257. Regulation of the Federal Chancellor on the data processing register set up by the Data Protection Commission (Data Processing Register-Ordinance 2012-DVRV 2012)

On the basis of § 16 (3) and § 61 (8) of the Data Protection Act 2000 (DSG 2000), BGBl. I n ° 165/1999, as last amended by the Federal Law BGBl. I No 51/2012, shall be arranged:

table of contents

Section 1 General
§ 1.	Scope
§ 2.	Definitions
Section 2 Establishment and content of the data processing register
§ 3.	Establishment of the data processing register
§ 4.	Contents of the data processing register
Section 3 Access to and access to the data processing register
§ 5.	Access to the data processing register
§ 6.	Inspection in the data processing register
Section 4 Messages to the data processing register
§ 7.	Form of notification
§ 8.	The occasion and date of the notification
§ 9.	Contents of the message
§ 10.	Contributions to the notification
§ 11.	Registration
§ 12.	DVR number and registration certificate
§ 13.	Automatic registration of messages
Section 5 Identification and authentication
§ 14.	Identification and authentication in DVR-Online
§ 15.	Representation of the contracting authority
6. Information composite systems
§ 16.	Directory of information composite systems
Section 7 Management of the data processing register
§ 17.	Rectification of the data processing register
§ 18.	Acquisition of DVR number in case of legal succession
§ 19.	Retention of contents of the data processing register and of the registration files
8. Section Registration and registration in case of operational malfunctions and manual files
§ 20.	Scope
§ 21.	Reports in case of operational malfunctions and manual files
§ 22.	Registration in case of operational malfunctions and manual files
Section 9 Final provisions
§ 23.	Procedural rules
§ 24.	entry into force
Appendix 1	Contents of the DVR-Online-Form and the form "Information on the client"
Appendix 2	Contents of the DVR online form and the form "Reporting of a data application"
Appendix 3	Contents of the DVR online form (electronic sample) and the form "Reporting of a sample application"
Appendix 4	Contents of the DVR-Online-Form and the form "General data on data security measures taken"

Section 1

General

Scope

§ 1. This Regulation lays down the rules for the establishment and management of the data processing register, the access and inspection of the data processing register, the registration of data applications in the data processing register and the list of Information composite systems.

Definitions

§ 2. For the purposes of this Regulation:

1.		Data-processing registers: the registers of the clients with the data applications operated by the Data Protection Commission pursuant to Article 16 (1) of the German Data Protection Act (DSG 2000);
2.		Notification: Input according to § 17 DSG 2000 to the Data Protection Commission for the purpose of registration in the data processing register;
3.		Registered message: messages recorded in the data processing register, consisting of the Annexes 1 to 3 ;
4.		DVR-Online: Internet application for the reporting of data applications to the Data Protection Commission and the management of the data processing register at the Data Protection Commission;
5.		DVR-Online forms: the content of the forms of the Appendix 1 to 4 corresponding forms used in DVR online;
6.		DVR number: register number assigned by the data processing register;
7.		bPK: area-specific person identification according to § § 9 et seq. of the eGovernment Act-E-GovG, BGBl. I n ° 10/2004, in the version of the Federal Law BGBl. I No 111/2010.

Section 2

Establishment and content of the data processing register

Establishment of the data processing register

§ 3. The data processing register is set up at the Data Protection Commission and is conducted in the form of the Internet application DVR-Online. The customer of the data processing register shall be the Data Protection Commission.

Contents of the data processing register

§ 4. (1) The data processing register shall consist of:

1.		the registered notifications of clients and data applications,
2.		a separate list of information systems and
3.		the registration files.

(2) The registration act shall include:

1.		the non-registered message, consisting of the DVR online forms and forms, as well as the attached supplements,
2.		Improvement orders,
3.		Approval requirements according to § 13 DSG 2000,
4.		Modesty of the Data Protection Commission, subject to conditions granted in accordance with Section 21 (2) of the German Data Protection Act (DSG 2000) during the examination procedure
5.		Other charges of the Data Protection Commission in the registration procedure, and
6.		Notice pursuant to Section 20 (5) of the DSG 2000 on the refusal of registration.

Section 3

Access to and access to the data processing register

Access to the data processing register

§ 5. Access to the data processing register takes place in accordance with technical and organisational possibilities via DVR-Online. In the event of an operational malfunction and manual files, access shall be ensured in accordance with technical and organisational possibilities in an alternative way.

