The retirement arrangement for the Civil Service. 
1. Who is the data controller?
The Controller within the meaning of the GDPR is
VBL. Versorgungsanstalt des Bundes und der Länder
(VBL. Pension Institution of the Federal and State Governments)
Hans-Thoma-Strasse 19
76133 Karlsruhe
2. Who should I contact?
The Data Protection Officer of VBL can answer your questions.
Mr Thilo Mangler
Hans-Thoma-Strasse 19
76133 Karlsruhe
E-Mail datenschutz@vbl.de
3. For what purpose and on what legal basis are my data processed?
We process your data
- in accordance with Art. 6 (1) (b) GDPR for the fulfilment of contracts (see nos. 3.1 and 3.2)
- in accordance with Art. 6 (1) (c) GDPR in connection with national regulations, in order to fulfil our legal obligations (see nos. 3.1 and 3.3)
- in accordance with Art. 6 (1) (e) GDPR in connection with national legal regulations, if and insofar as we act as a public body within the context of safeguarding a task in the public interest (see no. 3.4)
- on the basis of Art. 6 (1) (a) GDPR with your consent (3.5) and
- in accordance with Art. 6 (1) (f) GDPR
- to safeguard our legitimate interests outside of the scope of the performance of our tasks (see no. 3.6)
- to safeguard the legitimate interests of employers outside of the scope of the performance of our tasks in pseudonymised form (see no. 3.7).
In principle, these relevant personal data can be processed in all cases: Name, address, dates of birth, nationality, insurance number, personnel number of your employer, identification number for communication between VBL and employer, gender, marital status, insurance history, legal representation/authorisation
3.1 Data processing in the compulsory insurance scheme
The original contractual basis for the supplementary pension is your employment contract. In this contract, your (former) employer promised to provide you with a company pension in accordance with the provisions of the collective agreement for old-age provision/VBL's Articles of Association and an additional pension, disability pension and survivors' pension.
The supplementary pension is not provided directly by your employer, but by VBL. As a supplementary pension institution, it performs this task as a pension fund within the meaning of the Company Pension Act (BetrAVG) (Sections 18, 1 (1) 2, (1b) (3) BetrAVG). VBL and your employer have concluded an investment contract for this purpose. The manner in which it is provided is regulated by VBL's Articles of Association, which are based on the collective agreement for pensions.
The collective agreement for pensions and VBL’s Articles of Association are available here: VBL’s Articles of Association
Download: ATV – Tarifvertrag Altersversorgung, PDF, 318 KB
In order to implement the compulsory insurance scheme, the processing of the remuneration amount subject to additional pension is required before the event which triggers the liabilities/before submission of the application for an occupational pension.
Depending on your personal situation, data regarding your level of employment (calculation of the underlying entitlement in the integrated pension system/starting credit), any partial retirement agreements, maternity and parental leave, the transfer or recognition of insurance periods from other supplementary pension funds (insurance number, insurance period, amount of remuneration subject to supplementary insurance) may also be processed.
Following the occurrence of the event which triggers the liabilities/once the application for an occupational pension has been submitted, the following personal data will also be processed in order to calculate and pay out the occupational pension:
Bank data, social security data (data regarding the statutory retirement pension; e.g. data regarding the start of retirement, the type of pension, additional earnings), data relating to health and long-term care insurance (such as type of contribution, membership number of the insured person with the health insurance company, multiple withdrawals, amount of the total pension withdrawal) and tax data for the notification of benefits according to Section 22 (5) 7 Einkommensteuergesetz (Income Tax Act).
Data from other evidence of retirement pensions, exemption from statutory pension insurance or tax notices (e.g. in the case of additional earnings or non-social pensioners), child data (from birth certificates, survivors' pension notices, education certificates), data regarding the spouse (from marriage/death certificate, survivor's pension notices, e.g. for the recognition of maternity/parental leave and checking survivor's pension entitlements), health data, e.g. the duration and amount of sickness benefit (for disability pensions), diagnoses and prognoses (for checking/recognising occupational accidents) will be adapted to your personal situation.
3.2 Data processing for voluntary insurance
VBL arranges additional, voluntary insurance with the compulsorily insured upon request (cf. Section 26 ATV/Section 54 VBLS). VBL also processes your data within the context of salary foregone and in connection with other contracts in which the employer has undertaken to take out voluntary insurance on your behalf. The contribution data needs to be processed before the occurrence of the event which triggers the liabilities in order to fulfil this contractual obligation.
The following additional data may also be processed: Data on maternity leave, parental leave and the transfer or recognition of insurance periods together with other supplementary pension funds (insurance number, period, amount of remuneration), allowance data (this includes: required child/spouse data, tax and social security data)
Following the occurrence of the event which triggers the liabilities, the personal data already listed under 3.1 will also be processed for the calculation and payment of the retirement pension from the voluntary insurance.
3.3 Data processing based on legal obligations
Due to a variety of legal regulations, we are regularly obliged to process additional personal data in accordance with tax and social laws and pension rights adjustment law. This includes pension rights adjustment data, data on reporting in the paying agent reporting procedure with the health insurance companies, tax data, social security data and spouse data.
3.4 Data processing to perform tasks in the public interest
In order to enable other public bodies and authorities to fulfil their inherent public tasks, we transfer your data on the basis of legal provisions which oblige these bodies to process data after we have checked whether further processing/changes of purpose are possible and whether your interests are to be regarded as more important than those of the public body/authority.
You will be informed in advance about this data transfer for other purposes.
3.5 Data processing on the basis of consent
On the basis of your consent in the pension application, we transfer data regarding your occupational pension, health and long-term care insurance contributions to your bank so that these can be shown on your account statement. This requires the processing of your bank details and social security data.
3.6 Data processing to safeguard our legitimate interests
Independently from our tasks, we use your data to check how we can continuously improve our services through the use of customer surveys. If we use the support of external service providers (contract processors) for this purpose, we will only disclose your data on the basis of a contract for order processing in accordance with Art. 28 (3) GDPR.
3.7 Data processing to safeguard the legitimate interests of third parties
In order to prepare balance sheets for employers who do not fall within our area of responsibility, the employers involved receive estimated amounts from us or, if deemed necessary on the basis of our assessment, pseudonymised data.
