Privacy policy for electronic applications in the Cost-of-living assistance (HzL) procedure on the social platform

In this privacy policy for the social platform, which can be accessed at https://sozialplattform.de, we explain below how information that can be individually assigned to you or others as a person (the "personal data") is processed and used on the social platform.

We explain for each step of the data processing

  • which authority is responsible for data protection (see section 1),
  • whom you can contact if you have any questions about data protection (see section 2), and
  • what rights you and other persons whose personal data is processed are entitled to (see section 3).

We then explain the individual steps of data processing in section 4, in particular why these steps are carried out in each case, the legal basis on which they are based, how the steps work in each case and how the personal data is specifically processed in each case.

1. Responsible authority

For the processing of personal data in the context of the electronic application, the authority responsible under data protection law is the authority that is also responsible for the further processing of the application in the subsequent administrative procedure or to which the application is sent electronically.

The authority responsible for the specific application under data protection law is displayed on the service details page after selecting the location.

The data protection officer of the respective authority should be contacted directly for inquiries regarding data protection. The contact details are listed in section 2.

2. Data protection officer, supervisory authority

The contact details of the data protection officer of the authority responsible for data protection depend on your place of residence. You will be informed as follows when your personal data is collected: As soon as you have selected an application and your place of residence, you will be taken to the selected application route by clicking on "Submit application". Here you select a registration method, e.g. BundID. Once you have made your selection, you will be taken to the terms of use and data protection information. If you click on "Privacy policy", you will find the contact details of the data protection officer under point 9.

3. Rights as a data subject

Any person whose personal data is processed by a public authority can exercise the following rights as a data subject vis-à-vis the responsible authority (see section 1).

3.1 Right to information and copy

Affected persons may request information from the authority in accordance with Art. 15 GDPR as to whether it processes personal data concerning them. If this is the case, data subjects can request the information on data processing specified in Art. 15 GDPR. At the request of the data subject, the responsible authority (in accordance with section 1) shall provide a copy of the processed personal data.

3.2 Right to rectification

Data subjects may request that the authority rectify inaccurate personal data concerning them or, where applicable, complete incomplete personal data in accordance with Art. 16 GDPR.

3.3 Right to erasure

Data subjects may request that the authority erase personal data concerning them in accordance with Art. 17 GDPR, provided that the conditions set out in Art. 17 GDPR are met.

3.4 Right to data portability

Data subjects may request that the authority provide them with the personal data concerning them in a structured, commonly used and machine-readable format in accordance with Art. 20 GDPR. They have the right to transmit this data to another controller. This only applies if the processing is based on consent or if the processing is carried out by automated means.

3.5 Right to restriction of processing

Data subjects may request that the authority restrict the processing of personal data concerning them in accordance with Art. 18 GDPR, provided that the conditions set out in Art. 18 GDPR are met.

3.6 Right to object to processing

Data subjects may, on grounds relating to their particular situation, lodge an objection with the authority pursuant to Art. 21 GDPR against the processing of personal data concerning them, which is carried out on the legal basis of Art. 6 para. 1 subpara. 1 lit. e) GDPR.

The authority will then no longer process the personal data unless it can demonstrate and, where applicable, prove that the conditions for continuing the processing of this data are met.

3.7 Right to withdraw consent

Affected persons may at any time withdraw consent that they have given to the authority for the processing of personal data concerning them in accordance with Art. 7 para. 3 GDPR. The withdrawal of consent is only effective for the future; the processing of personal data already carried out on the basis of the consent is not affected by the withdrawal.

If consent is only given for a single processing step, this processing step is carried out and completed immediately after consent is given, and subsequent processing steps are not carried out on the basis of consent, any withdrawal of consent may no longer have any effect.

3.8 Right to lodge a complaint with the data protection supervisory authority

Data subjects may lodge a complaint at any time about the processing of personal data concerning them by the authority. Such a complaint must be submitted to the competent data protection supervisory authority named on the service details page.

