Privacy policy

In this privacy policy for the social platform, which can be accessed at https://sozialplattform.de, we explain below how information that can be individually assigned to you or others as a person (the "personal data") is processed and used when electronic applications are created via the .

We explain for each step of data processing,
- which authority is responsible under data protection law (section 1),
- who you can contact if you have any questions about data protection (section 2), and
- what rights you and other persons whose personal data is processed are entitled to (section 3).

In section 4, we explain the individual steps of data processing, in particular why these steps are carried out in each case, on what legal basis they are based, how the steps work in each case and how the personal data is specifically processed in each case.

1. Responsible authority

For the processing of personal data in the context of electronic applications, the authority responsible under data protection law is the authority that is also responsible for the further processing of the application in the subsequent administrative procedure or to which the application is sent electronically. The authority responsible for the specific application under data protection law is displayed on the service details page after selecting the location.

The data protection officer of the respective authority should be contacted directly for inquiries regarding data protection. The contact details are listed in section 2.

2. Data protection officer, supervisory authority

The contact details of the data protection officer of the authority responsible for data protection depend on your place of residence. You will be informed as follows when your personal data is collected: Once you have selected an application and your place of residence, you will be taken to the selected application route by clicking on "Submit application". Here you select a registration method, e.g. BundID. Once you have made your selection, you will be taken to the terms of use and data protection information. If you click on "Privacy policy", you will find the contact details of the data protection officer under point 9.

3. Rights as a data subject

Any person whose personal data is processed by a public authority can assert the following rights as a data subject against the respective responsible authority (in accordance with point 1).

3.1 Right to information and copy
Affected persons can request information from the authority in accordance with Art. 15 GDPR as to whether it processes personal data concerning them. If this is the case, data subjects can request the information on data processing specified in Art. 15 GDPR. At the request of the data subject, the responsible authority (in accordance with section 1) will provide a copy of the processed personal data.

3.2 Right to rectification
Data subjects may request that the authority rectify any inaccurate personal data concerning them or, where applicable, complete any incomplete personal data in accordance with Art. 16 GDPR.

3.3 Right to erasure
Data subjects may request that the authority rectify any inaccurate personal data concerning them in accordance with Art. 17 GDPR that the authority erase personal data concerning them, provided that the conditions set out in Art. 17 GDPR are met.

3.4 Right to restriction of processing
Data subjects may request the authority to restrict processing in accordance with Art. 18 GDPR that the processing of personal data concerning them be restricted, provided that the conditions set out in Art. 18 GDPR are met.

3.5 Right to data portability
In accordance with Art. 20 GDPR, data subjects may receive the personal data concerning them in a structured, commonly used and machine-readable format and have the right to transmit those data from one controller to another, provided that the conditions set out in Art. 20 GDPR are met.

3.6 Right to object to processing
Data subjects may, on grounds relating to their particular situation, object to processing of personal data concerning them which is based on the legal basis of Art. 6 para. 1 sentence 1 lit. e) GDPR.
The authority will then no longer process the personal data unless it can demonstrate and, if necessary, prove that the conditions for continuing the processing of this data in accordance with Art. 21 GDPR are met.

3.7 Right to withdraw consent
Affected persons may at any time withdraw consent that they have given to the authority for the processing of personal data concerning them in accordance with Art. 7 para. 3 GDPR. The withdrawal of consent is only effective for the future; the processing of personal data that has already taken place on the basis of the consent is not affected by the withdrawal.
If consent is only given for a single processing step, this processing step is carried out and completed immediately after consent is given, and subsequent processing steps are not carried out on the basis of consent, any withdrawal of consent may no longer have any effect.

3.8 Right to lodge a complaint with the data protection supervisory authority
Affected persons may lodge a complaint at any time about the processing of personal data concerning them by the authority. Such a complaint must be lodged with the competent data protection supervisory authority.

4. How your personal data is processed

In this section 4, we explain the individual processing steps in which personal data is processed. We describe the general and overarching processing steps (sections 4.1 and 4.3) and discuss the application that can be submitted electronically via the social platform for benefits under the AsylbLG in section 4.2.

