Data Protection Act No. 165/1999
https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597
http://leaux.net/URLS/ConvertAPI Text Files/2237AA1178125B27F3926CD54E2E22A6.en.txt
Examining the file media/Synopses/2237AA1178125B27F3926CD54E2E22A6.html:
This file was generated: 2020-07-14 06:25:45
Applicable Type / Vulnerability / Indicator Overlay for this Input
Political / Illegal Activity
Searching for indicator crime:
p.(None): to provide necessary support. The control activity is under the greatest possible protection of the rights of the person responsible or the processor and third parties
p.(None): exercise.
p.(None): (2) For the purpose of inspection, the data protection authority, after notification of the owner of the premises and the person responsible or the
p.(None): The processor is entitled to enter rooms in which data processing is carried out, to put data processing systems into operation that
p.(None): to carry out the processing to be checked and copies of data carriers to the extent absolutely necessary for the exercise of the control powers
p.(None): manufacture.
p.(None): (3) Information that the data protection authority or the persons authorized by it obtain during the control activity may only be used for the control in the
p.(None): context of the implementation of data protection regulations. Incidentally, confidentiality also applies to courts
p.(None): and administrative authorities, in particular tax authorities; however, with the proviso that if the inspection suspects a criminal offense
p.(None): Action in accordance with section 63 of this federal law or in accordance with sections 118a, 119, 119a, 126a to 126c, 148a or section 278a of the Criminal Code - StGB, BGBl. № 60/1974,
p.(None): or a crime that results in a custodial sentence, the maximum of which exceeds five years, is to be reported and regarding such crimes and
p.(None): Offenses according to § 76 of the Code of Criminal Procedure - StPO, Federal Law Gazette No. 631/1975, must also be complied with.
p.(None): (4) Is the operation of data processing a significant immediate threat to the confidentiality interests of the parties concerned that are worth protecting
p.(None): Persons (danger of delay), the data protection authority can continue the data processing with a decision in accordance with Section 57 (1) of the General
p.(None): Administrative Procedure Act 1991 - AVG, Federal Law Gazette № 51/1991, prohibit. If technically possible, with regard to the purpose of data processing
p.(None): Continuation can only be partially prohibited if it makes sense and seems sufficient to eliminate the hazard. Likewise, the
p.(None): Data protection authority on request of a data subject a restriction of processing according to Art. 18 GDPR with notice according to § 57 Paragraph 1 AVG
p.(None): order if the person in charge does not comply with a related obligation on time. If a prohibition is not followed immediately,
p.(None): the data protection authority must act in accordance with Art. 83 (5) GDPR.
...
p.(None): be excessive
p.(None): 4. must be factually correct and, if necessary, up to date; all appropriate measures must be taken to ensure that
p.(None): personal data that are incorrect with regard to the purposes of their processing are deleted or corrected immediately,
p.(None): 5. may not be stored in a form that identifies the data for any longer than is necessary for the purposes for which they are processed
p.(None): enables data subjects
p.(None): 6. must be processed in a way that ensures adequate security of personal data, including protection against
p.(None): unauthorized or unlawful processing and against accidental loss, accidental destruction or accidental damage by
p.(None): appropriate technical and organizational measures.
p.(None): (2) For processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes
p.(None): Purposes within the scope of Section 36 (1) apply to Section 38.
p.(None): (3) The person responsible is responsible for compliance with paragraphs 1 and 2 and must be able to demonstrate compliance.
p.(None): (4) As far as possible and reasonable, a distinction must be made between personal data, in particular the following categories of data subjects:
p.(None): 1. People who are specifically suspected of having committed a criminal act due to certain facts,
p.(None): 2. People who, based on certain facts, are reasonably suspected of committing an offense in the near future,
p.(None): 3. convicted offenders,
p.(None): 4. victims of a crime or persons for whom certain facts justify the assumption that they are victims of a crime, and
p.(None): 5. Other persons who are connected with a crime, in particular persons who are considered as witnesses, persons who provide information
p.(None): can give to the offense, or persons who are in contact or in connection with the persons mentioned in Z 1 to 3.
