Data protection information for the website www.service.wirtschaft.nrw

For the provision of our website, we process the following information on the basis of Art. 6 (1) (e) GDPR in conjunction with § 6 (1) EGovG NRW in the context of public relations, which your browser transmits to us:

• date and time of retrieval,
• the name of the Internet service accessed, the resource accessed and the action used,
• query made by the client,
• amount of data transferred,
• report whether the retrieval was successful,
• IP address of the calling device,
• Client information (including browser, operating system).

Data processing is necessary for the provision of information on this website.

This data is stored in log files or log files about the time of the visit to the website. This serves the defense and analysis of attacks on the Internet infrastructure of MWIKE and its communication technology. Log files are kept for up to 48 hours directly and exclusively accessible to administrators. After that, they are only indirectly available via the reconstruction of backup tapes and are finally deleted after six weeks. In the case of attacks on communication technology, they are needed to initiate legal and criminal prosecution. A transfer in other cases does not take place. MWIKE does not merge this data with other data sources. The collection of data for the provision of the website is absolutely necessary for the operation of the website. The legal basis in this respect is Art. 6 (1) sentence 1 lit. e GDPR in conjunction with § 3 (1) DSG NRW.

In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your computer and assigned to the browser used. This allows certain information to flow to the entity that sets the cookie (here through us). The following cookies are currently used on https://service.wirtschaft.nrw/:

(1) Technically Necessary Cookies

While you are active on a website, a session cookie is temporarily stored on your computer, where a session identifier is stored. For example, it prevents you from having to log in again every time you change pages. Session cookies are deleted when you log out or lose their validity once your session has expired automatically.

Access to your terminal device for the storage of cookies is based on § 25 para. 2 no. 2 TDDDG. It is technically necessary to be able to provide you with the applications. The legal basis for the processing of personal data using these technically necessary cookies is Article 6(1)(e) GDPR in conjunction with Section 3(1) DSG NRW.

(2) Use of "Matomo" (web analysis) including statistics cookies

With regard to the use of the website, MWIKE performs web analytics using the ‘Matomo’ service – a free web analytics software available at https://matomo.org/ under the GPL (GNU General Public License). Cookies are used for this purpose. The data processed to carry out the usage analysis includes:

• Two bytes of the IP address of the calling system of the:user:in;
• information about the operating system and browser used;
• Geo-information;
• the URL accessed;
• the website from which the individual page accessed was accessed (referrer site);
• the subpages accessed from the website accessed;
• the length of time spent on the website;

The software is set so that it does not store the IP addresses completely, but masks them immediately after collection by two bytes (e.g.: 192.168.xxx.xxx). The IP address is thus immediately anonymized in this process, so that no longer any reference to the data subject of the:the user:in can be established. An anonymised evaluation of the data is then carried out for statistical purposes. The software ‘Matomo’ runs exclusively on the servers of the website www.service.wirtschaft.nrw, operated by our hosting service provider, the municipal data centre Minden-Ravensberg/Lippe (KRZ Lemgo). The above-mentioned data will only be stored there. Neither the information generated about the use of the website nor the personal data on which it is based will be passed on to third parties. The legal basis for the use of cookies to access information in your terminal equipment is your consent pursuant to Section 25 (1) TDDDG. The processing of the above-mentioned personal data, which we can collect using cookies, is also based on your voluntary and informed consent, but in accordance with Article 6(1)(a) of the GDPR. You can revoke your consent at any time by sending an e-mail to wsp-support@digitales.nrw.de. The lawfulness of the data processing up to the time of the revocation remains unaffected. If you have set your browser so that your visit is generally not recorded by statistics software, "Matomo" respects this preset.

This website uses Google Ads. Google Ads is an online advertising program of Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads allows us to display advertisements in the Google search engine or on third-party websites when the user enters certain search terms on Google (keyword targeting). In addition, targeted advertisements can be displayed based on the user data available on Google (e.g. location data and interests) (targeting of target groups). We, as the website operator, can evaluate this data quantitatively, for example by analyzing which search terms led to the display of our advertisements and how many advertisements led to corresponding clicks.

