. Feel free to also inform yourself on our work and exchange ideas with us there.

  At this juncture, please note that the terms of use of the listed services and their operators do not fall under the Federal Ministry of Health’s control. On our part, we will always strive to handle your data with care in this context as well, but will not be liable for the actions of the operators or third parties.

  In addition, we expressly note that the operators of the social networks that we use for communication permanently store data outside of Germany and for commercial purposes. The extent and duration to which the data is stored cannot be ascertained by us.

  The Federal Ministry of Health takes the discussion around data privacy in social networks very seriously. We are following the debate and the investigations by the competent authorities and examine on an ongoing basis ourselves whether we can continue to run our social media presences under the prevailing conditions relating to data privacy.

  Until further notice, we would ask you to carefully check what specific personal data you are revealing as a social media user. Please also regularly check the settings in your social media to protect your privacy.

• Privacy policy for Facebook

  For the information service provided here, the Federal Ministry of Health utilises the technical platform and services of Facebook Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland.

  Please note that you are using this Facebook page and its features under your own responsibility. This applies especially to the use of interactive features (e.g. commenting, sharing, liking). Alternatively, you can also call up the information we have available about this site at our website.

  When visiting our Facebook page, Facebook collects information such as your IP address as well as additional information on your computer in form of cookies. This information is used to provide us as the operator of these Facebook pages with statistical data concerning the use of the Facebook page. Additional relevant information is provided by Facebook via this link.

  The data collected on you in this connection is processed by Facebook Ltd. and where relevant transmitted to countries outside of the European Union. What information Facebook collects and how it employs this is explained by Facebook in a general manner in its data usage policies. There you will also find information on how to contact Facebook as well as settings on advertising. The data usage policies can be found here.

  Facebook’s full data policies can be found here.

  How Facebook uses the data collected when visiting Facebook pages for its own purposes, to what extent activities on the Facebook page are traced to individual users, how long Facebook stores this data and whether data from visiting a Facebook page is relayed on to third parties is not conclusively or clearly indicated or known to us.

  When accessing a Facebook page, the IP address assigned to your end device is transmitted to Facebook. According to information provided by Facebook, this IP address is anonymised (in case of “German” IP addresses) and deleted after 90 days. Furthermore, Facebook stores information about the users’ end devices (e.g. as part of the “login notification” feature) and may thereby potentially be able to trace IP addresses back to individual users.

  When you, as a user, log in on Facebook, a cookie is placed on your end device with your Facebook name. This enables Facebook to reconstruct your visit to this page and how you have used it. This applies to all other Facebook pages. It is possible for Facebook to track your visits to these websites and trace them back to your user profile using Facebook buttons that are integrated in these websites. This data enables content and ads to be tailored to you.

  If you wish to avoid this, you should log out of Facebook and/or deactivate the feature “remain logged on”, delete the cookies stored on your device and then close down and restart your browser. This deletes Facebook data through which you can be identified directly. This allows you to use our Facebook page without revealing your Facebook name. When you access interactive features of this page (liking, commenting, sharing, messaging etc.), a Facebook log-in page will appear. After a log-in, you will once more be visible as a distinct user to Facebook.

  Information on how to manage or delete the information concerning you can be found on these Facebook support pages.

  As providers of this information service, we do not collect or process additional data on your usage of our service.

  This privacy policy can be found in its latest applicable version here. The link to this page can also be found on our Facebook page. Additional information on Facebook and other social networks as well as how you can protect your data can also be found at youngdata.de.

  Information on the data protection risks of social media services from a legal perspective

  Social media services are often multilevel service provider relationships, wherein the respective information or communication service is offered on a platform, provided by third parties and where the users' data is processed in the context of the platform operators' own business purposes. This makes social media services non-transparent from a user perspective and often problematic from a legal perspective, specifically with regard to existing responsibilities. Particularly in the case of platform operators/providers from outside Europe, from a data protection perspective, social media services often do not adhere to the General Data Protection Regulation.

  In particular, it requires that users be provided with sufficient information and requires their consent before personal data is processed.

  Public authorities that operate a social media presence to perform their tasks share the responsibility under data protection law for processing the data of the users visiting their social media presence with the operators of the social media platform.