4. Where does VBL get my data from and who receives it?
4.1 Compulsory and voluntary insurance schemes
We receive personal data from you, your (former) employer/their accounting/data centre and Deutsche Rentenversicherung (DRV) to the extent required to implement compulsory/voluntary insurance.
For this purpose, we also transfer data to you, your (former) employer/their accounting/data centre and DRV in order to secure your occupational pension.
In the case of an application for transfer or mutual recognition of insurance periods in the compulsory insurance scheme, we exchange data with other supplementary pension funds in order to determine whether you have a (higher) entitlement to an occupational/survivor's pension upon your application.
If you apply for state benefits (Riester) within the scope of a voluntary insurance or compulsory insurance scheme in the tariff area East, data will be exchanged with the Central Subsidy Office for Retirement Assets (ZfA).
In addition, we also communicate with DRV in order to improve our performance. This transfer of data is automated.
Further information about this transfer can be found here: Data exchange with Deutsche Rentenversicherung
4.2 Law
Within the scope of our legal obligations, we receive data from public authorities (e.g. the health insurance company) and courts (e.g. the family court in the case of pension rights adjustments). In order to comply with our legal obligations, we also transfer these data to the responsible public authorities.
4.3 Consent
We transfer the data listed under 3.5 to your bank with your consent.
4.4 Other
In order for public authorities and your employer to be able to fulfil the legal obligations, we transfer data to them which is only available to VBL.
We also transfer further data to public bodies and authorities if, after an overall assessment, we come to the conclusion that the transfer is lawful (see No. 3.4).
Data can also be transferred to our service providers and vicarious agents if they undertake to comply with data protection and guarantee compliance with our data protection instructions. We may also receive data within this context.
5. Does VBL transfer data to any third countries/international organisations?
Data transfers to countries outside the EU or the EEA (third countries) only take place if this is required by law for the execution of your orders (e.g. payment orders), legally required (e.g. fiscal reporting obligations), you have given us your consent or within the context of order processing. Service providers in a third country are only used if, in addition to written instructions, they can prove compliance with the data protection level of the GDPR using means provided by law.
6. How long will my data be stored?
Your data will only be stored for as long as is necessary to fulfil the purpose or to meet legal retention requirements.
7. Am I required to send my data to VBL?
Due to the notification obligations according to Section 20 (1, 2) ATV, Section 48 (1, 2) VBLS you are obliged to transfer the personal data required to guarantee the supplementary pension. If you do not provide the required data, the occupational pension may be withheld.
8. What rights do I have under the GDPR?
Upon request, you will be provided with information about the data stored about you (Art. 15 GDPR and Section 34 BDSG) and can request the rectification of incorrect data (Art. 16 GDPR). If the legal requirements are met, you can also restrict processing (Art. 18 GDPR) and request erasure (Art. 17 GDPR and Section 35 BDSG) of these data. In addition, you have the right to data portability (Art. 20 GDPR).
In cases where processing takes place on the legal basis of Art. 6 (1) (e) or (f), you have the right to object to the processing of your personal data (Art. 21 GDPR and Section 36 BDSG). If you make use of your rights, we will check that the legal requirements are met.
You also have the right to lodge a complaint with the regulatory authority in accordance with Art. 77 GDPR. You can contact the regulatory authority if you believe that your rights have been violated during the collection, processing or use of personal data by VBL.
9. Who is the responsible data protection supervisory authority?
As an institution under public law, VBL is subject to control by the
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
(Federal Commissioner for Data Protection and Freedom of Information)
Graurheindorfer Strasse 153
53117 Bonn
E-mail poststelle@bfdi.bund.de
Internet www.bfdi.bund.de
Version: 15.12.2022
Solutions and technologies of econda GmbH (Zimmerstraße 6, 76137 Karlsruhe, www.econda.de) collect and store data on our behalf to ensure that this website is optimised and designed to meet your needs.
Who is the data controller?
VBL. Pension Institution of the Federal and State Governments
Hans-Thoma-Strasse 19
76133 Karlsruhe
Who should I contact?
VBL's Data Protection Officer can answer any questions you have about data protection
Mr Thilo Mangler
Hans-Thoma-Strasse 19
76133 Karlsruhe
E-mail datenschutz@vbl.de
For what purpose and on what legal basis are my data processed by econda?
We process your personal data exclusively to optimise this website on the basis of the following legal bases:
- On the basis of your consent pursuant to Art. 6 (1) a) GDPR and/or in accordance with Section 25 TTDSG (German Telecommunications Telemedia Data Protection Act). Tracking using your pseudonymised IP address only takes place if you have given your consent.
The web analysis can be performed as session-based web analysis and/or cookie-based web analysis. As part of giving your consent, you can activate both analysis methods or just one analysis method.
In session-based web analysis (anonymous web analysis), anonymous click data are recorded by econda, which is processed internally by VBL for the purpose of analysis and optimisation of the website. A reference to the current user session (browser session storage) is necessary for statistical evaluations. No personal data are collected in this analysis.
There is no persistent storage of data on user devices. No personal data, such as the IP address, is stored. No connection is made between the click data and the region of the user. No cookies are set. You will not be recognised on later visits and it is not possible to create a profile.
As it is theoretically possible to establish, with considerable effort, a connection between your IP address and your click behaviour during the session with econda using your access time and the IP address stored by us for security purposes for seven days, the session-based web analysis is only carried out with your consent. This is no longer possible once the browser has been closed. From this point on, it becomes anonymous statistical data.
You can withdraw your consent to this processing at any time by deactivating the slider.
In cookie-based web analysis (complete web analysis), cookies are set to collect the click data which uniquely identify a user device. The data are collected and processed internally by VBL for the purpose of analysis and optimisation of the website.
If you give your consent to full web analysis, cookies are set for the purpose described above, which allow us to recognise the browser. Among other things, this enables us to establish a relationship between the user's region and the length of time spent on the website. Due to the immediate anonymisation of the IP address after receipt, no personal data are recorded and it is technically impossible to trace the address back to specific individuals. The address is anonymised by deleting the last two octets of the IP address. No user profiles are created on the basis of your insurance number or e-mail address.
As in the case of session-based web analysis, the connection between your IP address and your click behaviour could theoretically be established with considerable effort by working with econda and using the access time, the truncated IP address and the IP address stored by us for seven days for security purposes. After the storage period of the IP address of seven days has expired, this is no longer possible and the reference to you is erased.