p.(None): (5) As far as possible, a distinction must be made between fact-based and personal data based on personal assessments. On
p.(None): Personal data based on personal assessments are to be marked accordingly and can be provided with a reason,
p.(None): which enables the traceability of the assessment.
p.(None): (6) Inaccurate, incomplete, no longer up-to-date or deleted personal data may neither be transmitted nor for automated retrieval
p.(None): File systems are provided. For this purpose, the authority has to check the data quality accordingly as far as possible. To the
p.(None): automated retrieval of personal data held ready must be kept complete and up-to-date accordingly.
p.(None): (7) Whenever possible, each time personal data are transmitted, they are used to assess the topicality, correctness, completeness and reliability of the
p.(None): personal data required by the recipient.
p.(None): (8) If it is determined ex officio or as a result of a communication from a person concerned that personal data have been transmitted that do not comply with the
p.(None): 6, the submitting agency and authority responsible for the file system notifies the receiving agency or authority
p.(None): immediately with. The latter immediately has the deletion of illegally transmitted data, the correction of incorrect data, the addition of incomplete data
p.(None): Data or to restrict processing.
...
p.(None): Section 4
p.(None): Transfer of personal data to third countries or international organizations
p.(None): General principles for the transfer of personal data
p.(None): Section 58. (1) A transfer of personal data that is already being processed or after it has been transferred to a third country or an international one
p.(None): Organization to be processed by competent authorities is only permitted if the provisions of this main part are followed and
p.(None): 1. the transmission is necessary for the purposes specified in Section 36 (1),
p.(None): 2. the personal data to a person responsible in a third country or an international organization, which is responsible for the in § 36 para. 1
p.(None): is the competent authority mentioned, are transmitted,
p.(None): 3. In cases where personal data are transmitted or made available from another EU member state, this member state
p.(None): has previously approved the transmission,
p.(None): 4. the European Commission has taken an adequacy decision in accordance with Section 59 (1) and (2) or, if there is no such decision, appropriate decisions
p.(None): Guarantees within the meaning of Section 59 (3) to (5) have been provided or exist or if there is no adequacy decision under Section 59 (1) and (2) and
p.(None): there are no suitable guarantees within the meaning of Section 59 (3) to (5), exceptions apply to certain cases in accordance with Section 59 (6) and (7) and
p.(None): 5. It is ensured that a transfer to another third country or another international organization is only possible on the basis of a previous one
p.(None): Approval of the competent authority that carried out the original transmission and taking due account of all
p.(None): relevant factors, including the seriousness of the crime, the purpose for which the personal data was originally transmitted and the
p.(None): Levels of protection for personal data in the third country or international organization to which the personal data is made
p.(None): be passed on, is permitted.
p.(None): (2) A transmission without prior approval in accordance with Paragraph 1 (3) is only permitted if the transmission is necessary in order to achieve a direct and
p.(None): ward off serious danger to the public security of a Member State or a third country or to the essential interests of a Member State,
p.(None): and prior approval cannot be obtained in time. The authority responsible for issuing the prior approval is to be informed immediately.
p.(None): (3) Requests a competent authority of another EU member state for authorization to transmit personal data that
p.(None): originally transmitted from within Germany to a third country or an international organization in accordance with Paragraph 1 No. 3, this is in order to grant this approval
p.(None): responsible authority that originally transmitted the personal data, unless otherwise required by law.
p.(None): Data transfer to third countries or international organizations
p.(None): Section 59. (1) The transfer of personal data to a third country or an international organization is permitted if the European Commission
p.(None): in accordance with Art. 36 Para. 3 of Directive (EU) 2016/680 has decided, by means of an implementing act, that the third country concerned, an area or an or
...
