We give the highest priority to data protection and data security. The protection of your personal data while you use our website and web services is therefore very important to us. This data protection declaration explains what information we collect on our servers during your visit to our website and how this information is used. This website is operated by the Generalzolldirektion (GZD) [Central Customs Authority].
The Customs Administration provides uniform access to customs administrative procedures through the Customs Portal. In order to process applications and enquiries, the customs authorities must process personal data in order to fulfil their tasks properly.
"Personal data" means any information relating to an identified or identifiable natural person. In the taxation procedure, data is also personal if it can be assigned to a corporate body (e.g. association, corporation), an association of persons, any assets or a deceased natural person, section 2a Abgabenordnung (AO) [German Fiscal Code].
For further terms used in the context of this data protection declaration, we refer to the definitions in Article 4 General Data Protection Regulation (GDPR).
The following information relates to the processing of personal data collected and processed during the use of the Customs Portal of the customs administration (www.zoll-portal.de). In addition we inform you about your rights regarding data protection and the contact persons for questions and complaints in this regard.
The website www.zoll-portal.de is published by the Generalzolldirektion (GZD) [Central Customs Authority].
Generalzolldirektion
Václav-Havel-Platz 6
53121 Bonn
Personal data is processed by the GZD, the main customs offices and, on behalf of the GZD, by ITZBund (Article 28 GDPR).
If you have any questions regarding data protection and further information on the data protection declaration, please contact the data protection officer of the GZD:
Behördlicher Datenschutzbeauftragter der Generalzolldirektion
Am Propsthof 78 a
Václav-Havel-Platz 6
Phone: +49 228 303-12200
datenschutz.gzd@zoll.bund.de
You can address any questions regarding the data protection of individual administrative services to the customs authority responsible for your case.
In principle, the main customs offices with the customs offices belonging to them and, in payment transactions, the federal treasury offices are responsible for processing personal data. In certain cases, personal data of companies and citizens are also processed by the GZD.
In addition, you can contact the data protection officers of the customs authorities that are dealing with your request.
Contact details can be found at www.zoll.de in the customs offices section under contact.
When you access the Customs Portal electronically, the following personal data is processed:
When using the Zoll-Ident app, the following personal data is transmitted from the Customs Portal to the Zoll-Ident app and processed there:
When using the Zoll-Ident app, the following information is transmitted from the Zoll-Ident app to the Customs Portal and processed there:
The German federal and state governments are required by the Onlinezugangsgesetz [Act to Improve Online Access to Administrative Services] to additionally make their administrative services accessible electronically via dedicated online portals.
We process personal data only to the extent necessary to provide a functioning website as well as our content and services.
ELSTER certificates are used as an alternative access method within the framework of the statutory provisions (section 8 OZG, sections 29c, 30(4) No. 1 AO). To establish your identity, data from the German Federal Central Tax Office and corresponding data stored by the tax offices for the taxation procedure are retrieved in an automated procedure with your consent and transmitted to the eGovernment service with your consent.
Registration is required to set up a user account. Personal data is stored in the accounts of Customs Portal for the purpose of using it for various e-government services of the customs administration. Data processing is conducted pursuant to Article 6 Para. 1 a) and e) and Article 9 Para. 2 a) and g) GDPR, section 29 b and c AO, section 85 AO, section 88 AO and section 8 Onlinezugangsgesetz (OZG) [Online Access Act].
Accordingly, we are permitted to process the data required for the performance of a task incumbent upon us (e.g. tax collection).
As part of the registration process, consent must be given for the processing of some personal data pursuant to section 8(3) OZG.
For individual online services, the relevant legal bases for this service shall apply in each case.
Users can delete their electronic access to the Customs Portal at any time. In this case, the data stored in the account of the Customs Portal will be deleted.
If you do not use your account for a longer period of time, you will receive a request asking whether the account may be deleted.
Personal data processed for specific administrative services are only stored for as long as they are necessary for the taxation and collection procedure or for the enforcement procedure. The limitation periods (sections 169 to 171 AO and sections 228 to 232 AO) are the standard for this. In principle, this means the deletion takes place four or five years after the end of the year in which the tax assessment notice was issued or in which the claim became due for payment for the first time.
However, storage may take place beyond the specified time in the event of a (potential) legal dispute with you or other legal proceedings or if longer storage is provided for by legal regulations to which we are subject as the responsible party. If the storage period prescribed by legal regulations expires, personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this. We may also store personal data concerning you in order to process them for future tax proceedings (section 88a AO).
