Data protection

Information from the Finance Agency on data protection pursuant to Art. 13 and 14 of the EU General Data Protection Regulation (GDPR).

We are pleased that you are visiting our website and thank you for your interest in German Government securities, our company and our website.

Compliance with the pertinent data protection provisions is second nature to us, and we consider the protection of your privacy to be of the utmost importance. For this reason, it is important for us to provide you with information about the categories of personal data we collect, when we collect such data, how long we store such data and for which purposes such data are used.
We have structured our information according to different purposes so that you can immediately access the part of the information that is relevant to you.

1. Data controller and data protection officer

Federal Republic of Germany – Finance Agency
Olof-Palme-Straße 35
60439 Frankfurt am Main
Telephone: +49 (0) 69 25 616 0
Fax: +49 (0) 69 25 616 14 76


Our Data Protection Officer can be contacted at:
Federal Republic of Germany – Finance Agency
- Data Protection Officer -
Olof-Palme-Str. 35
60439 Frankfurt / Main


2. Purposes of the processing

A) Data processing on the website

The Finance Agency processes the personal data of the visitors to its website in order to provide general information on what the Finance Agency does as well as to enable visitors to contact the Finance Agency.

Categories of data

We process the personal data that we receive when you use our website, when responding to your enquiries and when you subscribe to our newsletters.

a) Data processing on our website

Every time you visit our website or retrieve a file from our website, data on this access is stored and processed temporarily in a log file.
In detail, the following data are processed and stored:

  • request details and target address (protocol version, HTTP method, referrer, user agent string),
  • IP address,
  • name of the accessed file and retrieved data volume (requested URL incl. query string, size in bytes),
  • message whether the access was successful (HTTP status code).

b) Newsletter subscription

When you subscribe to a newsletter, we record your email address, the newsletter you have selected, and the date and time of your registration.
To make sure that the newsletter was expressly requested by you, the subscription procedure involves an additional confirmation email containing a link to complete the registration process (double opt-in). When you register, an unencrypted confirmation email with a link to complete the registration is generated and sent to the email address you provided. The data required for you to receive the newsletter, along with the confirmation email itself (double opt-in), will only be stored once you click the link in the email. The data will only be stored for the duration of your subscription and solely for the purpose of sending the newsletter.
Should you no longer wish to use our services, you can unsubscribe from our newsletters at any time. A corresponding link can be found at the end of each newsletter.


Cookies are small text files which, depending on your browser settings, are stored on the hard drive of your computer when you visit our website. These cookies do not retrieve any information about you stored on your hard drive and do not interfere with your computer or its files. Most browsers are configured to automatically accept cookies. However, you can generally deactivate the storage of cookies or configure your browser so that it notifies you that cookies have been set.
The Finance Agency is legally obliged to determine whether you are located in the USA, Canada, Australia, Japan, Hong Kong or any other jurisdiction in which the purchase or sale of German Government securities is subject to legal restrictions. This will determine which products and services we may offer you.
We use a splash screen to perform this query. If the information you provide indicates you are not subject to any trading restrictions, we will set a session cookie. This session cookie remembers your self-assessment and is set when you visit the ‘Private Investors’ and ‘Institutional Investors’ sections. The session cookie prevents the splash screen from being reopened each time a page is accessed. The cookie is used exclusively to give you access to legally protected areas of the site. Setting this cookie is therefore strictly necessary according to Article 5(3) of Directive 2002/58 in order to make the website available to you in accordance with the law.

Purpose and legal basis of data processing

a) Data processing on the basis of consent in accordance with article 6(1)(a) and article 7 General Data Protection Regulation (GDPR)

The information provided by you voluntarily when you subscribe to our newsletters and when you request documents for delivery is processed on the basis of your consent. You have the right to withdraw your consent at any time with future effect. This also applies to consent given by you before the entry into force of the GDPR on 25th May, 2018.

b) Data processing for the performance of a task in the public interest pursuant to Art. 6 (1)(e) GDPR

Informing the public about borrowing and debt management pursuant to the Federal Government Debt Management Act (BSchuWG) and the stabilisation measures of the Financial Market Stabilisation Fund (FMS) and the Economic Stabilisation Fund (ESF) pursuant to the Stabilisation Fund Act (StFG) of the Federal Republic of Germany.
If personal data is processed for the purpose of IT security, this processing also serves the public interest. Your personal data will be processed for the assertion of legal claims or the investigation of criminal offences if this is necessary in individual cases for the performance of the public tasks of the Finance Agency.

Storage period

We store your personal data for as long as such data are required for the stated purpose or for as long as statutory retention provisions apply. The weblog data collected when you visit our website is stored for a period of four weeks. Subsequently, your IP address is anonymized for evaluation at a later point in time, enabling us to continually analyse and optimise the information we provide on the Internet. After this process, we are not able to establish a direct link to you personally.
If you have subscribed to a newsletter, we store the data for as long as you receive the newsletter. Should you unsubscribe from the newsletter, your data will be deleted immediately.

Recipients or categories of recipients of personal data

The Finance Agency makes use of other agencies to carry out its tasks, e.g. a web hosting service provider.

Data processing in a third country

Your data will not be transferred outside the EU.

External links

For further information, we have provided links on our website that point to third-party websites.
The Federal Republic of Germany - Finance Agency does not have any influence over the contents and structure of these third-party websites. Please be aware that the statements made in this Privacy Notice do not apply to third-party websites.

B) Social media presence of the Finance Agency on LinkedIn

The Finance Agency's social media presence on LinkedIn serves the purpose of public relations. On LinkedIn, the Finance Agency reports on its work in its own posts.
With the Finance Agency's LinkedIn presence, we provide you with general information about the tasks of the Finance Agency and enable you to contact the Finance Agency via comments or direct messages. The data processing is based on Art. 6(1)(e) GDPR.

In all other respects, LinkedIn processes your personal data on its own responsibility. We reserve the right to delete individual contributions and comments at any time. The published data can be viewed by users of the platform worldwide.

C) Business partners in purchasing and finance and their employees

a) Financial management

Data subjects are employees and suppliers / service providers.
The Finance Agency processes personal data of the employees of its service providers in order to ensure the execution of payment transactions, the preparation of the balance sheet and P&L as well as the preparation of the budget statement in accordance with the Federal Budget Code (BHO). For this purpose, debtors and creditors are managed in an ERP system.
The data is deleted after ten years in accordance with Section 257 of the German Commercial Code (HGB) and Section 147 of the German Fiscal Code (AO) or Section 10 (2) of the Federal Agency for Financial Market Stabilisation’s (FMSA) Statutes.
Recipients of the data are internal addressees, auditors, tax advisors, the Federal Audit Office, legal and technical supervisors and the tax office.
No data processing takes place outside the EU.
The legal basis for data collection is derived from section 238 of the German Commercial Code (HGB), section 41 of the German Limited Liability Companies Act (GmbHG) and, for the FMSA, section 105 of the Federal Budget Code (Bundeshaushaltsordnung) and section 10 of the FMSA's Statutes (Satzung) from the BMF's individual Instruction on the Implementation of the Stabilisation Fund Act (StFG).

b) Purchasing

Those affected are suppliers/service providers and bidders.
In order to supply the Finance Agency with goods and services necessary for the performance of its service mandate, personal data of the suppliers/service providers and, if applicable, their employees entrusted with the performance of the service provision are processed.
The deletion period is ten years in accordance with § 257 HGB and § 147 AO.
Recipients of the data are internal addressees, auditors, the legal and technical supervisory authorities and DTVP Deutsches Vergabeportal GmbH.
No data processing takes place outside the EU.
The legal basis is derived from section 3a (2a) sentence 2 StFG, section 2 (1) Federal Government Debt Management Act (BSchuWG; legal and technical supervision BMF), Act against Restraints of Competition (GWB), Public Procurement Regulation (VgV), Bundeshaushaltsordnung, FMSA-Neuordnungsgesetz (FMSANeuOG), Verordnung über die Neuordnung der Aufgaben der Finanzmarktstabilisierung, statutes of the FMSA as well as from StFG, the BMF's individual Instruction on the Implementation of the Stabilisation Fund Act (StFG), agency agreement, section 8 (3) Regulation on the Delegation of Authority concerning the ESF (WSF-ÜV).

D) Counterparties from transactions on the financial market and their employees

a) Transactions (via trading platforms as well as via telephone)

The Finance Agency processes personal data of the employees of its counterparties in order to be able to document and prove business transactions. In this context, all phone calls as well as chats conducted on communication media authorised by the Finance Agency for trading purposes are recorded. These recordings can also be evaluated if there are indications of criminal behaviour.

b) Obligations under Foreign Trade Law

The Finance Agency processes personal data in particular of legal representatives and beneficial owners of its counterparties in order to fulfil its obligations under foreign trade law.

Legal basis and storage period

The legal basis for the execution of transactions is § 1 section 1 of the Federal Debt Management Act (BSchuWG) and for the telephone recording as well as the recording of chats § 1 sections 5-8 BSchuWG. The storage period for the telephone recording as well as the recording of the chats is 5 years according to § 1 section 6 BSchuWG. The data will be deleted before the expiry of 5 years if it is determined that they are not necessary for the protection of the Federal property and its special funds. The duration of storage of data collected under the Foreign Trade and Payments Act depends on the duration of the respective business relationship.

Data processing in a third country

Personal data processed in the trading platform and in the chats are stored outside the EU. With regard to telephone recording, there is no outsourcing of personal data outside the EU; in this context, access from a third country outside the EU may occur in exceptional cases for the maintenance or servicing of IT systems. Outside the EU, an adequate level of data protection is guaranteed by standard contractual clauses pursuant to Article 46 (2) (c) of the GDPR, binding corporate rules pursuant to Article 47 of the GDPR or a so-called adequacy decision of the Commission pursuant to Article 45 of the GDPR. These can be provided by the Finance Agency upon request.

E) Data processing in the context of application procedures

We store all information provided to us by people who apply for a job in our company. This applies both to applications in response to specific advertisements and to unsolicited applications. The storage period is 6 months from the conclusion of the application process. If you have applied for a specific job, your data will only be made available to the department advertising the job and to the responsible personnel department. The information is available until the end of the storage period, also in order to be able to answer later enquiries (e.g. request for documents, rejections, etc.) in a qualified manner. If necessary, we also process your data to protect our legitimate interests (e.g. to create statistical documentation in anonymised form without reference to a specific or identifiable applicant).
If the application leads to the conclusion of a training or employment relationship, the data will be stored for ten years after the end of the training or employment relationship, unless other regulations stipulate longer retention periods. Applicants are then obliged to supplement data on the establishment of an employment relationship, e.g. social security data. Subsequently, data is transferred with social insurance agencies and the tax authority.
The legal basis for data collection is Art. 88 GDPR in conjunction with § 26 BDSG as well as other legal requirements that result in storage obligations in the case of the conclusion of employment relationships, e.g. § 147 AO, § 257 HGB.

3. Rights of the data subject

a) Right of access to information (art. 15 GDPR)

You have the right of access to information and the right to receive an electronic copy of your personal data.

b) Right to correction (art. 16 GDPR)

You have the right to correction of your personal data, should such data be inaccurate. This right includes the right to completion of your data, should such data be incomplete.

c) Right to deletion (right to be forgotten) (art. 17 GDPR)

You have the right to deletion of your personal data, in particular where such data are no longer required to fulfil the purpose for which the data were collected. This right also prevails if the underlying legal basis was invalid from the outset or if it ceases to be applicable at a later date.

d) Right to restriction of processing (art. 18 GDPR)

You have the right to restrict the processing of your personal data if

  • you dispute the accuracy of the data,
  • you object to the deletion of the personal data and instead demand restriction of its use,
  • the data controller no longer needs the personal data for the stated purposes, but you need this data for the establishment, exercise or defence of legal claims,
  • you have objected to the processing of the personal data in accordance with article 21(1) GDPR and it is not or has not yet been established whether the legitimate grounds of the data controller override those of the data subject.

e) Right to data portability (art. 20 GDPR)

Where you have made personal data available to us, you have the right to receive such data in a structured, commonly used and machine-readable format. If such data are processed on the basis of consent or for the purpose of fulfilling a contract, you also have the right to request that we transfer this data to a third party, where technically possible.

f) Right to object (art. 21 GDPR)

You have the right to object at any time to the processing of your personal data on grounds relating to your particular situation. This right shall prevail provided the data is processed in accordance with article 6(1)(e) (data processing required to safeguard legitimate interests).

g) Right to lodge a complaint with a supervisory authority (art. 77 GDPR)

If you believe that the processing of your personal data violates your rights, you have the right to lodge a complaint with the competent data protection supervisory authority.

Federal Commissioner for Data Protection and Freedom of Information
Graurheindorfer Str. 153
53117 Bonn


4. Encrypted email communication with the Finance Agency

Information is transmitted openly across the Internet. If no precautions are taken to protect the confidentiality and integrity of the information, unauthorised persons could read or alter your messages. If you want to send and receive confidential messages, we recommend using Pretty Good Privacy (PGP) or GnuPG. You can download the public part of the Finance Agency’s PGP key here:

Public Key

You can find information on PGP encryption on a number of websites, including the homepage of the Federal Office for Information Security (BSI) or of the OpenPGP project. You can send encrypted messages in three steps:

  1. Install GnuPG, PGP or a software programme with similar functionality on your computer.
  2. Download the Finance Agency’s public key onto your computer and add it to your public key ring (pubring.pkr). Next, you can check whether the fingerprint of the key matches the information on this page. Fingerprint: CD0C AD45 9B95 EBF4 84B9 8366 FFE8 053F 9A7C 1E62
  3. Save the information you wish to send in a file (e.g. attachment.txt) and encrypt it with the Finance Agency’s public key.
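
The steps above as a shell sketch, added here as an example and not the Finance Agency's own tooling: it compares the downloaded key file with the fingerprint published on this page before importing it, and only then encrypts the file. The script name and key file name are assumptions, and `gpg --show-keys` requires GnuPG 2.2 or later.

```shell
#!/bin/sh
# Added example (not from the Finance Agency). Assumed usage:
#   sh encrypt_for_fa.sh KEYFILE attachment.txt
# KEYFILE is the downloaded public key; both file names are placeholders.

# Fingerprint as published on this page.
EXPECTED_FPR="CD0C AD45 9B95 EBF4 84B9 8366 FFE8 053F 9A7C 1E62"

# Strip whitespace and upper-case, so spaced and unspaced notations compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the primary-key
# fingerprint (field 10 of the first "fpr" record after "pub").
# Prints nothing unless the listing holds exactly one public key, so a file
# that bundles extra keys is rejected.
primary_fpr_from_colons() {
    awk -F: '$1 == "pub" { n++; want = 1 }
             $1 == "fpr" && want { fpr = $10; want = 0 }
             END { if (n == 1) print fpr }'
}

# Succeed only if the listing on stdin carries the expected fingerprint ($1).
fpr_matches() {
    got=$(primary_fpr_from_colons)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$1")" ]
}

# Steps 2 and 3: verify first, import only on a match, then encrypt.
verify_and_encrypt() {
    keyfile=$1
    plaintext=$2
    # --show-keys lists the file's contents without touching the keyring.
    if ! gpg --show-keys --with-colons "$keyfile" | fpr_matches "$EXPECTED_FPR"; then
        echo "fingerprint mismatch, not importing $keyfile" >&2
        return 1
    fi
    gpg --import "$keyfile" || return 1
    # Select the recipient by full fingerprint, never by name or short key ID.
    # gpg asks for confirmation unless the key has been certified locally.
    gpg --armor --encrypt --recipient "$(normalize_fpr "$EXPECTED_FPR")" \
        --output "$plaintext.asc" "$plaintext"
}

# Run only when invoked with both arguments.
if [ "$#" -eq 2 ]; then
    verify_and_encrypt "$1" "$2"
fi
```

The encrypted result is written next to the input as `attachment.txt.asc`; a mismatch stops the script before anything is added to the keyring.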

Version: October 2023