Data protection declaration 

a) Data Controller

Bundesgesellschaft für Endlagerung mbH (BGE)
Eschenstraße 55
31224 Peine
Fax: 05171 43-1218 
E-Mail:  poststelle(at)bge.de
Website:  www.bge.de

b) Data Protection Officer

Bundesgesellschaft für Endlagerung mbH (BGE)
-Datenschutzbeauftragter-
Eschenstraße 55 
31224 Peine
E-Mail:  datenschutz(at)bge.de

c) Supervisory authority responsible for data protection 

According to Section 9 BDSG, the data protection supervisory authority of the BGE is the Federal Commissioner for Data Protection and Freedom of Information:

Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
53117 Bonn
Telefon: +49 (0) 228 99 7799 – 0
Fax: +49 (0) 228 99 7799 - 550
E-Mail:  poststelle(at)bfdi.bund.de
Internet:  www.bfdi.bund.de (external link)

BGE processes personal data in the following contexts. 

Personal data refers to any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (Article 4, No. 1 GDPA).

Data is processed only

1. based on the consent of the person concerned (Article 6, paragraph 1, sentence 1, letter a) GDPR),
2. if the processing is necessary for the performance of contracts or for the implementation of pre-contractual measures (Article 6, paragraph 1, sentence 1, letter b) GDPR),
3. if the processing is necessary for compliance with a legal obligation to which the data controller is subject (Article 6, paragraph 1, sentence 1, letter c) GDPR),
4. if the processing is necessary in order to protect the vital interests of the data subject or of another natural person (Article 6, paragraph 1, sentence 1, letter d) GDPR),
5. if the processing is necessary for performing a task in the public interest or exercising official authority vested in the data controller (Article 6, paragraph 1, sentence 1, letter e) GDPR),
6. if the processing is necessary for the protection of legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data (Article 6, paragraph 1, sentence 1, letter f) GDPA).

Consents

Consent is usually obtained electronically (e.g. if a check mark is placed in the box regarding the use of cookies). The consent and its content will be recorded electronically.

You have the right at any time to revoke a consent once granted, in whole or in part, with effect for the future. Revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until revocation.

a) Right to information (Article 15 GDPR)

You have the right at any time to demand information from us as to whether we are processing personal data from you. If this is the case, you are entitled to receive the following information free of charge:

• the processing purposes
• the categories of personal data processed
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular to recipients in third countries or to international organisations
• if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining that duration
• the existence of a right of rectification or deletion of personal data relating to you or to limitation of the processing by the controller or a right to object to such processing
• the existence of a right of appeal in the case of a supervisory authority
• if the personal data are not collected from the data subject, all available information on the origin of the data
• the existence of automated decision making, including profiling, in accordance with Article 22, paragraphs 1 and 4 GDPR and, at least in these cases, meaningful information on the logic involved and the scope and intended effects of such processing on the data subject

If information has been transferred to a third country outside the scope of the GDPR, you have the right to find out whether and, if so, on the basis of which guarantees in accordance with Articles 45, 46 GDPR an adequate level of data protection is ensured in this third country. 

We will provide you with a copy of the personal data that is the subject of processing. If you submit the application electronically, the information shall be provided by us in a standard electronic format unless you request otherwise. The copy is made subject to the rights of third parties who may be affected by this data. 

If you wish to receive the information electronically, we reserve the right to demand proof of identity from you so that we do not release data in good faith to unauthorised third parties and thereby violate the protection of your personal data.

b) Right to rectification

You have the right to demand that we correct any incorrect personal data concerning you without delay. In consideration of the purposes of processing, you also have the right to request the completion of incomplete personal data – also by means of a supplementary declaration. 

c) Right of deletion (Article 17 GDPR)

You have the right to demand that BGE delete any personal data relating to you immediately; the BGE is obliged to delete it immediately if:

• The personal data are no longer necessary for the purpose of the survey.
• You revoke your consent to the processing or a legal basis is subsequently lost.
• You submit an objection to the processing in accordance with Article 21, paragraph 1 GDPR and there are no overriding legitimate reasons for the processing or you have submitted an objection to data processing for the purpose of direct advertising in accordance with Article 21, paragraph 2 GDPR.
• Your personal data has been processed unlawfully by us.
• The deletion is necessary to fulfil a legal obligation under European Union law or the law of the Member States.
• This is the personal data of a child that has been collected in relation to information society services offered in accordance with Article 8, paragraph 1 GDPR.

