
Data protection information i-Kfz app

The Kraftfahrt-Bundesamt (KBA) takes the protection of your personal data seriously. The KBA wants you to know when it collects which data and how it uses it. It has taken technical and organizational measures to ensure that it and the external service providers it commissions to perform its tasks comply with data protection regulations.

Data protection is the protection of privacy. The aim of data protection is to safeguard the fundamental right to informational self-determination. In order to achieve this goal, any processing of personal data of natural persons must be carried out in accordance with the EU General Data Protection Regulation (GDPR), the sector-specific data protection regulations and the German Federal Data Protection Act (BDSG). This means that personal data may only be processed for specific, clear and legitimate purposes. Only as much data may be processed as is absolutely necessary for the respective purpose. In addition, the data must always be kept accurate and up to date. It must only be possible to identify the data subject for as long as is necessary to achieve the respective purpose. From an organizational and technical point of view, the data must be adequately protected against unauthorized access, loss, destruction and damage.

These requirements naturally also apply to data processing by the KBA. The variety of tasks performed by the KBA, the volume and sensitivity of the data processed and the advancing digitalization with its ever-new processing possibilities mean that data protection is becoming increasingly important.

1. Legal basis and purpose of data processing

The KBA processes personal data when performing the tasks assigned to it by law in accordance with Section 2 (1) no. 2 of the Federal Motor Transport Authority Act (KBAG). The content and purpose of the data stored in the KBA's registers are defined by law (see also the comments on section 1.6).

A second exemption regulation to the Vehicle Registration Ordinance (FZV) was enacted for the issuing of a digital vehicle registration certificate (DFZ), which came into force on 01.02.2025. The KBA operates the i-Kfz app in the performance of its public duties in accordance with Section 1 of the second exemption regulation to the Vehicle Registration Ordinance (2. FZVAusnV). The purpose of processing your data is therefore to fulfill the public task assigned to the KBA by the legislator, namely the provision of the digital vehicle registration certificate.

In order to fulfill the KBA's task of providing an application for mobile devices, personal data is processed based on Article 6(1)(c), (3) GDPR in conjunction with the 2. FZVAusnV.

To provide the DFZ, the KBA processes the data from the Central Vehicle Register (ZFZR) in accordance with Article 6(1)(c), (3) GDPR in conjunction with the 2. FZVAusnV in conjunction with Section 32 (1) no. 1 Road Traffic Act (StVG).

The KBA is the competent authority for the provision of the DFZ in accordance with Section 3 (1) and (2) of the 2. FZVAusnV. The content of the DFZ is based on the details of the already issued registration certificate Part I (ZB I) in accordance with Section 2 (2) of the 2. FZVAusnV.

Personal data of the applicant is also processed when an image of the DFZ is forwarded in the app. These are required for the identification of the respective data record in the ZFZR. This is lawful pursuant to Article 6(1)(c), (3) GDPR in conjunction with Section 2 (2) and Section 3 (1) of the 2. FZVAusnV.

Pursuant to Section 5 of the 2. FZVAusnV, the KBA must immediately mark the DFZ displayed in the app as invalid as soon as information on the invalidity of the ZB I is available in the ZFZR based on notifications from the competent authorities to the KBA. This requires regular evaluation of the notifications from the registration authorities. The changes for a DFZ resulting from the notifications are then recorded in a database from which they are retrieved at regular intervals by the Bundesdruckerei (bdr) and processed further in accordance with the instruction.

To fulfill this task, the KBA therefore processes the necessary vehicle and owner data on the basis of Article 6(1)(c), (3) GDPR in conjunction with Section 5 of the 2. FZVAusnV in conjunction with Section 32 (1) no. 1 StVG.

Logging within the scope of the DFZ is carried out in accordance with Section 36 (6) sentences 1, 2 and 7 StVG. The purpose is also to fulfill the accountability obligation of the KBA pursuant to Article 5(2) GDPR, according to which the controller must be able to demonstrate compliance with the principles for the processing of personal data within the meaning of Article 5(1) GDPR.

For the operation of the app, the KBA uses the bdr as a processor within the meaning of Article 28 GDPR.