The personal data from account of the Customs Portal are processed for the various electronic administrative services of the customs administration. The customs administration only receive the data required to process your application or request.
We may only disclose to other persons or bodies (e.g. to tax courts or other authorities) any personal data that we have become aware of in a tax or non-tax procedure if you have consented to this or if the disclosure is permitted by law.
The technical operation of www.zoll-portal.de is carried out by ITZBund. The personal data you provide when using our website will therefore be processed by ITZBund on behalf of the GZD (Art. 28 GDPR).
Each time you access the customs administration's website, data is temporarily stored and processed in a log file. The data is stored for a maximum period of two weeks.
This information stored comprises:
Storage of this data is necessary in order to enable the provision of the website to the user's computer, for the optimisation of our website and for reasons of technical security, in particular in order to prevent any attempted attacks.
Additionally, this information is assessed in anonymous form for statistical purposes. Any other use or disclosure to third parties does not take place.
We reserve the right, in the event of serious violations of our terms of use and in the event of unauthorised access or attempted access to our servers with the aid of individual data records, to involve law enforcement authorities and have personal data derived accordingly.
The legal basis for the temporary storage of data and log files is Art. 6(1)(f) GDPR.
The legal basis for the analysis of website use for statistical purposes is Art. 6(1)(e) GDPR.
The collection of data for the provision of the website and the storage of data in log files is mandatory for the operation of the website. Therefore, users are not entitled to object to this.
Our website uses the following cookies. Cookies are small text files that are stored on your computer and stored by your browser.
We only use cookies on our website that are technically required.
| Name | Purpose/Use | Validity period |
|---|---|---|
| lbc | Load balancing cookie - used to ensure that a user’s requests are processed by the same server for the duration of the session. | Duration of the user session |
JSESSIONID, adlersessionid, kraftstsessionid, ifgsessionid, eorisessionid, dsgvosessionid | Session allocation - is used to identify the user's session at the application as it progresses. | Duration of the user session |
| AL_SESS-S | Session handling at reverse proxy - is used to identify the user's session at the network component at the application as it progresses. | Duration of the user session |
| cookieConsent | Setting for web analytics - used to store the decision to terminate web analytics. | 5 days |
The following technically necessary cookies are also used in the help area of our website.
| Name | Purpose/Use | Validit period |
|---|---|---|
| AL_BALANCE-S | Load balancing cookie at reverseproxy - used to ensure that a user’s requests are processed by the same server for the duration of the session. | Duration of the user session |
| JSESSIONID | Session allocation - is used to identify the user's session at the application as it progresses. | Duration of the user session |
| AL_SESS-S | Session handling at reverse proxy - is used to identify the user's session at the network component at the application as it progresses. | Duration of the user session |
The duration of the user session refers to the browser and not the duration of the user session in the Customs Portal. In the process, different browsers may end the session in different ways. In the case of some browsers, it is sufficient to close the given window, while in other cases, you need to close the whole browser to delete the session cookies.
Most browsers are set to accept cookies automatically. However, you can deactivate the storage of cookies or set your browser to notify you as soon as cookies are sent.
Our cookies do not damage your computer and do not contain viruses.
The legal basis for the use of cookies is Article 6(1)(e) GDPR in conjunction with section 29b(1) AO.
Open cookie settings:
We use the open source software Matomo as a tracking tool to analyse and statistically evaluate the use of the website if you have consented to the use of cookies and similar technologies for this purpose via the "Web analytics settings" banner. The information generated by this on website activity is compiled into non-identifiable visitor profiles. The information is used to evaluate the use of the website and to enable us to structure our website in line with user needs. Information is not passed on to third parties. In no case will the IP address be linked to any other data relating to the user. The IP addresses are anonymised so that they cannot be identified (IP masking). The legal basis for analysing website activity information for statistical purposes is Article 6(1)(e) GDPR in conjunction with section 29b(1) AO.
The following data from you will be collected anonymously after providing consent:
Web analytics is deactivated in the default setting. You can decide at any time whether you agree to the collection of data for statistical purposes, view or change your previously made decision via the "Web analytics settings" link in the lower area of the www.zoll-portal.de website.
According to Sections 5 and 5a of the Act on the Federal Office for Information Security (BSI Act - BSIG), the Federal Office for Information Security (BSI) is responsible for defending against malware and threats to the federal communications technology and its components. For this purpose, the Federal Office has to analyse the data generated at the interfaces of the federal communications technology and process data generated through the operation of the federal communications technology insofar as this is required to detect and defend against malware.