Inspection in the data processing register

§ 6. (1) Registered registrants are registered, consisting of the Annexes 1 to 3 , as well as the separate list of information systems.

(2) The registration act shall be subject to review if the user is credited with the fact that he is concerned and, in so far as the overriding interests of the client or of other persons are not preventable, contrary to the protection of the person concerned. Data security measures shall not be covered by any inspection.

Section 4

Messages to the data processing register

Form of notification

§ 7. (1) The notification as well as the accompanying supplements shall be made available in electronic form via DVR-Online. A message in the form of e-mail or in non-electronic form is only available under the conditions of the 8. Section allowed. Manual files can be reported either in electronic form via DVR-Online or under the conditions of the 8. Section is introduced.

(2) Identification and authentication is required for the introduction of messages as well as for the processing of improvement orders.

(3) In order to participate in an information composite system, which has already been registered on the basis of a notification by at least two contracting entities, further contracting entities may subsequently report in the scope of section 19 (1) (3) to (7) and (2) of the DSG 2000 to a reference by taking over the contents of the notification of an already registered client, if they wish to participate in exactly the same extent.

The occasion and date of the notification

§ 8. For the purpose of the registration, the client has to report a data application of the Data Protection Commission pursuant to § § 17 and 19 of the German Data Protection Act 2000:

1.		its identity and legal bases (legal power or legal competence) for the first-time notification of a data application to the Data Protection Commission,
2.		any data application subject to notification prior to its inclusion;
3.		any change in a registered data application, including the legal bases, before the amended data application is received;
4.		any change in the name or other name or address of the contracting entity, immediately after the date of the change;
5.		the entry of a reason for the deletion of a registered data application, in particular the omission of its legal basis, immediately after it has occurred,
6.		the omission of an appropriate legal basis for the activities of the contracting authority which are relevant in connection with the registration, immediately after the entry of its legal effectiveness.

Contents of the message

§ 9. For each new or change report concerning a data application, the information in the DVR-Online-Form is according to the Appendix 2 , in the case of a sample application, the DVR online form shall be used to indicate the information provided in accordance with the Appendix 3 be fully specified. If a client reports to the Data Protection Commission for the first time or if he reports any changes to the information on the client, he/she has in addition in the DVR-Online-Form the information according to the Appendix 1 to complete. The general information on the data security measures taken pursuant to Section 19 (1) (7) of the German Data Protection Act (DSG 2000) shall be provided via the DVR-Online-Form in accordance with Appendix 4 to the Data Protection Commission.

Contributions to the notification

§ 10. In particular, the reports shall be annexed:

1.		in the case of data applications in the public sector, proof of the legal competence of the contracting authority and any other necessary legal basis for the data application, insofar as the existence of such data is not beyond doubt,
2.		in the case of data applications in the private sector, proof of power for the performance of the work of the contracting authority or, where no power is required for that purpose, a justification in this respect.

Registration

§ 11. (1) The registration is carried out by taking over the DVR-Online forms, which have been completed on the occasion of the notification via DVR-Online and which are possibly improved in the registration procedure according to Appendix 1 to 3 to the data processing register in accordance with § 4 (1) Z 1.

(2) The registration shall be effected immediately as soon as

1.		the examination procedure has resulted in the admissibility of the registration, or
2.		two months since the notification has been submitted to the Data Protection Commission without any request for improvement in accordance with Section 20 of the German Data Protection Act (DSG 2000), or
3.		the adjudicating entity has made the necessary improvements in full and in due time.

(3) Obligations for the acceptance of a data application which were granted to the client pursuant to § 21 paragraph 2 of the German Data Protection Act (DSG 2000) on the occasion of the registration with the data protection commission, shall be subject to the registration of the number of foes in the customer's information on the DVR-Online submitted form according to Appendix 2 to make clear of its own motion. The content of the opposition is in the register as a supplement to the Appendix 2 .

(4) Messages which the client has referred to as a pre-inspection obligation or which have not been made available via DVR-Online via DVR-Online are to be considered for lack of respect within the meaning of Section 19 (4) of the DSG 2000. If the examination in accordance with Section 19 (4) of the German Data Protection Act (DSG 2000) results in a defect of the notification, the client shall be required to apply the improvement within two months after the notification has been received, and a reasonable period of time shall be set. In the case of an improvement order, it should be pointed out that if the order for improvement is not complied with, the registration of the notification is to be rejected by a written notice. The communication shall include:

1.		the points in which the improvement order has not been fulfilled and
2.		the notice that a request can be made within two weeks of notification to the Data Protection Commission to agree on the rejection with the decision.
Improvements shall not be taken into account after the notification has been sent.