  The platform operator’s data protection provisions can be found on the following page:

  Facebook’s data usage policies:
  de-de.facebook.com/about/privacy

  Facebook’s full data policies:
  de-de.facebook.com/full_data_use_policy

  Information on ways to limit the respective platform operator’s processing of your data can be found here:
  www.datenschutz.rlp.de/fileadmin/lfdi/Dokumente/Orientierungshilfen/oh-Selbst_DS_soziale_Netze.pdf.

  If you have questions regarding our information offering, you can reach us using the following contact details:

  Bundesministerium für Gesundheit
  - Datenschutzbeauftragte -
  11055 Berlin
  DSB@bmg.bund(dot)de

• Check your data

  • You can view the data that is automatically transmitted to our server from your browser.
  • You can use any internet browser to display whether cookies are set and what these contain.

  Detailed information is provided on the websites of the Federal Commissioner for Data Protection and the Federal Office for Information Security.

• Your rights

  With respect to personal data concerning you, you have the following rights vis-a-vis the controller:

  • Right of access, Article 15 of the GDPR

    The right of access entitles the data subject to access the personal data concerning them. The exceptions to this right provided under section 34 of the Federal Data Protection Act (BDSG) apply.

  • Right to rectification, Article 16 of the GDPR

    The data subject can demand that inaccurate personal data concerning them be rectified.

  • Right to erasure, Article 17 of the GDPR

    The right to erasure means the data subject can demand the controller erase data. However, this is only possible if the personal data concerning them is no longer required, is being processed illegitimately, the relevant consent has been withdrawn and none of the statutory reasons for exemption apply, cf. Article 17 (3) of the GDPR, section 35 of the BDSG.

  • Right to restriction of processing, Article 18 of the GDPR

    The right to restriction of processing entails the possibility of the data subject to prevent further processing of personal data for the time being. Such restrictions mainly occur during the examination period of other rights being exercised by the data subject.

  • Right to data portability, Article 20 of the GDPR

    The right to data portability affords the data subject the possibility to receive their personal data in a commonly used, machine-readable format in order to potentially pass these on to other controllers. Pursuant, for instance, to the exemptions set out under Article 20 (3) of the GDPR, this right does not apply when the processing of data serves the performance of a task carried out in the public interest. The sole instance where this is not the case at the Federal Ministry of Health is when data processing is carried out for taxation purposes.

  • Right to object against data collection, processing and/or use, Article 21 of the GDPR

    The right to object entails the right in a specific situation to object against further processing of personal data. Pursuant, for instance, to section 36 of the BDSG, this right does not apply if a public authority is required to process the data by law.

  • Right to withdraw consent

    Where processing is carried out in accordance with Article 6 (1) letter a) of the GDPR on the basis of your consent, you can always withdraw your consent for that purpose. The lawfulness of processing remains unaffected until a withdrawal of consent is received.

  The aforementioned rights can be asserted by contacting poststelle(at)bmg.bund.de or poststelle(at)bundesgesundheitsministerium.de-mail.de.

  Right to lodge a complaint with a supervisory authority, Article 77 of the GDPR

  Furthermore, you have the right to submit a complaint to the supervisory authority for data protection law (the Federal Commissioner for Data Protection and Freedom of Information) at:

  Bundesbeauftragte(r) für den Datenschutz und die Informationsfreiheit,
  Graurheindorfer Straße, 153 53117 Bonn,
  Email: poststelle(at)bfdi.bund.de

• Video monitoring

  The premises of the Federal Ministry of Health in Bonn (Rochusstraße 1, 53123 Bonn) and in Berlin (Friedrichstraße 108, 10117 Berlin) are monitored by a video system to supervise adherence to the house rules. Processing is carried out on the basis of Article 6 (1) letter e) of the GDPR in conjunction with section 4 of the Federal Data Protection Act (BDSG). Data collected in this way is only shared with third parties to the extent that we are legally required to do so or sharing it is necessary for legal action or criminal prosecution in cases of house law violation. Otherwise, it will not be passed on.

   

• Protection of minors

  People under the age of 16 should not transmit personal data to the Federal Ministry of Health without the consent of a legal guardian. No personal data is knowingly processed or passed on from this group to third parties without parental consent.