For the use of this program, we have concluded a contract with Google LLC for order processing. We remain responsible.

If Google transfers personal data to a server in the USA, this is done on the basis of an adequacy decision by the European Commission on the EU-U.S. Data Privacy Framework (DPF) and Google's certification according to the DPF. At the same time, the data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://policies.google.com/privacy/frameworks and https://business.safety.google/controllerterms/.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a DSVGO and § 25 para. 1 TDDDG. You can revoke your consent at any time by sending an e-mail to wsp-support@digitales.nrw.de.

MWIKE offers online services via the Wirtschafts-Service-Portal.NRW (hereinafter also referred to as ‘WSP.NRW’ or ‘the Portal’). An "online service" is an offer that enables the provision of one or more electronic administrative services. The online service is used to electronically fill in online forms for administrative services provided by the Federal Government or the Länder, to disclose this data to the competent specialist authority and to transmit electronic documents and information on administrative procedures to you as a user. At the end of the application via an online service, your application (and the personal data contained therein) is transmitted to the body responsible for your administrative service (e.g. an authority of the municipality in which you are resident), where the actual administrative procedure takes place. In the following sections, we inform you about the central processing steps in connection with the use of online services offered by us.

In order to be able to use an online service offered via the WSP.NRW, you must identify or authenticate yourself in advance via a user account (external service). For this purpose, natural persons are currently

• "My business account" (ELSTER), and
• the ‘Bund.ID’

available.

To carry out identification and authentication, you will be directed to the website of the respective user account. You first leave the WSP or the environment of the respective online service in order to return to the WSP.NRW and thus to the selected form after identification/authentication, under the responsibility of another body under data protection law.

The identification and authentication process generates a JWT token (UUID), which is stored locally in the end device of the user in the form of a cookie and for confirmation in the portal. The token is used to assign the received identification data to the respective process. The validity of the cookie is limited to one hour, provided that no further "activity" is carried out by clicking or entering text.

If you have given your consent to the provider of the respective user account, personal data can be transferred from the user account to the application form. These are regular:

• first name(s);
• surname;
• Name of birth;
• date of birth;
• E-mail address;
• phone number.

The ‘My Business Account’ (ELSTER) is available for identification/authentication for individual entrepreneurs, companies or organisations as the applicant. In this respect, company-related data may arise, which, however, are not personal data within the meaning of Art. 4 No. 1 GDPR.

In addition, the IP address used is processed. The processing of the above data serves to identify you as the applicant and to enable the further use of the respective online service. The processing of the data takes place on the legal basis of Art. 6 (1) (e) GDPR in conjunction with § 14 (4). p. 1 WiPG NRW.

After identification with the help of a user account, you can complete the application offered in the respective online service and upload any necessary supporting documents.

If you so wish and the technical requirements are met, the evidence required for the processing can also be obtained directly from the competent public authorities and forwarded to the competent authority in the technical procedure in accordance with the provisions of § 7 WiPG NRW fully automated and electronically through the portal.

The nature and extent of the personal data processed in this context depend in detail on the respective desired administrative performance. The information required in the online service (hereinafter referred to as ‘application data’) always depends on the information required by the body responsible for the technical procedure for the implementation of the respective procedure in accordance with the respective requirements of the technical law. Application data are in particular the following categories of personal data:

• Data entered in forms, e.g.:
  o Personal details/master data of the applicant
  o Information on employed persons (personal data of third parties)
  o Contact details
  o information on the scope of tasks;
  o Information on the planned activity

• Data contained in supporting documents (documents to be submitted with the application). Evidence may include:
  o Copy of identity card
  o Permission to use a professional title
  o Display permission
  o Proof of qualification
  o Company's articles of association
  o Extract from the commercial register
  o Information on reliability and financial circumstances
  o Permits for use incl. operating description for commercial installations
  o Operating concept

Your application data will be temporarily stored until it is sent to the competent authority. This will allow the application to be continued at a later stage. The data is also available if an involuntary termination occurs due to technical faults or connection problems. The legal basis for the processing in this respect is Article 6(1), first sentence, point (e), of the GDPR in conjunction with Section 14(4). p. 1 WiPG NRW.