A brief overview of the processing of your personal data for the aforementioned purpose can be found here:
| Name of the processing | Category of personal data | Data subjects | Processing purpose | Storage period |
|---|---|---|---|---|
| Malware detection system | Data generated at the interfaces of the federal communications technology | Employees of the federal administration, email senders | Defence against malware and threats to the federal communications technology | For analysis |
| System for log data analysis | Log data generated during the operation of the federal communications technology | Employees of the federal administration, website visitors, email senders | Defence against malware and threats to the federal communications technology | For analysis |
| System for logging data analysis | Logging data generated through the operation of the federal communications technology | Employees of the federal administration, website visitors, email senders | Defence against threats to the federal communications technology and its components | For analysis |
In order to fulfil its statutory task, the BSI operates the malware detection system. The malware detection system automatically analyses the incoming and outgoing communication traffic and forwards any potential attacks it detects for analysis. During the collection, personal data that is generated at the interfaces of the federal communications technology, such as IP addresses, may also be processed.
Purpose and legal basis
On the basis of Article 6 (1) (e), (2) and (3) GDPR in conjunction with Section 5 (1) and (3) BSIG, the BSI is entitled to store the data for the purpose of detecting and protecting against attacks on the BSI’s Internet infrastructure and on the entire communications technology of the federal government beyond the time of your visit or the start of communication. This data is analysed and is required to defend against malware, threats arising from the malware found, or to detect and defend against other malware, Section 5 (3) sentence 2 BSIG.
Recipients of the personal data
Personal data analysed within the scope of Section 5 (3) BSIG is only transmitted to other authorities in accordance with Section 5 (5) and (6) BSIG. No data is disclosed in other cases. The BSI does not combine this data with other data sources.
Transfer to third countries
The BSI does not transfer your personal data to countries outside the EU or the EEA or to international organisations.
Storage period
The automated analysis of the interface data is carried out without delay, and the data is deleted immediately and without trace after the comparison has been completed, unless analysis is required in accordance with Section 5 (3) BSIG. If such analysis is required, the data is deleted as soon as it is no longer required for the performance of tasks.
System for log data analysis
In order to fulfil its statutory task, the BSI operates a system for the analysis of log data.
For this purpose, the BSI has to collect and automatically analyse log data generated during the operation of the federal communications technology, insofar as this is required to detect, contain or eliminate malfunctions or errors in the federal communications technology or attacks on the federal information technology. Within the meaning of the BSIG, log data is control data from an information technology log for data transmission which is transmitted independently of the content of a communication process or stored on the servers involved in the communication process and is required to ensure communication between the recipient and sender. Log data may contain traffic data in accordance with Section 3 no. 30 of the Telecommunications Act (Telekommunikationsgesetz) and usage data in accordance with Section 15 (1) of the Telemedia Act (Telemediengesetz), Section 2 (8) BSIG. Common processed log data includes, in particular, log files from servers or firewalls and header data from communication logs such as IP, ICMP, TCP, UDP, DNS, HTTP and SMTP.
Purpose and legal basis
If the log data contains personal data, on the basis of Art. 6 (1) (e), (2) and (3) GDPR in conjunction with Section 5 (1) and (3) BSIG, the BSI is entitled to store the data for the purpose of detecting and protecting against attacks on the BSI’s Internet infrastructure and on the entire communications technology of the federal government beyond the time of your visit. This data is analysed and is required to defend against malware, threats arising from the malware found, or to detect and defend against other malware, Section 5 (3) sentence 2 BSIG.
Recipients of the personal data
Personal data analysed within the scope of Section 5 (3) BSIG is only transmitted to other authorities in accordance with Section 5 (5) and (6) BSIG. No data is disclosed in other cases. The BSI does not combine this data with other data sources.
Transfer to third countries
The BSI does not transfer your personal data to countries outside the EU or the EEA or to international organisations.
Storage period
The automated analysis of the log data is carried out without delay, and the data is deleted immediately and without trace after the comparison has been completed. If there are actual indications that, in case of confirmation of a suspicion under Section 5 (3) sentence 2 BSIG, the log data may be required to defend against threats posed by the malware found or to detect and defend against other malware, it is stored for a maximum of 18 months, Section 5 (2) sentence 1 BSIG. If the suspicion under Section 5 (3) sentence 2 BSIG is confirmed, the data is deleted as soon as it is no longer required for the performance of tasks.
In order to fulfil its statutory task, the BSI operates a system for the analysis of logging data.