You can withdraw your consent to this processing at any time by deactivating the slider.
VBL has no interest in identifying you in this way. The web analysis is only intended to gain statistical insights into click behaviour in order to be able to continuously optimise the website for users.
Which data processing is required?
Anonymous web analysis
Technologies used:
- No persistent storage of data on user devices
- User session (browser session storage)
The following data are recorded:
- Information about the device used (type, operating system, browser)
- Information about pages viewed during the website visit (referrer, including metadata and click IDs)
- Anonymised information about access data (pages viewed, including metadata)
Full web analysis
Technologies used:
- Cookies
- Local storage
The following data are recorded:
- Information about the device used (type, operating system, browser)
- IP address (truncated, e.g. 164.133.xxx.xxx)
- Information about pages viewed during the website visit (referrer, including metadata and click IDs)
- Information about access data (pages viewed, including metadata)
Where does VBL get my data from and who receives it?
We record your data during your visit to our website vbl.de.
Your data are processed by our contractor econda GmbH on the basis of a data processing agreement. The contractor does not use the data for its own purposes and does disclose them to third parties.
How long will my data be stored?
The data are only processed and stored for the period required to achieve the respective processing purpose. The cookie stored for the purpose of cookie-based web analysis is deleted after six months.
Does VBL transfer data to any third countries/international organisations?
The data are processed and stored on servers located in Germany and the EU. No data are transferred to countries outside the EU or the EEA (third countries).
What rights do I have under the GDPR?
Upon request, you will be provided with information about the data stored about you (Art. 15 GDPR and Section 34 BDSG (German Federal Data Protection Act)) and can request the rectification of incorrect data (Art. 16 GDPR). If the legal requirements are met, you can also restrict processing (Art. 18 GDPR) and request erasure (Art. 17 GDPR and Section 35 BDSG) of these data. In addition, you have the right to data portability (Art. 20 GDPR).
In cases where processing takes place on the legal basis of Art. 6 (1) e) or f), you have the right to object to the processing of your personal data (Art. 21 GDPR and Section 36 BDSG). If you assert your rights, we will check that the legal requirements have been met.
You also have the right to lodge a complaint with the Regulatory Authority in accordance with Art. 77 GDPR. You can contact the Regulatory Authority if you believe that your rights have been violated during the collection, processing or use of personal data by VBL.
Visitors to this website can withdraw their consent to this data collection and storage at any time in our Cookie Policy with future effect.
Withdrawal only applies to the device and the web browser on which the cookie was set. If necessary, please repeat the process on all devices for which you have given your consent.
Who is the responsible data protection supervisory authority?
As an institution under public law, VBL is subject to monitoring by the
Federal Commissioner for Data Protection and Freedom of Information
Graurheindorfer Strasse 153
53117 Bonn
E-mail poststelle@bfdi.bund.de
Internet www.bfdi.bund.de
Information about data protection law for the electronic exchange of data with Deutsche Rentenversicherung (German pension insurance scheme) for pensioners in accordance with Art. 13 and Art. 14 GDPR.
Version: 28.07.2022
VBL and Deutsche Rentenversicherung (DRV) have jointly set up an electronic data exchange. In future, VBL will receive all the data required for calculating and reviewing the occupational pension from the statutory pension notice directly electronically from DRV. The electronic data exchange initially applies to all pension beneficiaries from the compulsory insurance scheme (VBLklassik) who apply for an occupational pension from 1 August 2022 and are entitled to a (survivor's) pension from the statutory pension insurance scheme.
Who is the data controller?
VBL. Versorgungsanstalt des Bundes und der Länder (Pension Institution of the Federal and State Governments)
Hans-Thoma-Strasse 19
76133 Karlsruhe
Who should I contact?
VBL's Data Protection Officer can answer any questions you have about data protection
Mr Thilo Mangler
Hans-Thoma-Strasse 19
76133 Karlsruhe
E-mail datenschutz@vbl.de
For what purpose and on what legal basis are my data exchanged with DRV?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) to calculate your occupational pension:
- From 1 August 2022 due to the obligation under the collective agreement in accordance with Article 6 (1) c) GDPR in conjunction with Section 20 (1) sentence 2 of the collective agreement for pensions (ATV) specified in Sections 48 (1a), 84a (12) of VBL's Articles of Association (VBLS)
- Until 1 August 2022 based on your consent in accordance with Article 6 (1) a) GDPR
If, in a particular individual case, it is not possible for the data to be exchanged, we will contact you.
Which data processing is required? Where does VBL get my data from and who receives them?
In order for us to calculate your occupational pension correctly in accordance with the requirements of the collective agreement, the Articles of Association and the general terms and conditions of insurance for voluntary insurance, we need various pieces of information from the pension notice from Deutsche Rentenversicherung (DRV) concerning your statutory pension. For this reason, the pension notice with the required annexes had to be submitted until now.
Electronic data exchange makes this easier. When you submit an application for an occupational pension to us, we will register you with DRV for data exchange. DRV then sends us the required data and subsequently informs us of any changes to your statutory pension.
We use this data to check and calculate your occupational pension in accordance with VBL's Articles of Association. We do not disclose these data records to other entities or third parties. If you also receive a pension from voluntary insurance (VBLextra/VBLdynamik) in addition to the occupational pension from compulsory insurance (VBLklassik), we use the retrieved data to check and calculate your occupational pension from voluntary insurance in accordance with the specifications of the general terms and conditions of insurance.
The data are transmitted via a secure and encrypted connection between VBL and DRV.
To register for the data exchange, we transmit your name, date of birth, social security number and VBL insurance number.
Only the data required for checking and calculating your occupational pension are then transmitted by DRV. If applicable in your case, we receive the following data: Name, social security number, date of birth, date of pension notice, information on the benefit case and type, access factor, start and end of the pension, reason for calculation or rejection, information on health/nursing care insurance, indicator for a possible reimbursement claim by a social insurance carrier, indicator for pension rights adjustment as well as information on the suspension of the pension or on drawing a partial pension.
The data can be found in the statutory pension notice and the annexes "Calculation of pension", "Calculation of personal earning points" and "Concurrence of pension and income" as well as in the pension adjustment notification for your statutory pension.