DVR number and registration certificate

§ 12. (1) Each client shall be assigned a DVR number when registering for the first time. Only one DVR number may be assigned to one and the same client.

(2) A client may only lead a DVR number. In those cases in which a DVR number is to be carried out in accordance with § 25 of the German Data Protection Act (DSG 2000), it is to be carried out as a seven-digit number with the more detailed designation "DVR". Additions to the DVR number, which are used for the internal designation of data applications on the part of the client, are permissible; however, they must be designed in such a way that the DVR number remains recognizable as such.

(3) The Data Protection Commission shall notify the contracting authority of the registration of a reported data application.

Automatic registration of messages

§ 13. (1) Messages from data applications which are not subject to prior checking in accordance with § 18 (2) or § 50c DSG 2000 after the client has been specified are to be checked for their completeness and plausibility only with the help of automation. For this purpose, it is examined, in particular, whether the client did not specify the conditions for prior checking in the sense of § 18 (2) or § 50c DSG 2000. If the message is not erroneous, then it must be registered immediately.

(2) If an error of the notification is found during the automation-assisted test, the contracting authority shall be given the opportunity to improve it. At the same time, it should be pointed out that the notification is deemed not to have been made, if there is no improvement, or if it insists on the introduction of the unimproved report. In the latter case, the provider may submit the notification in writing, following the printed error message of the Data Protection Commission, which has to examine the notification of mangeless within the meaning of Section 19 (4) of the German Data Protection Act (DSG 2000).

Section 5

Identification and authentication

Identification and authentication in DVR-Online

§ 14. (1) The identification and authentication is carried out when registering for DVR-Online with the Citizen Card or via the Business Service Portal or on technical requirements, which also include the inclusion of applications of local authorities, other bodies of public law or other public functions of concerned institutions (portal network).

(2) It is necessary to ensure that all available technical implementation of the Citizen Card can be used, including by means of a mobile telephone (Handy-Signature).

Representation of the contracting authority

§ 15. If a declaration is to be made to the data processing register, and if it is not possible to use the citizen card with power of representation, and if no other requirement is used in accordance with § 14 (1), the following must be provided: Right of representation for this client is requested and proven by the Data Protection Commission. The rights of the person authorized to represent the professional party in accordance with § 10 (1) of the General Administrative Procedure Act 1991-AVG, BGBl. No. 51/1991, in the version of the Federal Law BGBl. I No 100/2011, remain unaffected.

6.

Information composite systems

Directory of information composite systems

§ 16. (1) The Data Protection Commission shall submit to the Data Protection Commission noti cations concerning data applications which are subject to participation in an information composite system, the Data Protection Commission shall have a DVR-Online-led list of the to create information-based systems which shall contain the information referred to in paragraph 2 at the latest.

(2) The list of information composite systems shall contain the following information:

1.		the name and purpose of the information system,
2.		the legal basis of the system,
3.		Name or other name and address, telephone number and e-mail address of the operator,
4.		List of contracting entities participating in the information system,
5.		in the Appendix 2 under points 7 to 9, reporting requirements relating to the whole information system, and
6.		any conditions, conditions or deadlines for the management of the information system, which were granted by the Data Protection Commission pursuant to Section 21 (2) of the German Data Protection Act (DSG 2000).

(3) The Data Protection Commission may order the registration of further information, in so far as this is necessary for the purpose of organizing and guiding the directory of information systems.

(4) Further information pursuant to Section 50 (2) of the German Data Protection Act 2000 shall be provided at the request of the contracting entities of their designated representative.

Section 7

Management of the data processing register

Rectification of the data processing register

§ 17. (1) The Data Protection Commission shall, on official notice, become aware of the fact that a registered client has died or underwent, the deletion from the data processing register shall be carried out on its own merits.

(2) The Data Protection Commission may, in the absence of a written error or equivalent, appear to be on a mistake or evidently solely on the technical malfunction of an automation-assisted data-processing system. Data processing registers shall be corrected at any time by official. The contracting authority concerned shall be notified of the rectification.