For this purpose, the BSI has to process logging data generated through the operation of the federal communications technology, insofar as this is required to detect, contain or eliminate malfunctions, errors or security incidents in the federal communications technology or attacks on the federal information technology, provided this does not conflict with the confidentiality protection interests or overriding security interests of the bodies concerned. Within the meaning of this Act, logging data means records of technical events or states within information technology systems. Logging data is used to detect, contain or eliminate malfunctions or errors in the federal communications technology or to detect, contain or eliminate attacks on the federal communications technology in accordance with Section 2 (8a) BSIG.
Purpose and legal basis
If the logging data contains personal data, on the basis of Art. 6 (1) (e), (2) and (3) GDPR in conjunction with Section 5a sentence 1 BSIG, the BSI is entitled to process the data in order to defend against threats to the federal communications technology and its components, including technical infrastructure that is necessary for the operation of the federal communications technology.
Recipients of the personal data
Within the authority, only the departments that need your data to fulfil the above-mentioned purposes will have access to it. Beyond this, the BSI will only disclose your data if it is legally required or authorised to do so by law or by court order. No further disclosure to third parties will take place without your consent. The BSI does not combine this data with other data sources.
Transfer to third countries
The BSI does not transfer your personal data to countries outside the EU or the EEA or to international organisations.
Storage period
The automated analysis of the logging data is carried out without delay, and the data is deleted immediately and without trace after the comparison has been completed. If there are actual indications that, in case of confirmation of a suspicion under Section 5a sentence 3 and 5 (3) sentence 2 BSIG, the logging data may be required to defend against threats posed by the malware found or to detect and defend against other malware, it is stored for a maximum of 18 months, Sections 5a sentence 3, 5 (2) sentence 1 BSIG. If the suspicion under Sections 5a sentence 3 and 5 (3) sentence 2 BSIG is confirmed, the data is deleted as soon as it is no longer required for the performance of tasks.
If you are under 18 years of age, you should not submit personal data to us without the consent of your parents or guardians. We do not request any personal data from children and minors. We do not knowingly collect such data and do not pass it on to third parties.
You have various rights under the General Data Protection Regulation. You can find details in particular in Articles 15 to 18 and 21 GDPR.
You can request information about your personal data processed by us pursuant to Article 15 GDPR. In your request of access to personal data you should specify your concern in order to make it easier for us to compile the necessary data. Therefore, the request should contain as much information as possible on the specific administrative procedure (type of tax, year).
Please note that your right to information may be restricted in certain circumstances under statutory provisions.
In accordance with Article 15(5) GDPR, the information is always provided free of charge.
If the information concerning you is (no longer) accurate, you may request that it be corrected pursuant to Article 16 GDPR. If your data is incomplete, you may request that it be completed.
In the Customs Portal you have the possibility to correct your data yourself.
If personal data is taken from authentication methods such as the ELSTER certificate or the eID function of the new ID card or the electronic residence permit, this data often cannot be changed by us. In these cases, the data in the authentication method has to be changed at the competent authorities (e.g. tax office at ELSTER).
You can request the deletion of your personal data under the conditions of Article 17 GDPR. Your right to deletion depends, among other things, on whether we still need the data relating to you in order to fulfil our tasks.
For the deletion of the account, please refer to the comments under "Data erasure and storage duration".
Within the framework of the provisions of Article 18 GDPR, you have the right to request the restriction of the processing of data relating to you in certain cases.
This right can be used instead of an actually existing erasure right if this cannot be fulfilled due to the existence of special circumstances within the meaning of section 32f AO. The restriction does not prevent data processing if there is an important public interest in the processing (e.g. legal and equal taxation).
Pursuant to Article 21 GDPR, you have the right, for reasons arising from your particular situation, to object at any time to the processing of the data concerning you. However, we cannot comply with this right if there is an overriding public interest in the processing of the data or if a legal provision obliging us to process the data exists (e.g. carrying out the taxation procedure).
If you have consented to the processing of your personal data, you can revoke this consent at any time with this action taking effect in the future. The lawfulness of the data processing up to the revocation of the consent is thereby not affected.
If you wish to make use of the aforementioned rights, please contact the Data Protection Officer of the Generalzolldirektion [Central Customs Authority]. You will find the contact details under the heading "Responsible authority and data protection officer".
If you are of the opinion that we have not complied with your request or have not complied with it in full, you can lodge a complaint with the Federal Commissioner for Data Protection and Freedom of Information.
Contact details – to be used exclusively for the purpose of lodging a complaint:
Die/Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Husarenstr. 30
53117 Bonn
Phone: +49 228 997799-0
Fax: +49 228 997799-550
poststelle@bfdi.bund.de