The protection of your data is important to us. The City of Aachen relies on a graduated information model in order to offer you maximum transparency:
1. this general data protection notice informs you about the technical framework, hosting, IT security and your basic rights as a data subject.
2. you will find subject-specific information directly in the respective online service or in the corresponding data protection notices. These regulate the specific details (e.g. which data is collected for a resident parking permit or an order for a certificate, the specific legal basis of the specialist procedure and the deletion periods there). You can download these instructions under Downloads in the respective online service of the service portal.
3. responsible person and data protection officer
The controller within the meaning of the GDPR and other national data protection laws of the member states as well as other data protection regulations is the:
City of Aachen, The Lord Mayor
Market, 52058 Aachen
Phone: +49 (0)241-432-0
E-mail: stadt.aachen@mail.aachen.de
The data protection officer of the City of Aachen can be contacted as follows:
Audit department
Data Protection, Information and IT Security" department
Aureliusstraße 2, 52064 Aachen
Phone: +49 (0)241-432-1471
E-mail: datenschutz@mail.aachen.de
If you have any questions about data protection, please contact the Data Protection Officer's office by e-mail or telephone.
1 Technical provision & IT infrastructure
The City of Aachen uses modern information technologies to provide online services in order to make administrative processes transparent and user-friendly:
- Hosting: The technical infrastructure is operated by regio iT GmbH, Lombardenstraße 24, 52070 Aachen, Germany, as a processor bound by instructions in accordance with Art. 28 GDPR;
- IT security: We use technical measures to protect against manipulation in accordance with Art. 32 GDPR. Uploaded documents are automatically checked for malware. Infected files are rejected immediately;
- Identification: When using identification services (e.g. BundID), the data protection notices of the respective portal operators also apply;
- Accessibility: Technically necessary information from your browser is processed to provide accessible functions (e.g. screen reader optimization);
2 Collection and origin of the data (server log files)
For technical reasons, your web browser automatically transmits information that is stored in server log files when you access our online services. This is absolutely necessary for the:
- correct display and full functionality of the services;
- Ensuring the stability and security of IT systems;
- Early detection and defense against attempted misuse or illegal access patterns (e.g. DDoS attacks);
The following data is collected automatically:
- IP address: This is anonymized immediately after collection by shortening, so that a personal reference can no longer be established. The unabridged IP address is only stored temporarily if this is absolutely necessary to clarify specific security incidents or to defend against attacks;
- Device information: Information on the operating system used, browser type and version and screen resolution of your end device;
- Usage data: Visited subpages within the service, the length of stay and the date and time of access;
- Referrer URL: The page from which you accessed our online service (if your browser sends this information);
Legal framework conditions: Data transmission is encrypted (SSL/TLS). This log data is not merged with other data sources (e.g. your application data). The log data is automatically deleted after 30 days at the latest, unless it needs to be retained for longer for evidentiary purposes due to a security incident.
Legal basis: Art. 6 para. 1 lit. e GDPR i.V.m. § Section 3 DSG NRW (performance of a task carried out in the public interest to ensure IT security).
2.1 Use of cookies and web analysis (Matomo)
2.1.1 Cookies
In order to provide the full functionality of our online services and to make their use secure and convenient, we use technically necessary cookies and local storage technologies of your browser (web storage).
- Technically necessary functions: We only use functional technologies that are absolutely necessary for the operation of the online forms. These include so-called session cookies as well as local / session storage entries;
- Purpose: These are used for technical session management. They ensure that your entries are retained across multiple form pages during completion and that your session can be securely assigned to your end device;
- Storage duration: Session cookies only contain an anonymous session ID and are automatically deleted as soon as you close your browser. Entries in the web storage (session storage) are also automatically deleted at the end of the browser session;
- Legal basis: The storage of information in the user's terminal equipment and access to information already stored in the terminal equipment is carried out in accordance with Section 25 (1) TDDDG. Consent is not required in accordance with Section 25 (2) No. 2 TDDDG, as the cookies and web storage technologies used are absolutely necessary to technically provide the information you have expressly requested. Separate consent via a "cookie banner" is therefore not required for these technically mandatory functions.
Note: You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases or generally exclude them. If you deactivate cookies, however, the functionality of our online forms may be restricted.
2.1.2 Web analysis (Matomo)
We evaluate usage data in anonymized form in order to design and optimize our online services in line with requirements. We use the Matomo analysis software for this purpose.
- No cookies: The analysis is carried out by default without the use of cookies. No information is stored on your end device that enables recognition beyond the current visit;
- Anonymization: Your IP address is anonymized by shortening (masking) immediately after collection and before it is stored. This makes it impossible to identify you personally;
- Legal basis: Access to technical information on your terminal device is carried out in accordance with Section 25 (1) TDDDG. Consent is also not required here in accordance with Section 25 (2) No. 2 TDDDG. The subsequent statistical evaluation takes place on the basis of Art. 6 para. 1 lit. e GDPR i.V.m. § 3 DSG NRW. Our interest lies in the statistical evaluation of the use of our online services in order to continuously improve digital administration for citizens.
