Privacy policy

Data privacy policy: Social Platform (website operation)

In this privacy policy for the Social Platform, which can be accessed at https://sozialplattform.de, we explain below how information that can be individually used to identify you or others as a person (the "personal data") is processed and used on the Social Platform.

We explain for each step of the data processing,

  • which authority is responsible in each case under data protection law (see para. 1),
  • whom you can contact if you have any questions about data protection (see para. 2), and
  • what rights you and other persons whose personal data is processed have (see para. 3).

We explain in para. 4 the individual steps of the data processing, in particular why these steps are carried out in each case, on what legal basis, how the steps work in each case and how the personal data are specifically processed in each case.

1. Controller

For the operation of the website of the Social Platform and the information offered, i.e. all data processing steps described under para. 4.2, the following authority is the controller and thus responsible under data protection law:

Ministry of Labour, Health and Social Affairs of the State of North Rhine-Westphalia
Fürstenwall 25
40219 Düsseldorf

The controller can be contacted for general enquiries (for data protection issues, see para. 2) as follows:

Phone: (02 11) 855 - 5
Email: poststelle@mags.nrw.de

For data protection queries, the data protection officer of the controller should be contacted directly. The contact details are given in para. 2.

2. Data protection officer

Contact details of the data protection officer:

Ministry of Labour, Health and Social Affairs of the State of North Rhine-Westphalia
Datenschutzbeauftragte [Data Protection Officer]
Fürstenwall 25
40219 Düsseldorf

Telephone: (02 11) 855 - 5
Email: datenschutz@mags.nrw.de

3. Rights as a data subject

Any person whose personal data is processed by a public authority may assert the following rights as a data subject against the respective authority (controller, see para. 1).

3.1. Right of access

Data subjects may request information from the authority pursuant to Article 15 GDPR as to whether personal data concerning them are being processed. If this is the case, data subjects may request the information on data processing referred to in Article 15 GDPR.

3.2. Right to rectification

Data subjects may request the authority to correct inaccurate personal data concerning them or to complete incomplete personal data, if applicable, in accordance with Article 16 GDPR.

3.3. Right to erasure

Data subjects may ask the authority, in accordance with Art. 17 GDPR, to delete personal data concerning them, provided that the conditions specified in Art. 17 GDPR are met.

3.4. Right to restriction of processing

Data subjects may request pursuant to Article 18 GDPR that the authority restrict the processing of personal data concerning them, provided that the conditions set out in Article 18 GDPR are met.

3.5. Right to object against processing

Data subjects may object, on grounds relating to their particular situation, to the processing of personal data concerning them carried out on the legal basis of Article 6(1)(e) GDPR to the authority referred to in Article 21 of the GDPR.

The authority shall then no longer process the personal data unless it can demonstrate and, where applicable, prove that the conditions for continuing to process such data are met.

3.6. Right to lodge a complaint with the data protection supervisory authority

Data subjects may lodge a complaint about the processing of personal data concerning them by the authority at any time. Such a complaint shall be lodged with the competent data protection supervisory authority designated below.

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen [State Commissioner for Data Protection and Freedom of Information for North Rhine-Westphalia]
Postfach [PO Box] 20 04 44
40102 Düsseldorf

Tel.: +49 (0)211 38424-0
Fax: +49 (0)211 38424-999
Email: poststelle@ldi.nrw.de

Further contact options and complaint forms, etc. at https://www.ldi.nrw.de/metanavi_Kontakt/index.php

4. How your personal data are processed

In this para. 4 we explain the individual processing steps in which personal data are processed.

4.1. Technical operation of the Social Platform

The technical operation of the Social Platform, and therefore all processing of personal data in accordance with this Privacy Policy, is carried out entirely by Landesbetrieb Information und Technik Nordrhein-Westfalen (IT.NRW), Mauerstraße 51, 40476 Düsseldorf. IT.NRW acts in each case as a processor pursuant to Article 28 GDPR.

4.2. Visiting the website

Whose personal data are processed? (Categories of data subjects)

Every visitor to the website at https://sozialplattform.de.

Which categories of personal data are processed?

  • IP address of the accessing terminal or connection
  • Unique identifier to recognise the user across the entire website
  • Postcode selected in the search
  • Date and time of the access
  • Name of the accessed internet service, the accessed resource and the action used
  • Query made by the client
  • Data volume transferred
  • Message whether the retrieval was successful
  • Client information (including browser, operating system)

Why is the data processed? (Purposes of processing)

Ensuring the error-free operation of the Social Platform website, including troubleshooting, and providing the intended functionality of the website as well as defence against and analysis of attacks.

What happens to the personal data?

The storage and processing takes place on the one hand in server log files and on the other hand with the following cookies:

  • Session cookie: Used to assign activities on the platform (e.g. page changes) to a session, via the storage of a session identifier.
  • Function cookie: Used to temporarily store activities on the platform during an active session. These cookies prevent the language from having to be changed again after selecting a language and changing pages.
  • Log cookie: Used to save settings made and information given even beyond sessions, e.g. in the context of searching for a location.

What is the legal basis?

