Key Benefits:
133. Federal law amending the Data Protection Act 2000 and the Security Policy Act (DSG-Novelle 2010)
The National Council has decided:
Article 1
Amendment of the Data Protection Act 2000
The Data Protection Act 2000-DSG 2000, BGBl. I n ° 165/1999, as last amended by the Federal Law BGBl. I n ° 2/2008, shall be amended as follows:
1. In the table of contents the line is deleted
| " § 2 |
Responsibility " |
2. In the table of contents § 22:
| " § 22 |
Rectification of the register and legal succession " |
3. In the table of contents is inserted according to § 22:
| " § 22a |
Procedures for verifying compliance with reporting requirements " |
4. In the table of contents is inserted in accordance with § 31:
| " § 31a |
Accompanying measures in appeal proceedings " |
5. In the table of contents is inserted in accordance with § 50:
" 9a. Section: Video surveillance
| § 50a |
General |
| § 50b |
Special obligation to log and delete |
| § 50c |
Reporting requirements and registration procedures |
| § 50d |
Information by labelling |
| § 50e |
Right of information " |
6. § 4 (1) Z 4 reads as follows:
| " 4. |
Contracting entities: natural or legal persons, persons communities or bodies of a local authority, or the business apparatus of such bodies, if they have taken the decision alone or together with others to make the data available to them (Z 8), regardless of whether they use the data themselves (Z 8) or ask a service provider (Z 5) to use it. They shall also be deemed to be contracting entities if the service provider (Z 5) responsible for the production of a work makes the decision to use data for this purpose (Z 8), unless it has been expressly prohibited from doing so or the agent has the right to make use of the data. to decide on its own responsibility by means of legislation or rules of conduct on its use; " |
|||||||||
7. § 4 (1) Z 5 reads:
| " 5. |
Service providers: natural or legal persons, persons communities or bodies of a local authority or the business apparatus of such bodies, if they use data only for the production of a work carried out by them (Z 8); " |
|||||||||
8. In § 4 para. 1 Z 7 the parenthesis shall be deleted. "(formerly" data processing ")".
9. § 4 (1) Z 8 reads:
| " 8. |
Use of data: any kind of handling of data, i.e. both processing (Z 9) and the transmission (Z 12) of data; " |
|||||||||
10. § 4 (1) Z 9 reads:
| " 9. |
Processing of data: determining, collecting, storing, storing, ordering, comparing, modifying, linking, multiply, querying, issuing, using, transferring (Z 11), locking, deleting, destroying or any other type of handling of Data with the exception of the transmission (Z 12) of data; " |
|||||||||
11. § 4 para. 1 Z 10 deleted.
12. § 4 (1) Z 11 reads:
| " 11. |
Transfer of data between contracting entities and service providers within the scope of the contract (Z 5); " |
|||||||||
13. § 4 (1) Z 12 reads:
| " 12. |
Transfer of data: the transfer of data to recipients other than the person concerned, the contracting authority or a service provider, in particular the publication of data; in addition, the use of data for another the task of the contracting authority; " |
|||||||||
14. In Section 8 (1), the phrase "In accordance with § 1 (1) existing protection-worthy interests of secrecy" through the phrase "Legitimate Interests of Secrecy" replaced.
15. In § 8 para. 2, second sentence, the word "such" through the phrase "lawfully published" replaced.
16 . In § 8 (4), the point at the end of the Z 3 is given by the word "or" and then the following Z 4 is added:
| " 4. |
the transfer of data for the purpose of reimbursement of an indication to a competent authority for the prosecution of the offences indicated (omissions). " |
|||||||||
17. In § 12 para. 1, first sentence, the word order "Member States of the European Union" through the phrase "States Parties to the European Economic Area" replaced.
18. § 13 para. 2 Z 2 last sentence reads:
" In particular, contractual assurances of the recipient as well as unilateral pledges by the applicant (§ 19 paragraph 2) in the permit application on the closer circumstances of the use of data abroad can be of importance. Unilateral pledges made by the applicant will be binding on the applicant with the registration by the Data Protection Commission. "
19. § 13 (3) deleted. The previous paragraphs 4 to 7 shall be given the sales designations 3 to 6.
20. § 16 (1) reads:
"(1) The Data Protection Commission shall keep a register of the contracting entities with the data applications they run for the purpose of informing the parties concerned."
21. The last sentence of Section 16 (3) is deleted.
22. § 17 (1) reads:
" (1) Each adjudicating entity shall, unless otherwise specified in paragraphs 2 and 3, have a notification to the Data Protection Commission with the content set out in § 19 for the purpose of registration in the data processing register before the application of a data application. . This obligation to notify also applies to circumstances which subsequently effect the inaccuracy and incompleteness of a message (change report). For manual files there is a reporting obligation only if the contents meet at least one of the facts of § 18 paragraph 2 Z 1 to 3. "
23. According to Article 17 (1), the following paragraph 1a is inserted:
" (1a) The notification shall be submitted in electronic form by means of the Internet application to be prepared by the Federal Chancellor. Identification and authentication can be carried out, in particular, by the citizen card (§ 2 Z 10 of the eGovernment Act, BGBl. I n ° 10/2004). More detailed provisions on identification and authentication shall be included in the regulation to be adopted pursuant to section 16 (3). A message in the form of e-mail or in non-electronic form is permissible for manual files as well as for a longer technical failure of the Internet application. "
24. In accordance with § 19 (1) Z 3, the following Z 3a is inserted:
| " 3a. |
the declaration of whether the data application complies with one or more of the facts referred to in Article 18 (2) (1) to (4) or section 50c (1), second sentence, for the prior inspection obligation, and " |
|||||||||
25. The previous paragraphs 2 and 3 of § 19 become para. 3 and 4. The following paragraph 2 is inserted in § 19:
" (2) The provider may, upon submission of the notification or thereafter until the conclusion of the registration procedure, promise that he will submit to certain conditions or conditions during the operation of the data application or that the data application shall only be limited to a limited period of time. shall be operated. Such a commitment shall be legally binding on the client with the registration by the Data Protection Commission. A registration may only be made if the promised edition, condition or limit is determined in such a way that it could also be pronounced by the Data Protection Commission pursuant to § 21 paragraph 2. "
26. § § 20 to 22 together with the headings are:
" Examination and improvement process
§ 20. (1) Messages from data applications which do not meet one of the facts of Section 18 (2) (1) to (4) after the contracting authority has been specified are to be examined only for their completeness and plausibility by means of automation. If the message is not erroneous, then it must be registered immediately.