1.1. What data does the KBA store / process when issuing a DFZ?

In addition to the technical data required for the proper operation of the app, the DFZ processes the personal data that is stored in the ZFZR and processed for the issue of the registration certificate Part I (Section 33 (1), Annex 6 of the StVG). These are:

  • Personal data (surname last name, surname name component, surname at birth, surname at birth name component, first name, religious name, stage name, date of birth, place of birth, gender, doctorate),
  • Identifying data (user ID, DFZ number, identification number ZFZR entry, license plate number, vehicle identification number (VIN), registration certificate Part I number, registration certificate B1 form number),
  • Free text field in the ZB I (Remarks Exceptions),
  • Free text field for naming images of the DFZ (name of DFZ image),
  • Logging data.

For identification in the app with the eID function, your personal data from the ID card or electronic residence permit will also be processed. These are used to compare them with the contents of the ZFZR. Only then will a DFZ be issued and displayed in your i-Kfz app.

Furthermore, technical data such as the device identifier and the DFZ number for identifying the DFZ for loading, updating including invalidation and for forwarding and deleting a DFZ are transmitted to the ZFZR and stored there.

The retrievals from the registers are recorded as required by law in the form of logging data of the retrievals, the data used during the retrieval, the identifier of the retrieving office, the retrieved data itself and the time stamp.

1.2. The recipients or categories of recipients who have already received or will receive my data in the future

The external recipient is Bundesdruckerei GmbH (Kommandantenstraße 18, 10969 Berlin) as a processor pursuant to Article 28 GDPR. The KBA ensures that suitable technical and organizational measures are implemented at the service provider to guarantee the security of the processing of your data.

Your personal data may be disclosed to the following subcontractors at Bundesdruckerei under certain circumstances:

| Name and address of the subcontractor | Description of the partial services | Location of the service provision |
|---|---|---|
| Maurer Electronics GmbH, Hollerithallee 20a, 30419 Hannover | Software development and administration of the application | Germany |
| Maurer Electronics Split d.o.o., Ul. Zrinsko Frankopanska 64, 21000, Split, Croatia | Software development and administration of the application | Germany, Croatia |
| Myra Security GmbH, Landsberger Straße 187, 80687 Munich | Secure Distribution Layer | Germany |
| Interact Tele Service AG, Gebrüder-Boll-Straße 1c, 17033 Neubrandenburg | First Level Support | Germany |
| Inco Sp. z o.o., Wawrów 90, 66-403 Gorzów Wlkp. | First and Second Level Support | Poland |
| ComConsult GmbH, Pascalstraße 27, 52076 Aachen | Clarification of information security issues; Creation of the (partial) security concept; Implementation and acceptance of the specified services | Germany |
| Sozialhelden e.V., Invalidenstraße 65, 10557 Berlin | Advice on UX/UI design and development with regard to accessibility; BITV testing of the iOS and Android app (with BIK BITV seal of approval) | Germany |
| Schlesinger Group Germany GmbH (Sago), Neuhauser Str. 27, 80331 Munich | Acquisition of users for application tests according to specified parameters; Setup of the laboratory for carrying out the tests | Germany |
| D-Trust GmbH, Kommandantenstraße 15, 10969 Berlin | As a company of the Bundesdruckerei Group, D-Trust provides the following service packages defined in the service description: 1) D-Trust eID-Service, 2) D-Trust seal-me | Germany |

Holders who have a DFZ in the i-Kfz app can pass the DFZ on to other people via a provisioning token in the form of a QR code or deep link. This is the responsibility of the digital vehicle document owner and is outside the KBA's responsibility under data protection law.

1.3. Duration of storage

Users can initiate the deletion of data in the DFZ app themselves by selecting the corresponding function on their smartphone. If you delete the DFZ in the application on your smartphone, it will also be deleted at the Bundesdruckerei.

If you wish to delete an image in the application of a third party, you can also select the corresponding function in your own application and have all images deleted. An image can also be issued for a limited period.

Unless the ZFZR provides grounds for the deletion of the personal data, the controller or processor will not delete the DFZ on their own initiative. If a DFZ becomes invalid due to an update in the ZFZR, the DFZ is grayed out in the app and can no longer be accessed. Deletion must still be carried out by the user.

The logged data is deleted after 6 months in accordance with Section 36 (6) sentence 7 StVG.

