Effective from: 13 November 2024
Handling personal data responsibly is a top priority for the federal administration. We want to ensure that users know when and which data are collected and used while they are using the Federal Central Invoice Submission Portal (hereinafter referred to as the “ZRE”, an abbreviation of its German name “Zentrale Rechnungseingangsplattform des Bundes”).
The Procurement Office of the Federal Ministry of the Interior (Beschaffungsamt des BMI) is responsible for processing personal data.
Procurement Office of the Federal Ministry of the Interior (Beschaffungsamt des BMI)
Brühler Str. 3
53119 Bonn
Germany
Email: e-rechnung@bescha.bund.de
http://www.beschaffungsamt.de
The Procurement Office of the Federal Ministry of the Interior is responsible for the care and maintenance of the ZRE and undertakes to fulfil all data privacy requirements for the portal. The Procurement Office of the Federal Ministry of the Interior is responsible for the ZRE website itself, and for the registration and authentication of ZRE accounts. It undertakes to fulfil all data privacy requirements, in particular:
Data Protection Officer of the Procurement Office of the Federal Ministry of the Interior
Brühler Str. 3
53119 Bonn
Germany
Tel.: +49 (0)22899 610-0
Email: datenschutz@bescha.bund.de
Each time the ZRE website is accessed, personal data and other data from the user's computer are used automatically.
The following data are recorded in this context:
The Procurement Office of the Federal Ministry of the Interior analyses these data, which are first rendered anonymous, for purely statistical purposes in order to continuously improve the ZRE.
The recorded data are not linked to the user's other personal data.
Article 6 (1) (e) of the GDPR provides the legal basis for the storage of personal data for the purposes of tracing and analysing possible errors in the system so that these errors can be swiftly rectified in the public interest, thus safeguarding the operation of the ZRE.
Data which are stored temporarily for the purpose of making the website available for use are deleted when the user's session ends.
The temporary collection and storage of data is essential for providing and operating the ZRE website.
The ZRE website uses cookies. Cookies are text files which are stored in the internet browser or which the internet browser stores on a user's computer system. When a user accesses the ZRE website, a cookie may be stored on the user's computer system. This cookie contains a distinctive sequence of characters which allows the browser to be clearly identified the next time the user accesses the website. The ZRE website only uses session cookies. These become invalid as soon as the user leaves the website, and can be deleted locally by the user by changing the browser settings accordingly.
Article 6 (1) (e) of the GDPR, in conjunction with section 3 (2) of the Ordinance on Electronic Invoicing in Federal Public Procurement (E-Rechnungsverordnung, ERechV), provides the legal basis for the use of cookies in relation to the ZRE's task of forwarding invoices to recipients and the associated need for registration pursuant to the Online Access Act (Onlinezugangsgesetz, OZG).
Some of the functions of the ZRE website cannot be used without cookies. In order to provide these functions, it is essential that the user's browser can still be recognised after the user navigates to a different page on the site.
The user data collected using cookies which are necessary for technical reasons are not used to compile user profiles.
Cookies are stored on the user's computer and then transmitted to the ZRE website. By changing the settings in their internet browser, users can deactivate or restrict the transmission of cookies. Previously stored cookies can be deleted at any time by the user. This can also be done automatically. If cookies are deactivated, however, it may not be possible to use all of the functions of the ZRE website.
The ZRE website gives users the option of registering with the portal by setting up a user account. Users also have the option to create company accounts. Personal data and companyrelated user data are collected and stored during the registration process and when creating such accounts.
The following data are stored during the registration process when setting up a user account:
The following data are stored when company accounts are created:
Administrator rights enable the user to administer the company account that they have set up.
During the registration process the user must consent to the terms of use, and a record of their consent is stored.
After signing into the user account, the following data are stored in relation to the user's activities:
Article 6 (1) (e) of the GDPR, in conjunction with section 3 (2) of the Ordinance on Electronic Invoicing in Federal Public Procurement, provides the legal basis for the processing of the data. The data are processed for the purpose of forwarding invoices to recipients, and due to the associated need for registration pursuant to the Online Access Act.
The data are deleted as soon as they are no longer needed for processing purposes. This is the case if the user account and the user's company accounts are deleted. In the event of an amendment to the details in the user or company account, the revised information is stored and the original information is deleted. Please note that an account is only permanently deleted after a 30-day retention period. The user account is also deleted if the user has not used it for more than 365 days.
Please note that if a user account is deleted, the company accounts linked to the user account will also be deleted automatically.
Users can delete their user account and the associated company accounts, or amend their stored personal data, at any time.
Users can submit electronic invoices via their user account using various transmission methods. These are:
As well as the content of the electronic invoice, the following data are also processed when electronic invoices are submitted using one of the above mentioned transmission methods:
Article 6 (1) (e) of the GDPR, in conjunction with section 3 (2) of the Ordinance on Electronic Invoicing in Federal Public Procurement, provides the legal basis for the storage of the data.