- Hosting: The data is processed on behalf of the City of Aachen by regio iT GmbH as a processor bound by instructions in accordance with Art. 28 GDPR exclusively on servers in Germany. The data will not be passed on to third parties;
Note: You can prevent web analysis by activating the "Do-Not-Track" function in your browser. Our systems are configured to respect this signal and do not transmit any data to Matomo.
3 Purposes & legal bases of data processing
Depending on the nature of your request, your personal data is processed on the basis of different legal bases of the General Data Protection Regulation (GDPR) and supplementary national regulations. The following table provides an overview of the bases used:
Legal basis | Description / Purpose |
Art. 6 para. 1 lit. e and c GDPR in conjunction with. § Section 3 DSG NRW and the relevant specialist laws (e.g. SGB II, BMG, BauO NRW) | Performance of public duties / legal obligations: If the form is used to provide an administrative service, the processing is carried out in accordance with the aforementioned legal bases. Please refer to the subject-specific section for the specific standard. |
Art. 6 para. 1 lit. b GDPR | Contract fulfillment: Forms the legal basis for contracts, pre-contractual measures and quasi-contractual relationships (e.g. for renting rooms) |
Art. 6 Abs. 1 lit. a DS-GVO | Consent: In cases where use is voluntary, your consent serves as the legal basis (e.g. newsletter subscription) |
§ 25 TDDDG | Basis for technically mandatory cookies or web storage entries |
4 Storage period & deletion
Your data will only be stored for as long as is necessary for the respective purpose or due to statutory retention periods:
- Log data: These are stored for a maximum of 30 days to ensure IT security and then automatically deleted;
- Application data in the online system: The data you enter in the form will be deleted from the online data entry system no later than 6 months after completion of the process. This retention serves to ensure the traceability of the transmission process and to eliminate technical transmission errors.
- Specialist office storage: As soon as your data has been transferred to the specialist procedures of the City of Aachen, the statutory retention and archive periods there apply (e.g. according to the municipal budget ordinance or special specialist laws). Depending on the issue, these can range from a few months to several years. Details on this can be found in the subject-specific section.
5 Obligation to provide data
When using our online forms, you must provide the personal data that is absolutely necessary to process your request or to fulfill the legal requirements.
- Marking: Mandatory fields are clearly marked in the form (usually with an asterisk "*");
- Legal consequence: The obligation to provide information arises from the obligations to cooperate under the relevant specialist laws (e.g. § 17 of the Federal Registration Act, § 93 of the Fiscal Code or § 60 SGB I);
- Consequence of non-provision: Without the provision of the required data, it is generally not possible for the City of Aachen to process your application or provide the requested service;
6 Your rights as a data subject under the GDPR
You have the following rights vis-à-vis the City of Aachen with regard to your personal data:
- Right of access (Art. 15): You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and to obtain access to this data and further information;
- Right to rectification (Art. 16): You have the right to demand the immediate correction of incorrect data or the completion of your data stored by us;
- Right to erasure (Art. 17): You can request the erasure of your data. This right is not unrestricted, in particular if statutory retention obligations (e.g. according to the NRW Archive Act or tax law deadlines) or overriding public interests prevent deletion;
- Right to restriction of processing (Art. 18): You may request the restriction of processing if, for example, the accuracy of the data is contested, the processing is unlawful or you have objected to the processing;
- Right to data portability (Art. 20): If the processing is based on consent or a contract, you have the right to receive your data in a structured, commonly used and machine-readable format;
- Right to object (Art. 21): If the data processing is carried out for the performance of a public task (Art. 6 para. 1 lit. e GDPR), you may object on grounds relating to your particular situation;
- Protection against automated decision-making in individual cases (Art. 22): You have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you. As a rule, decisions at the City of Aachen are made by staff; if a specialist procedure deviates from this, you will be informed separately;
- Right of revocation (Art. 7 para. 3): Once you have given your consent, you can withdraw it at any time with effect for the future. This does not affect the lawfulness of the processing carried out up to the point of withdrawal;
7 Right to lodge a complaint with the supervisory authority
You have the right to lodge a complaint with the competent supervisory authority if you believe that your personal data is being processed unlawfully:
State Commissioner for Data Protection and Information Security North Rhine-Westphalia (LDI NRW)
P.O. Box 20 04 44, 40102 Düsseldorf | E-Mail: poststelle@ldi.nrw.de
You can find the online complaints portal at: https://www.ldi.nrw.de/kontakt/online-beschwerde