Data Processing Register Regulation 2012 - Dvrv 2012

Original Language Title: Datenverarbeitungsregister-Verordnung 2012 - DVRV 2012

Read the untranslated law here: https://www.global-regulation.com/law/austria/2997371/datenverarbeitungsregister-verordnung-2012---dvrv-2012.html

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$20 per month, or Get a Day Pass for only USD$4.99.
257. Regulation of the German Chancellor about the data processing register that is equipped with the data protection Commission (data processing register regulation 2012 - DVRV 2012)

On the basis of § 16 para 3 and § 61 para 8 of the data protection Act 2000 (DSG 2000), Federal Law Gazette I no. 165/1999, as last amended by the Federal Act Federal Law Gazette I no. 51/2012, is prescribed:

Table of contents



1st section General information



§ 1.



Scope



§ 2.



Definitions



2. section establishment and contents of the data processing register



§ 3.



Establishment of the data processing register



§ 4.



Contents of the data processing register



3. cut off access and insight into the data processing register



§ 5.



Access to the data processing register



§ 6.



Inspection of the data processing register



4. cut off messages to the data processing register



§ 7.



Form of the message



§ 8.



Occasion and time of the message



§ 9.



The message content



§ 10.



Supplements to the message



§ 11.



Registration



§ 12.



DVR number and proof of registration



§ 13.



Automatic registration of messages



5. section identification and authentication



§ 14.



Identification and authentication in DVR online



§ 15.



Representation of the customer's



6 article information network system



§ 16.



Directory of information network system



7 section of the data processing register



§ 17.



Correction of the data processing register



§ 18.



Acceptance of the DVR number in succession



§ 19.



Storage of the content of the data processing register, and the registration files



8 section notification and registration for manual files and operating errors



§ 20.



Scope of application



§ 21.



Messages for manual files and operating errors



section 22.



Registration for manual files and operating errors



9 section final provisions



section 23.



Rules of procedure



§ 24.



Entry into force



Appendix 1



Content of the DVR-online form and of the form "Information on the payer"



Appendix 2



Content of the DVR-online form and the form "Message a data application"



Appendix 3



Content of the DVR-online form (electronic design) and of the form "Message a sample application"



Appendix 4



DVR-online form and content of the form 'General information to adopted data security measures' 1 section

General information

Scope

§ 1. This regulation governs the establishment and management of the data processing register, access and the consultation of the data processing register, the registration of data applications in the data processing register, as well as the directory of the joint information system.

Definitions

§ 2. Are the purposes of this Regulation: 1. data processing register: by the data protection Commission pursuant to § 16 para 1 DSG 2000 to leading register of the client with data applications operated by them;

2. message: Input in accordance with section 17 DSG 2000 to the Privacy Commission for the purpose of registration in the register of data processing;

3. registered message: in the data processing register recorded messages, consisting of appendices 1 bis3;

4. DVR-online: Internet application for the reporting of data applications to the data protection Commission and management of the data processing register with the data protection Commission;

5. DVR-online forms: the content corresponding to the forms of Appendix 1 bis4 and used in the DVR-online forms;

6. DVR number: by register number assigned to the data processing register;

7 bPK: sector-specific personal identifier in accordance with §§ 9 ff of the E-Government Act E-GovG, Federal Law Gazette I no. 10/2004, as amended by Federal Law Gazette I no. 111/2010.

2. section

Establishment and contents of the data processing register

Establishment of the data processing register

§ 3. The data processing register is set by the data protection Commission and DVR online is run in the form of the application. Principal of the data processing register is the data protection Commission.

Contents of the data processing register

4. (1) the data processing register consists of: 1 the messages on client and data applications, 2. registered a separate Directory of information network system, and 3. the registry files.

(2) in the Registry Act to record are: 1 the unregistered message, consisting of the DVR-online forms and forms, as well as the connected side dishes, 2. improving orders, 3. permit notifications in accordance with article 13 DSG 2000, 4. decisions of the data protection Commission requirements, DSG has been granted 2000 on the occasion of the examination procedure in accordance with section 21, para. 2, 5. other decisions of the data protection Commission in the registration process, and 6 announcement according to § 20 paragraph 5 DSG 2000 on the refusal to register.

