1. Controller and data protection officer

Responsible for the processing of your personal data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) is

Robert Koch Institute
Nordufer 20
13353 Berlin
E-mail: zentrale@rki.de

Questions and concerns about data protection can be addressed to the RKI data protection officer: Robert Koch Institute, attn. Data Protection Officer, Nordufer 20, 13353 Berlin or by e-mail to: datenschutz@rki.de.

2. Scope of the processing of personal data

Personal data is information relating to an identified or identifiable individual. This includes information that allows conclusions to be drawn about your identity. Further definitions of the terms used (e.g. "processing") can be found in Art. 4 GDPR.

2.1 Accessing and visiting the website

Each time you use this website, your browser automatically sends certain access data that enables you to visit the website. This access data includes in particular:

• date and time of access
• name of the requested file
• website from which the request originates
• access status (e.g. file transferred, file not found)
• the web browser you are using and the operating system of your device
• the IP address of the requesting device
• online identifiers (e.g. device identifiers, session IDs).

The processing of this data is absolutely necessary in order to enable the use of this website within the framework of the legal fulfilment of the tasks of the RKI and to ensure the permanent functionality and security of our systems. For the purposes described above, the connection data is also temporarily stored in log files on an external server of our service provider 'Informationstechnikzentrum Bund (Federal Centre for Information Technology, ITZBund) ' on our behalf beyond the time of the visit. This is necessary in order to determine the cause and take action in the event of repeated or criminal access that jeopardises the stability and security of the survey platform.

The legal basis for the processing is Art. 6 para. 1 lit. e GDPR in conjunction with § 3 BDSG in conjunction with § 2 para. 3 lit. 1, 2, 4 BGA-Folgegesetz (BGA Succession Act) in conjunction with § 4 IfSG. The processing serves to protect the internet infrastructure of the RKI and the communication technology of the Federal Government against attacks, even beyond the time of your visit.

When you visit the RKI website, the RKI also collects data during an ongoing connection via the Internet browser and with the help of technically necessary so-called session cookies. This data only relates to the IP address. The session cookies enable the functionality of these applications.

2.2 Cookies and web tracking

So-called temporary cookies are used when accessing individual pages to facilitate navigation. These session cookies do not contain any personal data and expire at the end of the session. We do not use techniques such as Java applets or Active-X controls to track user access behaviour.

We use the web analytics service Matomo to help us optimise this website and to ensure that it is designed to meet the needs of our users. The legal basis for the processing is your consent (Art. 6 para. 1 lit. a GDPR).

Matomo uses 'cookies', which are small text files stored on your computer, that enable an analysis of your use of the Internet pages. These 'session cookies' are only temporarily stored on your computer and are deleted as soon as you close your web browser. The information generated by cookies about your use of our website is stored on the provider's server in Germany and evaluated exclusively by the ITZBund. These evaluations do not contain any personal data. The Robert Koch Institut uses these evaluations exclusively for the analysis, maintenance and improvement of its website. The data collected will not be passed on to third parties.

Every time a user accesses the RKI's online content and every time a file is downloaded, data about this process must be temporarily processed in a log file. Your IP address is neither recorded nor stored in the access logs of the web servers of our hosting platform.

The following data are processed for each access / retrieval:

• Date and time of access (time stamp)
• Request details and destination address (protocol version, HTTP method, referrer, user agent string)
• Name of the retrieved file and amount of data transferred (requested URL including query string, size in byte)
• Report on whether the request was successful (HTTP status code)

This data will be stored by the ITZBund for 30 days.

Withdrawal of consent of data collection by Matomo

Matomo supports the 'Do Not Track' feature of current web browsers. If you want to prevent your behaviour on the internet from being analysed in general, we recommend that you activate this option in your browser.

This allows you to decide whether a unique web analytics cookie should be stored in your browser, enabling the website operator to collect and analyse various statistical data. If you wish to opt out, please select the appropriate option to store the Matomo opt-out cookie in your browser.

2.3 Contacting the RKI

There are several ways to contact staff at the Institute.

Contacting us by e-mail

If you contact us by e-mail using one of the above e-mail addresses, the data you provide (in particular your first name, last name and e-mail address, as well as the information/personal data contained in the e-mail) will be processed in order to deal with your enquiry. To the extent necessary to respond to your request, we will forward your request to the appropriate departments within the RKI for response. The legal basis for the processing is Art. 6 para. 1 lit. e GDPR in conjunction with § 3 BDSG. We will delete your data after processing your request, unless there are statutory retention periods.