  1. Insofar as data is retrieved from the user's terminal device or stored on the terminal device, this is done on the legal basis of § 25(2) TTDSG, as the retrieval and storage are necessary for the provision and the intended functions of the Social Platform website.
  2. The legal basis for processing personal data is Article 6(1)(e) GDPR in conjunction with § 1(1) OZG and § 5a(2)(1) EGovG NRW, as the processing is necessary for the provision and the intended functions of the website of the Social Platform.

Is there an obligation to provide these personal data and what are the possible consequences if the data are not provided?

No, there is no obligation to enable the storage of cookies. However, the functionality of the Social Platform website may be limited if the storage of cookies in the browser is restricted or disabled.

How long will the personal data be stored?

After 48 hours, the server log files are restricted with regard to processing so that the data can only be restored from encrypted backups in individual cases on request. After 6 weeks, the data is also deleted from the encrypted backups.

The session cookie is valid for 10 minutes from the last interaction; the function cookie is valid for one year from the last interaction. The log cookie is valid indefinitely. All cookies, regardless of their validity, remain stored until they are deleted by the user in the browser, e.g. by activating a function to delete all cookies.

4.3. Use of the accessibility contact form

Whose personal data is processed? (Categories of data subjects)

Every visitor who uses the accessibility contact form on the website at https://sozialplattform.de.

What categories of personal data are processed?

  • Real name
  • Contact details (email address)
  • Registration
  • Time stamp
  • IP address
  • Information on devices used, operating systems, web browsers and any aids used

Why is the data processed? (Purposes of processing)

Provision of the contact form and possibility of responding to submissions made by website visitors concerning questions relating to the topic of accessibility and possible ways to improve access to the website of https://sozialplattform.de.

What happens to the personal data?

The data is stored and processed to respond to and process the submission in the accessibility contact form. This is also done by technical service provider IT.NRW (see section 4.1), which processes data on our behalf.

What is the legal basis?

The legal basis for the processing of personal data is point (c) of Article 6(1) and point (b) of Article 9(2) GDPR in conjunction with Sec. 10 (2) No. 2 of the Disabled Persons’ Equality Act for the State of North Rhine-Westphalia (BGG NRW) and Sec. 5 (2) of the Ordinance on Disabled Access to Information Technology for the State of North Rhine-Westphalia (BITV NRW).

Is there an obligation to disclose this personal data, and what might be the consequences of not providing the data?

No, there is no obligation to provide contact details or other information. If no contact details are provided, it is not possible to respond to the person who has made the submission.

How long is personal data stored?

The contact details and notice are erased immediately after the entry is responded to. In case of a dispute resolution/enforcement proceeding, the data is erased immediately after the proceeding is concluded.


 

Privacy Policy for Electronic Applications in the Procedure for Aid for Subsistence (HzL) on the Social Platform

In this privacy policy for the Social Platform, which can be accessed at https://sozialplattform.de, we explain below how information that can be individually used to identify you or others as a person (the "personal data") is processed and used on the Social Platform.

We explain for each step of the data processing,

  • which authority is responsible for data protection in each case (see para. 1),
  • whom you can contact if you have questions about data protection (see para. 2), and
  • what rights you and other persons whose personal data are processed have (see para. 3).

We explain in para. 4 the individual steps of the data processing, in particular why these steps are carried out in each case, on what legal basis, how the steps work in each case and how the personal data are specifically processed in each case.

1. Controller

The authority responsible for the processing of personal data (“controller”) in the context of the electronic application is the authority responsible for the further processing of the application in the subsequent administrative procedure or the authority to which the application is sent electronically.

The authority that is the controller under data protection law for the specific application is displayed after selecting the location on the service detail page.

For enquiries about data protection, the data protection officer of the respective authority should be contacted directly. The contact details are given in para. 2.
 

2. Data protection officer

The contact details of the data protection officer of the authority (controller pursuant to para. 1) are displayed after selecting the location on the service detail page.

 

3. Rights of the data subject

Any person whose personal data is processed by a public authority may assert the following rights as a data subject against the respective authority (controller, see para. 1).

 

3.1. Right of access

Data subjects may request information from the authority pursuant to Article 15 GDPR as to whether personal data concerning them are being processed. If this is the case, data subjects may request the information on data processing referred to in Article 15 GDPR.

 

3.2. Right of rectification

Data subjects may request the authority to correct inaccurate personal data concerning them or to complete incomplete personal data, if applicable, in accordance with Article 16 GDPR.

 

3.3. Right to erasure

Data subjects may request the authority to delete personal data concerning them pursuant to Article 17 GDPR, provided that the conditions set out in Article 17 GDPR are met.

 

3.4. Right to restriction of processing

Data subjects may request pursuant to Article 18 GDPR that the authority restrict the processing of personal data concerning them, provided that the conditions set out in Article 18 GDPR are met.

 

3.5. Right to object to processing

Data subjects may object, on grounds relating to their particular situation, to the processing of personal data concerning them carried out on the legal basis of Article 6(1)(e) GDPR to the authority referred to in Article 21 GDPR.

The authority shall then no longer process the personal data unless it can demonstrate and, where applicable, prove that the conditions for continuing to process such data are met.

 

3.6. Right to withdraw consent

Data subjects may at any time withdraw consent they have given to the authority for the processing of personal data relating to them in accordance with Article 7(3) GDPR. The withdrawal of consent is only effective for the future; the processing of personal data already carried out on the basis of the consent is not affected by the withdrawal.

A withdrawal may no longer have any effect if consent is given only for a single processing step, that step is carried out and completed immediately after consent is given, and subsequent processing steps are not carried out on the basis of consent.

 

3.7. Right to complain to the data protection supervisory authority

Data subjects may lodge a complaint about the processing of personal data concerning them by the authority at any time. Such a complaint must be lodged with the competent data protection supervisory authority.

 

4. How your personal data is processed

In this para. 4, we explain the individual processing steps in which personal data are processed. In doing so, we present the general and overarching processing steps (paras. 4.1 and 4.3) and in para. 4.2 we discuss the applications that can be submitted electronically via the Social Platform (currently: aid for subsistence).

 

4.1. Technical operation of the Social Platform

The technical operation of the Social Platform, and therefore all processing of personal data in accordance with this Privacy Policy, is carried out entirely by Landesbetrieb Information und Technik Nordrhein-Westfalen (IT.NRW), Mauerstraße 51, 40476 Düsseldorf. In each case, IT.NRW acts as a further processor for the authority responsible for data protection (controller pursuant to para. 1 above) in accordance with Article 28 GDPR in conjunction with § 80 SGB X.

 

4.2. Electronic applications for benefits

Below we present the individual applications that are submitted electronically via the Social Platform.


4.2.1. Aid for Subsistence (HzL)

Whose personal data are being processed? (Categories of data subjects)

  • Applicants, including e.g. legal representatives or legal guardians
  • Beneficiaries
  • Household members of the beneficiaries
  • Other persons with a family or similar relationship to the beneficiaries

 

What categories of personal data are processed?

Applicant: capacity as beneficiary, legal representative, or legal guardian; academic titles; name elements; first names; surname; maiden name; date of birth; place of birth; country of birth; sex.

Contact details: street; house number; address suffix; postcode; town; telephone number; e-mail address; means of identification (tax ID or pension insurance number); competent social welfare office; previous application for social welfare benefits; nationality; permanent residence in Germany; legal guardianship; legal representative; declaration of knowledge of legal instructions; declaration of commitment to notify changes to information provided.

Situation: information on current situation; marital status; health insurance; pregnancy; severe disability; other medical information.

Household: Information on other household members: Relationship to applicant; first names; surname; sex; date of birth; foster child status; permanence of household membership; marital status; nationality; earning capacity; receipt of other social benefits; pregnancy; eligibility for asylum; compulsory education; special medical needs.

Household: Information on other persons not living in the household: Relationship to applicant; first names; surname; date of birth; street; house number; address suffix; postcode; town.

Accommodation: Housing situation of the applicant; flat size; rental situation and amount; other cost situation.

Income: Income data; information on other state benefits applied for.

Expenditure: Details of specific types of expenditure.

Assets: Information on assets of both the applicant and other household members, including claims against third parties and reductions in assets such as donations or gifts.

Documents: Bank details; proofs and documents.

Metadata: Dispatch confirmation, success message, timestamp, ID of the application, user ID.

 

Why is the data processed? (Purposes of the processing)

Implementation of the administrative procedure for deciding on the entitlement to assistance for subsistence pursuant to §§ 27 ff. SGB XII by the competent social welfare agency (controller pursuant to para. 1).

 

What happens to the personal data?

The personal data are recorded electronically on the Social Platform and can be used in the administrative procedure to decide on the application. The data will be transmitted electronically to the competent social welfare agency (controller pursuant to para. 1).

 

What is the legal basis?

  1. The processing on the Social Platform by the Ministry of Labour, Health and Social Affairs of the State of North Rhine-Westphalia (MAGS NRW) and IT.NRW is carried out on behalf of the competent social welfare agency (controller pursuant to para. 1) in accordance with Article 28 GDPR in conjunction with § 80 SGB X.
  2. The competent social welfare agency (controller pursuant to para. 1) collects the personal data on the legal basis for the administrative procedure for aid for subsistence, i.e. Article 6(1)(e), Article 9(2)(b) GDPR in conjunction with §§ 27 ff. SGB XII, 67a SGB X, 35, 12, SGB I.

 

Is there an obligation to provide this personal data and what consequences can arise if the data is not provided?

According to §§ 60-62, 65 SGB I, anyone who wishes to receive aid for subsistence is obliged to provide all information relevant for the decision and, if necessary, to provide requested evidence.

The information and evidence do not have to be provided electronically via the Social Platform but can also be provided by other means of communication or in person.

The competent social welfare agency (controller according to para. 1) may refuse or withdraw benefits in whole or in part as long as the information required for the decision is not available.

 

How long will the personal data be stored?