You can also find more information on this in our data protection information in accordance with Art. 13 and 14 GDPR.
You can obtain further information on the exchange of benefit data in the pension application process from DRV at: https://www.dsrv.info/de/Navigation/20_Unsere_Verfahren/01_Nationaler_Datenaustausch/11_Versorgungstraeger/03_LEA2/LEA2_index_node.html
Does VBL transfer data to any third countries/international organisations?
No data is transferred to countries outside the European Union (EU) or the European Economic Area (EEA) as part of the data exchange.
How long will my data be stored?
In order to rule out the possibility of a technical transmission error, we store the data records for 14 days following transfer of the data from DRV. They are then deleted.
What other exchange procedures are there with DRV?
In addition, as part of our legal duty, we transmit data to DRV for offsetting income in the case of survivors' pensions and in the context of pension rights adjustment.
You can find more information at Deutsche Rentenversicherung:
On offsetting income:
For reimbursement in the pension rights adjustment process:
What rights do I have under the GDPR?
Upon request, you will be provided with information about the data stored about you (Art. 15 GDPR and Section 34 BDSG) and can request the rectification of incorrect data (Art. 16 GDPR). If the legal requirements are met, you can also restrict processing (Art. 18 GDPR) or request erasure (Art. 17 GDPR and Section 35 BDSG) of these data. In addition, you have the right to data portability (Art. 20 GDPR).
If you have given us your consent to offset your income, you can withdraw it at any time up to 1 August 2022 with effect for the future, e.g. by letter or fax. Due to the new provision of the collective agreement and the Articles of Association, we are generally allowed to process your data from this point onwards based on the provision of the collective agreement. You will be provided information on this separately.
In cases where processing takes place on the legal basis of Art. 6 (1) e) or f), you have the right to object to the processing of your personal data (Art. 21 GDPR and Section 36 BDSG). If you make use of your rights, we will check that the legal requirements are met.
You also have the right to lodge a complaint with the supervisory authority in accordance with Art. 77 GDPR. You can contact the supervisory authority if you believe that your rights have been violated during the collection, processing or use of personal data by VBL.
Who is the responsible data protection supervisory authority?
As an institution under public law, VBL is subject to control by the
Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information)
Graurheindorfer Strasse 153
53117 Bonn
E-mail poststelle@bfdi.bund.de
Internet www.bfdi.bund.de
Information about data protection law for the use of eveeno in accordance with Art. 13 and Art. 14 GDPR.
Version: 21.06.2021
VBL has introduced eveeno to enable business partners and insured persons to book and participate in events from any location. When you book appointments or participate in events via your customer portal “My VBL”, you will be redirected to eveeno’s external website.
Who is the data controller?
VBL. Versorgungsanstalt des Bundes und der Länder
(VBL. Pension Institution of the Federal and State Governments)
Hans-Thoma-Strasse 19
76133 Karlsruhe
Who should I contact?
VBL's Data Protection Officer can answer any questions you have about data protection
Mr Thilo Mangler
Hans-Thoma-Strasse 19
76133 Karlsruhe
E-Mail datenschutz@vbl.de
For what purpose and on what legal basis are my data processed?
We process your personal data exclusively for the purpose of booking appointments and participating in VBL digital events through eveeno on the basis of the following legal bases:
For insured persons and pensioners:
- To fulfil contractual obligations in accordance with Art. 6 (1) (b) GDPR: Your personal data are processed to fulfil a contract with you or to carry out pre-contractual measures.
For participants and employees of participating employers:
- In accordance with Art. 6 (1) (f) GDPR, we invite you to events which are necessary within the context of the cooperation. We use eveeno for digital events due to our internal organisation and invite you by processing your work e-mail address and your name. We process these data in the interest of working with you or your employer. You can opt out if you do not want to receive eveeno invitations.
Which data processing is required?
Personal data which are absolutely necessary when booking an event:
For participants and employees of participating employers:
- Employer data (name, employer account number, address)
- Full name
- E-mail address
Optional:
- Telephone number
For insured persons:
- Full name
- E-mail address
Optional:
- Telephone number
Optional calendar function: You can download the booked appointment to your electronic calendar (not an automatic download, active action on your part is necessary).
Voluntary disclosure of further data:
You can send a message to VBL as the organiser under “Other” when making the booking. The entry of data in the free text field is optional and voluntary. For this reason, only enter data if you consider this to be absolutely necessary.
Where does VBL get my data from and who receives it?
The data required for booking and participating in an event will be transferred to VBL when you make your booking.
Eveeno receives the data listed above within the scope of an order processing contract.
A booking can either be made by you, someone else on your behalf (e.g. by an employer), by a person named by you or by VBL’s service office. In accordance with Art. 14 (3) (b) GDPR, we will inform you about the option of having the booking arranged by others no later than in our first notification.
If a booking is made by others, this will have no effect on your rights as a data subject in accordance with Art. 15 et seq. GDPR.
Examples of a booking by others:
- Your employer's HR department or another person from the company registers you for a seminar by contacting our service office.
- A person from your company who has already booked would like you to participate in the event in their place and instructs VBL to rebook.
- Another person registers you for an event on their own portal access.
Does VBL transfer data to any third countries/international organisations?
Data transfers to countries outside the EU or the EEA (third countries) only take place if there is a legal obligation to do so, if you have given us your consent or within the context of order processing. Service providers in a third country are only used if, in addition to written instructions, they can prove compliance with the data protection level of the GDPR using means provided by law.
How long will my data be stored?
In order to meet tax law requirements, the data collected will be stored at VBL for ten years and will then be erased at the end of the year. Within eveeno, the data collected will be erased at the end of the following year.
What rights do I have under the GDPR?
Upon request, you will be provided with information about the data stored about you (Art. 15 GDPR and Section 34 BDSG) and can request the rectification of incorrect data (Art. 16 GDPR). If the legal requirements are met, you can also restrict processing (Art. 18 GDPR) and request erasure (Art. 17 GDPR and Section 35 BDSG) of these data. In addition, you have the right to data portability (Art. 20 GDPR).
In cases where processing takes place on the legal basis of Art. 6 (1) (e) or (f), you have the right to object to the processing of your personal data (Art. 21 GDPR and Section 36 BDSG). If you make use of your rights, we will check that the legal requirements are met.