(2) If an error of the notification is found during the automation-assisted test, the contracting authority shall be given the opportunity to improve it. At the same time, it should be pointed out that the notification is deemed not to have been brought in, if there is no improvement or if there is no improvement in the notification. In the latter case, the provider may submit the notification in writing, following the printed error message of the Data Protection Commission, which has to examine the notification of mangeless in the sense of Section 19 (4).
(3) Notifications which the client has referred to as a pre-inspection obligation or which have not been accepted by the customer in the course of the Internet application (§ 17 paragraph 1a) must be checked for lack of respect in the meaning of section 19 (4).
(4) In the event that the examination in accordance with section 19 (4) gives a defect in the notification, the client shall be required to apply the improvement within two months after the notification has been received, with a reasonable period of time being set. In the case of improvement, reference should be made to the legal consequences of non-compliance as set out in paragraph 5.
(5) If the improvement order is not complied with, the registration of the notification shall be rejected by a written notification. The communication shall include:
| 1. |
the points in which the improvement order has not been fulfilled and |
|||||||||
| 2. |
the notice that a request can be made within two weeks of notification to the Data Protection Commission to agree on the rejection with the decision. |
|||||||||
| Improvements shall not be taken into account after the notification has been sent. |
||||||||||
Registration
§ 21. (1) Notifications in accordance with § 19 shall be entered in the data processing register if:
| 1. |
the examination procedure pursuant to section 20 (1) has not resulted in an error, or |
|||||||||
| 2. |
the examination procedure in accordance with section 20 (2) and (3) has not resulted in a lack of notification of the notification; or |
|||||||||
| 3. |
after having received a notification under the Data Protection Commission for a period of two months, without any request for improvement in accordance with Section 20 (4), have been received or |
|||||||||
| 4. |
the adjudicating entity has made the improvements (§ 20 (2) and (4)). |
|||||||||
| The information on data security measures contained in the report shall not be shown in the register. |
||||||||||
(2) In the case of data applications which are subject to prior checking in accordance with § 18, the results of the examination procedure may be used to inform the contracting authority of conditions, conditions or time-limits for the acceptance of the data application by the customer, insofar as this is necessary for the protection of the interests of the persons concerned protected by this Federal Law.
(3) The adjudicating entity shall be notified in an appropriate manner by the implementation and the content of the registration.
(4) Each adjudicating entity shall be assigned a registration number when registering for the first time.
(5) If the automation-assisted examination in accordance with § 20 (1) has not resulted in any error of the notification, a note shall be included in the registration that the message content has only been tested with support for automation.
Rectification of the register and legal succession
§ 22. (1) Any deletions from the register and other changes to the register shall be made on the basis of a notification of change of the registered adjudicating entity or on its own account in the cases of paragraph 2, section 22a (2) and section 30 (6a) of the register. Such changes shall be apparent for a period of seven years.
(2) In the event of any changes in the name or address of the contracting authority to be notified to the Data Protection Commission on the basis of official information, the entries shall be rectified by its own motion. If the omission of the legal basis of the contracting authority arises from an official publication, it shall be deleted from the register on its own merits. In addition, a registered data application should be deleted if the operation has expired (Section 19 (2), § 21 (2)) or if the Data Protection Commission is aware that the data application is no longer operated on a permanent basis.
(3) Corrections or deletions pursuant to paragraph 2 are to be provided without further investigation proceedings by mandate (§ 38).
(4) The legal successor of a registered adjudicator may take over individual or all registered notifications of the right-of-law if he/she has made a correspondingly credible legal successor within six months of the effectiveness of the succession. Declaration to the Data Protection Commission. The legal successor may also, upon request, be transferred the register number of the legal successor if the legal successor has ceased any processing of personal data in order of order. "
27. In accordance with § 22, the following § 22a and title shall be inserted:
" Procedures for verifying compliance with reporting requirements
§ 22a. (1) The Data Protection Commission may at any time check the fulfilment of the reporting obligation by a contracting entity. This applies both to the lack of a registered message in the sense of section 19 (4) and to the illegal omission of notifications.
(2) In the event of a failure to comply with the obligation to notify, as a result of the lack of registration of a registered notification (paragraph 1). 1) or omission of the notification, which goes beyond the cases of § 22 para. 2, is to carry out a procedure for the correction of the data processing register. The proceedings shall be initiated by a reasoned order of proceedings to be sent to the contracting authority with a contract for improvement (Section 20 (4)) or a request for resignation (Section 17 (1)) within the time limit set.