  1. After sending the application, the personal data collected for the application will be deleted from the Social Platform immediately, usually after a few minutes.
  2. In the case of the competent social welfare agencies, the duration of the storage of personal data shall be governed by the principle of storage limitation set out in Article 5(1)(e) GDPR, which specifies the principle of data minimisation in terms of time. The competent social welfare agencies are responsible for determining the specific duration of storage. The maximum storage period is 30 years.

 

4.3. Comprehensive data processing for various electronic applications

The processing steps described in this para. 4.3 are implemented uniformly for all applications that can be submitted electronically on the Social Platform and apply to the application procedure referred to in para. 4.2 above.

 

4.3.1. Authentication by means of the new identity card (nPA) or electronic residence permit

Whose personal data are being processed? (Categories of data subjects)

Applicant

 

What categories of personal data are processed?

  • Family name
  • First name
  • Date of birth
  • Registration address

 

Why is the data processed? (Purposes of the processing)

Authentication of the applicant without media discontinuity in order to be able to assign an application to a user of the Social Platform.

 

What happens to the personal data?

When authenticating by means of the new identity card (nPA) or the electronic residence permit, the above-mentioned personal data are read from the secure memory chip of the nPA with the reader (e.g. smart card reader or smartphone) and transmitted directly to the local web browser and from there to the Social Platform via the locally installed AusweisApp2. During this transmission, no third party intervenes as an intermediary for the data.

Here, the personal data on the Social Platform is transferred to the application, but can be changed by the user.

 

What is the legal basis?

  1. The query of the above-mentioned data shall only take place with the consent of the applicant.
  2. The processing on the Social Platform by MAGS NRW and IT.NRW is carried out by way of commissioned processing pursuant to Article 28 GDPR in conjunction with § 80 SGB X for the respective authority responsible for the application in terms of data protection law (pursuant to para. 1).
  3. The authority responsible for the application (controller pursuant to para. 1) collects the personal data on the legal basis for the respective administrative procedure. The legal basis for the administrative procedure is stated for the respective procedure in para. 4.2.

 

Is there an obligation to provide this personal data and what consequences can arise if the data is not provided?

The applicant is not obliged to identify himself or herself to the authority responsible for the administrative procedure to decide on the application (controller pursuant to para. 1) by means of an ID card or electronic residence permit.

However, all applications that can be submitted electronically via the Social Platform technically require legitimisation, either via the nPA, electronic residence permit or a user account.

The electronic application cannot be completed without proof of identity. However, the applicant is still free to submit the application to the competent authority by post or in person.

 

How long will the personal data be stored?

The personal data shall be stored in the application on the Social Platform and shall be deleted on the Social Platform with the other application data after the application has been sent to the competent authority (controller pursuant to para. 1).

The personal data shall furthermore be stored by the competent authority (controller pursuant to para. 1) in the respective administrative procedure for the decision on the application in accordance with the regulations applicable there.

 

4.3.2. Authentication via user account

Whose personal data are being processed? (Categories of data subjects)

Applicant

 

What categories of personal data are processed?

  • Family name
  • First name
  • Date of birth
  • Registration address
  • Salutation
  • E-mail address
  • Mobile number
  • User account mailbox

 

Why is the data processed? (Purposes of the processing)

Authentication of the applicant without media discontinuity in order to be able to assign an application to a user of the Social Platform.

 

What happens to the personal data?

When authenticating by means of a user account, e.g. the Servicekonto.NRW, a service account of the federal government or another federal state, the above-mentioned personal data, if stored in the user account, will be transferred to the respective application.

The data is retrieved from the authority responsible for maintaining the respective user account (transmission).

Here, all transferred data can be changed and overwritten by the applicant.

 

What is the legal basis?

  1. The retrieval of the above-mentioned data shall only take place with the consent of the applicant pursuant to § 8 (6) OZG.
  2. The processing on the Social Platform by MAGS NRW and IT.NRW is carried out pursuant to Article 28 GDPR in conjunction with § 80 SGB X on behalf of the respective authority responsible for the application (controller pursuant to para. 1).
  3. The authority responsible for the application (controller pursuant to para. 1) collects the personal data on the legal basis for the respective administrative procedure. The legal basis for the administrative procedure is stated for the respective procedure in para. 4.2.

 

Is there an obligation to provide this personal data and what consequences can arise if the data is not provided?

The applicant is not obliged to legitimise himself or herself by means of a user account to the authority responsible for the administrative procedure for deciding on the application (controller pursuant to para. 1) or to consent to the transfer of data.

However, all applications that can be submitted electronically via the Social Platform technically require legitimisation, either via the nPA, electronic residence permit or a user account.

The electronic application cannot be completed without proof of identity. However, the applicant is still free to submit the application to the competent authority by post or in person.

 

How long will the personal data be stored?

The personal data shall be stored in the application on the Social Platform and shall be deleted on the Social Platform with the other application data after the application has been sent to the competent authority (controller pursuant to para. 1).

The personal data shall furthermore be stored by the competent authority (controller pursuant to para. 1) in the respective administrative procedure for the decision on the application in accordance with the regulations applicable there.

 

4.3.3. Storage of unsent applications

Whose personal data are being processed? (Categories of data subjects)

The same persons as in the respective application

 

What categories of personal data are processed?