Acquisition of DVR number in case of legal succession

§ 18. The legal successor of a registered adjudicator may take over individual or all registered notifications of the right-of-law if he/she has made a correspondingly credible legal successor within six months of the effectiveness of the succession. Declaration to the Data Protection Commission. The legal successor may, upon request, also transfer the DVR number of the legal successor, if the legal successor has ceased any processing of personal data in the order property.

Retention of contents of the data processing register and of the registration files

§ 19. The contents of the data processing register for registered messages about customers and data applications, which are present in paper form and are additionally stored on electronic data carriers, must only be stored in electronic form. The contents of the data processing register which are only available in paper form must be kept.

8. Section

Registration and registration in case of operational malfunctions and manual files

Scope

§ 20. (1) A message in the form of e-mail or in non-electronic form is only for manual files, insofar as their contents meet at least one of the facts of § 18 paragraph 2 Z 1 to 3 DSG 2000 and therefore are subject to reporting requirements, as well as for a longer than 48 hours of continuous technical failure of DVR-Online allowed. Such a continuous technical failure is kept equal to the case in which the technical failure occurs repeatedly over a period of several hours over a period of time which lasts longer than 48 hours. For the cases of such an operational malfunction and for the reporting of manual files subject to reporting requirements, the provisions of the 3. to 5. Section with the amendments referred to in § § 21 and 22.

(2) Fristenlauf for an improvement of the message shall be inhibited for the duration of a technical failure. In the case of a technical failure lasting longer than 48 hours, it is possible to introduce the improvement in the form of e-mail or in non-electronic form.

Reports in case of operational malfunctions and manual files

§ 21. (1) In order to report in the event of malfunctions and manual files, the Data Protection Commission has made forms with the content of the Annexes 1 to 4 , the formal design of which will be determined by the Data Protection Commission in accordance with the respective requirements. The form sheets shall also be made available in electronic form. The notifiers shall be obliged to report their notifications by means of the forms laid down. To the extent that this is technically possible in accordance with the technical and organizational possibilities of the client and in the context of an operational malfunction, notifications shall be submitted in electronic form.

(2) For each new or amending report relating to a data application, a "Data Application Notification" form shall be provided in accordance with Appendix 2 and the "General data on data security measures" form in accordance with Appendix 4 , in the case of a sample application, the form "Notification of a sample application" shall be submitted in accordance with Appendix 3 to use. If a contracting authority reports to the Data Protection Commission for the first time, it shall additionally have the form "Information on the client" in accordance with Appendix 1 to complete. This form shall also be used in the event of changes to information on the payer.

(3) If a notification does not include a personal and original signature, the Data Protection Commission may, if it has doubts that the notification originates from the contracting entity referred to therein, confirm by means of an appropriate one within the appropriate period of time, Apply the deadline to be submitted in writing, with a personal and original signature. After fruitless expiry of the time limit specified by the Data Protection Commission, the application is no longer to be dealt with.

Registration in case of operational malfunctions and manual files

§ 22. (1) The registration shall be made by taking over the forms submitted on the occasion of the notification and, if necessary, improved in the registration procedure, in accordance with Appendix 1 to 3 to the data processing register in accordance with § 4 (1) Z 1. The registration shall be effected immediately as soon as:

1.		the examination procedure has resulted in the admissibility of the registration, or
2.		two months since the notification has been submitted to the Data Protection Commission without any request for improvement in accordance with Section 20 of the German Data Protection Act (DSG 2000), or
3.		the adjudicating entity has made the necessary improvements in due time.

(2) Obligations for the acceptance of a data application which were granted to the client pursuant to § 21 paragraph 2 of the German Data Protection Act (DSG 2000) on the occasion of the registration with the data protection commission are due to the registration of the number of foes in the client's the form submitted in accordance with Appendix 2 to make clear of its own motion. The content of the opposition is to be reproduced in the registration.

(3) The acceptance of the registration must be communicated to the client in writing.

(4) Each client shall be assigned a DVR number when registering for the first time. This number shall be announced in writing to the client. Only one DVR number may be awarded to a client.