(3) If a request for improvement is not complied with in accordance with the procedure referred to in paragraph 2, the deletion of the notification shall be provided with a communication from the Data Protection Commission. If this is technically possible, the deletion can be reasonable with regard to the purpose of the data application and is sufficient for the production of the lawful state, even only to parts of the message.
(4) If a request for resignation granted in accordance with paragraph 2 is not complied with and the omission of a notification is proven contrary to § 17 para. 1, the further operation of the data application shall be notified by the Data Protection Commission to the extent that: it deviates from the register status, to prohibit and, at the same time, to report to the competent authority pursuant to section 52 (2) (1) (1).
(5) The procedure referred to in paragraph 2 alone gives the inappropriateness or non-compliance with data security measures declared in accordance with § 19 (1) Z 7, this is to be noted with communication and, at the same time, a reasonable period of time for the production of sufficient data security. Within this period, the contracting authority shall inform the Data Protection Commission of the measures taken. If these are not sufficient, the deletion of the data application shall be available.
(6) The introduction and the state of an amending procedure as referred to in paragraph 2 shall apply in the case of registered notifications in the data processing register up to the setting or up to the manufacture of a legitimate state by means of measures in accordance with paragraphs 3 to 6. appropriate to note. "
28. According to Article 24 (2), the following paragraph 2a is inserted:
" (2a) If the contracting authority is aware that data from one of its data applications has been used systematically and seriously unlawfully and that the data subject is at risk of damage, he shall immediately inform the persons concerned in an appropriate manner. This obligation does not exist if, in the light of the threat of only minor damage to the parties concerned, or the cost of informing all the parties concerned, the information requires a disproportionate effort. "
28a. In § 24 (4), after the word "duty to inform" the phrase "according to paragraph 1" inserted.
29. § 26 (1) reads:
" (1) An adjudicating entity shall provide information on the data processed to that person or community to any person or group of persons who requires this in writing and has the appropriate form to identify their identity. With the consent of the client, the request for information can also be submitted verbally. The information has the processed data, the information about its origin, any recipients or recipients of a transfer, the purpose of the use of the data as well as the legal bases for this purpose in a generally comprehensible form. At the request of a person concerned, names and addresses of service providers shall also be disclosed if they are entrusted with the processing of their data. If no data are available to the person of the information advertiser, the announcement of this circumstance is sufficient (negative information). With the consent of the information advertiser, an oral information may be given, instead of written information, with the possibility of inspection and of the copy or undertaking. "
30. In § 26 (2) to (7) the word shall be "Affected", equal in which grammatical form, by the word "Information advertiser" in the correct grammatical form.
31. At the end of Section 26 (7), the following sentence is added:
"This period shall not apply if the request for deletion of the information provider is to be in accordance with § 27 (1) Z 2 or § 28."
32. § 26 (8) reads:
" (8) The extent to which a data application for a person or community of persons with regard to the data processed to it can be viewed by law shall have the right to be informed in accordance with the provisions of the law of the right to view the data. Provisions. For the procedure of inspection (including denial thereof), the provisions of the law which provide for the right of access shall apply. Elements of an information referred to in paragraph 1, which are not covered by the right of inspection, may nevertheless be invoked under this Federal Act. "
33. § 26 (10) reads:
" (10) In the event that the data processing is carried out for the purpose of fulfilling the contract for a third party (Section 4 (1) Z 4 last sentence), the information provider may first request his/her request for information. also to those who have applied the production of the work. In so far as it is not known to him, he shall inform the information advertiser of the name and address of the actual client within two weeks, in order to ensure that the information provider is entitled to his right of information pursuant to paragraph 1 against the said person. can do it. If a request for information is sent to a service provider, and if it can be recognized that the information advertiser is mistaken for the client of the data application he is using, the service provider shall immediately send the request for information to the supplier. forward the contracting authority and inform the information advertiser that no data will be used on his behalf. The contracting authority shall, within eight weeks from the date of the request for information to the service provider, provide the information advertiser with information or give reasons in writing as to why it is not or is not granted in full. In those areas of enforcement entrusted with the performance of the tasks referred to in paragraph 2 (2) (1) to (5), it is necessary to refrain from providing information insofar as this is necessary to protect public interests. However, if, as a further consequence, the request is made directly to the adjudicating entity, the latter shall proceed in accordance with paragraph 5. However, for operators of information composite systems only § 50 para. 1 applies. "
34. In Section 28 (2), the word "File" by "Data Application" replaced.
35. In accordance with Section 28 (2), the following paragraph 3 is added:
"(3) § 27 (4) to (6) shall also apply in the cases referred to in paragraphs 1 and 2."