In particular, the right to the deletion of personal data relating to you does not exist if we process the data on the basis of a legal obligation (e.g. to fulfil legal storage obligations or to perform public tasks under the law of the European Union or its member states) or if we process the data for data backup and data control purposes. The same applies if the personal data is necessary for us to assert legal claims or to defend against legal claims. 

d) Right to restrict processing (Article 18 GDPR)

You can demand that we restrict the processing of your personal data. This applies in the following cases:

• The correctness of the personal data is disputed by you. In this case you can demand that we do not process the data until the correctness of the data has been checked.
• The processing is unlawful, but, instead of deletion, you request only the restriction of the processing.
• The BGE no longer requires the personal data for the purposes of the processing but you need the data to assert, exercise or defend legal claims.
• You have lodged an objection to the processing in accordance with Article 21, paragraph 1 GDPA as long as it is not yet clear whether the legitimate reasons of the data controller outweigh yours.

e) Right of data transferability (Article 20 GDPR)

You have the right – subject to the following provisions – to demand the surrender of data concerning you in a common electronic, machine-readable data format. The right of data transfer includes the right to transfer the data to another data controller; on request, we will therefore – as far as technically possible – transfer data directly to a responsible person named or to be named by you. The right of data transfer exists only for data provided by you and presupposes that the processing is based on consent or for the execution of a contract and is carried out using automated procedures. The right of data transfer according to Article 20 GDPR does not affect the right to delete data in accordance with Article 17 GDPR. The data transfer is subject to the rights and freedoms of other persons whose rights may be affected by the data transfer.

f) Right of objection (Article 21 GDPR)

If the BGE processes personal data on the basis of tasks in the public interest (Article 6, paragraph 1, sentence 1, letter e) GDPR) or in order to safeguard legitimate interests (Article 6, paragraph 1, sentence 1, letter f) GDPR), you can object to the processing of personal data concerning you at any time with effect for the future. 

In the event of objection, we must refrain from any further processing of your data for the aforementioned purposes, unless

• there are compelling legitimate reasons for processing that outweigh your interests, rights, and freedoms, or
• the processing is necessary for the assertion, exercise, or defence of legal claims

You can object to the use of your data for the purpose of direct advertising at any time with effect for the future.

g) Right of appeal to the supervisory authority (Article 77 GDPR)

According to Article 77 GDPR, you have the right to submit a complaint to the supervisory authority if you believe that your personal data are being processed unlawfully. The supervisory authority responsible for the BGE is mentioned in Item 1 letter c). 

a) Accessing the website in the browser

BGE processes personal data when you access this website in a browser.

Data is processed only to the extent necessary for the provision of this website.

We automatically collect and store information in “server log files”, which your browser automatically transfers to us. The data includes

• Browser type and browser version
• Operating system used
• Referrer URL (i.e. the previously visited page)
• Name and URL of retrieved file
• Date and time of server request
• Internet protocol address (IP address, anonymised by truncation)
• Amount of data transmitted

This data will not be merged with other data sources. Nor will any conclusions be drawn about the person concerned.

The information from the aforementioned data is used to optimise the contents of our website and to ensure its constant operability as well as that of our IT systems. In the event of a cyber attack on our systems, they may be used to provide law enforcement agencies with information they need

Legal basis

The basis for the data processing is derived from Article 6, paragraph 1, sentence 1, letter f) GDPR because the aforementioned purposes constitute a legitimate interest of the BGE.

Hosting

We host bge.de with the following third-party provider: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg; server location: Germany.

Storage duration

The data will be deleted when they are no longer necessary for the achievement of their processing purpose.  In the case of data processing when the website is accessed in the browser, this is the case when the respective session is ended.  Log files including IP address will be saved for a maximum of 15 days for the purpose of protecting system security.

b) Setting of cookies

Basic information

We use cookies on our website. These are small text files that are stored on your computer by your browser. Cookies are set that are necessary for the site’s operation. Necessary cookies help a website operate by facilitating basic features such as page navigation and access to secure areas of the site. Without these cookies, the website cannot work properly. Information is always processed in an anonymised form, and no data is passed on to third parties. The cookies used on this website are set out below.