4. How your personal data is processed

In this section 4, we explain the individual processing steps in which personal data is processed. We describe the general and overarching processing steps (sections 4.1 and 4.3) and, in section 4.2, discuss the application that can be submitted electronically for Cost-of-living assistance via the social platform.

4.1 Technical operation of the social platform

The technical operation of the social platform, and therefore all processing of personal data in accordance with this privacy policy, is carried out entirely by Landesbetrieb Information und Technik Nordrhein-Westfalen (IT.NRW), Mauerstraße 51, 40476 Düsseldorf. IT.NRW acts as an additional processor for the authority responsible for data protection (see section 1 above) in accordance with Art. 28 GDPR in conjunction with Section 80 SGB X.

4.2 Electronic applications for benefits

We present the application in detail below.

Whose personal data is processed? (Categories of data subjects)

  • Applicants, including, for example, representatives, carers, third parties
  • benefit recipients
  • household members of the benefit recipients
  • other persons with a family or similar relationship to the benefit recipients

What categories of personal data are processed?

  • Personal data
  • Address data
  • Contact data
  • Citizenship and residence information
  • Details of household members
  • Details of family members
  • Training and education data
  • Family members
  • Financial data
  • Insurance data
  • Asset data
  • Information on state benefits applied for
  • Information on social benefits
  • Data on housing
  • Special personal data pursuant to Art. 9 GDPR
  • Data on criminal convictions and offenses pursuant to Art. 10 GDPR
  • Metadata

Why is the data processed? (Purposes of processing)

Conducting the administrative procedure to decide on the entitlement to Cost-of-living assistance in accordance with Section 27 ff SGB XII by the competent social welfare institution (authority responsible for data protection in accordance with Section 1).

What happens to the personal data?

The personal data is recorded electronically on the social platform and can be used in the administrative procedure to decide on the application. The data is transmitted electronically to the competent social welfare provider (authority responsible for data protection in accordance with section 1).

What is the legal basis?

1. Processing on the social platform by the Ministry of Labor, Health and Social Affairs of the State of North Rhine-Westphalia (MAGS NRW) and IT.NRW is carried out by way of commissioned processing in accordance with Art. 28 GDPR in conjunction with Section 80 SGB X for the competent social welfare provider.

2. The competent social welfare institution (authority responsible for data protection pursuant to Section 1) collects the personal data on the legal basis for the administrative procedure for Cost-of-living assistance, i.e. Art. 6 para. 1 subpara. 1 lit. e), Art. 9 para. 2 lit. b) GDPR in conjunction with Sections 27 ff SGB XII, 67a SGB X, 35, 12, 28 SGB I.

Is there an obligation to provide this personal data and what consequences can arise if the data is not provided?

Pursuant to Sections 60-62, 65 SGB I, anyone wishing to receive assistance with living expenses is obliged to provide all information relevant to the decision and, if necessary, to provide any evidence requested.

The information and evidence does not have to be provided electronically via the social platform, but can also be provided via other communication channels or in person.

The competent social welfare institution (authority responsible for data protection in accordance with section 1) may refuse or withdraw benefits in whole or in part as long as the information required for the decision has not been provided.

How long will the personal data be stored?

1. After the application has been sent, the personal data collected for the application will be deleted from the social platform immediately, usually after just a few minutes.

2. In the case of the responsible social welfare institutions, the duration of the storage of personal data is based on the principle of storage limitation regulated in Art. 5 para. 1 lit. e) GDPR, which specifies the principle of data economy in terms of time. The competent social welfare institutions are responsible for determining the specific duration of storage. The maximum duration of storage is 30 years.

4.3 Overarching data processing for various electronic applications

The processing steps described in this section 4.3 are implemented uniformly for all applications that can be submitted electronically on the social platform and apply to the application procedure described in section 4.2 above.

4.3.1 Authentication using a new ID card or electronic residence permit

Whose personal data is processed? (Categories of data subjects)

  • Applicants, including, for example, representatives

Which categories of personal data are processed?

