Sicherheitsüberprüfung von Personen mit sicherheitsempfindlicher Tätigkeit in der Wirtschaft Durchführung für Sabotageschutz

Persons who are employed in security-sensitive positions in companies must undergo a security check as part of preventive personnel sabotage protection. As a company, you must apply for the check.

In the economy, there are facilities whose impairment poses serious risks to the life or health of

• the life or health of large sections of the population
• public safety or order, or
• the defense readiness of the Bundeswehr and allied armed forces.

Persons who carry out security-sensitive activities there must undergo a security check in preventive personnel sabotage protection before taking up their work.

The following are affected:

• Companies that are responsible for setting up or operating the digital radio system for authorities and organizations with security tasks
• Companies commissioned by the Federal Information Technology Center (ITZBund) to set up or operate federal information and communication technology
• Companies commissioned with the development or operation of foreign information and communication technology
• Telecommunications companies that have to maintain transmission paths and telecommunications services for services under the Postal and Telecommunications Security Act
• Control centers of electricity transmission system operators and selected electricity distribution system operators
• Companies that operate compressor stations and import stations for gas measurement and pressure reduction of imported gas volumes at network interconnection points in the gas network between a network operator abroad and a network operator in Germany
• Companies directly involved in the construction, maintenance or repair of defense vehicles, defense equipment or naval vessels
• Incident companies of the upper class or equivalent operating areas (only if they are not adequately protected against unauthorized access by organizational or technical measures and this is documented in the security report)
• Railroad control centers
• Dangerous goods companies with security plans in accordance with subsection 1.10.3.2 ADR, RID or ADN
• Service providers who are to work for the companies listed above at their security-sensitive locations (e.g. cleaning companies, craft firms)

It is not a security-sensitive activity in the economy if companies send personnel to

• institutions established under public law, such as ministries, the German Bundestag or the German Bundesbank, or
• military security areas, such as air bases, barracks or naval arsenals.

The Federal Ministry of Economics and Climate Protection (BMWK) is generally responsible for security checks in the non-public sector.

Companies whose personnel work in connection with the BOS digital radio at security-sensitive locations of the federal government have the security check carried out by the Federal Agency for the Digital Radio of Authorities and Organizations with Security Tasks (BDBOS).

The security check is intended to individually assess whether a person can be assigned a security-sensitive activity at a security-sensitive location. Or whether there is a security risk that would prevent such an activity.

To this end, the Federal Office for the Protection of the Constitution (BfV) takes the following measures as a participating authority in the security clearance procedure:

• security-related assessment of the information in the security declaration, taking into account the findings of the federal and state constitutional protection authorities
• unrestricted information from the Federal Central Criminal Register and the Central Commercial Register
• Inquiries to
  • the Central Register of Public Prosecutors,
  • the Federal Criminal Police Office
  • the Federal Police and
  • the federal intelligence services
• where necessary
  • Requests to
    • the Central Register of Foreigners,
    • foreign security authorities and
    • other appropriate bodies if security-relevant findings require this and questioning of the person concerned is not sufficient or the questioning conflicts with interests worthy of protection
  • Inspection of publicly visible websites and the publicly visible part of social networks
  • Interview with the data subject in the event of security-relevant findings.

Security risks exist if the following indications actually exist after the review:

• Doubts about the necessary reliability of the person concerned in the performance of their security-sensitive activities,
• a particular threat, in particular the concern of blackmailability, in the event of possible attempts to initiate or recruit by criminal organizations, extremist or terrorist organizations, or
• doubts that the person concerned is committed to the free democratic basic order within the meaning of the Basic Law and is prepared to stand up for its preservation at all times.

At the request of the competent authority, an update of the security declaration or a repeat check is carried out alternately every 5 years.

A security clearance can only be waived if

• recognition of another check is possible, for example background checks under aviation security or nuclear law or extended security checks in personnel security or
• the requirements of the final statutory exceptions are met, for example in the case of a short-term assignment of no more than 4 weeks at a security-sensitive location, provided that the person who has not been vetted is permanently accompanied by a vetted person.

