Jump to main navigation Skip to Content

DFG Logo: back to Homepage Deutsche Forschungsgemeinschaft

Data protection notice for procurement procedures and business partners of the German Research Foundation (DFG)

We, the Deutsche Forschungsgemeinschaft e. V. (DFG, German Research Foundation) take the protection of personal data and its confidential treatment extremely seriously. Therefore, we wish to inform you about the processing of your personal data in connection with procurement procedures and the potential subsequent business relationship or in connection with business relationships with you or your employer independently of procurement procedures and the rights to which you are entitled. The processing of your personal data takes place exclusively within the framework of the applicable statutory provisions of data protection laws, in particular the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

I. Who is responsible for the data processing and who is the data protection officer?

1. The controller for the processing of your personal data is:

2. You can contact our data protection officer as follows:

II. What is the subject matter of data protection?

The subject matter of data protection is personal data. This is all information which relates to an identified or identifiable natural person (so-called data subject). For example, this includes information such as name, postal address, e-mail address or telephone number.

III. What personal data relating to me will be processed?

Within the framework of procurement procedures and the potential subsequent business relationship and in connection with business relationships with you or your employer independently of procurement procedures, we only process the personal data relating to you that is connected with the business relationship.

Specifically, this may include:

  • Contact information, including your name, e-mail address, telephone number and postal address
  • Name of the company
  • Information on the non-appealable conviction of persons belonging to the administrative, management or supervisory bodies of the candidate or tenderer or of a member of the consortium of candidates or tenderers
  • Information on the payment of taxes and social security contributions
  • Declaration on the facultative grounds for exclusion pursuant to Section 124 GWB (Act against Restraints of Competition) and self-cleansing
  • Self-declaration on exclusion requirements pursuant to Section 19 para. 1 MiLoG (Act Regulating a General Minimum Wage)
  • Information on the qualification and authorisation to practise the profession
  • Information on economic, financial, technical and professional capacity

IV. What are the purposes of the processing of my personal data and on what legal basis does this take place?

Below, we wish to provide you with an overview of the purposes and legal basis for processing your personal data within the framework of the DFG's procurement procedures:

1. Data processing for purposes of contract fulfilment / for the implementation of precontractual measures

We process your personal data for the preparation and implementation of the DFG procurement procedure and the potential subsequent business relationship and in connection with business relationships with you or your employer independently of procurement procedures. This particularly includes the following purposes, depending on the contract in question:

  • Communication with you
  • Evaluation of suitability and formal requirements for the procurement procedure.
  • Preparation, conclusion, handling and implementation of the contractual relationship between you or your employer and the DFG
  • Compilation of offers, order confirmations and invoices

Data processing takes place in accordance with point (b) of Article 6 Paragraph 1 GDPR, insofar as a business relationship entered into with you or maintained. If you are acting on behalf of a third party, in particular your employer, the data processing is also carried out on the basis of point (b) of Article 6 Paragraph 1 GDPR, based on your contract with your employer.

We erase the data once it is no longer necessary for the purposes pursued by us in connection with the procurement procedure and the potential subsequent business relationship or in connection with business relationships with you or your employer independently of procurement procedures and provided that no other legal requirements, in particular statutory or contractual retention periods, apply.

2. Fulfilment of legal obligations

We also process your personal data in order to comply with legal obligations arising, for example, from the Act against Restraints of Competition (GWB), the Public Procurement Ordinance (VgV) or the Competition Register Act (WRegG) or under commercial, tax, financial or criminal law. We are also required by provisions und public procurement law to publish the name of the company commissioned, among other things. If our contractors are natural persons, the name is only published on the basis of consent (point (a) of Article 6 Paragraph 1 GDPR in conjunction with Section 30 Paragraph 1 Sentence 2 No. 2 Regulation on Sub-Threshold procurement – UVgO). The purposes of the processing are determined by the respective legal obligation. As a rule, the processing takes place in order to comply with state monitoring and information obligations.

To this extent, the data is processed in accordance with point (c) of Article 6 Paragraph 1 GDPR.

We will erase the data once the legal obligation no longer applies and provided that no other legal requirements, in particular statutory or contractual retention periods, apply.

3. Processing in order to safeguard legitimate interests

Where necessary, we also process your personal data in order to safeguard our legitimate interests. We will only process your personal data if this is compatible with your basic rights and freedoms.

This may be applicable in the following cases:

  • Protection and security of IT resources
  • Protection of domiciliary rights
  • Prevention / investigation of criminal offences
  • Procurement procedures in association with other research organisations

To this extent, data processing takes place in accordance with point (f) of Article 6 Paragraph 1 GDPR. Here, our legitimate interests consist in pursuing these aims.

We will erase the data once it is no longer necessary for the purposes being pursued by us and provided that no other legal requirements apply.