The same categories as in the respective application

 

Why is the data processed? (Purposes of the processing)

Enabling the interruption and later completion of an application, e.g. to provide further information or documents relevant to an application.

 

What happens to the personal data?

The data is stored on the Social Platform. Beyond that, no further processing of the data takes place.

 

What is the legal basis?

The processing on the Social Platform by MAGS NRW and IT.NRW is carried out pursuant to Article 28 GDPR in conjunction with § 80 SGB X on behalf of the respective authority responsible for the application (controller pursuant to para. 1).

The authority responsible for the application (controller pursuant to para. 1) collects the personal data on the legal basis for the respective administrative procedure, as the efficient execution of the application also requires the storage of intermediate statuses of the application, as would also be possible with paper forms. The legal basis for the administrative procedure is specified for the respective procedure in para. 4.2.

 

Is there an obligation to provide this personal data and what consequences can arise if the data is not provided?

The applicant is not obliged to save the data on the Social Platform. Saved applications can be deleted at any time. However, all data must then be re-entered when submitting a new application.

 

How long will the personal data be stored?

Saved applications are deleted no later than 30 days after the last change to the application, unless they are sent before then. After that, applications deleted in the system can still be reconstructed from encrypted data backups for a period of 4-6 weeks.

 

4.3.4. Transmission of sent applications

Whose personal data are being processed? (Categories of data subjects)

The same persons as in the respective application

 

What categories of personal data are processed?

The same categories as in the respective application

 

Why is the data processed? (Purposes of the processing)

Carrying out the administrative procedure to decide on the respective application.

 

What happens to the personal data?

After an application has been sent by clicking on the "send" button, the data is first forwarded to the "Central Data Exchange Infrastructure" (ZDI), which is operated by IT.NRW.

The operator of the ZDI (IT.NRW) prepares the application technically and forwards it to the authority responsible for the administrative procedure to decide on the application (controller pursuant to para. 1).

 

What is the legal basis?

  1. The transfer to the "Central Data Exchange Infrastructure" (ZDI) and processing by its operator is carried out pursuant to Article 28 GDPR in conjunction with § 80 SGB X on behalf of the authority responsible for the application (controller pursuant to para. 1).
  2. The authority responsible for the application (controller pursuant to para. 1) collects the personal data on the legal basis for the respective administrative procedure. The legal basis for the administrative procedure is stated for the respective procedure in para. 4.2.

 

How long will the personal data be stored?

The data is deleted at the ZDI immediately after it has been processed and transmitted to the responsible authority. This processing and transmission usually takes a few seconds to a few minutes.

 

4.3.5. Session cookie of the form management system

Whose personal data are being processed? (Categories of data subjects)

User of the web browser used to complete the online application form

 

What categories of personal data are processed?

Unique identifier to recognise the user in the form management system.

 

Why is the data processed? (Purposes of the processing)

Unique assignment of the application form to a specific browser session and assignment of the communication between the form management system and the browser.

 

What happens to the personal data?

The unique identifier is stored in a cookie file on the user's computer.

 

What is the legal basis?

  1. The processing on the Social Platform by MAGS NRW and IT.NRW is carried out pursuant to Article 28 GDPR in conjunction with § 80 SGB X on behalf of the respective authority responsible for the application (controller pursuant to para. 1).
  2. The respective authority responsible for the application (controller pursuant to para. 1) processes the personal data on the legal basis for the respective administrative procedure mentioned in para. 4.2, as this processing is technically necessary for the online application.
  3. Insofar as data is retrieved from the user's terminal device or stored on the terminal device, this is done by the authority responsible for the application (controller pursuant to para. 1) on the legal basis of § 25(2) TTDSG, as the retrieval and storage are necessary for the function of the online application.

 

How long will the personal data be stored?

The session cookie, which contains the unique identifier, is deleted when the web browser is closed.


 

Privacy Policy for Electronic Applications in the Housing Entitlement Certificate (WBS) Procedure in North Rhine-Westphalia on the Social Platform

In this privacy policy for the Social Platform, which can be accessed at https://sozialplattform.de, we explain below how information that can be individually used to identify you or others as a person (the "personal data") is processed and used on the Social Platform.

We explain for each step of the data processing,

  • which authority is responsible for data protection in each case (see para. 1),
  • whom you can contact if you have questions about data protection (see para. 2), and
  • what rights you and other persons whose personal data are processed have (see para. 3).

We explain in para. 4 the individual steps of the data processing, in particular why these steps are carried out in each case, on what legal basis, how the steps work in each case and how the personal data are specifically processed in each case.

1. Controller

The authority responsible for the processing of personal data (“controller”) in the context of the electronic application is the authority responsible for the further processing of the application in the subsequent administrative procedure or the authority to which the application is sent electronically.

The authority that is the controller under data protection law for the specific application is displayed after selecting the location on the service detail page.

For enquiries about data protection, the data protection officer of the respective authority should be contacted directly. The contact details are given in para. 2.
 

2. Data protection officer

The contact details of the data protection officer of the authority (controller pursuant to para. 1) are displayed after selecting the location on the service detail page.