1.4 Rights of the data subject

As the data subject of a data processing operation, you have the following rights:

  • If your personal data is processed, you have the right to obtain information about the personal data stored about you (Article 15 GDPR).
  • If incorrect personal data is processed, you have the right to rectification (Article 16 GDPR).
  • If the legal requirements are met, you can request the erasure or restriction of processing (Article 17 and 18 GDPR).
  • If you have consented to the data processing or a contract for data processing exists and the data processing is carried out using automated procedures, you may have a right to data portability (Article 20 GDPR).
  • If you have consented to the processing of your personal data and the processing is based on this consent, you can revoke this consent at any time with effect for the future. This does not affect the lawfulness of the data processing carried out based on the consent until revocation.
  • You have the right to object to the processing of your data at any time for reasons arising from your particular situation if the processing is carried out exclusively based on Article 6(1)(e) or (f) GDPR (Article 21(1) sentence 1 GDPR).

You also have the option of lodging a complaint with the supervisory authority responsible for the KBA in accordance with Article 77 GDPR. To do so, please contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI): Graurheindorfer Str. 153, 53117 Bonn, www.bfdi.bund.de, e-mail: poststelle@bfdi.bund.de

In this respect, the BfDI is the supervisory authority responsible for the KBA.

1.5 Information about the origin of the data

The personal data originates from the ZFZR and is provided by the KBA as the body responsible for issuing the DFZ. In addition, the use of the DFZ in the i-Kfz app generates technical data that is stored in the systems of the Bundesdruckerei either temporarily or for the duration of the use of the DFZ.

The personal data from identification with the eID function originates from your identity card or electronic residence permit.

Other personal data beyond the extract from the ZFZR is entered by you.

1.6 Automated decision-making including profiling in accordance with Article 21 GDPR

Automated decision-making or profiling does not take place during data processing by the KBA.

1.7 Transfer of personal data to a third country or to an international organization

To use the DFZ, it is necessary to use the app. By downloading the app from the respective app store on your smartphone, your personal data is transferred to the USA.

If you download the app via the Google Play Store (Android), your personal data will be processed based on Article 6(1)(c) and (e) GDPR in conjunction with Section 1 (1) of the 2. FZVAusnV and the transfer based on Article 45(3) GDPR in conjunction with the Data Privacy Framework (adequacy decision) in conjunction with the certification of Google LLC.

If you download the app via the Apple App Store (iOS), data may be transferred to all Apple data centers (including in non-EU countries without an adequate level of data protection, particularly the USA) without suitable guarantees within the meaning of Article 46 GDPR. In its ruling of 16.07.2020, Ref.: C-311/18 (“Schrems II”), the ECJ found that an adequate level of data protection cannot be guaranteed in the USA. This is only guaranteed if the data recipient is certified in accordance with the Data Privacy Framework. However, Apple is not certified under the Data Privacy Framework. On the one hand, there is therefore a risk of access to the transferred data by US security authorities without the possibility of effective legal remedies. On the other hand, there are no enforceable data subject rights. The transfer therefore only takes place with your express consent on the basis of Article 49(1)(a) GDPR.

The KBA has no influence on the data collected and data processing procedures, nor is the full extent of the data collection, the purposes of the processing or the storage periods known. The KBA also has no further information on the deletion of the data collected by the app store operator.

Further information on the purpose and scope of data collection and its processing by the respective app store operator can be found in the data protection information of these operators provided below. There you will also find further information on your rights in this regard and setting options to protect your privacy: Apple App Store (iOS): https://www.apple.com/de/legal/privacy/data/de/app-store/ and Google Play Store (Android): https://policies.google.com/privacy

2. Processing of personal data when contacting the KBA

If you contact the KBA when using the support service, your personal data will be used for communication and stored for this purpose.

Your personal data will be processed depending on the contact method you choose. A distinction is made here between contact by telephone, e-mail, contact form, letter and fax.

2.1 Contact by e-mail

Contact with the KBA by e-mail is possible via various functional mailboxes in addition to the employees' personal business e-mail addresses. In the specialist departments, the data you send (e.g. surname, first name, address), but at least the e-mail address and the information contained in the e-mail, including any personal or personally identifiable data you provide, will be stored for the purpose of contacting you and processing your request in accordance with the time limits applicable to the storage of documents in the Rules of Procedure of the Federal Motor Transport Authority (GO-KBA) in conjunction with the filing instructions or the department-specific legal regulations.

If the KBA receives a message from you by e-mail, it assumes that it is entitled to reply by e-mail. Otherwise, you must expressly inform the KBA of another form of communication. If (further) personal or personal-related data is to be transmitted in the course of the reply, the communication/reply will take place exclusively by post.