36. According to Article 30 (2), the following paragraph 2a is inserted:
" (2a) If a permissible entry in accordance with paragraph 1 or a reasonable suspicion as referred to in paragraph 2 relates to a reporting data application (file), the Data Protection Commission may review the fulfilment of the reporting obligation and, if necessary, after § § 22 and 22a. "
Section 30 (5) reads as follows:
" (5) Information provided to the Data Protection Commission or its agents in the field of inspection may be used solely for the purposes of control in the context of the enforcement of data protection provisions. This also includes the use for the purposes of judicial proceedings by the clerk or the Data Protection Commission pursuant to § 32. Moreover, there is a duty of secrecy also in relation to courts and administrative authorities, in particular tax authorities; this, however, with the proviso that, if the investigation is suspected of a criminal act in accordance with § § 51 or 52 of this Federal Law, a punishable act in accordance with § § 118a, 119, 119a, 126a to 126c, 148a or § 278a of the Criminal Code, BGBl. No 60/1974, or a crime with a custodial sentence of a maximum of five years, is to be reported, and in respect of such crimes and offences also requests pursuant to Section 76 of the Code of Criminal Procedure, BGBl. No. 631/1975. '
38. § 30 (6) reads:
" (6) In order to establish the lawful condition, the Data Protection Commission may, unless measures are taken in accordance with sections 22 and 22a or under paragraph 6a, make recommendations and, if necessary, a reasonable time limit for compliance with the provisions of the Data Protection Commission. . If such a recommendation is not complied with within the time limit laid down, the Data Protection Commission may, depending on the nature of the breach of its own motion, in particular:
| 1. |
Repay a criminal complaint in accordance with § § 51 or 52, or |
|||||||||
| 2. |
in the event of serious infringements by contracting entities in the private sector, bring an action before the competent court in accordance with Article 32 (5), or |
|||||||||
| 3. |
in the case of infringements of contracting entities which are bodies of a local authority, the competent supreme body concerned. This institution shall, within a reasonable time limit not exceeding 12 weeks, either ensure that the recommendation of the Data Protection Commission is complied with, or inform the Data Protection Commission of the reasons why the Commission has not complied with the Recommendation has not been complied with. The statement of reasons may be brought to the attention of the public in a suitable manner by the Data Protection Commission, in so far as this does not preclude the secrecy of the public. " |
|||||||||
39. According to Article 30 (6), the following paragraph 6a is inserted:
" (6a) If, through the operation of a data application, there is a significant direct danger to the persons concerned for protecting the confidentiality of the persons concerned (danger in default), the Data Protection Commission may notify the continuation of the data application. pursuant to § 57 (1) of the General Administrative Procedure Act 1991-AVG, BGBl. No. 51, prohibit. If this is technically possible, reasonable in view of the purpose of the data application and seems to be sufficient to eliminate the danger, the continuation can also only be partially prohibited. If an insignation is not immediately followed, the criminal complaint shall be refunded in accordance with Section 52 (1) (3) (3). An amending procedure pursuant to section 22a (2) shall be adjusted in accordance with the legal force of an under-sawing pursuant to this paragraph. The data application shall be deleted from the register in the scope of the subsac. "
40. § 31 together with headline reads:
" Complaint to the Data Protection Commission
§ 31. (1) The Data Protection Commission shall recognise the complaints of persons or groups of persons who claim in their right to information pursuant to § 26 or § 50 (1), third sentence, or in their right to the presentation of an automated Individual decision pursuant to section 49 (3) shall be infringed in so far as the request for information (the request for presentation or disclosure) does not relate to the use of data for acts in the service of the legislation or the jurisdiction.
(2) The Data Protection Commission shall also recognise the complaints of persons or groups of persons who claim to have been infringed in their right to secrecy (§ 1 para. 1) or in their right to judge or to erasure (§ § 27 and 28). if the claim is not to be invoked before a court pursuant to § 32 (1) or is directed against an institution in the service of the legislation or the jurisdiction.
(3) The complaint shall contain:
| 1. |
the name of the law deemed to be infringed; |
|||||||||
| 2. |
where this is reasonable, the name of the legal entity or the institution to which the alleged infringement is attributed (respondent), |
|||||||||
| 3. |
the facts from which the infringement is derived, |
|||||||||
| 4. |
the grounds on which the allegation of illegality is based, |
|||||||||
| 5. |
the desire to establish the alleged infringement and |
|||||||||
| 6. |
the information required to assess whether the complaint has been submitted in good time. |
|||||||||
(4) In addition, a complaint pursuant to paragraph 1 shall be based on the underlying request for information (the application for presentation or notification) and a possible reply from the respondent. In addition, a complaint pursuant to paragraph 2 shall be followed by the underlying request for a rectification or erasure, and a possible reply from the respondent.
(5) The supervisory powers conferred on the Data Protection Commission by Section 30 (2) to (4) shall also be conferred on it in appeal proceedings pursuant to paragraphs 1 and 2 of this Article against the respondent. In the same way, there is also a duty of confidentiality in accordance with Section 30 (5) of these procedures.
(6) In the event of the application of a admissible complaint pursuant to paragraph 1 or 2, a control procedure initiated on the basis of an input pursuant to Section 30 (1) on the same subject matter shall be terminated by a corresponding information (Section 30 (7)). However, the Data Protection Commission may, however, also act on its own account during the appeal of the appeal proceedings pursuant to Section 30 (2) if there is a reasonable suspicion of a breach of data protection law that goes beyond the appeal case. Commitments. Section 30 (3) shall remain unaffected.
(7) As far as a complaint pursuant to paragraph 1 or 2 proves to be justified, the consequence of that complaint shall be to give effect to the infringement and to establish the infringement. Is a committed violation in the right to information (para. 1) to be attributed to a contracting entity of the private sector, it shall, upon request, bear in addition the-if necessary re-reaction to the request for information pursuant to Article 26 (4), 5 or 10 to the extent necessary to ensure that the person concerned has been informed of the Right of infringement. In so far as the complaint proves not to be justified, it must be dismissed.