4.1. Technical operation of the social platform
The technical operation of the social platform, and therefore all processing of personal data in accordance with this privacy policy, is carried out entirely by Landesbetrieb Information und Technik Nordrhein-Westfalen (IT.NRW), Mauerstraße 51, 40476 Düsseldorf. IT.NRW acts in each case as a further processor for the authority responsible for data protection (pursuant to section 1) in accordance with Art. 28 GDPR.

4.2 Electronic applications for benefits
We present the application in detail below.

Application for Benefits under the Asylum-Seekers' Benefits Act (AsylbLG)

Whose personal data is processed? (Categories of data subjects)

Applicants, including, for example, representatives or carers

Beneficiaries

Dependents of the beneficiaries

Other persons with a family or similar relationship to the beneficiaries

.

Which categories of personal data are processed?

• Master data of the caregiver or authorized representative: surname, first name, organization/association
• Master data of the applicant: surname, first name, last name, maiden name, date of birth, place of birth, country of birth, gender, postal address if applicable, information on academic qualifications
• . postal address, information on academic degree
• Contact details of caregiver or authorized representative: telephone, e-mail, address in Germany/abroad
  
  Contact details of applicant: telephone, e-mail, address in Germany/abroad
• General data on persons in the household: surname, first name, date of birth, gender, relationship to applicant, residence status, applying for benefits for other persons (probably only for spouse/partner)
• General data on family/family members: Marital status, dependants outside the household (surname, first name, date of birth, gender, relationship to the applicant, residence status, address in Germany), single parent
• Individual identification numbers: tax ID, ZAR number, AZR number
• Financial and insurance data: Details of bank details, financing departure, securing livelihood, details of income and assets, pension support at home and abroad, details of assets, pension provision, motor vehicle, claims against third parties, real estate and property. Third parties, real estate and property, health and long-term care insurance, loan, rental deposit, one-time receipt of aid for housing procurement costs, relocation costs, renovation costs, rent arrears, arrears in (advance) payments for electricity, one-time receipt of costs for replacement purchases, passport procurement costs, proof of insurance, proof of assets, proof of needs
• Information on social benefits: Previous receipt of benefits for subsistence, selection of benefits according to AsylbLG, end and reason for end of benefit receipt
  Selection of benefits according to AsylbLG: Benefits to secure subsistence, application for benefits to secure subsistence has already been made, health benefits, benefits for pregnancy and birth, benefits for recurring needs, benefits for One-Time Needs (relocation costs, rent deposit, interpreter services, benefits for assistance and care, passport procurement costs, etc.).)
• General data on the housing situation: Accommodation (type of accommodation, place of residence, other persons in the household), private housing, assignment of rent, initial furnishings, proof of registration, proof of housing
• Citizenship and residence information: Citizenship, residence status, periods of residence, registration address, information on residence conditions in home country as well as entry (reason for departure, livelihood home country, date of entry, etc.)
• Special personal data in accordance with Art. 9 GDPR: Information on required health services, benefits for pregnancy and childbirth and date of delivery, information on severe disability, cost-intensive nutrition for medical reasons, proof of health services, proof of pregnancy
• Declaration of commitment to finance the stay: Surname, first name, address home/abroad
• Photo: uploaded image file with photo of the person's face or declaration of desire to use the photo from the Central Register of Foreigners to create an Electronic Health Card
• Use of services: Interpreter services
• Metadata: Pseudo user ID, process ID, creation date, last update date, completion date, (client) ref ID, session ID, user ID, user object (also contains user ID and session ID), document UUIDs, document data, application ID

Why is the data processed? (Purposes of processing)

Conducting the administrative procedure for deciding on entitlement to benefits under the Asylum-Seekers' Benefits Act (AsylbLG).

What happens to the personal data?

The personal data is recorded electronically on the social platform and transmitted electronically to the competent body (authority responsible for data protection in accordance with section 1). The information is then processed by the competent authority for the decision on benefits under the Asylum-Seekers' Benefits Act (AsylbLG) in the administrative procedure.
The competent authority (authority responsible for data protection in accordance with Section 1) may retrieve the photo and basic personal data from the Central Register of Foreigners, insofar as this serves to ensure the accuracy of the data or to process the granting of benefits (in particular medical benefits in accordance with Section 4 Asylum-Seekers' Benefits Act by issuing an electronic health card).