Cookie types

In the following, we present the cookies used on this website.

We differentiate between i) technically necessary cookies ii) statistic/analysis cookies, and iii) third party cookies.

We use technically necessary cookies to make the website user-friendly:

• CookieConsent: Saves the user’s cookie approval status for cookies on the current domain (storage duration: 1 year).

We use the following statistics/analysis cookies to measure, for example, the frequency of page views, whether certain website functions are used, how long users stay on individual pages, which search terms are entered, from where the user was directed to our site, and the browser type and operating system. However, these data are anonymised by technical precautions so that it is no longer possible to assign them to the user who has called up the website:

• Et_scroll_depth (etracker): Registers whether website scrolling depth detection is active – this feature keeps track of how far the user has scrolled through the sub-pages of the website in the current session (storage period: persistent)
• BT_ctst (etracker): This cookie determines whether the browser accepts cookies (storage duration: current session only).
• isSdEnabled (etracker): Registers whether website scrolling depth detection is active – this feature keeps track of how far the user has scrolled through the sub-pages of the website in the current session (storage period: 1 day.
• _et_coid [x2] (etracker): Collects information about user preferences and/or interactions with Web campaign content – this information is used on the CRM campaign platform used by web site owners to promote events or products (storage period 2 years).
• BT_sdc (etracker): Records information about the user’s visits to the site (e.g. the number of visits, average time spent on the site, and which pages were loaded) with the goal of displaying targeted ads.
• cookiesAvailable (etracker): This cookie is set by a site’s audience manager in order to determine whether third-party cookies can be set in the visitor’s browser – third-party cookies are used to collect information or track visitor behaviour on various sites. Third party cookies are set by a third party website or company.
• flowplayerTestStatus: This cookie is used to store information about the visitor’s flowplayer status, which determines whether the visitor can access the media content of the website (storage period: persistent)

Third-party cookies themselves are not currently set on this site. Third party cookies are cookies that are provided by another provider. We cannot evaluate these ourselves.

Possibility of eliminating the cookies

The cookies are stored in the browser on your respective terminal device. You can also use the corresponding function in your web browser to delete the cookies at any time before the above storage periods expire. Moreover, you can set your browser so that no cookies are stored. Your browser gives you complete control.

Legal basis for the use of cookies

Article 6, paragraph 1, sentence 1, letter f) GDPR is the legal basis for technically necessary cookies because these are necessary for the operation of the website.
For statistics/analysis cookies and third-party cookies, the legal basis is derived from your consent in accordance with Article 6, paragraph 1, sentence 1, letter a) GDPR. The first time you access this website, you provide your consent electronically via our cookie consent tool, Cookiebot, which appears in front of the page. Information about the tool is available at https://www.cookiebot.com/de/ (external link).

c) Use of analytical tools

This website uses the open source web analytics service Matomo. This is also used in the BGE Repository Search Navigator. The information recorded by Matomo regarding the use of these websites is saved on our server. The IP address is anonymised before it is saved. With the help of Matomo, we’re able to record and analyse data relating to how visitors use our websites. Among other things, this allows us to determine which page views happened when and what region they came from. Moreover, we record various log files (e.g. anonymised IP addresses, referrers, which browsers and operating systems are used) and can measure whether our website visitors carry out certain actions (e.g. clicks or similar).

IP anonymisation

IP addresses are anonymised for the analysis with Matomo. This process shortens your IP address prior to analysis so that it can no longer be uniquely associated with you.

Hosting

We host Matomo with the following third-party provider: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg; server location: Germany.

Legal basis

The basis for the use of this analysis tool is Article 6, paragraph 1, letter f) GDPR. The website operator has a justified interest in the analysis of user behaviour in order to optimise its website.

d) Social media

Our website contains links to the websites of other providers and to social media. Forwarding to providers of social media services such as Facebook, Twitter, or LinkedIn is done exclusively via link. Data about your visit to our offer (e.g. IP address, time, URL) or data available on your end device (e.g. cookie information) is thus transmitted to the respective providers only when the link is deliberately used.