(8) A respondent, against which a complaint has been filed for infringement in the rights pursuant to § § 26 to 28, may, until the conclusion of the proceedings before the Data Protection Commission, by reactions to the appellant pursuant to § 26 (4) or § 27 (4) subsequently eliminate the alleged infringement. If such reactions of the respondent appear to the Data Protection Commission as being subject to the complaint, it has to hear the appellant. At the same time, it should be made aware that the Data Protection Commission will cease the proceedings if it fails to state within a reasonable period of time why it has at least partially infringed the alleged infringement. as not deemed to be disposed of. If such a statement by the appellant changes the case to its nature (Section 13 (8) of the AVG), the withdrawal of the original complaint and the simultaneous submission of a new complaint shall be deemed to be the case. In this case, too, the original appeal proceedings must be formally set and the appellant should be notified of this. Late statements are not to be taken into account. "
41. In accordance with § 31, the following § 31a and title shall be inserted:
" Accompanying measures in appeal proceedings
§ 31a. (1) If an admissible complaint relates to a reporting data application (file) pursuant to § 31 para. 2, the Data Protection Commission may review the performance of the reporting obligation and, if necessary, proceed in accordance with § § 22 and 22a.
(2) In the context of a complaint pursuant to Section 31 (2), the Appellant's power shall be credibly impaired by the use of his/her data to be protected by the use of his/her data, the Data Protection Commission may, according to Article 30 (6a) .
(3) If the accuracy of data is contentious in a procedure pursuant to section 31 (2), a notice shall be affixed by the respondent to the conclusion of the proceedings. If necessary, this shall be ordered by the Data Protection Commission at the request of the appellant with a notice of mandate.
(4) A client of the public sector shall, in the event of a complaint concerning the breach of the right of information, of the right to rectify or delete the data protection commission, be based on the provisions of § § 26 (5) or 27 (5) of the Data Protection Commission, the latter shall, after verification, have the need for secrecy to safeguard the protected public interests in their proceedings. If it considers that the secrecy of processed data has not been justified in relation to the data subject, the disclosure of the data shall be borne in hand. The competent authority may lodge a complaint against this decision by the Data Protection Commission to the Administrative Court. If no such complaint has been filed and if the Data Protection Commission is not satisfied within eight weeks, the Data Protection Commission shall carry out the disclosure of the data to the data subject himself and the data subject shall be informed by the Data Protection Commission of the data subject. to provide information or to tell him which data has already been corrected or deleted. The first two sentences shall apply in accordance with § 30 of the Regulation. "
Section 32 (1) reads as follows:
" (1) Claims for breach of the rights of a person or community of persons for secrecy, for the right to judge or to be deleted against natural persons, persons communities or entities established in forms of private law , in so far as these entities have not acted in full compliance with the law in the alleged infringement, they shall be asserted in civil law. "
43. § 32 (4) reads:
" (4) For actions and applications for the release of an injunction pursuant to this Federal Act, the Regional Court responsible for exercising the jurisdiction in civil cases is responsible in the first instance, in the latter's sprinkle of the plaintiff (applicant) shall have his or her habitual residence or registered office. Complaints (applications) may, however, also be filed with the regional court, in the course of which the defendant has his habitual residence or registered office or an establishment. "
Section 32 (6) reads as follows:
" (6) The Data Protection Commission shall have a legal dispute on the part of the Data Protection Commission (Section 30 (1)) and is required to protect the interests of a greater number of natural persons protected under this Federal Act. To join the intervener as a secondary intervener (§ § 17 ff ZPO). "
45. In accordance with Article 32 (6), the following paragraph 7 is added:
" (7) On the occasion of an admissible legal action pursuant to paragraph 1, which relates to a data application which is to be notified in the court's opinion, the court may ask the Data Protection Commission for review in accordance with § § 22 and 22a. The Data Protection Commission has to inform the Court of the outcome of the review. This shall also be announced by the court to the parties, provided that the proceedings have not yet been finally terminated. "
46. In § 34 (1) the word "dismiss" by the word "reject" replaced.
47. § 34 (3) reads:
" (3) If a case to be examined by the Data Protection Commission is to be assessed in accordance with § 3 according to the legal order of another Contracting State of the European Economic Area, the Data Protection Commission may the foreign competent authority Request for assistance from the Data Protection Control Unit. "
48. In Section 34 (4), the phrase "Member States of the European Union" by "States Parties to the European Economic Area" replaced.
49. In § 36 (3), the word "Federal Officials" by the word "Bundesservants" replaced.
50. In accordance with Article 36 (3), the following paragraph 3a is inserted:
"(3a) The members of the Data Protection Commission shall exercise this function in addition to the professional activities otherwise provided."
51. § 36 (6) the following sentences are added:
" The membership of the judicial member as well as of the member from the circle of right-handed federal employees also ends when they leave their employment relationships to the federal government, retire or retire to retirement . In the case of judges, the termination of the service is subject to a service allocation according to § 78 of the Judge and Public Prosecutor's Law, BGBl. No 305/1961, same. The membership of the remaining members shall expire on 31 December of the year in which they shall be 65. Full year of life. "
Section 36 (9) reads as follows:
" (9) The members and the replacement members of the Data Protection Commission shall be entitled to the reimbursement of travel expenses (fee level) in order to arrive at the meetings of the Data Protection Commission and for other business trips required in the performance of their duties. 3) by the Federal Chancellor in accordance with the legislation applicable to federal staff. In addition, they are entitled to a remuneration corresponding to the time and the amount of work required to be determined by the Federal Government at the request of the Federal Chancellor. "
53. § 38 (2) the following sentence is added:
"He has the right to inform himself at any time of all matters of the Management Board of the Data Protection Commission of the Chairman and the Managing Member."
(54) § 39 is added to the following paragraph 5:
"(5) Decisions of the Data Protection Commission shall be made by the Chairman."