You also have the right to lodge a complaint with the regulatory authority in accordance with Art. 77 GDPR. You can contact the regulatory authority if you believe that your rights have been violated during the collection, processing or use of personal data by VBL.
Who is the responsible data protection supervisory authority?
As an institution under public law, VBL is subject to control by the
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
(Federal Commissioner for Data Protection and Freedom of Information)
Graurheindorfer Strasse 153
53117 Bonn
E-mail poststelle@bfdi.bund.de
Internet www.bfdi.bund.de
Information about data protection law for the use of the appointment-making tool for insured persons and pensioners in accordance with Art. 13 and Art. 14 GDPR.
Version: 22.06.2021
We use the “Terminland” service from Terminland GmbH, Wiesbaden, to arrange appointments. This service is used to offer you a simple, effective and time-saving way to make an appointment with us for a callback or an individual consultation. The service provider processes data on our behalf. Reservations for individual consultations can be made in Terminland by opening the application in the My VBL Portal. A reservation for our telephone call-back-service in Terminland can be made directly in the My VBL Portal or on vbl.de’s website.
Who is the data controller?
VBL. Versorgungsanstalt des Bundes und der Länder
(VBL. Pension Institution of the Federal and State Governments)
Hans-Thoma-Strasse 19
76133 Karlsruhe
Who should I contact?
VBL's Data Protection Officer can answer any questions you have about data protection
Mr Thilo Mangler
Hans-Thoma-Strasse 19
76133 Karlsruhe
E-Mail datenschutz@vbl.de
For what purpose and on what legal basis are my data processed by Terminland?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).
For the fulfilment of contractual obligations (Art. 6 (1b) GDPR).
Your personal data are processed (Art. 4 (2) GDPR) in order to fulfil a contract with you. This also includes processing operations which are necessary to carry out pre-contractual measures (such as making an appointment in advance of the consultation).
Which data processing is required?
We process personal data which we receive from you when making an appointment.
This includes details such as your name and address, in addition to texts which make it possible to identify you. We collect the following data in detail:
- Personal master data: Full name, date of birth
- Communication data: Telephone numbers, e-mail addresses
You are required to provide your date of birth in order to identify you and allocate you to the event which triggers the liabilities.
You can enter the description of your request in a free text field. This will enable you to easily control which data you wish to enter. Only ever provide the personal data which you consider to be absolutely necessary.
Optional calendar function: You can download the booked appointment to your electronic calendar (not an automatic download, active action on your part is necessary).
Where does VBL get my data from and who receives it?
Data processing by Terminland.
Departments of the service provider will only gain access to your data if required to fulfil contractual and legal obligations. The commissioned contract processors used (Art. 28 GDPR) may also receive data for these purposes. With regard to the transfer of data to third parties, it should be noted that information about you will only be passed on if this is required by law, if you have given your consent or if the service provider is authorised to provide information.
Data processing by VBL.
VBL processes your data to the extent necessary for the purpose of booking an appointment. Depending on the reason for making an appointment, it may be necessary for VBL to use the data you entered in the appointment tool to find out more information about your request. This takes place outside of the appointment tool and is not part of the data processing by Terminland. No data other than those mentioned above are collected for the purpose of arranging an appointment.
Appointments can be booked directly in the My VBL Portal or, in the case of a call-back-service, on the vbl.de website. Appointments for the call-back-service can also be booked by third parties due to preventative circumstances of the insured person. This may happen if an appointment is booked by a representative or when booking an appointment that requires the presence of two people. The appointment confirmation will be sent to the e-mail address provided when booking along with the data entered when booking the appointment. No further data will be added to the appointment confirmation.
Does VBL transfer data to any third countries/international organisations?
Data transfers to countries outside the EU or the EEA (third countries) only take place if there is a legal obligation to do so, if you have given us your consent or within the context of order processing. Service providers in a third country are only used if, in addition to written instructions, they can prove compliance with the data protection level of the GDPR using means provided by law.
How long will my data be stored?
Your data will be stored by Terminland on servers in Germany for the purpose of scheduling appointments. The servers are located at an ISO 27001 and ISO 9001-2015 certified data centre.
In order to document the process in relation to the advisory activity, the data collected will be stored by VBL for three years and will then be erased at the end of the year. Data collected within Terminland will be erased at the end of the following year.
What rights do I have under the GDPR?
Upon request, you will be provided with information about the data stored about you (Art. 15 GDPR and Section 34 BDSG) and can request the rectification of incorrect data (Art. 16 GDPR). If the legal requirements are met, you can also restrict processing (Art. 18 GDPR) and request erasure (Art. 17 GDPR and Section 35 BDSG) of these data. In addition, you have the right to data portability (Art. 20 GDPR).
In cases where processing takes place on the legal basis of Art. 6 (1) (e) or (f), you have the right to object to the processing of your personal data (Art. 21 GDPR and Section 36 BDSG). If you make use of your rights, we will check that the legal requirements are met.
You also have the right to lodge a complaint with the regulatory authority in accordance with Art. 77 GDPR. You can contact the regulatory authority if you believe that your rights have been violated during the collection, processing or use of personal data by VBL.
Who is the responsible data protection supervisory authority?
As an institution under public law, VBL is subject to control by the
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
(Federal Commissioner for Data Protection and Freedom of Information)
Graurheindorfer Strasse 153
53117 Bonn
E-mail poststelle@bfdi.bund.de
Internet www.bfdi.bund.de
Information about data protection law for the use of Cisco Webex in accordance with Art. 13 and Art. 14 GDPR.
Version: 14.05.2021
VBL has introduced the Cisco Meetings application (hereinafter referred to as Cisco Webex) offered by Deutsche Telekom Business Solutions GmbH for location-independent, digital collaboration within VBL and with external discussion partners.
Who is the data controller?
VBL. Versorgungsanstalt des Bundes und der Länder
(VBL. Pension Institution of the Federal and State Governments)
Hans-Thoma-Strasse 19
76133 Karlsruhe
Who should I contact?
VBL's Data Protection Officer can answer any questions you have about data protection
Mr Thilo Mangler
Hans-Thoma-Strasse 19
76133 Karlsruhe
E-mail datenschutz@vbl.de
For what purpose and on what legal basis are my data processed?