  • Personal data
  • Address data
  • Technical metadata

Why is the data processed? (Purposes of processing)

Media-interruption-free authentication of the applicant or representative in order to be able to assign an application to a user of the social platform.

What happens to the personal data?

When authenticating with the new ID card (nPA) or electronic residence permit, the above-mentioned personal data is read from the secure memory chip of the nPA with the reader (e.g. chip card reader or smartphone) and transmitted directly to the local web browser via the locally installed ID card app and from there to the social platform.

What is the legal basis?

1. The retrieval of the above-mentioned data only takes place with the consent of the applicant or representative in accordance with Art. 6 para. 1 subpara. 1 lit. a) GDPR.

2. Processing on the social platform by MAGS NRW and IT.NRW is carried out by way of commissioned processing in accordance with Art. 28 GDPR in conjunction with Section 80 SGB X for the authority responsible for the application under data protection law (in accordance with Section 1).

3. The authority responsible for the application under data protection law (in accordance with Section 1) collects the personal data on the legal basis for the respective administrative procedure. The legal basis for the administrative procedure is specified in section 4.2.

Is there an obligation to provide this personal data and what are the consequences if the data is not provided?

The applicant or representative is not legally obliged to identify themselves to the authority responsible for the administrative procedure for deciding on the application (authority responsible for data protection pursuant to section 1) by means of an nPA or electronic residence permit.

However, all applications that can be submitted electronically via the social platform require technical legitimization, either via the nPA, electronic residence permit or a user account.

The electronic application cannot be completed without legitimization. However, the applicant or representative is still free to submit the application to the competent authority by other means.

How long will the personal data be stored?

The personal data will be deleted from the social platform with the other application data after the application has been sent to the competent authority (authority responsible for data protection pursuant to section 1).

The personal data will also be stored by the competent authority (authority responsible for data protection pursuant to section 1) in the respective administrative procedure for deciding on the application in accordance with the applicable regulations.

4.3.2 Authentication via user account

Whose personal data is processed? (Categories of data subjects)

Applicants, including, for example, representatives

Which categories of personal data are processed?

  • Personal data
  • Address data
  • Contact data
  • Technical metadata

Why is the data processed? (Purposes of processing)

Media-interruption-free authentication of the applicant or representative in order to be able to assign an application to a user of the social platform.

What happens to the personal data?

When authenticating via a user account, e.g. a service account of the federal government or a federal state, the above personal data, if stored in the user account, is requested.

The data is retrieved from the authority responsible for maintaining the respective user account (transmission).

What is the legal basis?

1. The retrieval of the above-mentioned data only takes place with the consent of the applicant or the representative in accordance with Art. 6 para. 1 subpara. 1 lit. a) GDPR in conjunction with Section 8 para. 6 OZG.

2. The processing on the social platform by MAGS NRW and IT.NRW is carried out by way of order processing in accordance with Art. 28 GDPR in conjunction with Section 80 SGB X for the authority responsible for the application under data protection law (in accordance with Section 1).

3. The authority responsible for the application under data protection law (in accordance with Section 1) collects the personal data on the legal basis for the respective administrative procedure. The legal basis for the administrative procedure is specified for the respective procedure in section 4.2.

Is there an obligation to provide this personal data and what are the consequences if the data is not provided?

The applicant or representative is not legally obliged to identify themselves to the authority responsible for the administrative procedure for deciding on the application (authority responsible for data protection pursuant to section 1) by means of a user account or to consent to the transfer of data.

However, all applications that can be submitted electronically via the social platform require technical legitimization, either via the nPA, electronic residence permit or a user account.

The electronic application cannot be completed without legitimization. However, the applicant or representative is still free to submit the application to the competent authority by other means.

How long will the personal data be stored?

The personal data will be deleted from the social platform with the other application data after the application has been sent to the competent authority (authority responsible for data protection in accordance with section 1).