55. § 40 (1) and (2) are:
" (1) The presentation to the Data Protection Commission pursuant to Section 57 (2) of the AVG is contrary to the decision of the managing member of the Data Protection Commission pursuant to Section 22 (3), § 30 (6a) or § 31a (3) in conjunction with Section 38 (1) of the German Data Protection Act. allowed. An impression of a decision taken pursuant to section 22 (3) shall have suspensive effect.
(2) There is no legal remedy against any seizure of the Data Protection Commission. They are not subject to the repeal or amendment in the administrative procedure. The contracting authorities of the public sector always have party status in proceedings before the Data Protection Commission. The proceedings of the Administrative Court by the parties to the proceedings shall be admissible. However, this does not apply to the contracting authorities of the public sector as respondent in the proceedings pursuant to § 31, unless it is the possibility of an official complaint (Art. 131 (2) B-VG). "
56. According to § 41 (2) Z 4 the following Z 4a is inserted:
| " 4a. |
the Data Protection Council shall have the right to request information and reports from the Data Protection Commission, as well as access to documents; " |
|||||||||
Section 42 (1) Z 1 reads as follows:
| " 1. |
Representatives of the political parties: four representatives of the party most strongly represented in the main committee of the National Council are representatives, three representatives from the second strongest party and one from each other in the main committee of the National Council represented party is a representative to be sent to the data protection council, with it alone arriving at the strength at the time of posting. In the case of two parties in the main committee, the strength of the vote in the last election to the National Council is decisive; " |
|||||||||
Section 42 (5) is added to the following sentence:
" Members according to paragraph 1 Z 1 shall also be excluded as soon as the main committee is in accordance with § § 29 and 30 of the Law on the Rules of Procedure 1975, BGBl. No. 410, newly elected, and they will not be sent out again. "
59. In § 46 (1) (2), the words shall be: "the contracting entity" by the word "he" replaced. In § 46 (1) (3) the words shall be: "the contracting entity" by the word "him" replaced.
60. In § 46 (2) the word order is deleted ", which are not publicly available," .
61. In § 46 (3), before the words "to grant" the phrase "at the request of the contracting authority of the investigation" inserted. The word "transmitted" is given by the word "identified" and the word "recipient" by the phrase "Client of the investigation" replaced.
62. In § 46, the following paragraph 3a is inserted after paragraph 3:
" (3a) In any event, an application as referred to in paragraph 3 is to be followed by a declaration made by the right to dispose of the data from which the data is to be determined, or to an explanation which has otherwise been authorized by it, to the contracting authority to: Data sets available for the investigation. Instead of this declaration, it is also possible to obtain a declaration of exile in this declaration (Section 367 (1) of the Executive Order-EO, RGBl. No 79/1896). "
63. In § 47 (4), after the word order "The Data Protection Commission has" the phrase "at the request of an adjudicating entity that processes address data," inserted.
64. § 49 (3) the following sentence is added:
"§ 26 (2) to (10) shall apply mutatily."
65. In accordance with § 50 (1) third sentence, the following sentence shall be inserted:
"Apart from the deviating period, § 26 (3) to (10) shall apply mutatily."
Section 50 (2) reads as follows:
" (2) By means of a corresponding act, other contracting authorities, in particular the notification of the information system, may also be transferred to the operator. The submission of authorisation pursuant to § 10 AVG is not required for the transmission of the reporting obligation alone. To the extent that the transfer of duty is not provided by law, it shall only be effective vis-à-vis third parties if, on the basis of a corresponding notification to the Data Protection Commission, it can be seen from the registration in the data processing register. "
67. In accordance with Section 50 (2), the following paragraph 2a is inserted:
" (2a) If a composite information system is registered on the basis of a notification by at least two contracting entities, contracting entities which, as a result, aim to participate in the information composite system, may submit the notification in the scope of section 19 (1) (3) to (3) to 7 to a reference to the content of the notification of an already registered client, if they wish to participate to the exact same extent. "
68. In accordance with § 50, the following 9a. Section inserted:
" 9a. Section
Video monitoring
General
§ 50a. (1) Video surveillance within the meaning of this section shall mean the systematic, in particular continuous, detection of events affecting a particular object (monitored object) or a particular person (supervised person) by means of: technical image recording devices or image transfer devices. Such monitoring shall be subject to the following paragraphs, unless otherwise specified by other laws.
(2) For video surveillance, § § 6 and 7 apply, in particular the principle of proportionality (§ 7 para. 3). However, lawful purposes of a video surveillance, in particular the evaluation and transmission of the data ascertained, are only the protection of the monitored object or of the person being monitored or the fulfilment of legal requirements, subject to paragraph 5. Duty of care, in each case including the protection of evidence, with regard to the events referred to in paragraph 1. Personal rights according to § 16 ABGB remain unaffected.
(3) A person concerned is then not infringed by a video surveillance in his legitimate interests of secrecy (Section 7 (2) (3) (3)) if:
| 1. |
these are in the vital interest of a person, or |
|||||||||
| 2. |
Data on behaviour which, without any doubt, allows the conclusion that it was intended to be perceived publicly, or |
|||||||||
| 3. |
he has expressly agreed to the use of his data in the context of surveillance. |
|||||||||
(4) In addition, a person concerned is not injured by a video surveillance only in his or her protective interests (Section 7 (2) (3)) if it is not carried out in the context of the enforcement of public functions and
| 1. |
Certain facts justify the assumption that the object being monitored or the person being monitored could become the target or the place of a dangerous attack, or |
|||||||||
| 2. |
Directly applicable legislation of the peoples or of Community law, laws, regulations, decisions or judicial decisions Special due diligence obligations for the contracting authority to protect the monitored object or the monitored Resurface, or |
|||||||||
| 3. |
the monitoring is exhausted in a mere real-time reproduction of events affecting the monitored object/person, that is, it is neither stored (recorded) nor processed further in any other form (Real-time monitoring), and it is done for the purpose of protecting the body, life or property of the contracting entity. |
|||||||||
(5) A video surveillance as referred to in paragraph 4 shall not apply to events in places which are part of the maximum personal life of a person concerned. In addition, video surveillance is prohibited for the purpose of employee control at workplaces.