3. section

Access and insight into the data processing register

Access to the data processing register

§ 5. Access to the data processing register is carried out in accordance with technical and organizational possibilities through DVR online. In the event of a malfunction, as well as for manual files is in accordance with technical and organisational possibilities on an alternative way to ensure access.

Inspection of the data processing register

6. (1) publicly available registered are messages, consisting of appendices 1 bis3, as well as the separate Directory of joint information system.

(2) in the Registry Act access be granted, if the insight satisfactorily demonstrate that he is a data subject, and hinder not overwhelming as far as worth protecting confidentiality interests of the customer or any other person is. The information on data security measures subject to any inspection.

4 section

Messages to the data processing register

Form of the message

The message, as well as the accompanying side dishes are § 7 (1) to engage in electronic form via DVR online. A message in the form of E-Mail or in non-electronic form is permitted only under the conditions of the section 8. The message manual files may be inserted either in electronic form via DVR online or under the conditions of the section 8.

(2) for insertion of messages, as well as for the processing of improving orders, identification and authentication is required.

(3) to take part in a joint information system, which has already been registered on the basis of a message by at least two clients, more Contracting entities in the result can Z 3 to 7 and para. 2 2000 on a reference through acquisition of the contents of the message of a previously registered principal limit the message in the scope of § 19 para 1 DSG, if she seek participation in the exactly the same extent.

Occasion and time of the message

§ 8. For the purpose of registration, the principal of a data application of the data protection Commission pursuant to §§ 17 and 19 has to sign DSG 2000: 1 its identity and its legal bases (legal authority or legal jurisdiction) the first message of a data application to the data protection Commission, 2. each reportable data application prior to their start, 3. Every modification of a reportable, already registered data application together with the legal bases before recording the amended data application , 4. any change of the name or the other name or the address of the customer, immediately after the occurrence of the change, 5. enter a reason for the cancellation of a registered data application, in particular the Elimination of its legal basis, immediately after it happened, 6 the absence of an appropriate legal basis for that in connection with the registration activities of the customer, immediately after their legal effectiveness.

The message content

§ 9. Each new or change message on the application of a data are for the DVR-online form according to the annex 2 fully specify; the message of a sample application data are for that purpose in the DVR-online form according to the annex 3 fully specify. A client logs for the first time to the data protection Commission or it reports changes to the information on the payer, so he has in addition in the DVR-online form to fill in the details after Appendix 1. Z 2000 are 7 DSG pursuant to section 19 para 1 to advertising General information about the data security measures taken to transmit via the DVR online form in accordance with annex 4 to the data protection Commission.

Supplements to the message

§ 10. The message is especially to settle: 1 data applications of the public area the legal responsibility of the client and any other necessary legal bases for the data application, as far as is to prove their presence no doubt, 2. data applications of the private area is proof of authority for the pursuit of activities of the customer or if required for this no power, a relevant rationale.

Registration

§ 11 (1) registration is by taking over the filled out on the occasion of the message about DVR-online and in the registration process at most improved DVR-online forms in accordance with Appendix 1, bis3 in the data processing register pursuant to § 4 paragraph 1 Z 1.

(2) the registration shall be effected as soon as 1 immediately.

the examination procedure which has resulted in admissibility of the registration or the requested improvements fully and on time has made 2 two months from the receipt of the message at the Privacy Commission have elapsed without having an improvement order under section 20 has been granted DSG 2000, or 3. the principal.

(3) requirements for the making of a data application, DSG 2000 on the occasion of the registry with notice of the data protection Commission has been granted the customer pursuant to § 21 para 2, are by virtue can be seen by an entry in the permit number in the form submitted by the client via DVR online in accordance with Appendix 2. The phrase content is to reflect in the registry as a supplement to Appendix 2.