Contacting us via the contact form

If you contact us using the contact form, we will process the data you provide. In order for us to process your enquiry, you will need to provide an e-mail address and your request. These fields are marked as mandatory. The legal basis for the processing is Art. 6 (1) (e) GDPR in conjunction with § 3 of the German Federal Data Protection Act (BDSG). If you voluntarily provide us with additional information, such as your first and last name or telephone number, the legal basis for the processing is your consent (Art. 6 para. 1 lit. a DSGVO). You may withdraw your consent at any time with effect for the future. If retention periods prevent the data from being deleted, the processing of the data will be restricted. For more information, see the section "your data privacy rights".

Your information will be transmitted in encrypted form via a secure socket layer (SSL) connection so that it cannot be viewed by unauthorised parties.

Contacting us by phone or fax

If you contact the RKI by phone or fax, we will process the personal data you provide (e.g. last name, first name, telephone or fax number; information contained in the fax) in order to contact you and process your enquiry. The legal basis for the processing is Art. 6 par. 1 lit. e GDPR in conjunction with § 3 BDSG.

2.4 Newsletter

If you subscribe to our newsletters, we will store your email address and registration date for the duration of your subscription. The legal basis for the processing of your data is your consent when ordering the respective newsletter (Art. 6 para. 1 lit. a GDPR).

After registering to receive the newsletter, you will receive an automatically generated confirmation message. Registration is only completed when you click on the confirmation link in the e-mail (double opt-in) to prevent unauthorised registration of your email address. If you unsubscribe, your data will be deleted. You can unsubscribe at any time by clicking on the unsubscribe link at the end of each e-mail or by sending a separate email to the editorial team. For more information, see the section "your data privacy rights".

2.5 Order printed material

If you order printed material such as brochures by emailing info@rki.de, we require the following personal data to process your order:

• Last name, first name,
• Street, house number,
• postcode and city,
• e-mail address.

The legal basis for the processing of your data is your consent in accordance with Article 6(1)(a) GDPR. If the above information is not provided, we will not be able to process your order.

The data you provide will be deleted 90 days after processing your order.

2.6 Internal areas (for specialist audience)

When you access a personalised internal area within www.rki.de, your e-mail address and personal password are stored securely. The legal basis for the processing of your data is your consent when you register for the respective internal area (Art. 6 para. 1 lit. a DSGVO). You can withdraw your consent to further processing at any time with effect for the future. When you deregister, your data will be deleted. For more information, see the section "your data privacy rights".

For other restricted areas within www.rki.de, the RKI provides a username and password; this data is not personal.

The login is not evaluated.

2.7 Transmission of data to third countries

As explained in this privacy policy, we use services whose providers are sometimes located in so-called third countries (such as the USA), i.e. countries where the level of data protection does not correspond to that in the European Union. Where this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, in particular, the standard data protection clauses of the European Union (Art. 46 (2) (c) GDPR) including, where applicable, additional clauses containing further protective measures. In this case, you have the right to request a copy of the 'standard data protection clauses'.

If a transfer to a third country takes place and there is no adequacy decision or appropriate safeguards, it is possible and there is a risk that authorities in the respective third country (e.g. secret services) may gain access to the transferred data to collect and analyse them, and that your rights as a data subject cannot be guaranteed.

3. Your data privacy rights

If we process any of your personal data, you have the following data privacy rights:

• the right to be informed at any time about the processing of your personal data (Art. 15 GDPR),
• the right to have inaccurate data corrected or incomplete data completed (Art. 16 GDPR),
• the right to have data deleted or its processing restricted in accordance with legal requirements (e.g. in the event of withdrawal of your consent or unlawful processing) (Art. 17, 18 GDPR),
• the right to withdraw your consent at any time with effect for the future in the case of consent-based data processing (Art. 7(3) GDPR),
• the right to data portability (you may obtain an overview of your data in an electronic format) (Art. 20 GDPR),
• the right to object to data processing that is carried out on the grounds of a legitimate interest of the RKI, for the performance of public tasks or in the exercise of official authority (Art. 21 GDPR),
• the right to contact the data protection officer of the RKI and to submit your requests (Art. 38 para. 4 DSGVO) and
• the right to complain to the competent data protection authority (The Federal Commissioner for Data Protection and Freedom of Information, Graurheindorfer Str. 153 - 53117 Bonn, +49 (0)228-997799-0, e-mail: poststelle(at)bfdi.bund.de, https://www.bfdi.bund.de) (Art. 77 (1) GDPR).