Data protection statement
I. Controller's contact details
The controller for the personal data processed in the use of the website is the
Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen (BNetzA)
represented by its President, Jochen Homann.
Tel.: +49 (0) 228 / 14 - 0
II. Contact details of the authority's data protection officer
III. Data processing
The Bundesnetzagentur wants to make you aware of how it processes your personal data and your data protection rights. When we process personal data, this processing is always directly connected to the performance of our public duties.
Purposes for Processing
Personal data are processed by the Bundesnetzagentur to the extent necessary for the purpose of performing its legally assigned duties. Information about the Bundesnetzagentur’s work is available at Bundesnetzagentur’s duties and in the organisation chart: Organisation Chart (pdf / 255 KB)
The Bundesnetzagentur also processes personal data as a contracting party under civil law. Examples of this are for the procurement of office materials or auxiliary services. In this context and in pursuit of its own interests the Bundesnetzagentur may also process personal data of the contracting party’s employees. The Bundesnetzagentur’s interest lies in the initiation, conclusion and execution of such contractual relationships.
As a public sector employer, the Bundesnetzagentur also processes personal data as part of its personnel recruitment and administration efforts.
The Bundesnetzagentur processes personal data on the basis of consent for special services such as delivering newsletters.
.Where the processing of your personal data is based on your consent, the legal basis is point (a) of Article 6(1) of the EU General Data Protection Regulation (GDPR)
Where the processing is necessary to fulfil a contract, the contracting party of which is the data subject, or the processing is required in order to carry out pre-contractual measures that are implemented upon the request of the data subject, the legal basis is point (b) of Article 6(1) GDPR.
Where the processing of personal data is necessary for compliance with a legal obligation to which we are subject, the legal basis is point (c) of Article 6(1) GDPR.
Where the processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us, the legal basis is point (e) of Article 6(1) GDPR in conjunction with the respective legal task standard.
Where the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms, the legal basis for the processing is point (f) of Article 6(1) GDPR..
Visiting our website
When you visit our website, we process the following computer system data, accessed by the website, as part of our automatic logging
- IP address, anonymised
- date and time
- notification if the access was successful
- page accessed/name of file accessed
- data volume transmitted
- user agent for statistics.
The legal basis we rely on is point (f) of Article 6(1) GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interest in maintaining the stable functioning of our IT systems and the technology of our website. The data are only evaluated for statistical purposes, to improve our service and to ensure data protection and information security at the Bundesnetzagentur. They are not used for other purposes or passed on to third parties. Where third-party service providers provide services for us, they are subject to agreements on processing on behalf of another party.
Temporary session cookies are used on certain web pages and saved on your device to make navigating the site easier. These cookies do not contain any personal data and expire once the session ends. We do not use any technology to track users' browsing habits.
Contacting the Bundesnetzagentur using an online form or email
.If you get in touch with us using our online form or email, the personal data you provide will be processed to deal with your query and to contact you
The legal basis for processing your data depends on the reason you contacted us. If we process the data in the course of performing our responsibilities, the usual legal basis is point (e) of Article 6(1) and Article 6(3) GDPR in conjunction with section 3 of the German Federal Data Protection Act (BDSG).
How long we have to store data and when we have to delete it also depend on the reason you contacted us. Queries from members of the public are stored in accordance with the periods laid down in the German Registry Directive for the retention of records.
You can subscribe to a free newsletter on our website. When you subscribe to the newsletter, the data you enter in the user form will be transmitted to us. During the registration process you will be asked for your consent to your data being processed and made aware of this data protection statement. The legal basis for data processing once you have registered for the newsletter and given consent is point (a) of Article 6(1) GDPR. Your email address is collected in order to send the newsletter to you. Other personal data collected during the registration process are used to make sure that services or the email address given are not abused. You can cancel your subscription to the newsletter at any time.
Video surveillance is conducted on the properties of the Bundesnetzagentur on our responsibility.
As part of the video surveillance, personal data (video recordings) of individuals on the properties of the Bundesnetzagentur are processed on the basis of point (e) of Article 6(1) GDPR.
Bundesnetzagentur video surveillance is solely for the purposes of safety and meeting the special security needs of the agency.
The video surveillance serves the legitimate interest of preventing damages to monitored buildings as well as the people and the information located in the buildings (premises security and protection from sabotage), early detection and prevention (physical access control) of entry by unauthorised persons, and to document and preserve evidence of any unauthorised entry.
Video surveillance may include making video recordings. This can be done on an as-needed basis – where the level of apparent danger makes it necessary – or on a permanent basis. Video recordings will only be shared to the extent necessary in the event of a criminal prosecution or to avert danger. The data must be deleted immediately – but after no more than seven days – if it is no longer necessary for security purposes.
Video conferencing and online meetings via Cisco Webex Meetings
We use Cisco Webex Meetings for video conferences and online meetings.
We provide our processor, Cisco International Ltd. and its affiliated companies, with the users' personal data required to use the video conferencing service. A contract for processing has been concluded with Cisco International Ltd., including its affiliated companies.
Cisco Webex services have received attestation in accordance with the BSI's Cloud Computing Compliance Controls Catalogue (BSI C5). Cisco's internal auditing process ensures that all cloud services conform to BSI C5.