This data is processed based on Article 6(1)(e) GDPR in conjunction with Section 3 BDSG. Processing the personal data transmitted by you is necessary for the purpose of processing your request.

2.2 Contact us via the contact form

If you use the contact form on the KBA website for communication, you must provide your surname and first name as well as your e-mail address. Your request cannot be processed without this data. Providing your address is optional and enables the KBA to process your request by post if you wish. In addition, the date and time of your request will be transmitted to the KBA.

If the Office receives a message from you via the contact form, it assumes that it is entitled to reply by e-mail. Otherwise, you must expressly inform the KBA of another form of communication. If (further) personal or personal-related data is to be transmitted in the course of the reply, the communication/reply will take place exclusively by post.

The content of the KBA contact form is transmitted via an encrypted https connection.

The processing of the data transmitted via the contact form and the content, which may also contain personal data transmitted by you, is carried out based on Article 6(1)(e) GDPR in conjunction with Section 3 BDSG for the purpose of contacting you and processing your request. Your data transmitted to the KBA will be stored in accordance with the periods applicable to the storage of documents in the Rules of Procedure of the Federal Motor Transport Authority (GO-KBA) in conjunction with the filing instructions or the sector-specific legal regulations.

When using the contact form, the content of the data fields is transmitted exclusively to the KBA. By activating the checkbox, you acknowledge its privacy policy. The processing of personal data serves to answer your inquiry in accordance with Article 17 of the German Basic Law (Grundgesetz). The IP address is used exclusively in the context of state law enforcement and security measures in compliance with the legal requirements.

If you do not agree to the processing of your data, you can cancel the process at any time. Your message will then not be sent.

2.3 Contacting the KBA by fax

It is also possible to contact the KBA by fax.

The data transmitted by you by fax, including the content, which may also contain personal or personal-related data transmitted by you, will be processed for the purpose of establishing contact and processing your request on the basis of Article 6(1)(e) GDPR in conjunction with Section 3 BDSG. The data will be stored by KBA employees in accordance with the time limits for the storage of documents set out in the Rules of Procedure of the Federal Motor Transport Authority (GO-KBA) in conjunction with the filing instructions or the sector-specific legal regulations.

2.4 Contact by letter

If you contact the KBA by post, the data you provide (e.g. surname, first name, address) and the information contained in the letter (any personal or personally identifiable data you provide) will be stored for the purpose of contacting you and processing your request in accordance with the time limits applicable to the storage of documents in the Rules of Procedure of the Federal Motor Transport Authority (GO-KBA) in conjunction with the filing instructions or the sector-specific legal regulations.

The data is processed on the basis of Article 6(1)(e) GDPR in conjunction with Section 3 BDSG.

3. Data security

All data transmitted by you personally on the KBA website is encrypted using the generally accepted and secure TLS (Transport Layer Security) standard. TLS is a secure and proven standard that is also used in online banking, for example. You can recognize a secure TLS connection by the s appended to the http (i.e. https://..) in the address bar of your browser or by the lock symbol at the bottom of your browser.

The KBA uses suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorized access by third parties. Its security measures are continuously improved in line with technological developments.

Suitable technical and organizational measures have also been implemented for the i-Kfz app to ensure the security of processing in the app.

4. Up-to-dateness and amendment of this data protection information

This data protection information is currently valid and was last updated in July 2025.

Due to the further development of the KBA app and offers or due to changed legal or official requirements, it may become necessary to change its data protection information. You can call up the current data protection information at any time in the app or on the website at www.kba.de and print it out if necessary.

5. Contact and contact person

5.1. Contact details of the KBA as the responsible authority:

Postal address:
Kraftfahrt-Bundesamt
24932 Flensburg
Phone: +49 461 316-0
Fax: +49 461 316-1650
E-mail: kba@kba.de

If you have any problems or questions about the DFZ, you can contact DFZ support at any time at 213-support@kba.de or by phone: 0461 316-1238

5.2. Contact details of the data protection officer:

If you have any questions about data protection, please contact our data protection department:

Postal address:
Kraftfahrt-Bundesamt
Data protection
24932 Flensburg
E-mail: datenschutz@kba.de

You can contact our data protection officer:

Postal address:
Kraftfahrt-Bundesamt
Data protection
24932 Flensburg

Phone: +49 461 316-2327
Fax: +49 461 316-272327
E-mail: bdsb@kba.de