What is the legal basis?

1. processing on the social platform by MAGS NRW and IT.NRW is carried out by way of commissioned processing in accordance with Art. 28 GDPR for the responsible body (authority responsible for data protection in accordance with section 1).

2. The responsible body (authority responsible for data protection in accordance with section 1) collects the personal data on the legal basis for the administrative procedure for benefits under the AsylbLG, i.e. Art. 6 para. 1 subpara. 1 lit. e), Art. 9 para. 2 lit. h) GDPR in conjunction with §§ Sections 1a, 2, 3, 4, 6, 7, 9 para. 3, 11 para. 3 and 3a AsylbLG in conjunction with.

3. The transfer of data from the Central Register of Foreigners to the competent body (authority responsible for data protection in accordance with section 1) is carried out on the legal basis of Art. 6 para. 1 subpara. 1 lit. e), Art. 9 para. 2 lit. h) GDPR in conjunction with §§ 4 AsylbLG, 4 AsylbLG, 4 AsylbLG, 9 para. 2 lit. h) GDPR. §§ 4 AsylbLG, 60-67 SGB I, 291a para. 5 SGB V, 14 AZRG.


Is there an obligation to provide this personal data and what are the consequences if the data is not provided?

Whoever wishes to apply for benefits under AsylbLG is legally obliged to provide all information relevant to the decision and, if necessary, to provide any requested evidence in accordance with § 9 para. 3 AsylbLG i.V.m. §§ 60-67 SGB I. If the required data is not provided, the application cannot be processed properly.

The information and evidence does not have to be provided electronically via the social platform, but can also be provided via other communication channels or in person.

The responsible body (authority responsible for data protection in accordance with section 1) can refuse the application as long as the information required for the decision has not been provided.


How long will the personal data be stored?

1. After the application has been sent, the personal data collected for the application will be deleted from the social platform immediately, usually after just a few minutes.
2. In the case of the competent authority, the duration of the storage of personal data is based on the principle of storage limitation regulated in Art. 5 para. 1 lit. e GDPR, which specifies the principle of data minimization in terms of time. The responsible bodies determine the specific duration of storage on their own responsibility.

4.3 Comprehensive data processing for various electronic applications

The processing steps described in this section 4.3 are implemented uniformly for all applications that can be submitted electronically on the social platform and apply to the application procedure mentioned in section 4.2 above.

4.3.1 Authentication using a new identity card or electronic residence permit

Whose personal data is processed? (Categories of data subjects)
Applicant and, if applicable, the carer or authorized representative

Which categories of personal data are processed?
- Surname
- First name
- Date of birth
- Address

Why are the data processed?(Purposes of processing)

Media-interruption-free authentication of the applicant or the carer or authorized representative

Whose personal data are processed? the caregiver or authorized representative in order to be able to assign an application to a user of the social platform.

What happens to the personal data?

When authenticating using the new ID card (nPA) or electronic residence permit, the above-mentioned personal data is read from the secure memory chip of the nPA using the reader (e.g. chip card reader or smartphone) and transmitted directly to the local web browser via the locally installed ID card app and from there to the social platform. During this transmission, no third party acts as an intermediary for the data.

What is the legal basis?

1. The above-mentioned data is only retrieved with the consent of the applicant or the caregiver or authorized representative.

2. The processing on the social platform by MAGS NRW and IT.NRW is carried out by way of commissioned processing in accordance with Art. 28 GDPR for the authority responsible for the application under data protection law (in accordance with section 1).

3. The authority responsible for the application under data protection law (in accordance with section 1) collects the personal data on the legal basis for the respective administrative procedure. The legal basis for the administrative procedure is specified in section 4.2.



Is there an obligation to provide this personal data and what are the consequences if the data is not provided?

The applicant or the caregiver or authorized representative is not legally obliged to identify themselves to the authority responsible for the administrative procedure for deciding on the application (authority responsible for data protection pursuant to section 1) by means of an nPA or electronic residence permit.

However, all applications that can be submitted electronically via the social platform require technical legitimization, either via the nPA, electronic residence permit or a user account.