Searching for indicator illegal:
p.(None): To make available.
p.(None): (6) If there is neither an adequacy decision in accordance with paragraphs 1 to 2 nor suitable guarantees in accordance with paragraphs 3 to 5, then is after
p.(None): In accordance with paragraph 5 a transfer of personal data to a third country or to an international organization is only permitted if the transfer
p.(None): is required
p.(None): 1. to protect a person's vital interests,
p.(None): 2. if this is required by law to safeguard the legitimate interests of the data subject,
p.(None): 3. to avert an immediate and serious danger to the public security of a member state of the EU or a third country,
p.(None): 4. in individual cases for the purposes specified in § 36 Paragraph 1, or
p.(None): 5. in individual cases to assert, exercise or defend legal claims in connection with the purposes specified in § 36 Paragraph 1.
p.(None): (7) In the cases of subsection 6 nos. 4 and 5, the transfer is only permitted if none of the fundamental interests prevailing in the public interest in the transfer
p.(None): and fundamental freedoms of the data subject prevent the transmission.
p.(None): 4. Main piece
p.(None): Special criminal provisions
p.(None): Administrative penal provision
p.(None): Section 62. (1) Unless the offense does not constitute an offense under Art. 83 GDPR or under other administrative penalties with a more severe penalty
p.(None): is threatened, an administrative offense, which is punishable with a fine of up to 50,000 euros, who
p.(None): 1. intentionally obtains illegal access to data processing or intentionally maintains a recognizable illegal access,
p.(None): 2. Deliberately transmitted data in violation of data secrecy (Section 6), in particular data that was entrusted to him in accordance with Sections 7 or 8, intentionally for
p.(None): processed other impermissible purposes,
p.(None): 3. deliberately obtains personal data in accordance with § 10 under false pretenses,
p.(None): 4. operates image processing contrary to the provisions of section 3 of the first main part or
p.(None): 5. refuses to inspect in accordance with section 22 (2).
p.(None): (2) The attempt is punishable.
p.(None): (3) Legal entities can be fined in accordance with Section 30 in the event of an administrative offense under paragraphs 1 and 2.
p.(None): (4) The penalty for the expiry of data carriers and programs as well as image transmission and recording devices can be pronounced (§§ 10, 17
p.(None): and 18 VStG), if these items are connected with an administrative violation according to paragraph 1.
p.(None): (5) The data protection authority is responsible for decisions in accordance with paragraphs 1 to 4.
p.(None): Data processing with the intention of profit or damage
p.(None): Section 63. Anyone with the intention of illegally enriching himself or a third party as a result, or with the intention of thereby enriching another person in his of Section 1 (1)
p.(None): guaranteed right to damage, personal data entrusted to him solely on the basis of his professional occupation or
p.(None): have become accessible or which he has illegally tampered with, used, made accessible to another or published, even though the person concerned
...
Searching for indicator unlawful:
p.(None): health services, which provide information about their health status;
p.(None): 15. "Supervisory Authority" is the data protection authority;
p.(None): 16. "international organization" means an international law organization and its subordinate bodies or any other body which is defined by an intermediate
p.(None): an agreement was concluded between two or more states or was established on the basis of such an agreement.
p.(None): Principles for data processing, categorization and data quality
p.(None): Section 37. (1) Personal data
p.(None): 1. must be processed lawfully and in good faith,
p.(None): 2. Must be collected for specified, clear and lawful purposes and not processed in a way that is incompatible with these purposes
p.(None): become,
p.(None): 3. must correspond to the processing purpose and must be decisive and may not in relation to the purposes for which they are processed
p.(None): be excessive
p.(None): 4. must be factually correct and, if necessary, up to date; all appropriate measures must be taken to ensure that
p.(None): personal data that are incorrect with regard to the purposes of their processing are deleted or corrected immediately,
p.(None): 5. may not be stored in a form that identifies the data for any longer than is necessary for the purposes for which they are processed
p.(None): enables data subjects
p.(None): 6. must be processed in a way that ensures adequate security of personal data, including protection against
p.(None): unauthorized or unlawful processing and against accidental loss, accidental destruction or accidental damage by
p.(None): appropriate technical and organizational measures.
p.(None): (2) For processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes
p.(None): Purposes within the scope of Section 36 (1) apply to Section 38.