In individual cases, a fee is to be paid for the processing of an administrative service via the WSP.NRW, insofar as the specialist law provides for this. If this is the case, at the end of the use of the respective online service (here all entries are checked for completeness) a forwarding to the payment system of the payment service ePayBL, which is specifically available for the public administration to process such payments. For the data processing that takes place here, the operator of the service is the independent data protection controller. The PayPage of the payment system is set up, on which you can choose between different payment methods. The information on the payment made is sent to the portal and from there forwarded to the responsible body. You will receive a receipt from the online service for the payment made.

The legal basis for the associated processing of personal data is point (e) of the first sentence of Article 6(1) of the GDPR in conjunction with the first sentence of Paragraph 14(4) of the WiPG NRW. As part of the performance of MWIKE's tasks, it is necessary to assign the respective payment to the appropriate process, to identify any errors in the process and to inform you accordingly. This is the only way to ensure proper management of the respective administrative performance.

Your data processed by us in connection with the use of an online service will be transmitted to the bodies responsible for the respective technical procedure for administrative services within the scope of the statutory provisions.

In trade registration proceedings, the required data are additionally forwarded to the receiving authorities according to § 14 para. 8 GewO (tax offices, DGUV, IHK, HWK, immigration authority, customs, etc.). The legal basis for this disclosure of your personal data is point (e) of the first sentence of Article 6(1) of the GDPR in conjunction with the first sentence of Paragraph 14(4) of the WiPG NRW. It is necessary in order to enable the processing of the administrative service requested by you by the body responsible for the technical procedure in each case.

The responsibilities in the technical procedure are based on the relevant legal regulations (specialist law). For example, the Trade Office is the competent authority for registering a trade. Upon transmission of your data to the competent body in the technical procedure, the data protection liability of MWIKE ends. For the processing of your data in the subsequent procedure, the responsible body under data protection law is responsible for the processing of personal data within the meaning of Art. 4 No. 7 GDPR. Information about the data processing taking place there (according to Art. 13 and Art. 14 GDPR) can be obtained from the respective competent authority.

After the completion of the procedure by the competent body, the final declaration of the authority (e.g. a decision / administrative act) will be announced to you regularly using the return channel of the WSP.NRW. If the competent authority in the technical procedure sends the declaration or the decision to the portal (and thus the MWIKE), it will be added to your ‘WSP.NRW mailbox’ and you will receive a notification to the e-mail address you have provided with the content that a message is available for retrieval in the portal. For security reasons, these notifications do not contain further information about the procedure.

The legal basis for this processing of your personal data is point (e) of the first sentence of Article 6(1) of the GDPR in conjunction with the first sentence of Paragraph 14(4) of the WiPG NRW. It is necessary to enable the notification of the final decision via the portal in accordance with the legal measures.

If there is a declaration finalising the administrative procedure, the data will be deleted from the portal no later than three months thereafter (Section 14(4), third sentence, of the WiPG NRW).

In addition, the data in the portal will be automatically deleted if you do not use it for more than six months (§ 14 (5) sentence 1 WiPG NRW). This does not affect the possibility of deleting the data itself (Section 14 (5) sentence 2 WiPG NRW).

A single sign-on (SSO) via other identification and authentication services (see section 4.a above) is possible via the ‘Login’ button (at the top right of the website).

Within your own area (“My WSP”), you have several functions available after logging in:

• references to possible upcoming maintenance services of the WSP.NRW or also essential changes, such as the shutdown of an authentication service;
• Projects and applications, started at an earlier stage, can reopen and complete the users;
• Ongoing application procedures after submission;
• completed applications are available for reading access and, if necessary, to be able to respond to inquiries from the competent body in the technical procedure;
• Mailbox function for bi-directional exchanges with competent authorities;
• technical functionality for the exercise of the right to data portability pursuant to Article 20 of the GDPR ("GDPR export");

Within the individual area, the so-called ‘data account’ (displayed for you as ‘My data’ area) of the WSP.NRW is also available. Here you have the option to arrange for certain personal data to be stored within the portal for a longer period of time (i.e. beyond the above-mentioned deletion periods provided for by law) in order to facilitate future application.