V. Will my personal data also be collected from third parties?

We primarily process the personal data which we receive directly from you within the context of procurement procedures and the potential subsequent business relationship or in connection with business relationships with you or your employer independently of procurement procedures. In a few cases, we also obtain your personal data from third parties, for example:

  • from your employer
  • from third parties (e.g. tenderer or tenderer consortia, contracting parties)

If necessary, we will provide you with more precise information about the above in separate form.

VI. Does automated decision-making or profiling take place?

We do not use automated decision-making or profiling in accordance with Article 22 GDPR.

VII. Am I required to provide my personal data?

In connection with procurement procedures, you are required to provide the personal data which is necessary for the preparation and implementation of the procurement procedure and the fulfilment of the associated contractual or statutory obligations, or which we are legally obliged to process. Without this data, you may not be able to participate in the procurement procedure.

VIII. Who has access to my personal data and which recipients obtain it?

Within the DFG Head Office, only those employees who strictly require your personal data in order to carry out their functions or tasks have access to it.

We only pass your personal data on to external recipients if a legal basis exists for this or if you have given your consent to such. Possible external recipients include:

  • Processors: Service providers who are used by us for the purpose of project management in implementing procurement procedures, to provide personnel services or who are involved in the maintenance of our IT systems. These processors are carefully selected by us and are regularly audited in order to ensure that your personal data remains protected. The service providers may only process your personal data for the purposes stated by us.
  • Public bodies: Authorities and state institutions, for example public prosecutor's offices, courts or financial authorities, as well as public donors to the DFG to whom we may be required to provide personal data in individual cases.
  • Private bodies: Private bodies to whom we pass on your personal data in accordance with a legal regulation or with your consent, e.g. lawyers, auditors, tax advisers or other research organisations associated with the DFG in connection with a contract procurement procedure. For example, within the framework of the annual financial audit by the DFG's auditors, random samples are taken from the procurement procedures.

IX. Will my personal data be transferred to third countries?

In connection with the procurement procedure and the potential subsequent business relationship and in connection with business relationships with you or your employer independently of procurement procedures, your personal data may be transferred to bodies whose headquarters or data processing location is not in a Member State of the European Union or another Member State of the European Economic Area. In such a case, prior to the transfer, we ensure that either an adequate level of data protection exists (for example by means of an adequacy decision of the European Commission, suitable guarantees, such as the agreement of so-called EU standard data protection clauses of the European Commission with the recipient) or you have given your express consent, with the exception of exemption cases which are permitted by law. You can obtain from us a copy of the provisions agreed in the individual case in order to ensure an adequate level of data protection. Please use the contact details under Number I., 1.

X. For how long will my data be stored?

Please see the relevant section concerning data processing under Number IV. in order to find out for how long your personal data is stored.

XI. What are my rights as a data subject?

You are entitled to the following rights in connection with the processing of your personal data:

1. Right of access

You have the right to receive confirmation from us as to whether we process personal data relating to you or not. Should this be the case, you have the right to receive information concerning your personal data and to receive further details concerning the processing.

2. Right to rectification

You have the right to request the rectification of incorrect personal data relating to you and to have incomplete personal data completed.

3. Right to erasure (“right to be forgotten”)

Under certain circumstances, you have the right to request that we erase your personal data. For example, this right exists if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed or if the personal data was processed unlawfully.

4. Restriction of processing

Under certain circumstances, you have the right to request that the processing of your personal data be restricted. In such a case, we will only store such personal data in relation to which you have given your consent or processing is permitted by the GDPR. For example, you may have a right to restrict processing if you have disputed the correctness of your personal data.

5. Data portability

Should you have provided us with personal data under a contract or with your consent, then provided that the statutory requirements are met, you can request to receive the data which you have provided in a structured, commonly used and machine-readable format or request that we transfer this data to another controller.

6. Withdrawal of consent

Should you have given us your consent to the processing of your personal data, you can withdraw this at any time with effect for the future. The lawfulness of the processing of your personal data prior to the withdrawal remains unaffected by this.

7. Objection against processing on the basis of a “legitimate interest”

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (f) of Article 6 Paragraph 1 GDPR (data processing in accordance with a balancing of interests). Should you raise an objection, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.

8. Right to complain to the supervisory authority

You also have the right to lodge a complaint with the responsible supervisory authority, should you consider that the processing of your data breaches applicable laws. For this purpose, you can contact the data protection authority, which is responsible for your place of residence, place of employment or the location of the alleged breach or the data protection authority which has jurisdiction over us. The supervisory authority of the German Federal State in which you reside or work or where an alleged breach which forms the subject of the complaint has taken place holds jurisdiction.

XII. Who can I contact if I have any questions or wish to assert my rights as a data subject?

Should you have any questions concerning the processing of your personal data or should you wish to assert your rights as a data subject which are set out in Number XI. 1-7, you can contact us free of charge. Please use the contact details under Number I., 1. To withdraw your consent, you can also use the contact channel which you selected when submitting the declaration of consent.