 

3. Rights of the data subject

Any person whose personal data is processed by a public authority may assert the following rights as a data subject against the respective authority (controller, see para. 1).

 

3.1. Right of access

Data subjects may request information from the authority pursuant to Article 15 GDPR as to whether personal data concerning them are being processed. If this is the case, data subjects may request the information on data processing referred to in Article 15 GDPR.

 

3.2. Right of rectification

Data subjects may request the authority to correct inaccurate personal data concerning them or to complete incomplete personal data, if applicable, in accordance with Article 16 GDPR.

 

3.3. Right to erasure

Data subjects may request the authority to delete personal data concerning them pursuant to Article 17 GDPR, provided that the conditions set out in Article 17 GDPR are met.

 

3.4. Right to restriction of processing

Data subjects may request pursuant to Article 18 GDPR that the authority restrict the processing of personal data concerning them, provided that the conditions set out in Article 18 GDPR are met.

 

3.5. Right to object to processing

Data subjects may, pursuant to Article 21 GDPR, object to the authority, on grounds relating to their particular situation, to the processing of personal data concerning them carried out on the legal basis of Article 6(1)(e) GDPR.

The authority shall then no longer process the personal data unless it can demonstrate and, where applicable, prove that the conditions for continuing to process such data are met.

 

3.6. Right to withdraw consent

Data subjects may at any time withdraw consent they have given to the authority for the processing of personal data relating to them in accordance with Article 7(3) GDPR. The withdrawal of consent is only effective for the future; the processing of personal data already carried out on the basis of the consent is not affected by the withdrawal.

If consent is only given for a single processing step, this processing step is carried out and completed immediately after consent is given, and subsequent processing steps are not carried out on the basis of consent, any withdrawal may no longer have any effect.

 

3.7 Right to complain to the data protection supervisory authority

Data subjects may lodge a complaint about the processing of personal data concerning them by the authority at any time. Such a complaint must be lodged with the competent data protection supervisory authority.

 

4. How your personal data is processed

In this para. 4, we explain the individual processing steps in which personal data are processed. In doing so, we present the general and overarching processing steps (paras. 4.1 and 4.3) and in para. 4.2 we discuss the applications that can be submitted electronically via the Social Platform (currently: aid for subsistence).

 

4.1. Technical operation of the Social Platform

The technical operation of the Social Platform, and therefore all processing of personal data in accordance with this Privacy Policy, is carried out entirely by Landesbetrieb Information und Technik Nordrhein-Westfalen (IT.NRW), Mauerstraße 51, 40476 Düsseldorf. In each case, IT.NRW acts as a further processor for the authority responsible for data protection (controller pursuant to para. 1 above) in accordance with Article 28 GDPR in conjunction with § 80 SGB X.

 

4.2. Electronic applications for benefits

Below we present the individual applications that are submitted electronically via the Social Platform.


4.2.1. Aid for Subsistence (HzL)

Whose personal data are being processed? (Categories of data subjects)

  • Applicants, including e.g. legal representatives or legal guardians
  • Beneficiaries
  • Household members of the beneficiaries
  • Other persons with a family or similar relationship to the beneficiaries

 

What categories of personal data are processed?

Applicant: capacity as beneficiary, legal representative, or legal guardian; academic titles; name elements; first names; surname; maiden name; date of birth; place of birth; country of birth; sex.

Contact details: street; house number; address suffix; postcode; town; telephone number; e-mail address; means of identification (tax ID or pension insurance number); competent social welfare office; previous application for social welfare benefits; nationality; permanent residence in Germany; legal guardianship; legal representative; declaration of knowledge of legal instructions; declaration of commitment to notify changes to information provided.

Situation: information on current situation; marital status; health insurance; pregnancy; severe disability; other medical information.

Household: Information on other household members: Relationship to applicant; first names; surname; sex; date of birth; foster child status; permanence of household membership; marital status; nationality; earning capacity; receipt of other social benefits; pregnancy; eligibility for asylum; compulsory education; special medical needs.

Household: Information on other persons not living in the household: Relationship to applicant; first names; surname; date of birth; street; house number; address suffix; postcode; town.

Accommodation: Housing situation of the applicant; flat size; rental situation and amount; other cost situation.

Income: Income data; information on other state benefits applied for.

Expenditure: Details of specific types of expenditure.

Assets: Information on assets of both the applicant and other household members, including claims against third parties and reductions in assets such as donations or gifts.

Documents: Bank details; proofs and documents.

Metadata: Dispatch confirmation, success message, timestamp, ID of the application, user ID.

 

Why is the data processed? (Purposes of the processing)

Implementation of the administrative procedure for deciding on the entitlement to assistance for subsistence pursuant to §§ 27 ff. SGB XII by the competent social welfare agency (controller pursuant to para. 1).

 

What happens to the personal data?

The personal data are recorded electronically on the Social Platform and can be used in the administrative procedure to decide on the application. The data will be transmitted electronically to the competent social welfare agency (controller pursuant to para. 1).

 

What is the legal basis?