In particular, this concerns data from forms that have already been filled in. You can view, supplement or delete the data stored in this way at any time. You can use this information from previous procedures to make it easier to enter your information.

The legal basis for this optional processing of your personal data is your voluntary and informed consent, Art. 6 (1) (a) GDPR. You implicitly give this consent by actively initiating storage in the My Data section. You can revoke this consent at any time with effect for the future by writing an e-mail to wsp-support@digitales.nrw.de. The lawfulness of the data processing up to the time of the revocation remains unaffected. Alternatively, you can arrange for the deletion of this data yourself at any time.

For your contact with the Ministry, we offer you contact forms or the use of e-mail addresses. If you use these contacts, the input of personal data takes place on a voluntary basis.

Persons under the age of 16 should not transmit any personal data to us unless the consent of the parents or guardians (carriers of parental responsibility) has been granted (Article 8(1) GDPR). The consent must then be expressly noted in the message (Article 8(2) GDPR). We do not request personal data from children and adolescents. We do not knowingly collect such data.

If you use a contact form, your IP address, a time stamp and a technical ID of your request will be processed regularly in this context in addition to the information you have entered. We only use the personal data you may have entered for the purpose you have requested and only within the state government or the authorities, departments and institutions commissioned with the respective service.

We delete personal data that we receive by e-mail or contact form as soon as the processing is no longer necessary for the purpose of processing your request or in connection with the administrative processes triggered by it, unless there are different retention obligations. We are guided by the annex to the file regulations for the division of the Ministry of Economic Affairs, Industry, Climate Protection and Energy of the State of North Rhine-Westphalia (AktO); See circular of the Ministry of the Interior of the State of North Rhine-Westphalia No 51-17.05 of 25 July 2016.

The processing is carried out on the basis of Art. 6 para. 1 sentence 1 letter e GDPR in conjunction with § 3 para. 1 DSG NRW and is necessary to process your request.

All data processing in connection with the WSP.NRW takes place on the servers of the municipal data center Minden-Ravensberg / Lippe (KRZ Lemgo). This is certified according to BSI ISO 27001 certificate on the basis of IT basic protection. WSP.NRW uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content (e.g. via the contact form).

The data processing takes place with the correspondingly agreed security requirements in the context of a data processing agreement (DPA) pursuant to Article 28(3) with the KDN – umbrella association of municipal IT service providers, Mühlenstraße 51, 53721 Siegburg.

MWIKE remains responsible for data processing.

A further AVV exists with d-nrw AöR, Rheinische Str. 1, 44137 Dortmund, insofar as these are within the scope of their legally regulated tasks (in particular the further development, technical project control, maintenance and servicing of the WSP. NRW, including a platform for the operation of business-related EfA services) may come into contact with personal data.

As part of the preparation of a fee notice, we transfer certain personal data (see section 2.c above) to the operator of ePayBL, a payment processing component of the ePayBL developer community. This is the state enterprise Sächsische Informatikdienste (SID), Dresdner Straße 78 A, 01445 Radebeul.

We transfer the personal data contained in your application to the body responsible for the desired administrative performance in the technical procedure (see Section 2.d)). In trade registration proceedings, the required data are additionally forwarded to the receiving authorities pursuant to § 14(8) GewO (e.g. tax offices, DGUV, IHK, HWK, immigration authority, customs).

In all other respects, we will treat your personal data confidentially. We do not make your personal data available to third parties, unless you have given your consent or we are legally obliged to pass on the data. Data that has been logged when accessing the website of the Ministry of Economic Affairs or collected for a special service will only be transmitted to third parties outside the state government to the extent that we are obliged to do so by law or by judicial or prosecutorial order or the disclosure is necessary for legal or criminal prosecution in the event of attacks on the state government's Internet infrastructure.

Unless otherwise stated in the preceding sections, we will delete your data as soon as you are no longer required for the above-mentioned purposes and, in particular, legal retention obligations do not preclude this.