We process your personal data exclusively for the purpose of digital business communication within VBL and with external discussion partners on the basis of the following legal bases:
- For VBL employees in accordance with Art. 88 (1) GDPR, Section 26 (4) 1 BDSG in conjunction with the framework service agreement for the use of technical solutions for digital collaboration (DV DZL)
- If you take part in meetings organised by VBL due to contractual/legal obligations, we will use Cisco Webex due to our internal organisation and will process your data in accordance with Art. 6 (1) (b) or (c) GDPR
- In all other cases,
- we invite you to meetings required within the scope of the collaboration in accordance with Art. 6 (1) (f). We offer Cisco Webex for digital meetings due to our internal organisation and our invitation to meetings will involve the processing of your work e-mail address and name. We process these data in the interest of working with you or your employer. You can opt out if you do not want to receive Webex invitations.
- we process your data when you participate in a meeting in accordance with Art. 6 (1) (a) GDPR on the basis of your consent: You can join a meeting once we've invited you to the meeting. You join on the basis of your consent, which you declare by actively entering your name or an alias and opening the session. Participation is voluntary and your consent can be withdrawn at any time with future effect by leaving the session.
For the fulfilment of contractual obligations (Art. 6 (1b) GDPR).
Your personal data are processed (Art. 4 (2) GDPR) in order to fulfil a contract with you. This also includes processing operations which are necessary to carry out pre-contractual measures (such as making an appointment in advance of the consultation).
Which data processing is required?
Personal data required to set up VBL user account for employees and organisers of VBL meetings:
- Full name
- Work e-mail addresses
The following data are processed when communicating via Cisco Webex:
- Username/name entered when using
- E-mail addresses
- Device name, geospatial data, information about the operating system/browser, client version, time zone, domain name, hardware type, IP address (when used via VBL systems/business devices, generally not individual-related
- Organisation ID (Universal Unique Identifier)
- Endpoint MAC addresses
- Activity logs
- Communication content data (video, audio, presentation material)
Voluntary disclosure of further data:
If a VBL user account has been set up for you, you can insert a picture. Inserting an image is voluntary and is not required for use, your order or your employment relationship.
Images can be added or deleted at any time with no legal consequences.
Is processing possible for other purposes?
On the basis of a (sub)commissioned data processing contract, personal data are processed within the scope of the order and on the instructions of VBL in order to provide the conference tool.
Where does VBL get my data from and who receives it?
The data required to set up a user account are available to VBL within the context of your employment relationship, your order and your legal or contractual obligation.
Additional data will be collected from you within the scope of our communication.
Deutsche Telekom Business Solutions GmbH and Cisco International Limited receive the data listed above on the basis of a (sub)commissioned data processing contract.
Does VBL transfer data to any third countries/international organisations?
Data are transferred to countries outside the EU or the EEA (third countries) for billing purposes or for the purpose of service analysis. Within this context, the following data are transferred to the USA:
For billing purposes:
- Host name (first name, surname, email address)
- Webex meeting site address (URL)
- Webex meeting start/end time
For the purpose of service analysis:
- Telemetry data of the clients
These data are expected to be processed exclusively within the EU from the 2nd half of 2021.
All other data mentioned above – in particular data generated by the participants, such as split screen contents – are processed by the subcontractor Cisco International Limited, which is based in Great Britain, at the data centre closest to VBL (Frankfurt/Amsterdam/London) in accordance with the contractual agreement with Telekom Business Solutions GmbH. The data centre in London will also be replaced soon.
How long will my data be stored?
The data in your VBL user account will be stored for as long as you are employed by VBL/you have a cooperation with VBL and as long as the application is used.
All other data will be deleted 90 days after the meeting has ended.
What rights do I have under the GDPR?
Upon request, you will be provided with information about the data stored about you (Art. 15 GDPR and Section 34 BDSG) and can request the rectification of incorrect data (Art. 16 GDPR). If the legal requirements are met, you can also restrict processing (Art. 18 GDPR) and request erasure (Art. 17 GDPR and Section 35 BDSG) of these data. In addition, you have the right to data portability (Art. 20 GDPR).
In cases where processing takes place on the legal basis of Art. 6 (1) (e) or (f), you have the right to object to the processing of your personal data (Art. 21 GDPR and Section 36 BDSG). If you make use of your rights, we will check that the legal requirements are met.
You also have the right to lodge a complaint with the regulatory authority in accordance with Art. 77 GDPR. You can contact the regulatory authority if you believe that your rights have been violated during the collection, processing or use of personal data by VBL.
Who is the responsible data protection supervisory authority?
As an institution under public law, VBL is subject to control by the
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
(Federal Commissioner for Data Protection and Freedom of Information)
Graurheindorfer Strasse 153
53117 Bonn
E-mail poststelle@bfdi.bund.de
Internet www.bfdi.bund.de
Information about data protection law for the use of FastViewer in accordance with Art. 13 and Art. 14 GDPR.
Version: 30.07.2021
VBL uses the FastViewer service from FastViewer GmbH in Neumarkt for location-independent, digital collaboration within VBL and external discussion partners.
Who is the data controller?
VBL. Versorgungsanstalt des Bundes und der Länder
(VBL. Pension Institution of the Federal and State Governments)
Hans-Thoma-Strasse 19
76133 Karlsruhe
Who should I contact?
VBL's Data Protection Officer will answer any questions you have about data protection
Mr Thilo Mangler
Hans-Thoma-Strasse 19
76133 Karlsruhe
E-Mail datenschutz@vbl.de
For what purpose and on what legal basis are my data processed?
We process your personal data exclusively for the purpose of digital business communication within VBL and with external discussion partners on the basis of the following legal bases:
- For VBL employees in accordance with Art. 88 (1) GDPR, Section 26 (4) 1 BDSG in conjunction with the framework service agreement for the use of technical solutions for digital collaboration (DV DZL)
- If you take part in meetings organised by VBL due to contractual/legal obligations, we will use FastViewer due to our internal organisation and will process your data in accordance with Art. 6 (1) (b) or (c) GDPR
- In all other cases,
- we invite you to meetings required within the scope of the collaboration in accordance with Art. 6 (1) (f). We offer FastViewer for digital meetings due to our internal organisation and our invitation to meetings will involve the processing of your work e-mail address and name. We process these data in the interest of working with you or your employer.