The electronic application cannot be completed without legitimization. However, the applicant or representative is still free to submit the application to the competent authority by other means.

How long will the personal data be stored?

The personal data will be deleted from the social platform with the other application data after the application has been sent to the competent authority (authority responsible for data protection in accordance with section 1).
The personal data will also be stored by the competent authority (authority responsible for data protection in accordance with section 1) in the respective administrative procedure for deciding on the application in accordance with the regulations applicable there.

4.3.2 Authentication via user account

Whose personal data is processed? (Categories of data subjects)

Applicant and, if applicable, caregiver or authorized representative

Which categories of personal data are processed?
- Surname
- First name
- Date of birth
- Address
- Title
- User account mailbox
- Email

Why is the data processed? (Purposes of processing)


Media-interruption-free authentication of the applicant or the caregiver or authorized representative in order to be able to assign an application to a user of the social platform.

What happens to the personal data?

During authentication via a user account, e.g. the Servicekonto.NRW, a service account of the federal government or another federal state, the above personal data is requested if it is stored in the user account.
The data is retrieved from the authority responsible for managing the respective user account (transmission).

What is the legal basis?

1. the retrieval of the above-mentioned data only takes place with the consent of the applicant or the caregiver or authorized representative in accordance with Section 8 (6) OZG.

2. the processing on the social platform by MAGS NRW and IT.NRW is carried out by way of commissioned processing in accordance with Art. 28 GDPR for the authority responsible for the application under data protection law (in accordance with section 1).

3. The authority responsible for the application under data protection law (in accordance with section 1) collects the personal data on the legal basis for the respective administrative procedure. The legal basis for the administrative procedure is specified for the respective procedure in section 4.2.

Is there an obligation to provide this personal data and what are the consequences if the data is not provided? The applicant or the caregiver and authorized representative is not legally obliged to legitimize themselves to the authority responsible for the administrative procedure for deciding on the application (authority responsible for data protection in accordance with section 1) by means of a user account or to consent to the transfer of data.

However, all applications that can be submitted electronically via the social platform require technical legitimization, either via the nPA, electronic residence permit or a user account.

The electronic application cannot be completed without legitimization. However, the applicant or the caregiver and authorized representative are still free to submit the application to the competent authority by other means.

How long will the personal data be stored?

The personal data will be deleted on the social platform with the other application data after the application has been sent to the competent authority (authority responsible for data protection in accordance with section 1).
The personal data will also be stored by the competent authority (authority responsible for data protection in accordance with section 1) in the respective administrative procedure for deciding on the application in accordance with the regulations applicable there.

4.3.3. transfer of data from the user account to the application

Whose personal data is processed? (Categories of data subjects)

Applicant and, if applicable, caregiver or authorized representative

Which categories of personal data are processed?

- Family name
- First name
- Date of birth
- Address
- Salutation
- Email

Why is the data processed? (Purposes of processing)

Media seamless transfer of the above personal data of the applicant or the caregiver or authorized representative to pre-fill the application form.

What happens to the personal data? the caregiver or authorized representative authenticates themselves at the beginning of the application, e.g. the Servicekonto.NRW, a service account of the federal government or another federal state, the above personal data can be transferred to the respective application, provided that it is stored in the user account.

The data is retrieved from the authority responsible for maintaining the respective user account (transmission).
All transferred data can be changed and overwritten here by the applicant or the caregiver or authorized representative.

What is the legal basis?

1. The transfer of the above-mentioned data only takes place with the consent of the applicant or the caregiver or authorized representative.

2. The processing on the social platform by MAGS NRW and IT.NRW is carried out by way of order processing in accordance with Art. 28 GDPR for the authority responsible for the application under data protection law (in accordance with Section 1).

3. The authority responsible for the application under data protection law (in accordance with Section 1) collects the personal data on the legal basis for the respective administrative procedure. The legal basis for the administrative procedure is specified for the respective procedure in section 4.2.

Is there an obligation to provide this personal data and what are the consequences if the data is not provided? The applicant or the caregiver or authorized representative is not legally obliged to consent to the data transfer.
If the applicant or the caregiver or authorized representative does not consent to the processing, the information must be entered themselves.

How long will the personal data be stored?