At this stage it cannot be guaranteed that a level of data protection comparable to that of the EU exists in the US. The transfer of data to the US by clicking a social media link of a US social media service is your own decision and responsibility. The BGE cannot assume any guarantee for data transmission to the US.

YouTube

On our site, YouTube videos are integrated via a “double-click solution”. When you access the page, only a preview image of the video is displayed; this is provided from our own server. After the first click, you will see the following message: “By viewing the video, you agree that your data will be transferred to YouTube LLC USA and that you have read the data protection declaration. 

Only when you click on accept will the YouTube video be started in “extended privacy mode”.

The BGE Repository Search Navigator also incorporates YouTube videos. Before the video plays, the following notice appears: “By opening the video, you agree to the transmission of data such as cookies and log files to and their storage at YouTube.” This can be confirmed by clicking on “Load video from YouTube”. It is only by clicking that you accept the transfer of data to YouTube.

At this stage, it cannot be guaranteed that a level of data protection comparable to that of the EU exists in the US. The transfer of data to the US by starting a YouTube video according to the “double click solution” is your own decision and responsibility. The BGE cannot assume any guarantee for data transmission to the US.

Validity of external data protection provisions

Data processing by clicking on links to social networks or by loading YouTube videos is governed by the privacy policy of the respective operator. You should familiarise yourself with this privacy policy before clicking on these links or downloading videos. The BGE is not responsible for the data protection regulations or the content of external Internet offers.

Legal basis

Data is processed only on the basis of your consent in accordance with Article 6, paragraph 1, sentence 1, letter a) GDPR, which you give by either clicking on the link of the social media provider (e.g. Facebook/Twitter) or by starting a YouTube video with the aforementioned double-click solution by explicitly clicking on the link.

(e) Esri mapping and survey tools

The website uses maps and the tools Story Maps and Survey123 from Esri Inc., 380 New York Street, 92373 Redlands, California, USA.

Story Maps are used to generate maps of the site selection process combined with accompanying multimedia content. The Survey123 tool is used to conduct digital surveys on this website. Esri is integrated via a “double-click solution”. When you access the page, only a preview image of the maps is displayed; this is provided from our own server.

After the first click, you will see the following message: “By viewing the video, you agree that your data will be transferred to Esri Inc. USA and that you have read the data protection declaration. Only when you click on accept will the maps tool/survey be started in “extended privacy mode”.

The Repository Search Navigator also uses maps from Esri Inc. On accessing the Navigator, you will also see the above notice, which you can accept by clicking on “Load Repository Search Navigator”. It is only by clicking that you accept the transfer of data to Esri Inc.

At this stage, it cannot be guaranteed that a level of data protection comparable to that of the EU exists in the US. The transfer of data by clicking on an Esri map or an Esri survey tool in accordance with the “double-click solution” is your own decision and responsibility. The BGE cannot assume any guarantee for data transmission to the US.

Technology:

ESRI, as well as its partners, uses cookies and similar technology to analyse trends, administer the website, track the movements of users on the website, and gather demographic information about the user base as a whole. Users can control the use of cookies at the individual browser level.

The use of targeting cookies can be disabled by clicking the following link:

https://www.esri.com/de-de/privacy/manage-privacy/cookies (external link)

Log files:

Certain information is automatically collected and stored in log files by ESRI and its tracking partners. This data includes the IP (internet protocol) address, browser type, internet service provider (ISP), and clickstream data. The aim of this data collection is to improve services, marketing, analysis, and site functions as well as to authenticate users.

For more information on the handling of user data, please refer to ESRI’s Privacy Statement: https://www.esri.com/de-de/privacy/overview (external link).

Legal basis

The data will be processed only on the basis of your consent in accordance with Article 6, paragraph 1, sentence 1, letter a) GDPR, which you give by opening a map or survey with the aforementioned double-click solution by explicitly clicking on it.

f) Press mailing list

Under the “Press” section, you can send us an email message if you would like to be included in our press mailing list. We then store only the email address and regularly send our press releases and event information by email without asking for further permission. If you no longer wish to receive these messages, simply reply with a corresponding notification to presse(at)bge.de Your email address will then be deleted immediately and permanently and will not be used any more. 