The personal data will also be stored by the competent authority (authority responsible for data protection pursuant to section 1) in the respective administrative procedure for deciding on the application in accordance with the applicable regulations.

4.3.3 Transfer of data from the user account to the application

Whose personal data is processed? (Categories of data subjects)

Applicants, including, for example, representatives

Which categories of personal data are processed?

  • Personal data
  • Address data
  • Contact data

Why is the data processed? (Purposes of processing)

Transfer of the above personal data of the applicant or representative without media discontinuity in order to pre-fill the application form.

What happens to the personal data?

If the applicant or representative authenticates themselves via a user account at the beginning of the application, e.g. a service account of the federal government or a federal state, the above personal data can be transferred to the respective application, provided that it is stored in the user account.

The data is retrieved from the authority responsible for maintaining the respective user account (transmission).

All transferred data can be changed and overwritten here by the applicant or representative.

What is the legal basis?

1. The above-mentioned data will only be transferred with the consent of the applicant or representative in accordance with Art. 6 para. 1 subpara. 1 lit. a) GDPR.

2. The processing on the social platform by MAGS NRW and IT.NRW is carried out by way of order processing in accordance with Art. 28 GDPR in conjunction with Section 80 SGB X for the authority responsible for the application under data protection law (in accordance with Section 1).

3. The authority responsible for the application under data protection law (in accordance with Section 1) collects the personal data on the legal basis for the respective administrative procedure. The legal basis for the administrative procedure is specified for the respective procedure in section 4.2.

Is there an obligation to provide this personal data and what are the consequences if the data is not provided?

The applicant or representative is not legally obliged to consent to the transfer of data.

If the applicant or representative does not consent to the processing, they must enter the information themselves.

How long will the personal data be stored?

The personal data will be stored in the application on the social platform and deleted from the social platform with the other application data after the application has been sent to the competent authority (authority responsible for data protection pursuant to section 1).

The personal data will also be stored by the competent authority (authority responsible for data protection pursuant to section 1) in the respective administrative procedure for deciding on the application in accordance with the applicable regulations.

4.3.4 Use of the inbox function

Whose personal data is processed? (Categories of data subjects)

Applicants, including, for example, representatives

Which categories of personal data are processed?

Technical metadata (e.g. PostkorbID)

Why is the data processed? (Purposes of processing)

The data is used for the purpose of enabling contact with the applicant and, if applicable, the representative in order to provide application-specific information and/or the administrative decision by electronic means.

What happens to the personal data?

When the inbox is used, the aforementioned personal data is stored on the social platform. In addition, the data is forwarded to the authority responsible for data protection (in accordance with section 1).

What is the legal basis?

1. Processing only takes place with the consent of the applicant or the representative in accordance with Art. 6 para. 1 subpara. 1 lit. a) GDPR.

2. Processing on the social platform by MAGS NRW and IT.NRW is carried out by way of order processing in accordance with Art. 28 GDPR in conjunction with Section 80 SGB X for the authority responsible for the application under data protection law (in accordance with section 1).

Is there an obligation to provide this personal data and what are the consequences if the data is not provided?

The applicant or representative is not legally obliged to consent to the use of the inbox function. The authority can still contact the applicant or representative by post.

How long is the personal data stored?

The personal data is stored on the social platform and deleted after a few minutes, usually ten minutes, after the application has been sent to the competent authority (authority responsible for data protection in accordance with section 1). If the application is not sent, the data will be deleted 24 hours after the last change to the application.

The personal data will also be stored by the competent authority (authority responsible for data protection in accordance with section 1) in the administrative procedure for deciding on the application in accordance with the applicable regulations.

4.3.5 Storage of unsent applications

Whose personal data is processed? (Categories of data subjects)

The data of the same persons who submit the request.

Which categories of personal data are processed?

The same categories as in the respective application (in accordance with section 4.2).