Section 9

Final provisions

Procedural rules

§ 23. The registration procedure is in accordance with Art. 2 of the Introductory Act to the 2008-EGVG administrative procedures law, BGBl. I n ° 87/2008, in the version of the Federal Law BGBl. I No 53/2012 to apply the AVG, unless the DSG 2000 expressly determines otherwise.

entry into force

§ 24. (1) This Regulation shall enter into force on 1 September 2012; at the same time, the Data Processing Register-Regulation 2002-DVRV 2002, BGBl. II No 24/2002, except for force.

(2) At the date of entry into force of this Regulation in the data processing register pending procedures shall be brought to an end in accordance with DVRV 2002.

Faymann

Appendix 1

Contents of the DVR-Online-Form and the form "Information on the client"

1.		Indication of whether it is first, change or submission
2.		DVR number (if any)
3.		Name or other name and address, further telephone number and e-mail address of the client
4.		Legal basis of the client within the meaning of § 7 (1) of the DSG 2000
5.		Number of the register of clients who are registered in a public register on the basis of their activity (if available)
6.		Name or other name and address of the representative of an adjudicating entity which has no establishment in the European Union
7.		Name, address and e-mail address of an all-empowered appointing agent
8.		Name and telephone number of the person who is responsible for the contract
9.		Information on the contributions to the notification

Appendix 2

Contents of the DVR online form and the form "Reporting of a data application"

1.		Indication of whether new, change or submission notification (short DVR online form is possible in the case of a submission message)
2.		DVR number (if one has already been allocated)
3.		Name or other name and address, further telephone number and e-mail address of the client
4.		Name, address and e-mail address of an all-empowered appointing agent
5.		Name and telephone number of the person who is responsible for the contract
6.		Name and purpose of the data application
7.		general information on the data application concerning:
a)			Special legal bases of the data application, insofar as these do not already arise from the general legal bases of the client
b)			Membership to the public or private sector
c)			Exist automation-supported or manual data application
d)			Applicability of ex ante control:
aa)				Use of sensitive data
bb)				Use of criminally relevant data
cc)				Existence of a credit information system
dd)				Participation in an information composite system
ee)				Video surveillance (according to § 50c DSG 2000)
8.		in the case that the data application is to participate in an information composite system:
a)			Name of the entire information system
b)			the legal basis of the whole information system, insofar as these do not already arise from the information on point 7a), and
c)			Name or other name and address, further telephone number and e-mail address of the operator
9.		special information on the content of the data application:
a)			the circles of data subjects affected by the data application and the types of data processed through them
b)			in the case of proposed transfers:
aa)				the circles of the persons concerned
bb)				the types of data to be transmitted
cc)				the associated recipient circles, including information on any foreign recipient countries, and the membership of the intermediary recipients to the same information system
dd)				the legal bases of the transfers
10.		Business figures of the Data Protection Commission's specifications, subject to which conditions, conditions or deadlines have been granted in accordance with § 21 (2) of the German Data Protection Act (DSG 2000) (to be registered by the Data Processing Register on the occasion of the registration)
11.		if the Data Protection Commission is required to obtain a data transfer or a transfer to another country, the data protection commission shall be authorised to do so by the data protection committee
12.		Information on the contributions to the notification

Appendix 3

Contents of the DVR online form (electronic sample) and the form "Reporting of a sample application"

1.		Indication of whether or not new, change or submission
2.		DVR number (if one has already been allocated)
3.		Name or other name and address, further telephone number and e-mail address of the client
4.		Sample Application Label
5.		Information on the contributions to the notification

Appendix 4

Contents of the DVR-Online-Form and the form "General data on data security measures taken"

In particular, it shall indicate whether:

1.		the allocation of tasks in the use of data between the organizational units and between the employees is explicitly defined,
2.		the use of data is bound to the existence of valid orders of the orderly organizational units and employees;
3.		any employee has been informed of his obligations under the DSG 2000 and in accordance with the internal data protection rules, including data security regulations,
4.		access to the premises of the contracting authority or service provider in which data and programmes are used has been regulated and measures have been taken against the access of unauthorised persons,
5.		the access rights to data and programmes and the protection of the data carriers are regulated prior to inspection and use by unauthorised persons,
6.		the authorization for the operation of the data processing equipment is established and each device is secured against the unauthorised entry into service by means of the machinery or programmes used;
7.		protocol, in order to ensure that the uses of data, such as changes, queries and transfers of data, can be traced to their admissibility to the extent necessary,
8.		for the facilitation of control and the protection of evidence, documentation of the measures taken in accordance with Z 1 to 7 will be documented.