Legal basis

The data will be processed only on the basis of your consent in accordance with Article 6, paragraph 1, sentence 1, letter a) GDPR, which you declare by sending us the aforementioned email in which you request to be included in the press mailing list. 

g) 3D Models

GST Web application

The 3D models are displayed by the GST Web application (https://viewer.bge.de (external link)). This application is operated on a server of the Amazon Web Services cloud at a German data centre. Information on GDPR-compliance of the Amazon Web Services cloud is available at https://aws.amazon.com/compliance/gdpr-center/ (external link)

GST Web only uses technically necessary cookies that are essential for its functionality. The cookies expire once the browser window is closed or, in the case of the “disclaimerSeen” cookie, after seven days. No personal data is processed. The GST Web cookies are not used for statistical purposes.

The application sets the following cookies:

• Name: PHPSESSID
  Task: This cookie is used to manage the session. As HTTP is a stateless protocol, there is no way for the web server to recognise related requests from a single user. The web server therefore generates the PHPSESSID cookie and sends it to the browser, which repeatedly sends it back to the server in subsequent HTTP requests. The cookie is deleted once the browser window is closed.
  Type: First-party session cookie
  Lifetime: Session
• Name: advancedMode
  Task: With GST Web, users can create cross sections and virtual drill holes. When the corresponding dialogue for this functionality is opened, it is possible to activate an advanced mode. This cookie stores whether a user wishes to use the advanced mode or not. It is deleted once the browser window is closed.
  Type: First-party cookie
  Lifetime: Session
• Name: disclaimerSeen
  Task: When GST Web is first loaded, a disclaimer is shown in order to inform the user that no guarantee is provided for the accuracy of the 3D models. The user is also notified of which 3D capabilities the browser must have in order to use GST Web. The cookie stores whether this disclaimer has been shown so that returning users are not shown the disclaimer every time they visit the web application.
  Type: First-party cookie
  Lifetime: 7 days

Only anonymised data (only the first 2 bytes of the user’s IP address) is stored in relation to the use of this application. This data is not personal.

BKG web map services (WMS)

The GST Web application uses maps from the Federal Agency for Cartography and Geodesy (BKG), provided via WMS. Here, necessary data for providing the service is automatically recorded and stored in log files by the BKG. This data includes:

1. IP address
2. Type and version of your Internet browser
3. Operating system used
4. Page accessed
5. Previously visited page (referrer URL)
6. Time of the server request

This data is analysed and is needed by the BKG to initiate administrative or criminal prosecution in the event of attacks on the communications technology. For more information on the handling of this data, please refer to the BKG’s data protection declaration: https://www.bkg.bund.de/EN/Service/Privacy/privacy.html (external link).

Legal basis

Data is processed on the basis of Article 6, paragraph 1, sentence 1, letter e) GDPR in conjunction with section 5 of the BSI Act on the storage of data – for protection against attacks on the internet infrastructure of the BKG/communications technology of the federal government.

h) BGE Repository Search Navigator

Cookies

The section below relates to the cookies on the domain: https://navigator.bge.de 

We use cookies in the Repository Search Navigator. Cookies are set that are necessary for the site’s operation. Data is only passed on to third parties if you have agreed to this on request.

Necessary cookies help a website operate by facilitating basic features such as page navigation and access to secure areas of the site. Without these cookies, the Repository Search Navigator cannot operate properly.

Cookies used

• Name: be_typo_user
  Provider: navigator.bge.de
  Purpose: Maintains the user’s status for all page requests
  Expiry: Session
  Type: HTTP cookie
• Name: cc_cookie
  Provider: navigator.bge.de
  Purpose: Saves the user’s cookie approval status for cookies on the current domain
  Expiry: 182 days
  Type: HTTP cookie

Optional cookies are those that you must consent to before they are set. These cookies are set on https://navigator.bge.de during the use of the Repository Search Navigator in order to enable individual functions for which consent is required.

Cookies used

• Name: acceptedMap
  Provider: navigator.bge.de
  Purpose: Stores the user’s approval status for displaying the ESRI map
  Expiry: 7 days
  Type: HTTP cookie
• Name: acceptedYt
  Provider: navigator.bge.de
  Purpose: Stores the user’s approval status for displaying YouTube videos
  Expiry: 7 days
  Type: HTTP cookie

Possibility of eliminating cookies

The cookies are stored in the browser on your respective terminal device. You can also use the corresponding function in your web browser to delete the cookies at any time before the above storage periods expire. Moreover, you can set your browser so that no cookies are stored. Your browser gives you complete control.

Legal basis for the use of cookies

Article 6, paragraph 1, sentence 1, letter f) GDPR is the legal basis for technically necessary cookies because these are necessary for the operation of the website.

For statistics/analysis cookies and third-party cookies, the legal basis is derived from your consent in accordance with Article 6, paragraph 1, sentence 1, letter a) GDPR. You give your consent for statistics/analysis cookies when first accessing the BGE website. You give your consent for third-party provider cookies electronically via the cookie banner when first accessing the Repository Search Navigator. Data is only passed on to third-party providers if you have agreed to this on request.
 

The BGE provides information about open vacancies on this website. Thank you for visiting our career site and for your interest in the Bundesgesellschaft für Endlagerung mbH as an employer.

Online applications are submitted exclusively via our online applicant management system SAP SuccessFactors. You will find the complete data protection declaration for SAP SuccessFactors there before submitting your application. The BGE uses technical and organisational measures to protect the data collected from you against accidental or intentional manipulation, loss, destruction, or unauthorised access.

Legal basis

Your application data will be processed in accordance with Section 26, paragraph 1, BDSG for the purpose of deciding on whether to establish an employment relationship or, after its establishment, for its implementation.

Storage duration

If the employment relationship comes about, your application documents will become part of the personnel file and will be kept in accordance with the legal requirements. If we do not conclude an employment contract with you and/or do not conclude any other written agreement with regard to the further retention of the submitted applicant data, the application documents will be deleted six months after announcing the rejection decision provided that no other legitimate interests on our part conflict with a deletion. Another legitimate interest in this sense is, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG).

BGE publishes current invitations to tender on the "invitations to tender" part of the website. We are pleased about your interest in submitting offers.

Tenders or requests to participate in award procedures are usually submitted via the service provider subreport online (www.subreport.de (external link)). subreport online is operated by subreport Verlag Schawe GmbH, Buchforststraße 1-15, 51101 Cologne, Germany. There is a contract processing relationship between the BGE and the service provider (external link, German only) in accordance with Article 28 GDPR, the contract of which you can view as an example. You can view the data protection regulations of subreport (external link, German only).

Access to your data will be granted only to the persons responsible for its processing. In particular, employees of the awarding authority receive offers. In addition, responsible data protection officers, quality managers, internal auditors, invoice and price auditors, and members of the audit institutions can also gain insight into your data.

Legal basis

Data in connection with participation in award procedures is processed on the basis of Article 6, paragraph 1, sentence 1, letter b) GDPR for the purpose of initiating or implementing a contract.

Storage duration

The data will be stored for as long as necessary to fulfil contractual or legal obligations. If the data is no longer required for this purpose, it is regularly deleted. However, this is not the case if their temporary further processing results from the following purposes:

• Fulfilment of commercial and tax law retention obligations:
  The German Commercial Code (HGB) and the German Fiscal Code (AO) are to be mentioned. The periods of retention or documentation specified there are two to ten years.
• Preservation of evidence within the framework of the legal statute of limitations. According to Sections 195 et seqq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years.

When BGE operates video surveillance on its property, it does so for the following purposes:

• Enforcement of householder’s rights
• For danger prevention (theft, vandalism)
• To protect against disruptive action and other third-party interference
• To support the security service
• For purposes of preservation of evidence 

Legal basis

The legal basis derives from the legitimate interest under Section 6 paragraph 1, sentence 1, letter f) GDPR, which consists of the aforementioned purposes.

The recording data is deleted or overwritten after a maximum of 72 hours if no event worthy of documentation has occurred. There is no sound recording.

The records are handed over to the police, public prosecutor’s office, or a court on their orders.