Registration in the preventive personnel sabotage protection (vpS) at the BMWK:

In order to be able to carry out security checks, you as a company must first register for preventive personnel sabotage protection. The responsible office requires the following documents for this:

• Informal letter from your management or association management,
  • stating the reason why security checks are necessary, and
  • in which your management names a sabotage protection officer and their representative for the company, stating their official contact details such as telephone and e-mail.

Please note: Sabotage protection officers and deputies may only be persons who

• are not part of personnel administration in the broad sense, i.e. who are not involved in labor law decisions, such as warnings or dismissals, or who are not allowed to issue them themselves,
• are not also company data protection officers and
• are not also contact persons in the company for the prevention of corruption.

If it is not possible to meet these requirements in individual cases, your management or the association management can informally apply for an exception to be granted. In doing so, you must justify why it is not possible for your company to meet the requirements in exceptional circumstances, e.g. micro-enterprise.

The competent authority will also require proof of your security-sensitive activity:

• For companies with their own security-sensitive unit:
  • an informal, brief and comprehensible description of the security-sensitive unit or units
• For external companies, companies without their own security-sensitive unit:
  • Either an excerpt from the contract with the company with a security-sensitive location, stating that the personnel are to be deployed at a security-sensitive location. Care must be taken to ensure that the contracting parties, the validity of the contract and the necessity of the deployment at security-sensitive locations to fulfill the order are expressly stated in the contract extract or
  • an informal confirmation from the company with the security-sensitive location that a security check must be carried out for the external personnel due to the deployment of external personnel at security-sensitive locations.

Registration in the vpS with the BDBOS

• Official letter from your company requesting inclusion in the sabotage protection system:
  • Reason for inclusion
  • Company data: full address, number, e-mail address of the sabotage protection officer
• Designation of the sabotage protection officer

After successful registration, the necessary security checks can be carried out. The BDBOS requires the following documents for this:

• Application for security check, signed by the sabotage protection officer (original)
• Security declaration for preventive personnel sabotage protection (original and copy):
  • the person concerned must complete and sign this
  • the sabotage protection officer must then check the security declaration for completeness and accuracy

The following persons must undergo a vpS security check:

• Persons who are to work in security-sensitive areas at vital and defense facilities
• Persons from service providers who are to work at vital and defense-related facilities in their security-sensitive areas, e.g. cleaning companies, craft companies

There are no costs.

Registration:
You must first register your company for preventive personnel sabotage protection (vpS) with either the BMWK or the BDBOS, depending on your area of responsibility.

• To do this, send an informal letter from the management naming the sabotage protection officer and the person authorized to represent them as well as proof of the security-sensitive activity by post to the BMWK or the BDBOS.
• The BMWK or the BDBOS will confirm the successful company registration to the sabotage protection officer.
• If you register the company with the BMWK, the BMWK will also provide you with a company number. The company number is a double 5-digit number interrupted by a hyphen, each starting with a 2. The sabotage protection officers can use this number to apply for a security check for the person concerned.

Applying for a security check if the BMWK is responsible:

The application for the security check is usually made by the sabotage protection officer of the company in which the person concerned is employed. Exceptions to this rule must be approved in advance by the BMWK or the BDBOS. As a sabotage protection officer, proceed as follows:

• When you register with the BMWK: Open the BMWK Security Forum and download the "Application for sabotage protection", the "Security declaration for sabotage protection" (form S 03 vpS) and the "Completion instructions" (form S 06 vpS).
• Every person who is to be entrusted with the security-sensitive activity must complete and sign the security declaration. The completion instructions (form S 06 vpS) serve as an aid.
• As the person responsible for sabotage protection, you must check the safety declaration of the persons concerned for completeness and accuracy. If necessary, you may consult personnel documents for this purpose.
• For each security check, you as the sabotage protection officer submit an "Application for sabotage protection" and enclose the original and a copy of the security declaration of the person concerned. Submit the documents by post to the BMWK or the BDBOS.
• Make a copy of all documents that you send to the BMWK or the BDBOS beforehand. These copies will remain in your company security file for the person concerned. Security files must be kept separately from personnel files and protected against unauthorized access.
• The BMWK or the BDBOS will check your documents. If they are complete and plausible and there is no obvious security risk or procedural obstacle, the BMWK or the BDBOS will commission the Federal Office for the Protection of the Constitution (BfV) to carry out the security check. Otherwise, you will receive a message - possibly accompanied by a request to make corrections or additions or to have them made by the person concerned.
• The BfV carries out the security check and forwards the findings to the competent authority.
• The BMWK or the BDBOS, as the competent authority, decides whether a security risk stands in the way of the specific security-sensitive activity of the person concerned. In case of doubt, the state's security interests take precedence.
• Before determining a security risk, the BMWK or the BDBOS shall give the person concerned the opportunity to comment on the facts relevant to the decision.
• The BMWK or the BDBOS will inform you of the decision in writing.
• As the sabotage protection officer, you must inform the person being checked of the result of the security check.
• If the BMWK or the BDBOS has completed the security check procedure and no security risk has been identified, you as the sabotage protection officer may entrust the person concerned with the intended security-sensitive activity.

Decisions of a security check that allow an assignment at a security-sensitive location of a company or association are valid until the BMWK or the BDBOS revoke them or the activity at a security-sensitive location is terminated.

A revocation of the decision of the BMWK or the BDBOS on the non-existence of a security risk occurs, for example, if you do not submit the documents for the update or re-verification in due time or if security-relevant findings have occurred during the update or re-verification.

The safety check must be completed without a safety risk being identified before you are allowed to deploy new persons in safety-sensitive positions. Deviations from this are only possible on the basis of statutory exceptions and if previous security or background checks are recognized.

For persons who were already working at the location before it became a security-sensitive location, you must immediately carry out the security checks in preventive personnel sabotage protection.

There are no indications or special features.

• Administrative court action

• Security screening of persons with security-sensitive activities in the economy Implementation for sabotage protection
• Security screening of persons with security-sensitive activities in vital or defense-critical facilities in the non-public sector in companies or associations
• concerns:
  • Companies that are commissioned to set up or operate the digital radio system for authorities and organizations with security tasks
  • Companies commissioned by the Federal Information Technology Center (ITZBund) to set up or operate federal information and communication technology
  • Companies commissioned with the development or operation of foreign information and communication technology
  • Telecommunications companies that have to maintain transmission paths and telecommunications services for services under the Postal and Telecommunications Security Act
  • Control centers of electricity transmission system operators and selected electricity distribution system operators
  • Companies that operate compressor stations and import stations for gas measurement and pressure reduction of imported gas volumes at network interconnection points in the gas network between a network operator abroad and a network operator in Germany
  • Companies directly involved in the construction, maintenance or repair of defense vehicles, defense equipment or naval vessels
  • Incident companies of the upper class or equivalent operating areas, only if they are not adequately protected against unauthorized access by organizational or technical measures and this is documented in the security report
  • Railroad control centers
  • Dangerous goods companies with security plans in accordance with subsection 1.10.3.2 ADR, RID or ADN
  • Service providers who are to work for the companies listed above at their security-sensitive locations, e.g. cleaning companies, craft firms
• It is not a security-sensitive activity in the economy if companies send personnel to public institutions, for example ministries, the German Bundestag, the German Bundesbank or military security areas such as air bases, barracks or naval arsenals.
• Procedure:
  • 1. admission of the company
  • 2. personal check
• Personal checks are carried out at the request of the company's sabotage protection officer
• responsible:
  • Federal Ministry of Economics and Climate Protection (BMWK) or
  • Federal Agency for the Digital Radio of Authorities and Organizations with Security Tasks (BDBOS)