(4) messages, which the contracting authority has referred to vorabkontrollpflichtig or were brought by this legitimately does not have DVR online, are a defect within the meaning of § 19 para 4 to check DSG 2000. Examination reveals an irregularity of the message, according to § 19 para 4 2000 DSG receipt of the message to apply the improvement under setting a reasonable period of time is the principal period of two months after. On behalf of improvement, it is to point out that the registration of the message by giving written notice to reject is for the case that is not met the improvement order. In the communication are to: 1 the points where the improvement order was not fulfilled, and 2. the note that an application may be made within two weeks from the notification to the data protection Commission, about the rejection with decision to deny.

Refund after sending the notice improvements are not taken into account.

DVR number and proof of registration

Section 12 (1) is any contracting authority to allocate a DVR number at initial registration. Only a DVR number may be assigned to one and the same Contracting Authority.

(2) a contracting authority may carry only a DVR number. In those cases where according to § 25 DSG 2000 to do a DVR number is, it is a seven-digit number with the close marking "DVR". Additions to the DVR number, which serve the internal designation of data applications on the part of the customer are allowed; they are however to make that the DVR number as such remains recognizable.

(3) the data protection Commission has to inform the contracting authority the registration of reported data application.

Automatic registration of messages

Messages from data applications that are DSG 2000 according to the instructions of the client of any prior inspection according to § 18 para 2 or § 50c, are § 13 (1) to examine only automatically for completeness and plausibility. For this purpose, it is checked in particular, whether the contracting authority none of the conditions for a prior checking 2000 specified DSG in the sense of § 18 para 2 or § 50 c. The message is therefore not incorrect, it is so to register immediately.

(2) an error of message is found in the automation-supported examination, the opportunity to improve to give is the contracting authority. He noted at the same time to point out that the message is considered not appropriate, if no improvement is made or if he insists on the introduction of the unenhanced message. In the latter case the consignors can submit in writing the message printed out error of the data protection Commission under connection, which has to check the message on a defect within the meaning of § 19 para 4 DSG 2000.

5. section

Identification and authentication

Identification and authentication in DVR online

14. (1) the identification and authentication is logging in to DVR-online with the citizen card, through the corporate service portal or technical requirements that allow also the involvement of applications of local authorities, other bodies of governed by public law or other institutions fastened State tasks (Portal Federation).

(2) it is to ensure that all available technical implementations of the citizen card can be used including those using mobile phone (mobile signature).

Representation of the customer's

Paragraph 15 should be represented a message to the data processing register and use the citizen card with power of Attorney is not possible and is used also no other requirement in accordance with article 14, paragraph 1, the right of representation for these clients with the data protection Commission must be applied for and assigned to. The rights of the person entitled to the professional representation of Parties according to § 10 para 1 of the General administrative procedures Act 1991 - No. 51/1991, as amended by Federal Law Gazette I no. 100/2011, remain AVG, BGBl.

6 article

Joint information system

Directory of information network system

Section 16 (1) of the data protection Commission received messages about data applications that have the participation of a joint information system to the content, the Privacy Commission has to create a run via DVR-online directory of joint information system that contains the information referred to in paragraph 2 to each date.

(2) the list of the joint information system shall contain the following information: 1. identification and purpose of information system, 2. legal basis of the system, 3. name or other name and address, telephone number and E-Mail address of the operator, 4. list of participating in the joint information system contracting authority, 5. the logon information required in Appendix 2 under point 7 to 9 with reference to the entire information system as well as 6 any requirements , Conditions or time limitations for the leadership of the joint information system, has been granted DSG 2000 pursuant to § 21 para 2 of the data protection Commission.

(3) the data protection Commission may order the registration of other information insofar as this is necessary to the proper organization and keeping of the register of the joint information system.

(4) other information pursuant to § 50 para 2 DSG 2000 must be entered at the request of the contracting authority or its designated representative.

7 section

Maintaining the data processing register

Correction of the data processing register

Section 17 (1) becomes aware, that a registered contractor is died or perished from the data protection Commission official pronouncements of, is the deletion from the register of data processing carried out by virtue.