The personal data will be stored in the application on the social platform and deleted from the social platform with the other application data after the application has been sent to the competent authority (authority responsible for data protection pursuant to section 1).
The personal data will also be stored by the competent authority (authority responsible for data protection in accordance with section 1) in the respective administrative procedure for deciding on the application in accordance with the regulations applicable there.

4.3.4 Storage of unsent applications

Whose personal data is processed? (Categories of data subjects)

The data of the same persons who submit the request.

Which categories of personal data are processed?

The same categories as in the respective request.

Why are the data processed? (Purposes of processing)

To enable the interruption and subsequent completion of an application, for example to provide further information or documents that are relevant to an application.

What happens to the personal data?

The data is stored in the social platform database. The storage of unsent applications is only possible if the applicant or the caregiver or authorized representative has authenticated themselves with a user account. Beyond this, no further processing of the data takes place.

What is the legal basis?

1. Processing on the social platform by MAGS NRW and IT.NRW is carried out by way of order processing in accordance with Art. 28 GDPR for the authority responsible for the application under data protection law (in accordance with section 1).

2. The authority responsible for the application under data protection law (in accordance with section 1) collects the personal data on the legal basis for the respective administrative procedure, as it must be possible for the applicant - as with applications in paper form - to complete their application at a later date. The legal basis for the administrative procedure is specified for the respective procedure in section 4.2.

Is there an obligation to provide this personal data and what are the consequences if the data is not provided?

The applicant or the caregiver or authorized representative is not legally obliged to store the data on the social platform. Saved applications can be deleted at any time. However, all data must then be re-entered when submitting a new application.

How long is the personal data stored?

Saved applications are deleted no later than 24 hours after the last change to the application, unless they are sent before then. After that, applications deleted from the system can still be reconstructed from encrypted data backups for a period of 6 weeks.

4.3.5. Transmission of submitted applications

Whose personal data is processed? (Categories of data subjects)

The data of the same persons who submit the request.

Which categories of personal data are processed?

The same categories as in the respective request.

Why are the data processed? (Purposes of processing)

To carry out the administrative procedure for deciding on the respective application.

What happens to the personal data?

After an application has been sent by clicking on the "Submit application" button, the data is technically processed and forwarded via the so-called "Central Data Exchange Infrastructure" (ZDI) to the authority responsible for the administrative procedure for deciding on the application (authority responsible for data protection in accordance with section 1).

What is the legal basis?

1. the transfer to the "Central Data Exchange Infrastructure" (ZDI) and processing by its operator is carried out by way of order processing in accordance with Art. 28 GDPR for the authority responsible for the application under data protection law (in accordance with section 1).

2. the authority responsible for the application under data protection law (in accordance with section 1) collects the personal data on the legal basis for the respective administrative procedure. The legal basis for the administrative procedure is specified for the respective procedure in section 4.2.

How long is the personal data stored?

The data is deleted from the social platform by the ZDI within a few minutes immediately after processing and transmission to the responsible authority.

4.3.6 Session cookie of the form management system

Whose personal data is processed? (Categories of data subjects)

User of the web browser through which the online application form is completed.

Which categories of personal data are processed?

Unique identifier to recognize the user in the form management system.

Why is the data processed? (Purposes of processing)

Unique assignment of the application form to a specific browser session and assignment of communication between the form management system and the browser.

What happens to the personal data?

The unique identifier is stored in a cookie file on the user's end device.

What is the legal basis?

1. The processing on the social platform by MAGS NRW and IT.NRW is carried out by way of commissioned processing in accordance with Art. 28 GDPR for the authority responsible for the application under data protection law (in accordance with Section 1).

2. The authority responsible for the application under data protection law (in accordance with section 1) processes the personal data on the legal basis for the administrative procedure specified in section 4.2, as this processing is technically necessary for the online application.

3. Insofar as data is retrieved from the user's terminal device or stored on the terminal device, this is done by the authority responsible for the application under data protection law (in accordance with section 1) on the legal basis of § 25 para. 2 TTDSG, as the retrieval and storage are necessary for the function of the online application.

How long is the personal data stored?

The session cookie, which contains the unique identifier, is deleted when the web browser is closed.