(6) Protection-worthy interests of the secrecy of persons concerned shall not be infringed even if data recorded by video surveillance are transmitted beyond use in accordance with paragraphs 2 to 4, in the following cases:
| 1. |
to the competent authority or to the competent court, because the contracting authority has established reasonable suspicions that the data could document an act which is liable to be punishable by the office of its own motion, or |
|||||||||
| 2. |
to the security authorities to exercise these rights under Section 53 (5) of the Security Policy Act (SPG), BGBl. No 566/1991, powers granted, |
|||||||||
| even if the action or attack is not directed against the monitored object or the person being monitored. The powers of the authorities and courts for the enforcement of the issuing of evidence and for the securing of evidence as well as the corresponding obligations of the client remain unaffected. |
||||||||||
(7) Data from data subjects obtained with a video surveillance shall not be matched with other image data and shall not be searched for sensitive data as a selection criterion.
Special obligation to log and delete
§ 50b. (1) Any use of a video surveillance shall be recorded. This does not apply to real-time monitoring cases.
(2) Data recorded shall be deleted after 72 hours at the latest, provided that it is not necessary for the realization of the underlying protection or evidence protection purposes, or for the purposes of § 50a (6). § 33 (2) AVG applies. An intended longer retention period shall be given in the notification and shall be justified. In this case, the Data Protection Commission may only register the video surveillance if, for specific reasons, this is regularly required for the purpose of achieving this objective.
Reporting requirements and registration procedures
§ 50c. (1) Video surveillance shall be subject to the reporting obligation in accordance with § § 17 ff. If the client does not agree to encrypt the video surveillance data and to ensure that an evaluation of the video recordings only in the substantiated form, the data protection commission shall be subject to the sole key of the data protection commission. In case of a certain position, they are subject to prior checking (Section 18 (2)). Certain facts in the sense of § 50a (4) Z 1 must be credibly made in the case of a refund of the notification. Insofar as in accordance with § 96a of the Arbeitsverfassungsgesetz 1974-ArbVG, BGBl. No 22, operating agreements must be submitted in the registration procedure.
(2) A video surveillance shall be exempted from the reporting obligation beyond § 17 (2) and (3).
| 1. |
in the case of real-time monitoring or |
|||||||||
| 2. |
if a storage (recording) is performed only on an analog storage medium. |
|||||||||
(3) Several supervised objects or supervised persons for whose video surveillance the same client has a legal competence or legal authority (Section 7 (1)) may, on the basis of their similar nature or their spatial nature, be able to: Ties in a message are summarised when it is based on the same legal basis.
Information by labelling
§ 50d. (1) The client of a video surveillance shall identify them appropriately. In any case, the contracting authority must clearly emerge from the marking, unless it is already known to the parties concerned in the circumstances of the case. The marking must be carried out locally in such a way that any potentially affected person approaching a monitored object or a person under surveillance must be able to avoid the video surveillance.
(2) There is no obligation to identify a video in the case of video surveillance in the context of the enforcement of public tasks, which are exempt from the obligation to notify pursuant to section 17 (3).
Right of information
§ 50e. (1) By way of derogation from Article 26 (1), the information advertiser shall be informed about the period during which he may have been affected by the surveillance and the place where he/she has been identified as closely as possible and his identity has been duly substantiated. to grant the data processed to his person by sending a copy of the data processed to his person in a customary technical format. Alternatively, the information advertiser may request an inspection on the reader's reading devices, and in this case he is also entitled to copy a copy. The other components of the information (available information on the origin, recipient or recipient of a transfer, purpose, legal basis and any service provider) shall also be given in writing in the case of monitoring, if: does not agree to the information advertiser of an oral exchange of information.
(2) Paragraph 26 (2) must be applied with the proviso that, in the event that information on the grounds of overriding legitimate interests of third parties or of the contracting authority cannot be provided in the form regulated in paragraph 1, the information advertising agent shall be entitled to a written description of the conduct processed by the supervising or on the basis of information unrecogniritity of the other persons.
(3) In the case of real-time monitoring, a right of access is excluded. "
69. In Section 51 (1), the sales designation shall be deleted. "(1)" . The phrase "with the intention of obtaining an asset advantage or inflicting a disadvantage on another" is due to the phrase "with the intention of unlawfully enriching himself or a third party as a result, or with the intention of damaging another in his claim guaranteed by § 1 (1) (1)" replaced.
70. § 51 (2).