(2) the data protection Commission can rectify anytime by virtue or comparison thereof that, apparently on a mistake or apparently only on technically poor operation of an automation-supported computer based mistakes in the data processing register. The affected contracting authority is to notify of the correction.

Acceptance of the DVR number in succession

§ 18. The legal successor of a registered principal cannot accept individual or all registered messages of the legal predecessor if he makes an according to credible made statement to the data protection Commission of succession within six months of the effectiveness. Also DVR number of the legal predecessor can be transferred at the request of the successor in title, if the predecessor has set any processing of personal data in the client property.

Storage of the content of the data processing register, and the registration files

§ 19 content of the data processing register registered messages on client and data applications that are available and stored on electronic data carriers in paper form, must be stored only in electronic form. The existing only in paper form contents of the data processing register must be kept still.

8 section

Notification and registration for manual files and operating errors

Scope of application

Section 20 (1) a message in the form of E-Mail or in non-electronic form is allowed only for manual files, as well as one as far as their contents Z 2000 meet at least one of the facts of the § 18 para 2 1 to 3 DSG and are therefore subject for more than 48 hours continuously ongoing technical failure of DVR online. That case is equal kept with such continuously ongoing technical failure, in which the technical failure in one for more than 48 hours over a period of several hours reviewed ongoing period occurs. For the cases of such malfunction and for the notification of reportable manual files the provisions of the 3rd-5th section with the changes listed in §§ 21 and 22 shall apply.

(2) the periods running for an improvement of the message is suspended for the duration of a technical failure. There is the possibility, in case of longer than 48 hours continuous technical failure the improvement in the form of E-Mail or in non-electronic form to submit one.

Messages for manual files and operating errors


Section 21 (1) to report operating problems and manual file has forms with the contents of plants 1-4 to put the data protection Commission, whose formal structuring is set by the data protection Commission according to the respective requirements. The forms are also available in electronic form to make available. The notifying parties have to submit their reports using established forms. As far as this is technically possible in accordance with technical and organisational possibilities of the customer and within the framework of a malfunction, messages in electronic form are to introduce.

(2) for each new or change message on a data application form is "Message a data application" referred to in annex 2 and the form of 'General information to adopted data security measures' in accordance with Appendix 4 complete; When the message of a sample application form "Message a sample application" in accordance with Appendix 3 for that purpose should be used. A client reports for the first time to the data protection Commission, he in addition to fill in the form "Information on the payer" in accordance with Appendix 1. This form is to use updates of information on the payer.

(3) a message has no handwritten and original signature, so the Privacy Commission can apply, if it has doubts that the message came from the customer referred to therein, a confirmation by a to be within an appropriate period written attaching handwritten and urschriftlicher signature. After fruitless expiry of the period specified by the data protection Commission is attaching no longer to treat.

Registration for manual files and operating errors

§ 22 (1) registration is through acquisition of forms presented on the occasion of the message and if necessary improved in the registration procedure in accordance with Appendix 1 to 3 in the data processing register pursuant to § 4 paragraph 1 Z 1. The registration has to be done as soon as 1 has resulted in the examination of the admissibility of the registration or 2 two months from the receipt of the notification to the data protection Commission have elapsed without having an improvement order under section 20 has been granted DSG 2000, 3. the principal on time has made the required improvements immediately.

(2) requirements for performing a data application, DSG 2000 on the occasion of the registry with notice of the data protection Commission has been granted the customer pursuant to § 21 para 2, are to make his/her own initiative can be seen by an entry in the permit number in the form submitted by the contracting authority in accordance with Annex 2. The phrase content is to reflect in the registry.

(3) any modification of the registry is to inform the customer in writing.

(4) each contracting authority is to allocate a DVR number at initial registration. This number will be announced the contracting authority in writing. Only a DVR number may be assigned to a customer.