- we process your data when you participate in a meeting in accordance with Art. 6 (1) (a) GDPR on the basis of your consent: You can join a meeting once we've invited you to the meeting. You join on the basis of your consent, which you declare by actively entering your name or an alias and opening the session. Participation is voluntary and your consent can be withdrawn at any time with future effect by leaving the session.
Which data processing is required?
The following data are processed when communicating via FastViewer:
- Username/UserID
- E-mail address
- IP address
During a session, the following information about the session are saved in an online log: Username, timestamp.
Where does VBL get my data from and who receives it?
The data required to invite you to participate in a FastViewer session are available to VBL within the context of your employment relationship, your order and your legal or contractual obligation.
Additional data will be collected from you within the scope of our communication.
The video conference provider FastViewer GmbH processes the personal data listed above on the basis of a commissioned data processing contract.
Does VBL transfer data to any third countries/international organisations?
No data are transferred to countries outside the EU or the EEA (third countries).
How long will my data be stored?
Your data will only be stored for as long as is necessary to fulfil the purpose or to meet legal retention requirements. The technically required personal data are temporarily stored and are deleted as soon as the purpose of the processing no longer applies.
What rights do I have under the GDPR?
Upon request, you will be provided with information about the data stored about you (Art. 15 GDPR and Section 34 BDSG) and can request the rectification of incorrect data (Art. 16 GDPR). If the legal requirements are met, you can also restrict processing (Art. 18 GDPR) and request erasure (Art. 17 GDPR and Section 35 BDSG) of these data. In addition, you have the right to data portability (Art. 20 GDPR).
In cases where processing takes place on the legal basis of Art. 6 (1) (e) or (f), you have the right to object to the processing of your personal data (Art. 21 GDPR and Section 36 BDSG). If you make use of your rights, we will check that the legal requirements are met.
You also have the right to lodge a complaint with the regulatory authority in accordance with Art. 77 GDPR. You can contact the regulatory authority if you believe that your rights have been violated during the collection, processing or use of personal data by VBL.
Who is the responsible data protection supervisory authority?
As an institution under public law, VBL is subject to control by the
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
(Federal Commissioner for Data Protection and Freedom of Information)
Graurheindorfer Strasse 153
53117 Bonn
E-mail poststelle@bfdi.bund.de
Internet www.bfdi.bund.de
Version: 12.12.2022
The following information provides an overview of the collection, processing and use of your data during the initiation or management of a rental relationship.
Who is the data controller?
VBL. Versorgungsanstalt des Bundes und der Länder (Pension Institution of the Federal and State Governments), Hans-Thoma-Strasse 19, 76133 Karlsruhe
Who should I contact?
VBL's Data Protection Officer can answer any questions you have about data protection
Mr Thilo Mangler
Hans-Thoma-Strasse 19
76133 Karlsruhe
E-mail datenschutz@vbl.de
For what purpose and on what legal basis are my data processed?
Your personal data are processed for the following purposes:
- Management of prospective tenants
- For the proper execution of tenancies
- For billing purposes
This takes place on the basis of the following legal bases:
- For prospective tenants with your consent in accordance with Article 6 (1) a) GDPR. You can withdraw your consent at any time. We store the data required for tenant selection and contract initiation in accordance with Article 6 (1) b) GDPR.
- For tenants in accordance with Article 6 (1) b) GDPR for the proper execution of the rental relationship and on the basis of legal obligations in accordance with Article 6 (1) c), such as reporting obligations under the Bundesmeldegesetz (German Federal Registration Act) and the accounting obligation under the HGB (German Commercial Code).
Which data processing is required?
Personal data required for prospective tenants administration and the proper management of a tenancy:
For prospective tenants:
- First and last name, address
- Telephone number
- E-mail address
- Tenant self-disclosure (family circumstances, number of people living in the household, date of birth, occupation and length of service, income, proof of income)
- Copy of ID card: only if a rental agreement is concluded and the identity verification required for this purpose cannot be carried out on site
Additional data for tenants:
- Bank details for direct debit payments
- Rent amount, balance, operating costs
- Consumption data and operating costs according to the Operational Costs Ordinance (BetrKV) and Heating Costs Ordinance (HeizKV)
- Correspondence during the tenancy, contract start and end dates
Voluntary disclosure of further data:
The provision of additional data is optional and voluntary. For this reason, please only send data to VBL if you consider this to be absolutely necessary.
Where does VBL get my data from and who receives it?
For prospective tenants:
Data required for the selection process are collected during contract initiation when you provide your self-disclosure.
For renters:
The data required to properly manage a tenancy will be collected from you during the contract initiation or preparation of the tenancy agreement.
Officials and authorities only receive the data if this is required by law or if VBL needs to comply with its legal obligations.
In the event of maintenance work/damage to the property, tradesmen and insurance companies will receive your data in order to carry out the maintenance work or repair the damage.
Our property management department stores and processes the data within the scope of its administrative work. A billing company will also receive your data for the purpose of preparing the heating bill.
Does VBL transfer data to any third countries/international organisations?
No data are transferred to countries outside the EU.
How long will my data be stored?
Data of prospective tenants will be erased if no contract is concluded and if there are no legal retention or verification periods preventing their erasure. As a rule, the data are erased approximately six weeks after the selection process is complete.
Data from prospective tenants who have given their consent to the storage of their data for a period longer than six weeks is usually erased approximately six months after completion of the selection process.
If you send us copies of your ID card when the contract is concluded, these copies will be erased or destroyed immediately after comparison with the information in the rental contract.
In the case of an existing contractual relationship, the data are stored in accordance with the statutory storage regulations. If the contractual relationship is terminated, the data will be erased after the statutory retention period has expired.
What rights do I have under the GDPR?
Upon request, you will be provided with information about the data stored about you (Art. 15 GDPR and Section 34 BDSG (German Federal Data Protection Act)) and can request the rectification of incorrect data (Art. 16 GDPR). If the legal requirements are met, you can also restrict processing (Art. 18 GDPR) and request erasure (Art. 17 GDPR and Section 35 BDSG) of these data. In addition, you have the right to data portability (Art. 20 GDPR).