71. In § 52 (1) the number shall be: "18 890" by "25 000" replaced.
72. In Section 52 (2), the number shall be: "9 445" by "10 000" replaced.
73. § 52 para. 2 Z 1 to 7 reads:
| " 1. |
Data is determined, processed or transmitted without having fulfilled its reporting obligation in accordance with § § 17 or 50c or operating a data application in a manner which deviates from the notification, or |
|||||||||
| 2. |
Data transferred or transferred abroad without the required approval of the Data Protection Commission pursuant to Section 13 (1) of the German Data Protection Act (DPA) or |
|||||||||
| 3. |
in breach of the obligations set out in Article 13 (2) (2), (19) or (§) 50c (1) or by the Data Protection Commission pursuant to § 13 (1) or § 21 (2) of the obligations of the Data Protection Commission, or |
|||||||||
| 4. |
In accordance with § § 23, 24, 25 or 50d, his disclosure obligations or information obligations are violated or |
|||||||||
| 5. |
, the security measures required in accordance with Section 14 shall be overlooked, or |
|||||||||
| 6. |
does not take into account the security measures required pursuant to section 50a (7) and section 50b (1); or |
|||||||||
| 7. |
Data shall not be deleted after the expiry of the deletion period provided for in § 50b (2). " |
|||||||||
74. In accordance with section 52 (2), the following paragraph 2a is inserted:
" (2a) In so far as the action does not constitute a criminal offence under the jurisdiction of the courts or is punishable under other administrative criminal provisions with a more restrictive penalty, an administrative surrender involving a A penalty of up to 500 euros is to be punished, who does not inquire, correct or delete data in accordance with § § 26, 27 or 28 on time. "
Section 52 (4) reads as follows:
" (4) The penalty of the decay of data carriers and programs as well as image transfer and image recording devices may be pronounced (§ § 10, 17 and 18 VStG) if these items are related to an administrative surrender pursuant to para. 1 or 2 "
76. In § 55, the expression " § 2 para. 3 BGBlG, BGBl. No. 660/1996 " by the expression " § 4 of the Federal Law Gazette Act, BGBl. I No 100/2003 " replaced.
77. The following paragraphs 5 and 6 are added to the new Article 60 (4):
" (5) The table of contents, § 4 (1) Z 4, 5, 7 to 9, 11 and 12, § 8 (1), (2) and (4), § 12 (1), the renumbering of the paragraphs in § 13, § 16 (1) and (3), § 17 (1), (1a) and (4), § 19 (1) (3a) and (2), the renumbering of the paragraphs in § 19, Sections 20 to 22a, including the headings, § 24 (2) (a), § 24 (4), § 26 (1) to (8) and (10), § 28 (3), § 30 (2a), 5 to 6a, § § 31 and 31a together with the headings, § 32 (1), (4), (6) and (7), § 34 (1), (3) and (4), § 36 (3), (3a) and (9), § 39 (5), § 40 1 and 2, § 41 (2) (4a), § 42 (1) (1) (1), § 42 (5), § 46 (1), (2) and (3), (2) to (3a), § 47 (4), § 49 (3), § 50 (1) to (2a), of the 9a. Section, § 51, § 52 (2) and (4), § 55, § 61 (6) to (9) as well as § 64 in the version of the Federal Law BGBl. I n ° 133/2009 will be 1. Jänner 2010 in force. At the same time, Section 4 (1) Z 10, Section 13 (3) and section 51 (2) are repeal.
(6) § 36 (6) in the version of the Federal Law BGBl. I n ° 133/2009 will enter into force on 1 July 2010. '
Section 61 (6) reads as follows:
" (6) Video surveillance which has been registered before the entry into force of § § 50a to 50e shall remain legally in its registered form if it meets the data protection provisions applicable on 31 December 2009 and the Data Protection Commission has no time limit. If, on the other hand, the Data Protection Commission has a time limit for such video surveillance, it remains legal until the end of the period of time limit, but at the latest until 31 December 2012. "
79. In accordance with § 61 (7), the following paragraph 8 is added:
" (8) The Regulation pursuant to Section 16 (3) shall be issued by the Federal Chancellor, in accordance with the technical possibilities of the data processing register, at the latest by 1. January 2012 new to enact. Until the entry into force of this regulation, § § 16 to 22, § 30 (3) and (6) and § 40 (1) (the latter, with the exception of the reference to § 31a (3)), are in the version before the Federal Act BGBl. I n ° 133/2009; § 22a, § 30 (2a) and (6a), Section 31a (1) and (2) and Section 32 (7) are not applicable until then. Section 31 (3) in the version prior to the Federal Act BGBl. I n ° 133/2009 should continue to be applied until then. The statement as to whether a data application complies with one or more of the facts referred to in § 18 (2) (1) to (4) (Section 19 (1) (3a)) is the data protection commission registered at the time of the entry into force of the new regulation pursuant to § 16 para. 3 Report data applications on the occasion of the first amendment that goes beyond a deletion, which will be refunded after that date. No notification is required with regard to § 19 paragraph 1 Z 3a alone. "
§ 64 reads as follows:
" § 64. With the enforcement of this federal law, insofar as it is not the responsibility of the Federal Government, the Federal Chancellor and the other Federal Ministers are entrusted within the scope of their scope of action. "
Article 2
Amendment of the Security Policy Act
The Security Policy Act-SPG, BGBl. No 566/1991, as last amended by the Federal Law BGBl. I n ° 131/2009, shall be amended as follows:
(1) The following paragraph 8 is added to § 54:
" (8) Safety authorities are empowered to use image transmission equipment for real-time monitoring, provided that they are authorised to use image recording devices or to fulfil a safety-related task or to assist them in the implementation of of the patrol service. "
(2) The following paragraph 29 is added to § 94:
" (29) § 54 (8) in the version of the Federal Law BGBl. I n ° 133/2009 shall enter into force 1. Jänner 2010 in Kraft "
Fischer
Faymann