Because of its legal mandate, BGE is obliged to carry out extensive public relations work. At events organised by the BGE or at events co-organised by the BGE, photographs and film recordings of speakers, participants, and guests may be taken and distributed for the purposes of documentation and public relations work. Such recordings may be used on this website, in publications or internal presentations, or may be forwarded to the media.

This fact is pointed out in the invitations issued by BGE and also at the venue itself.

Legal basis

These records are based on Article, 6 paragraph 1, sentence 1, letter e) GDPR. There is a public interest in the final disposal of radioactive waste and related events. The interests of the persons concerned are safeguarded. For example, photographs are taken without consent in accordance with Article 6, paragraph 1, sentence 1, letter a) GDPR only if they are large group or overview photographs. Targeted portraits or close-ups of individual persons or children are taken only with their consent.

The Conference on Sub-areas Database is an online database that is publicly accessible via the BGE website (www.bge.de) and contains data along with notes, comments and questions regarding the site selection procedure and the Sub-areas Interim Report. Using the information provided by the database, interested citizens can trace how the results of the Conference on Sub-areas are handled and how they are taken into account at a later stage in the procedure.

No personal data is transmitted during the use of the database. The hosting of the database is provided by Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg. Our server is located in Germany. The database and therefore the documents stored in it are to remain publicly accessible until the end of the site selection procedure.

The BGE has set up a whistleblower system (reporting office) for reporting indications of possible infringements of laws or rules. Data processing within the framework of the whistleblower system is carried out in accordance with the German Whistleblower Protection Act (HinSchG). Moreover, the processing of data serves to handle reports that do not fall within the scope of HinSchG. This serves to maintain sound administrative procedures and to protect the assets of the BGE, its partners, and its business partners. For example, these reports include violations of internal guidelines and of the BGE’s Code of Conduct. Lastly, data processing serves to accept and investigate complaints in accordance with the Supply Chain Act (LkSG). These complaints relate to violations of human rights and environmental due diligence as regulated in LkSG.

Legal basis

The whistleblower’s personal data is generally processed on the basis of Article 6, paragraph 1, letter c, GDPR in conjunction with section 12 HinSchG or in conjunction with section 8 LkSG. In other cases, personal data in the whistleblower system is processed based on Article 6, paragraph 1, letter f, GDPR in order to safeguard the overriding legitimate interest of the BGE. This legitimate interest lies in preventing and combating corruption and in processing serious suspected cases of other rule violations in connection with the BGE and protecting the BGE and its employees from any potential resulting harm. Given that the reporting of violations can avoid legal consequences such as prosecution, claims for damages and considerable reputational damage, this interest is not overridden by the legitimate interests of the affected individuals in excluding processing or use.

The following data is processed:

• details of the accused (e.g. first name, surname, title, contact details, position and details of the employment relationship)
• details of the (alleged) behavioural violations and of the circumstances

Since the BGE’s whistleblower system provides for anonymous reporting, no personal details of the whistleblower are collected unless they state otherwise. In the event of non-anonymous reporting, personal data such as the first name and surname of the reporting individual and, if need be, their email address, phone number or address, depending on the reporting channel, are collected along with the circumstances of the observation.

The recipients of the personal data are the BGE’s Compliance and Anti-Corruption Officer, who is responsible for the reporting office, and their representatives as well as, where applicable, other bodies following consent by the whistleblower.

Retention period

Following completion of the procedure, documentation relating to reports pursuant to HinSchG is deleted after three years (section 11(5) HinSchG) and documentation relating to complaints pursuant to LkSG is deleted after seven years (section 10(2), sentence 2, LkSG). Otherwise, personal data from reports is deleted within a reasonable period of time in accordance with the applicable legal provisions.

The data protection regulations may have to be adapted because of technical developments, jurisdiction, or legal changes.

In order to keep yourself informed about the current status of our data use conditions, you should visit this page regularly.

Changes will be announced and updated here in the future:

• Removal of the references in Item 4 d), e) to the US Privacy-Shield certification regarding YouTube and esri because of ECJ decision C-311/18 of 16 July 2020
• Insertion of references in Item 4 d), e) to the fact that in the US there is no current level of data protection comparable to that in the EU and that the decision to transfer one’s data to the US is up to the user.