  1. The processing on the Social Platform by the Ministry of Labour, Health and Social Affairs of the State of North Rhine-Westphalia (MAGS NRW) and IT.NRW is carried out on behalf of the competent social welfare agency (controller pursuant to para. 1) in accordance with Article 28 GDPR in conjunction with § 80 SGB X.
  2. The competent social welfare agency (controller pursuant to para. 1) collects the personal data on the legal basis for the administrative procedure for aid for subsistence, i.e. Article 6(1)(e), Article 9(2)(b) GDPR in conjunction with §§ 27 ff. SGB XII, 67a SGB X, 35, 12 SGB I.

 

Is there an obligation to provide this personal data and what consequences can arise if the data is not provided?

According to §§ 60-62, 65 SGB I, anyone who wishes to receive aid for subsistence is obliged to provide all information relevant for the decision and, if necessary, to provide requested evidence.

The information and evidence do not have to be provided electronically via the Social Platform but can also be provided by other means of communication or in person.

The competent social welfare agency (controller according to para. 1) may refuse or withdraw benefits in whole or in part as long as the information required for the decision is not available.

 

How long will the personal data be stored?

  1. After sending the application, the personal data collected for the application will be deleted from the Social Platform immediately, usually after a few minutes.
  2. In the case of the competent social welfare agencies, the duration of the storage of personal data shall be governed by the principle of storage limitation set out in Article 5(1)(e) GDPR, which specifies the principle of data minimisation in terms of time. The competent social welfare agencies are responsible for determining the specific duration of storage. The maximum storage period is 30 years.

 

4.3. Comprehensive data processing for various electronic applications

The processing steps described in this para. 4.3 are implemented uniformly for all applications that can be submitted electronically on the Social Platform and apply to the application procedure referred to in para. 4.2 above.

 

4.3.1. Authentication by means of the new identity card (nPA) or electronic residence permit

Whose personal data are being processed? (Categories of data subjects)

Applicant

 

What categories of personal data are processed?

  • Family name
  • First name
  • Date of birth
  • Registration address

 

Why is the data processed? (Purposes of the processing)

Authentication of the applicant without media discontinuity in order to be able to assign an application to a user of the Social Platform.

 

What happens to the personal data?

When authenticating by means of the new identity card (nPA) or the electronic residence permit, the above-mentioned personal data are read from the secure memory chip of the nPA with the reader (e.g. smart card reader or smartphone) and transmitted directly to the local web browser and from there to the Social Platform via the locally installed AusweisApp2. During this transmission, no third party intervenes as an intermediary for the data.

The personal data is transferred into the application on the Social Platform, but can be changed by the user.

 

What is the legal basis?

  1. The query of the above-mentioned data shall only take place with the consent of the applicant.
  2. The processing on the Social Platform by MAGS NRW and IT.NRW is carried out by way of commissioned processing pursuant to Article 28 GDPR in conjunction with § 80 SGB X for the respective authority responsible for the application in terms of data protection law (pursuant to para. 1).
  3. The authority responsible for the application (controller pursuant to para. 1) collects the personal data on the legal basis for the respective administrative procedure. The legal basis for the administrative procedure is stated for the respective procedure in para. 4.2.

 

Is there an obligation to provide this personal data and what consequences can arise if the data is not provided?

The applicant is not obliged to identify himself or herself to the authority responsible for the administrative procedure to decide on the application (controller pursuant to para. 1) by means of an ID card or electronic residence permit.

However, all applications that can be submitted electronically via the Social Platform technically require legitimisation, either via the nPA, electronic residence permit or a user account.

The electronic application cannot be completed without proof of identity. However, the applicant is still free to submit the application to the competent authority by post or in person.

 

How long will the personal data be stored?

The personal data shall be stored in the application on the Social Platform and shall be deleted on the Social Platform with the other application data after the application has been sent to the competent authority (controller pursuant to para. 1).

The personal data shall furthermore be stored by the competent authority (controller pursuant to para. 1) in the respective administrative procedure for the decision on the application in accordance with the regulations applicable there.

 

4.3.2. Authentication via user account

Whose personal data are being processed? (Categories of data subjects)

Applicant

 

What categories of personal data are processed?

  • Family name
  • First name
  • Date of birth
  • Registration address
  • Salutation
  • E-mail address
  • Mobile number
  • User account mailbox

 

Why is the data processed? (Purposes of the processing)

Authentication of the applicant without media discontinuity in order to be able to assign an application to a user of the Social Platform.

 

What happens to the personal data?

When authenticating by means of a user account, e.g. the Servicekonto.NRW, a service account of the federal government or another federal state, the above-mentioned personal data, if stored in the user account, will be transferred to the respective application.

The data is retrieved from the authority responsible for maintaining the respective user account (transmission).

Here, all transferred data can be changed and overwritten by the applicant.

 

What is the legal basis?

  1. The retrieval of the above-mentioned data shall only take place with the consent of the applicant pursuant to § 8 (6) OZG.
  2. The processing on the Social Platform by MAGS NRW and IT.NRW is carried out pursuant to Article 28 GDPR in conjunction with § 80 SGB X on behalf of the respective authority responsible for the application (controller pursuant to para. 1).
  3. The authority responsible for the application (controller pursuant to para. 1) collects the personal data on the legal basis for the respective administrative procedure. The legal basis for the administrative procedure is stated for the respective procedure in para. 4.2.