The processing of the data serves the purpose of a) validating a submitted electronic invoice in accordance with the XRechnung standard in its current version, b) logging the status of a submitted electronic invoice, c) enabling a connection to be made between the electronic invoice and the user submitting the invoice, and d) forwarding the invoice to the competent federal authority which is the addressee of the invoice.
Invoice data are further processed by the invoice recipient solely with the purpose of processing the invoice in accordance with current budget and economic management regulations and to document adherence to these regulations (see section 90 Federal Budget Code; Bundeshaushaltsordnung, BHO).
Invoices are deleted by the operator 30 days after their delivery via the ZRE, regardless of their processing status.
Data connected to the processing of an invoice (invoice and invoice data) are generally stored for five years by the invoice recipient in accordance with section 4.7 of the “administrative regulation for payments, accounting and invoicing” of the Federal Budget Code (Verwaltungsvorschrift für Zahlungen, Buchführung und Rechnungslegung - Bundeshaushaltsordnung, VV-ZBR BHO). To allow for individual agreements in special cases, the duration of storage for electronic invoices may be extended in these cases by the authority.
For as long as a user makes use of the ZRE, the Procurement Office of the Federal Ministry of the Interior has the right to process the user's nonpersonal transaction and volume data in connection with invoices sent. These data are used to produce anonymous monthly and quarterly reports about the operational capacity of the ZRE. This information can then be used to scale, refine and improve the ZRE.
Specifically, the following data are stored:
a) the number of sent invoices per invoice recipient, the associated buyer references (Leitweg-ID), the processing status of invoices and the dates of changes in their processing status; these data are recorded without any reference to the invoice sender
b) the number of uploaded files, the size of uploaded files (measured roughly in groups) the number of different file types (e.g. pdf, docx, xlsx) and the number of upload errors according to various categories.
The above described transaction and volume data, which are required for creating the anonymous monthly and quarterly reports, are deleted after a period of 365 days.
In some cases, the Procurement Office of the Federal Ministry of the Interior may be obliged by law to grant other public authorities access to personal data. In such cases, the data may be processed by law enforcement agencies or the Federal Office for Information Security (BSI) if this is necessary in order to avert a threat to public security, to prosecute criminal offences or to defend against attacks on our IT infrastructures. Otherwise these data are not shared with third parties. The Procurement Office of the Federal Ministry of the Interior does not combine these data with other data sources, for example to create user profiles.
The ZRE's controller and data protection officer (see sections II and IV, respectively) may be contacted in the event of questions relating to data privacy.
In case of technical or specialist questions, the user can contact the ZRE help desk. The help desk can be contacted by telephone on working days from Monday to Friday, 08:00-16:00 (CET) on +49 (0)30 2598 4436, or any time via email: sendersupport-xrechnung@bdr.de.
You have the following rights which must be respected by the Procurement Office of the Federal Ministry of the Interior with regard to personal data concerning you:
This right gives data subjects comprehensive access to data concerning them and to a few other key criteria, such as the purpose of processing or the length of storage. Exceptions to this right are governed by section 34 of the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).
The right to rectification includes the option of having inaccurate personal data concerning the data subject corrected.
This right enables data subjects to have the controller delete data concerning them. However, such data may be deleted only if they are no longer needed, if they were processed unlawfully or if consent covering their processing has been withdrawn. Exceptions to this right are governed by section 35 of the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).
This right enables data subjects to temporarily prevent further processing of personal data concerning them. Such a restriction is used above all when data subjects are examining whether to claim other rights.
This right enables data subjects to object, on grounds relating to their particular situation, to the further processing of their personal data when the justification for this processing is based on the need to perform public tasks or to exercise public and private interests. Exceptions to this right are governed by section 36 of the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).
The right to data portability gives data subjects the option of receiving from the controller the personal data concerning them in a commonly used and machine-readable format in order to have them transmitted to another controller. According to Article 20 (3) sentence 2 of the GDPR, this right does not apply if the data processing is necessary in order to perform tasks in the public interest.
If the personal data are processed on the basis of consent, data subjects can withdraw their consent at any time for the purpose in question. The lawfulness of processing on the basis of consent remains unaffected until notification is received that consent has been withdrawn.
You can claim these rights by writing to the contact listed in section II of this privacy policy.
If you think that the processing of your personal data infringes on your rights, you can lodge a complaint with the competent data protection supervisory authority (Article 77 GDPR):
Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Husarenstr. 153
53117 Bonn
Germany
Tel.: +49 (0)228 997799-0
Email: poststelle@bfdi.bund.de
https://www.bfdi.bund.de/