Both the signalling and the content is encrypted in the video conferences.
The following personal data are processed when the service is used:
-host and usage information:
-user agent identifier
-operating system type and version
-IP addresses along the network path
-MAC address of the client (as applicable)
-meeting session information (title, date and time, frequency, average and actual duration, quantity, quality, network activity, and network connectivity)
-number of meetings
-number of screen-sharing and non-screen-sharing sessions
-number of participants
-performance, troubleshooting and diagnostics information.
The processing of the personal data listed above serves in particular to provide the service, enrol users in the service, diagnose technical issues, and conduct analytics and statistical analysis in aggregate form to improve the technical performance of the service.
- meeting and call recordings (if applicable)
- uploaded files (if applicable).
The Bundesnetzagentur has the option to record video conferences using Cisco Webex Meetings; it will inform meeting attendees prior to recording and will only record meetings if the attendees agree. Meeting recordings will be deleted immediately after they have been used for the agreed purpose (for example for meeting reports).
Users can request deletion of their personal data retained on the Cisco Webex platform by sending a request to email@example.com.
Further relevant information about Webex Meetings data protection is available on the Cisco Trust Center web pages here
IV. Your rights as a data subject
You have legal rights concerning the processing of your personal data. These include:
- Right to information
Article 15 GDPR gives you the right to information about your personal data processed by the Bundesnetzagentur free of charge. In particular:
- the purposes of the processing of your personal data,
- the categories of personal data that are being processed,
- the recipients or categories of recipients to whom the personal data have been or will be disclosed,
- the envisaged period for which the personal data will be stored, or the criteria used to determine that period,
- the source of the data if we did not collect the data from you.
The exceptions to this right laid down in section 34 BDSG apply.
- Right to rectification
Article 16 GDPR gives you the right to have inaccurate personal data corrected without undue delay and, where appropriate, the right to have incomplete personal data completed.
- Right to erasure
Article 17 GDPR gives you the right to have your personal data erased, provided the grounds laid down in Article 17(1) GDPR apply. However, according to paragraph 3 there is no such right when the processing of data is necessary for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims. In addition, the exceptions to this right laid down in section 35 BDSG apply.
- Right to restriction of processing
Article 18 GDPR on the right to restriction of processing gives you the option to temporarily prevent the further processing of your personal data provided the grounds laid down in Article 18(1) apply; for example, for a period enabling your opposing rights to be verified.
- Right to data portability
Article 20 GDPR gives you the right to receive the personal data concerning you, which you have provided to the Bundesnetzagentur, in a structured, commonly used and machine-readable format, where the Bundesnetzagentur processes this data based on your consent and the processing is carried out by automated means. In accordance with Article 20(3) second sentence GDPR, this right does not apply to processing necessary for the performance of a task carried out in the public interest.
- Right to object
Where the Bundesnetzagentur processes your personal data for the performance of a task carried out in the public interest or for the purposes of legitimate interests (points (e) and (f) of Article 6(1) GDPR), you have the right to object, on grounds relating to your particular situation, to this processing (Article 21 GDPR). If you exercise your right to object, the Bundesnetzagentur will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims. In accordance with section 36 BDSG, the right to object does not apply if there is an urgent public interest in the processing that outweighs the interests of the person concerned or if processing is required by law.
Right to lodge a complaint with a supervisory authority
.Article 77 GDPR gives you the right, without prejudice to any other legal remedy, to lodge a complaint with the competent supervisory authority if you consider that the processing of personal data relating to you is unlawful. The competent supervisory authority for the Bundesnetzagentur is
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information)
V. Information in accordance with section 55 BDSG:
a) Purposes for processing (section 55 para 1 BDSG)
The Bundesnetzagentur is also responsible for preventing, investigating, taking action against and penalising certain regulatory breaches. The Bundesnetzagentur is entitled to process personal data in order to perform these tasks.
b) Data subjects' rights (section 55 para 2 BDSG)
In accordance with section 57 BDSG, the Bundesnetzagentur must inform the data subject upon request whether the data concerning them is being processed. The data subject also has the right to receive the information in accordance with section 57(1) BDSG.
Furthermore, the data subject has the right to rectification, erasure and limitation of the processing in accordance with section 58 BDSG.
c) Right to appeal with the Federal Commissioner for Data Protection and Freedom of Information (section 55 paras 4 and 5 BDSG)
In accordance with section 60 BDSG, the data subject can, at any time, contact the Federal Commissioner for Data Protection and Freedom of Information. The contact information is:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information)
Telephone: +49 (0)228 99 7799-0
Fax: +49 (0)228 99 7799-5550
Data protection in social media
The Bundesnetzagentur is active on Twitter and has its own YouTube channel. More specific information is available at:
Datenschutzinformationen zum Twitter-Kanal (pdf / 15 KB)(in German)
Datenschutzinformationen zum YouTube-Kanal (pdf / 14 KB)(in German)
The Bundesnetzagentur also operates a grid expansion fan page on Facebook and uses SlideShare.
More specific information is available at: https://www.Netzausbau.de/datenschutz (in German)