p.(None): (3) The person responsible is responsible for compliance with paragraphs 1 and 2 and must be able to demonstrate compliance.
p.(None): (4) As far as possible and reasonable, a distinction must be made between personal data, in particular the following categories of data subjects:
p.(None): 1. People who are specifically suspected of having committed a criminal act due to certain facts,
p.(None): 2. People who, based on certain facts, are reasonably suspected of committing an offense in the near future,
p.(None): 3. convicted offenders,
p.(None): 4. victims of a crime or persons for whom certain facts justify the assumption that they are victims of a crime, and
p.(None): 5. Other persons who are connected with a crime, in particular persons who are considered as witnesses, persons who provide information
p.(None): can give to the offense, or persons who are in contact or in connection with the persons mentioned in Z 1 to 3.
p.(None): (5) As far as possible, a distinction must be made between fact-based and personal data based on personal assessments. On
p.(None): Personal data based on personal assessments are to be marked accordingly and can be provided with a reason,
...
Political / criminal
Searching for indicator criminal:
p.(None): Section 25. Accompanying measures in the complaint procedure
p.(None): § 26. Responsible for public and private areas
p.(None): § 27. Appeal to the Federal Administrative Court
p.(None): Section 28. Representation of data subjects
p.(None): § 29. Liability and right to compensation
p.(None): § 30. General conditions for imposing fines
p.(None): Section 4
p.(None): Regulatory authority according to Directive (EU) 2016/680
p.(None): § 31. Data protection authority
p.(None): Section 32. Tasks of the data protection authority
p.(None): Section 33. Powers of the data protection authority
p.(None): § 34. General provisions
p.(None): Section 5
p.(None): Special powers of the data protection authority
p.(None): § 35.
p.(None): 3. Main piece
p.(None): Processing of personal data for the purposes of the security police including police state protection, military
p.(None): Self-protection, the investigation and prosecution of criminal offenses, the execution of sentences and the execution of measures
p.(None): Section 1
p.(None): General provisions
p.(None): § 36. Scope and definitions
p.(None): Section 37. Principles for data processing, categorization and data quality
p.(None): Section 38. Lawfulness of processing
p.(None): Section 39. Processing of special categories of personal data
p.(None): Section 40. Processing for other purposes and transmission
p.(None): Section 41. Automated decision making in individual cases
p.(None): Section 2
p.(None): Rights of the data subject
p.(None): Section 42. Principles
p.(None): Section 43. Information to the data subject
p.(None): Section 44. Right of the data subject to information
p.(None): Section 45. Right to correction or deletion of personal data and restriction of processing
p.(None): Section 3
p.(None): Responsible and processor
p.(None): Section 46. Responsibilities of the controller
p.(None): Section 47
p.(None): Section 48. Processors and supervision of processing
p.(None): Section 49. Directory of processing activities
p.(None): Section 50. Logging
p.(None): Section 51. Cooperation with the data protection authority
p.(None): Section 52. Data protection impact assessment
p.(None): Section 53. Prior consultation with the data protection authority
p.(None): Section 54. Data security measures
p.(None): Section 55. Reporting violations to the data protection authority
p.(None): Section 56. Notification to the data subject of injuries
p.(None): Section 57. Designation, position and tasks of the data protection officer
p.(None): Section 4
p.(None): Transfer of personal data to third countries or international organizations
p.(None): Section 58. General principles for the transmission of personal data
p.(None): Section 59. Data transmission to third countries or international organizations
p.(None): (Note: Section 60 expired on January 15, 2019 (see Federal Law Gazette I No. 14/2019)
p.(None): § 61. repealed by Federal Law Gazette I No. 14/2019)
p.(None): 4. Main piece
p.(None): Special criminal provisions
p.(None): Section 62
p.(None): Section 63. Data processing with the intention of profit or damage
p.(None): 5. Main piece
p.(None): final provisions
p.(None): Section 64. Implementation and implementation of EU legal acts
p.(None): Section 65. Linguistic equal treatment
p.(None): Section 66. Issuing regulations
p.(None): Section 67. References
p.(None): Section 68. Execution
p.(None): Section 69. Transitional provisions
p.(None): § 70. Entry into force
p.(None): text
p.(None): article 1
p.(None): (Constitution determination)
p.(None): Fundamental right to data protection
p.(None): § 1. (1) Everyone, especially with regard to the respect of his private and family life, is entitled to the secrecy of those concerned
p.(None): personal data insofar as there is an interest worthy of protection. The existence of such an interest is excluded if data is due
p.(None): are not accessible to a confidentiality claim due to their general availability or because they cannot be traced back to the person concerned.
