Version 21.06.2024

Information on the processing of personal data in accordance with Art. 12 (1), first sentence, EU General Data Protection Regulation

The first sentence of Article 12(1) of the EU General Data Protection Regulation (GDPR) states: "The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 (...) in a concise, transparent, intelligible and easily accessible form, using clear and plain language, (...)". This obligation is met by

as the data controller by providing the following information.

Translation, authoritative document

This text is an translation of the German privacy declaration at https://info.pca.dfn.de/doc/datenschutz.html

The German text is authoritative.

Description of the service DFN-PKI

DFN-Verein organises a public key infrastructure with the service DFN-PKI to issue, distribute and validate digital certificates. Advanced certificates based on the X.509 standard are used.

What is personal data required for?

DFN-PKI uses personal data to manage the life cycle of X.509 certificates. The data can be contained in issued certificates, be required as contact information or as audit proof to prove the trustworthiness of the DFN-PKI.

Personal data is also required to manage applicant representatives.

Which data is stored and processed?

• On pki.pca.dfn.de and ra.pca.dfn.de (web pages and Web Services): IP addresses, timestamps, provided that users use functions related to the certificate life cycle, such as sending a certificate request or submitting a request. Additionally for applicant representatives only: Name of the applicant representative
• Data to be included in certificates
  • For user certificates: First name(s), surname(s), e-mail addresses, organization and department names. Group names or pseudonyms (if applicable)
  • For server certificates: The server names (FQDN)
• Contact information: First name(s), surname(s), e-mail addresses, organization and department names
• Certificate and application data:
  • Public key
  • Fingerprint of the public key
  • PIN entered by user
  • Serial number of the issued certificate
  • Signature, date
  • For user certificates: The last 5 digits of the serial number of the identification document (For certificates in security level "Grid": The complete serial number)
  • Date and signature of the approving applicant representative
• Applicant representatives data:
  • First name(s), surname(s), e-mail addresses, organisation and department names, organizational address and phone number
  • The last 5 digits of the serial number of the identification document (For certificates in security level "Grid": The complete serial number)
  • Signature
  • Further documents from identity verification checks, e.g. PostIdent
  • E-mail addresses for distributing service information

What is the legal basis on which the data are processed?

In the case of a user certificate, your personal data is lawfully processed on the user‘s initial consent to data processing for the purpose of certifcate issuing by the data controller pursuant to Art. 6 para. 1 letter a) GDPR. All data collected is required for the management of the life cycle of X.509 certificates, with the effect that participation is possible only if the information is provided in its entirety. You may additionally also consent to the publication of your certificate. You can withdraw your consent at any time. The possibility to participate ends with the withdrawal of your consent. Despite the withdrawal, the processing of your data between the granting of consent and the time of revocation remains lawful. Your data will be deleted following the withdrawal, if there are no obstacles to deletion (e.g. retention periods). The deletion of published data is practically impossible due to the distribution. For legal reasons, we are required to publish the serial numbers of revoked certificates after their revocation.

In the case of a server certificate, personal data is processed in accordance with Article 6, paragraph 1, letter b), in order to implement the contract between DFN-Verein and the particular participant institution. The data will be deleted after termination of the contractual relationship, provided there are no obstacles to deletion. For legal reasons, we are required to publish the serial numbers of revoked certificates after their revocation.

In the case of applicant representatives, personal data is processed in accordance with Article 6, paragraph 1, letter b), in order to implement the contract between DFN-Verein and the particular participant institution. The data will be deleted after termination of the contractual relationship, provided there are no obstacles to deletion.

To whom and how personal data is disclosed?

The following data will be published:

• The serial number of certificates that have been revoked
• The certificates with the contained data, if the certificate owner has given consent to the publication. Deletion of published data on distributed systems of third parties is not possible.
• Server certificates are uploaded to the Certificate Transparency Log Server upon approval for publication at the time of certificate issuance. These log servers are operated by third parties. A publication cannot be undone.

As part of the management of the life cycle of X.509 certificates, all personal data is processed by data processor DFN-CERT Services GmbH, Nagelsweg 41, 20097 Hamburg. The processing there is based on an data processing agreement between DFN-Verein and DFN-CERT Services GmbH.

When is the data deleted?

The data is deleted when it is no longer required to manage the life cycle of the respective X.509 certificate.

Deletion of published data is practically impossible due to their distribution.

Information on the use of Cookies and local browser storage:

If you use the web interface of the DFN-PKI, cookies are only set if the user allows this in the settings of his browser and if the cookie is necessary for the website‘s functionality. Only session cookies are used that do not contain any personal data. They are used to uniquely manage HTTP requests of users logged in at the same time and to keep some configuration options . These cookies are automatically deleted when the browser is closed. Using the website is not possible without the acceptance of session cookies.

When applying for a certificate, data is stored in the cache of your browser ("LocalStorage") depending on the chosen application procedure. This includes:

• User certificates: First name(s), surname(s), e-mail addresses, organization and department names. Group names or pseudonyms (if applicable).
• For server certificates: The server names (FQDN) and contact information (First name(s), surname(s), e-mail addresses, organization and department names).
• For all types of certificates: Public key, password protected private key, password protected revocation PIN, request number, date of application.

Rights of the data subject:

Article 15 of the GDPR provides for a right of access, and thus the right of a data subject to request confirmation as to whether personal data concerning him or her are being processed and, where appropriate, to obtain access to the personal data and information, including the purposes of processing, categories of personal data concerned, the source of the data, recipients, the duration of processing and his or her rights as a data subject.

Article 16 of the GDPR defines the right to request the rectification of inacurate personal data and taking into account the purposes of the processing, to have incomplete personal data completed.

Article 17 para. 1 GDPR provides - with certain exceptions - the right to request the deletion of data. Article 17 para. 2 GDPR regulates a "right to be forgotten" if the responsible body has published the data to be deleted.

In certain cases, Article 18 of the GDPR also provides that processing of personal data may be restricted - for example, if the data controller no longer needs the data, but the data subject needs them to assert, exercise or defend legal claims.

The right to data portability in accordance with Article 20 GDPR entitles, under certain conditions, to receive a copy of personal data in a customary and machine-readable file format. The copy is limited to data provided by the data subject.

Under Article 77 of the GDPR, any data subject has the right to lodge a complaint with a supervisory authority if he or she considers the processing of his or her personal data is infringes the GDPR.

Contact details of the data protection officers at DFN-Verein: