This statement explains why the German Emissions Trading Authority (DEHSt) at the German Environment Agency processes personal data, the way in which DEHSt collects and processes personal data and protects the use of this information and what rights you may exercise in relation to your data.
DEHSt collects and processes personal data as part of the EU ETS Registry management and is therefore liable under Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of data and repealing Directive 95/46/EC (General Data Protection Regulation).
This statement concerns the accounts in the German part of the Union Registry of the EU ETS, which are managed by DEHSt as the national administrator and processor. For data protection responsibilities of the European Commission (The Commission), DEHSt refers to the following Privacy Statement.
Information by the European Commission
Why do we process your data?
The Union Registry and the EU Transaction Log (EUTL) were established under Directive 2003/87/EC founding a scheme for greenhouse gas emission allowance trading within the Community (EU ETS), Decision 406/2009/EC of the European Parliament and of the Council on the effort of Member States to reduce their greenhouse gas emissions to meet the Community’s greenhouse gas emission reduction commitments by 2020 (ESD) and by Regulation (EU) No 525/2013 of the European Parliament and of the Council of 21/05/2013 on a system for monitoring greenhouse gas emissions and for reporting these emissions and other climate protection information at Member State and Union level. They ensure the accurate accounting of all emission allowances issued under the EU ETS. They keep track of the ownership of allowances held in electronic accounts that are administered by the Member States (the 28 Member States of the EU and the 3 States from EFTA-EEA). The functioning of the Union Registry and the EUTL, as well as the rights and obligations of central administrators, national administrators and users are regulated by Regulation (EU) 389/2013 (Registry Regulation).
According to Article 4(2) and Article 5(2) of the Registry Regulation, the Commission acts as central administrator of the Union Registry. However, since Member States manage the accounts that fall under their jurisdiction. The priority collection and processing of personal data in the ETS section of the Union Registry is carried out by the account owners and the national administrators of the Member States. According to Section 19(1) of the Greenhouse Gas Emissions Trading Act (TEHG), the German Environment Agency (and DEHSt as a division of UBA) is responsible for the implementation and therefore also acts as the national administrator. According to Article 8(1) of the Registry Regulation, in its function as the national administrator, DEHSt is limited to the administration of the Union Registry accounts in the German part of the Union Registry. The Registry Regulation stipulates that the technical infrastructure be only provided by the central administrator. Therefore, the European Commission acts as the responsible authority under Article 4(7) GDPR while DEHSt acts as the processor in accordance with Article 4(8) GDPR. However, DEHSt also processes personal data exported from the Union Registry using its own applications and is therefore responsible in this area.
The purpose of this processing is in order to implement the EU ETS, it is necessary to open accounts in the Union Registry and to appoint authorised representatives to operate these accounts. DEHSt must collect and process personal data in order to check applications for new accounts made by legal entities or natural persons and to verify natural persons appointed as authorised representatives.
The processing is legal and necessary for the fulfilment of a legal obligation according to Article 6(1)(c) GDPR as well as for the performance of a task in the public interest under Article 6(1)(e) GDPR.
Which data do we collect and process?
The personal data collected and processed by national administrators refer to the account holder (insofar as it is a natural person) or the authorised representatives and managers of the account holder (insofar as they are legal entities). The personal data is:
- Name and Surname
- Personal ID number
- Date and place of birth
- Professional address
- Professional contact data
- Telephone, fax and mobile phone number
- Email address
- Title and professional function
- Expiry date of the ID document
- Evidence of opening a bank account
- Accreditation certificate of the verifiers (only for verifier accounts)
- if needed, authorisation of the account holder to appoint an ordinary person to be the authorised representative of the account
The national administrator collects some data via certain documents. However, the documents in question will be destroyed after verification and the data will not be saved. These documents include:
- Evidence of address of permanent residence
- Criminal record
The data is collected directly from the data subject and the provision of this data is mandatory in order to be registered in the Union Registry. We do not collect data that falls under Article 9 of Regulation (EU) 679/2016.
Personal data is collected at the European level exclusively in a database and in application log files shared by both the Union Registry and the EUTL. DEHSt receives your personal data and documents via the Virtual Post Office (VPS) and stores them digitally in its in-house filing system.
How long do we keep your data?
DEHSt only keeps the data for the time necessary to fulfil the purpose of collection or further processing or for the period stipulated by law.
The storage duration of your data in the DEHSt is based on the requirements of the Registry Directive for the processing and administration of documents in federal ministries. For administrative purposes, Annex 5 to this Directive provides for a retention period of ten years after the end of the calendar year in which the administrative operation was finally completed.
In case of official investigations initiated for legal processes, the investigating authorities may request that the data be stored as evidence for longer periods until the legal decision is made.
How do we protect your data?
The data stored on DEHSt’s servers falls under Germany’s data protection standard of basic protection. We refer to the German Federal Office for Information Security (BSI). The companies commissioned by DEHSt are also bound by contractual clauses regarding the processing of their data on behalf of DEHSt as well as by confidentiality obligations in accordance with obligatory law (law on the formal obligation of non-civil servants).
Who has access to your data and to whom is it disclosed?
Your personal data is accessible to selected employees of the European Commission as well as to DEHSt’s employees responsible for processing.
Data on account holders who have been refused an account pursuant to Article 22(2)(a)-(c) and data on authorised representatives whose appointment has been refused according to Article 24 (5) are passed on to the Commission and other national administrators in accordance with Article 110(7) of the Registry Regulation. These include national administrators from countries outside the European Union such as Iceland, Lichtenstein and Norway. The notification takes place by directly uploading the data to an SFTP server, the security standards of which are the responsibility of the Commission. Furthermore, the national administrator may grant law enforcement authorities and other specific institutions read-only access to the Union Registry pursuant to Article 110(2).
In addition, DEHSt uses its own data processing system to process the data exports provided by the European Commission in accordance with Article 108(2). For software testing and verification purposes, the software developer Dr. Lippke & Dr. Wagner GmbH also has access to anonymised data.
In accordance with Article 110 of Regulation 389/2013, Member States and EU institutions may obtain access to the data stored in the Union Registry and in the EUTL if this is necessary for the performance of their tasks. The Commission shall provide this access to the Member States and EU institutions through the Security Directorate of its Directorate-General for Human Resources and Security. EUROPOL has a permanent read-only access to the data stored in the Union Registry and in the EUTL for the purpose of the performance of its tasks in accordance with Council Decision 2009/371/JI. EUROPOL must constantly keep the Commission informed of the use it makes of the data.
What are your rights and how can you exercise them?
According to Article 15 GDPR you have the right to information from the data controller. Furthermore, Article 16 GDPR gives you the right to correct your data, Article 17 GDPR the right to delete it, Article 18 GDPR the right to limit the processing, Article 20 GDPR the right to data transferability and Article 21 GDPR the right to object to data processing. If you wish to exercise your rights or submit a complaint, please contact the data controller directly.
Should you have any questions and requests for information or would like to exercise your other rights, please contact the data controller at the following contact information:
German Environment Agency
German Emissions Trading Authority (DEHSt)
Phone: + 49 (0) 30 8903-5050
Fax: + 49 (0) 30 8903-5010
Should you have any comments or questions, concerns or complaints about the collection and use of your personal data, please contact the following:
Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Data Protection Officer of the German Environment Agency
Phone: + 49 (0) 30 8903-5141