p.(None): (2) Insofar as the use of personal data is not in the vital interest of the person concerned or with his consent
p.(None): Limitations on the right to secrecy are only permissible to safeguard the overriding legitimate interests of another, in the event of intrusion
p.(None): State authority only on the basis of laws resulting from the in Article 8 paragraph 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms
...
p.(None): 2. the right to correct inaccurate data and the right to delete inadmissibly processed data.
p.(None): (4) Restrictions on the rights under paragraph 3 are only permissible under the conditions specified in paragraph 2.
p.(None): (Note: Paragraph 5 repealed by Federal Law Gazette I No. 51/2012)
p.(None): Article 2
p.(None): 1. Main piece
p.(None): Implementation of the General Data Protection Regulation and additional regulations
p.(None): Section 1
p.(None): General provisions
p.(None): Scope and implementing regulation
p.(None): § 4. (1) The provisions of Regulation (EU) 2016/679 for the protection of natural persons when processing personal data, for free
p.(None): Traffic and repealing Directive 95/46 / EC (General Data Protection Regulation), OJ № L 119, 4.5.2016 p. 1, (hereinafter: GDPR) and this
p.(None): Federal law applies to the fully or partially automated processing of personal data of natural persons as well as to the non-automated
p.(None): Processing of personal data of natural persons, which are or should be saved in a file system, unless the
p.(None): the more specific provisions of the third main part of this federal law.
p.(None): (2) The correction or deletion of automation-assisted personal data cannot be carried out immediately because it is from
p.(None): Processing can only be carried out at certain times for economic or technical reasons
p.(None): restrict personal data with effect from Art. 18 Para. 2 GDPR up to this point.
p.(None): (3) The processing of personal data about acts or omissions that are punishable by judicial or administrative authorities, in particular
p.(None): Also on suspicion of committing crimes, as well as on criminal convictions or preventive measures is in compliance with the requirements
p.(None): of the GDPR permitted if
p.(None): 1. there is an express legal authorization or obligation to process such data, or
p.(None): 2. Otherwise the admissibility of the processing of this data results from legal due diligence or the processing to protect the justified
p.(None): Interests of the responsible person or a third party in accordance with Art. 6 Para. f GDPR is required, and the way in which the data processing
p.(None): is carried out, the protection of the interests of the data subject is guaranteed in accordance with the GDPR and this federal law.
p.(None): (4) In the case of an offer of information society services made directly to a child, consent is required in accordance with Art. 6 Para. 1 lit. a GDPR
p.(None): Processing of the child's personal data lawfully when the child has reached the age of fourteen.
p.(None): (5) The right to information of the person concerned according to Art. 15 GDPR applies to a sovereign responsible person without prejudice to others
p.(None): statutory restrictions, if, by providing this information, the fulfillment of a task legally assigned to the person responsible
p.(None): is endangered.
p.(None): (6) The person concerned has the right to information in accordance with Art. 15 GDPR without prejudice to any other person responsible
...
p.(None): (2) Insofar as this is necessary to exercise the right to protection of personal data with freedom of expression and information
p.(None): Chapter II (principles) of the GDPR, with the exception of Art. 5, Chapter III (rights of the person concerned), Chapter IV
p.(None): (Controller and processor), with the exception of Art. 28, 29 and 32, Chapter V (transfer of personal data to third countries or to
p.(None): international organizations), Chapter VI (Independent Regulators), Chapter VII (Cooperation and Coherence) and Chapter IX (Rules for Special
p.(None): Processing situations) does not apply to processing that is carried out for scientific, artistic or literary purposes. Of the
p.(None): In such cases, provisions of this federal law apply to Section 6 (data secrecy).