Why are the data processed? (Purposes of processing)

To enable the interruption and subsequent completion of an application, for example to provide further information or documents that are relevant to an application.

What happens to the personal data?

The data is stored in the social platform database. The storage of unsent applications is only possible if the applicant or representative has authenticated themselves with a user account. Beyond this, no further processing of the data takes place.

What is the legal basis?

1. The processing on the social platform by MAGS NRW and IT.NRW takes place by way of order processing in accordance with Art. 28 GDPR in conjunction with Section 80 SGB X for the respective application.

2. The authority responsible for the application under data protection law (in accordance with Section 1) collects the personal data on the legal basis for the respective administrative procedure, as it must be possible for the applicant or representative - as with applications in paper form - to complete an application at different times. The legal basis for the administrative procedure is specified for the respective procedure in section 4.2.

Is there an obligation to provide this personal data and what are the consequences if the data is not provided?

The applicant or representative is not legally obliged to store the data on the social platform. Saved applications can be deleted at any time. However, all data must then be re-entered when submitting a new application.

How long is the personal data stored?

Saved applications are deleted 24 hours after the last change to the application, unless they are sent beforehand. After that, applications deleted from the system can still be reconstructed from encrypted data backups for a period of 6 weeks.

4.3.6 Transmission of submitted applications

Whose personal data is processed? (Categories of data subjects)

The data of the same persons submitting the request.

Which categories of personal data are processed?

The same categories as in the respective request (in accordance with section 4.2).

Why are the data processed? (Purposes of processing)

To carry out the administrative procedure to decide on the respective application.

What happens to the personal data?

After clicking on the button to submit an application, the data is transferred by IT.NRW to the authority responsible for data protection (in accordance with section 1) or, if applicable, to the additionally commissioned technical service provider.

What is the legal basis?

1. The processing and transmission of the data by IT.NRW and the additionally commissioned technical service provider, if applicable, is carried out by way of order processing in accordance with Art. 28 GDPR in conjunction with Section 80 SGB X for the authority responsible for the application under data protection law (in accordance with Section 1).

2. The authority responsible for the application under data protection law (in accordance with section 1) collects the personal data on the legal basis for the respective administrative procedure. The legal basis for the administrative procedure is specified for the respective procedure in section 4.2.

How long will the personal data be stored?

After the application has been sent, the personal data from the social platform operated by IT.NRW will be deleted within ten minutes of transmission to the responsible authority (in accordance with section 1) or, if applicable, to the additionally commissioned technical service provider.

If the responsible authority (in accordance with section 1) uses an additionally commissioned technical service provider to collect the application from the social platform operated by IT.NRW, the deletion of the data may take longer. In this case, the data will be completely deleted from the technical service provider's system after a maximum of 21 days.

4.3.7 Session cookie of the form management system

Whose personal data is processed? (Categories of data subjects)

Users of the web browser used to complete the online application form.

Which categories of personal data are processed?

Unique identifier to recognize the user in the form management system.

Why is the data processed? (Purposes of processing)

Unique assignment of the application form to a specific browser session and assignment of the communication between the form management system and the browser.

What happens to the personal data?

The unique identifier is stored in a cookie file on the user's end device.

What is the legal basis?

1. The processing on the social platform by MAGS NRW and IT.NRW is carried out by way of commissioned processing in accordance with Art. 28 GDPR in conjunction with Section 80 SGB X for the respective authority responsible for the application under data protection law (in accordance with Section 1).

2. The respective authority responsible for the application under data protection law (in accordance with Section 1) processes the personal data on the legal basis for the administrative procedure specified in Section 4.2, as this processing is technically necessary for the online application.

3. Insofar as data is retrieved from the user's terminal device or stored on the terminal device, this is done by the authority responsible for the application under data protection law (in accordance with Section 1) on the legal basis of Section 25 para. 2 TTDSG, as the retrieval and storage are necessary for the online application function.

How long is the personal data stored?

The session cookie, which contains the unique identifier, is deleted when the web browser is closed.