In cases where processing takes place on the legal basis of Art. 6 (1) e) or f), you have the right to object to the processing of your personal data (Art. 21 GDPR and Section 36 BDSG). If you assert your rights, we will check that the legal requirements have been met.
You also have the right to lodge a complaint with the Regulatory Authority in accordance with Art. 77 GDPR. You can contact the Regulatory Authority if you believe that your rights have been violated during the collection, processing or use of personal data by VBL.
Who is the responsible data protection supervisory authority?
As an institution under public law, VBL is subject to monitoring by the
Federal Commissioner for Data Protection and Freedom of Information
Graurheindorfer Strasse 153
53117 Bonn
E-Mail poststelle@bfdi.bund.de
Internet www.bfdi.bund.de
Data protection on our website.
Version: 16.07.2021
Summary.
Each time a user accesses the website www.vbl.de and each time a file is accessed, the Federal and State Pension Fund (VBL) collects and processes data about this process and temporarily saves it in a log file. These data are only saved for security reasons and are then erased. They will not be used for any other purpose or passed on to third parties.
VBL only collects and uses personal data (e.g. name, email address) outside of the registration and use of the My VBL customer portal if you enter these data in an input field or send them by email in order to make a request to VBL (e.g. when using the call-back-service) or when using a service or an offer (e.g. when using an online computer) and sending data to VBL. These data are entered voluntarily by you. Your personal data will only be used for a specific purpose (e.g. to process the requested callback).
Data protection framework.
VBL collects, processes and uses personal data in compliance with data protection regulations, in particular the Telemedia Act (TMG), the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). In doing so, VBL takes into account the principle of data minimisation; i.e. personal data are only collected and processed to the extent necessary to provide the services and to perform the tasks.
The employees of VBL are bound to secrecy. In accordance with the legal requirements, VBL has taken the necessary technical and organisational measures to protect personal data.
Collection and use of personal data.
Each time a VBL page is accessed on the internet, data about this process are saved in a log file. VBL cannot use these data to identify you. The VBL cannot detect which user has accessed which data. Essentially, the following data are stored:
- operating system used
- browser used
- Access time
- IP address
- Access failure
The stored data are used exclusively for data security purposes. The IP address is stored for seven days for security purposes (in order to identify DOS attacks). It will not be passed on to third parties for commercial or non-commercial purposes.
Some forms in the download centre can be recommended. Within the scope of this functionality, VBL also saves the IP address of the person making the recommendation in order to be able to provide evidence in cases of abuse. In this case, the IP address is also erased after seven days.
Data collected via the website www.vbl.de are either processed by VBL itself or by the provider of the website software at a data centre in the Federal Republic of Germany (FRG) in accordance with its specifications and instructions on the basis of a contract for commissioned data processing and are only used for the purposes described here. No data are processed outside of the territory of the European Union (EU) and the European Economic Area (EEA).
Online services of VBL.
On the Contact page, VBL only collects and processes data which you enter for this purpose and that are required for clear verification and preparation for the meeting. The data will only be used for the purpose of establishing contact.
VBL processes the data provided in the call-back form within the scope of the use of the call-back-service. The call-back-service is aimed exclusively at existing customers, which is why these data are required for clear verification and preparation for a meeting. See Data protection Terminland above for more information.
Information about data processing within the framework of the VBL newsletter is provided in our newsletter.
If you are asked to provide personal data when using the aforementioned functions, there is no legal or contractual obligation to do so. The provision of the data is also not required to conclude a contract. If you do not want to provide the data, the only consequence is that you will not be able to use the functions.
When you use our My VBL customer portal, you can also make (online) consultation appointments, book events and use the offer calculator. The (data protection) information on our portal can be found under My VBL.
The information about data processing in our appointment booking tool can be found above under Data protection Terminland.
Please read Data protection eveeno for information about data protection law relating to event booking.
When you use the online calculator, which provides offers through the offer calculator, VBL collects data such as your surname, first name and insurance number. As VBL is only permitted to submit offers to existing customers in accordance with its Articles of Association, these data are required for clear verification and the preparation of offers.
Website analysis.
No web analysis currently takes place using tracking software, so no cookies are set.
Use of cookies.
You can find more information about all of the cookies used by VBL and how these cookies are handled in our Cookie-Policy.
Information regarding links on the VBL website.
Some pages of the website www.vbl.de contain links to external services and websites. These are optically marked as a link and are highlighted with a corresponding mouse-over function.
VBL is not responsible for the content of external sites and has no influence whatsoever over their design and content. VBL therefore distances itself from all content on these pages.
Information regarding the use of e-mail.
Please note that when using e-mail, the confidentiality of information on the internet is currently not guaranteed without further measures (e.g. encryption). Any content sent in an unencrypted e-mail is no more confidential than information sent by postcard. In order to prevent unauthorised third parties from gaining knowledge of this information, we recommend that you use De-Mail for messages with sensitive content, or send them by post.
If VBL has been provided with e-mail addresses (e.g. to participate in the “VBLnewsletter” newsletter service), these will only be used for this purpose and will not be passed on to third parties.
Rights of data subjects.
Upon request, you will be provided with information about the data stored about you (Art. 15 GDPR and Section 34 BDSG) and can request the rectification of incorrect data (Art. 16 GDPR). If the legal requirements are met, you can also request the restriction of processing (Art. 18 GDPR) or the erasure (Art. 17 GDPR and Section 35 BDSG) of these data and can object to the processing of your personal data (Art. 21 GDPR and Section 36 BDSG). In addition, you have the right to data portability (Art. 20 GDPR).
Data Protection Officer of VBL.
Mr Thilo Mangler
Hans-Thoma-Strasse 19
76133 Karlsruhe
E-Mail datenschutz@vbl.de
Get in touch if you have any questions about data protection at VBL and with possible complaints.
Data protection supervisory authority.
As an institution under public law, VBL is subject to control by the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The BfDI monitors VBL’s compliance with the provisions of the General Data Protection Regulation and the Federal Data Protection Act, as well as other provisions on data protection. You can contact the BfDI if you believe that your rights have been infringed through the collection, processing or use of personal data by VBL (right of appeal).
The address is:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
The Federal Commissioner for Data Protection and Freedom of Information
Graurheindorfer Strasse 153
53117 Bonn
E-mail poststelle@bfdi.bund.de
Internet www.bfdi.bund.de