9 section

Final provisions

Rules of procedure

section 23. On the registration procedure is in accordance with article I 2008 - paragraph 2 of the introductory act to the administrative procedure laws IX, Federal Law Gazette I no. 87/2008, as amended by Federal Law Gazette I no. 53/2012, to apply the AVG, as far as the DSG 2000 not specifically determines otherwise.

Entry into force

24. (1) effective this regulation with 1 September 2012; at the same time the data processing register Regulation 2002 - DVRV 2002, Federal Law Gazette II No. 24 / 2002, except force.

(2) at the time of entry into force of this regulation in the data processing register pending cases are to finish in 2002 after the DVRV.

Faymann

Appendix 1

DVR-online form and content of the form "Information on the payer" 1. indication of whether first, change or message of deletion of 2. DVR number (if available) 3. name or any other name and address, also phone number and E-Mail address of contracting authority 4. legal bases of the customer in the sense of § 7 para 1 DSG 2000 5. number of the register for clients that are registered based on their activities in a public register (if available) 6 name or any other name and address of the representative of a customer's , which has no branch in the European Union 7 name, address and E-Mail address of any ad litem 8 name and telephone number of any officer when the principal 9 information about inserts to report Appendix 2

Content of DVR-online form and the form "Message a data application" 1 indication of whether new, modification or message of deletion of (DVR-online form abbreviated deletion message possible) 2nd DVR-number (if one has been allocated) 3. name or any other name and address, telephone number and E-Mail address of contracting authority 4. name, address, and E-Mail address of any representative ad litem 5. name and telephone number of any officer at the principal 6 names and purpose of the data application 7 General information on the application of data concerning : a) special legal basis of the data application, as far as this not already arising from the General legal bases of the client b) belonging to the public or private sector c) existence of automation-assisted or manual data application d) applicability of ex ante control: aa) bb use of sensitive data) criminally relevant data using cc) dd there are available a credit information system) ee participation in a joint information system) video surveillance (pursuant to § 50 c DSG 2000) 8 in the case of , that the application represents the participation of a joint information system: a) designation of entire information system b) legal bases of the entire information systems, where is this not already from details of point 7 a) result and c) name or any other name and address, telephone number and E-Mail address of the operator 9 special circumstances relating to the content of the data application: a) districts of the data application affected and have them processed data types b) in the case of intended submissions : aa) bb the circles of those affected) cc the data types to be transmitted) the corresponding receiver circuits including details of any foreign beneficiaries as well as membership of the delivery recipient to the same joint information system dd) the legal basis of the submissions 10 business numbers of decisions of the data protection Commission, with which requirements, conditions or time limitations pursuant to § 21 para 2 DSG 2000 granted (these are to be entered by the data processing register during the registration) 11 as far as approval of the data protection Commission for data transfers or assignment abroad is necessary , the business number of the approval of the data protection Commission 12 information on the inserts to report Appendix 3

Content of DVR-online form (electronic design) and the form "Message a sample application" 1 indication of whether new, modification or message of deletion of 2. DVR number (if one has been allocated) 3. name or any other name and address, telephone number and E-Mail address of contracting authority 4. designation the pattern application 5. information about the enclosures to the message Appendix 4

Content of the DVR online form and the form "General information for taken safety measures"

It is in particular to specify whether 1 the distribution of tasks between the organizational units and between the employees data usage is explicitly set, 2. is the use of data are based on the valid orders of the arrangement authorized organization units and employees, 3. each employee about his the DSG 2000 and intra-organisational data protection rules including the data safety was taught the obligations, 4. the access permission to the premises of the contractor or service provider , uses data and programs, was regulated and took steps against access from unauthorised use, 5. the access to data and programs and the protection of the disk prior to the access and use by unauthorized persons is regulated, 6 the permission to the data processing equipment is set and each device measures when the machines or programs against the unauthorised use is secured , 7 log is kept so that can track uses of data, such as in particular changes, queries and submissions of data on their admissibility to the necessary extent, running 8 to facilitate the control and evidence documenting the measures taken pursuant to no. 1 to 7.