 

Is there an obligation to provide this personal data and what consequences can arise if the data is not provided?

The applicant is not obliged to legitimise himself or herself by means of a user account to the authority responsible for the administrative procedure for deciding on the application (controller pursuant to para. 1) or to consent to the transfer of data.

However, all applications that can be submitted electronically via the Social Platform technically require legitimisation, either via the nPA, electronic residence permit or a user account.

The electronic application cannot be completed without proof of identity. However, the applicant is still free to submit the application to the competent authority by post or in person.

 

How long will the personal data be stored?

The personal data shall be stored in the application on the Social Platform and shall be deleted on the Social Platform with the other application data after the application has been sent to the competent authority (controller pursuant to para. 1).

The personal data shall furthermore be stored by the competent authority (controller pursuant to para. 1) in the respective administrative procedure for the decision on the application in accordance with the regulations applicable there.

 

4.3.3. Storage of unsent applications

Whose personal data are being processed? (Categories of data subjects)

The same persons as in the respective application

 

What categories of personal data are processed?

The same categories as in the respective application

 

Why is the data processed? (Purposes of the processing)

Enabling the interruption and later completion of an application, e.g. to provide further information or documents relevant to an application.

 

What happens to the personal data?

The data is stored on the Social Platform. Beyond that, no further processing of the data takes place.

 

What is the legal basis?

The processing on the Social Platform by MAGS NRW and IT.NRW is carried out pursuant to Article 28 GDPR in conjunction with § 80 SGB X on behalf of the respective authority responsible for the application (controller pursuant to para. 1).

The authority responsible for the application (controller pursuant to para. 1) collects the personal data on the legal basis for the respective administrative procedure, as the efficient execution of the application also requires the storage of intermediate statuses of the application, as would also be possible with paper forms. The legal basis for the administrative procedure is specified for the respective procedure in para. 4.2.

 

Is there an obligation to provide this personal data and what consequences can arise if the data is not provided?

The applicant is not obliged to save the data on the Social Platform. Saved applications can be deleted at any time. However, all data must then be re-entered when submitting a new application.

 

How long will the personal data be stored?

Saved applications are deleted no later than 30 days after the last change to the application, unless they are sent before then. After that, applications deleted in the system can still be reconstructed from encrypted data backups for a period of 4-6 weeks.

 

4.3.4. Transmission of sent applications

Whose personal data are being processed? (Categories of data subjects)

The same persons as in the respective application

 

What categories of personal data are processed?

The same categories as in the respective application

 

Why is the data processed? (Purposes of the processing)

Carrying out the administrative procedure to decide on the respective application.

 

What happens to the personal data?

After an application has been sent by clicking on the "send" button, the data is first forwarded to the "Central Data Exchange Infrastructure" (ZDI), which is operated by IT.NRW.

The operator of the ZDI (IT.NRW) prepares the application technically and forwards it to the authority responsible for the administrative procedure to decide on the application (controller pursuant to para. 1).

 

What is the legal basis?

  1. The transfer to the "Central Data Exchange Infrastructure" (ZDI) and processing by its operator is carried out pursuant to Article 28 GDPR in conjunction with § 80 SGB X on behalf of the authority responsible for the application (controller pursuant to para. 1).
  2. The authority responsible for the application (controller pursuant to para. 1) collects the personal data on the legal basis for the respective administrative procedure. The legal basis for the administrative procedure is stated for the respective procedure in para. 4.2.

 

How long will the personal data be stored?

The data is deleted at the ZDI immediately after it has been processed and transmitted to the responsible authority. This processing and transmission usually takes a few seconds to a few minutes.

 

4.3.5. Session cookie of the form management system

Whose personal data are being processed? (Categories of data subjects)

User of the web browser used to complete the online application form

 

What categories of personal data are processed?

Unique identifier to recognise the user in the form management system.

 

Why is the data processed? (Purposes of the processing)

Unique assignment of the application form to a specific browser session and assignment of the communication between the form management system and the browser.

 

What happens to the personal data?

The unique identifier is stored in a cookie file on the user's computer.

 

What is the legal basis?

  1. The processing on the Social Platform by MAGS NRW and IT.NRW is carried out pursuant to Article 28 GDPR in conjunction with § 80 SGB X on behalf of the respective authority responsible for the application (controller pursuant to para. 1).
  2. The respective authority responsible for the application (controller pursuant to para. 1) processes the personal data on the legal basis for the respective administrative procedure mentioned in para. 4.2, as this processing is technically necessary for the online application.
  3. Insofar as data is retrieved from the user's terminal device or stored on the terminal device, this is done by the authority responsible for the application (controller pursuant to para. 1) on the legal basis of § 25(2) TTDSG, as the retrieval and storage are necessary for the function of the online application.

 

How long will the personal data be stored?

The session cookie, which contains the unique identifier, is deleted when the web browser is closed.