p.(None): Processing of personal data in the event of a disaster
p.(None): § 10. (1) Responsible for the public sector and aid organizations are authorized in the event of a disaster to collect personal data
p.(None): process, insofar as this is to help those directly affected by the disaster, to find and identify dependents and
p.(None): Deceased and necessary for the information of relatives.
p.(None): (2) Anyone who has lawful personal data may transmit it to those responsible for the public sector and aid organizations, provided that
p.(None): they need the personal data to cope with the disaster for the purposes specified in Paragraph 1.
p.(None): (3) A transfer of personal data abroad is permitted, provided that this is absolutely necessary for the fulfillment of the purposes mentioned in paragraph 1
p.(None): necessary is. Data that in themselves are a criminal offense to the person concerned may not be transmitted, unless they are used for identification in the
p.(None): Individual cases are absolutely necessary. The data protection authority is responsible for the initiated transfers and the circumstances surrounding the event
p.(None): To notify the facts immediately. The data protection authority has to prohibit further data transfers to protect the rights of the data subjects if the
p.(None): Interference with the fundamental right to data protection caused by data transfer is not justified by the special circumstances of the disaster situation.
p.(None): (4) On the basis of a specific request from a close relative of a person who is actually or probably directly affected by the disaster
p.(None): The controller authorizes the inquirer to transmit personal data about the stay of the person concerned and the status of the research,
p.(None): if the relative demonstrates his identity and the close relationship credibly. Special categories of personal data (Art. 9 GDPR) are allowed to close
p.(None): Relatives are only transmitted if they can prove their identity and their family status and the transmission to safeguard their rights or those
p.(None): the person concerned is required. The social security institutions and authorities are obliged, those responsible for the public sector and
p.(None): To support aid organizations insofar as this is necessary to check the information of the requester.
...
p.(None): powers
p.(None): § 22. (1) The data protection authority can in particular all necessary data from the controller or processor of the checked data processing
p.(None): Request clarifications and request an insight into data processing and related documents. The controller or processor has the
p.(None): to provide necessary support. The control activity is under the greatest possible protection of the rights of the person responsible or the processor and third parties
p.(None): exercise.
p.(None): (2) For the purpose of inspection, the data protection authority, after notification of the owner of the premises and the person responsible or the
p.(None): The processor is entitled to enter rooms in which data processing is carried out, to put data processing systems into operation that
p.(None): to carry out the processing to be checked and copies of data carriers to the extent absolutely necessary for the exercise of the control powers
p.(None): manufacture.
p.(None): (3) Information that the data protection authority or the persons authorized by it obtain during the control activity may only be used for the control in the
p.(None): context of the implementation of data protection regulations. Incidentally, confidentiality also applies to courts
p.(None): and administrative authorities, in particular tax authorities; however, with the proviso that if the inspection suspects a criminal offense
p.(None): Action in accordance with section 63 of this federal law or in accordance with sections 118a, 119, 119a, 126a to 126c, 148a or section 278a of the Criminal Code - StGB, BGBl. № 60/1974,
p.(None): or a crime that results in a custodial sentence, the maximum of which exceeds five years, is to be reported and regarding such crimes and
p.(None): Offenses according to § 76 of the Code of Criminal Procedure - StPO, Federal Law Gazette No. 631/1975, must also be complied with.
p.(None): (4) Is the operation of data processing a significant immediate threat to the confidentiality interests of the parties concerned that are worth protecting
p.(None): Persons (danger of delay), the data protection authority can continue the data processing with a decision in accordance with Section 57 (1) of the General
p.(None): Administrative Procedure Act 1991 - AVG, Federal Law Gazette № 51/1991, prohibit. If technically possible, with regard to the purpose of data processing
p.(None): Continuation can only be partially prohibited if it makes sense and seems sufficient to eliminate the hazard. Likewise, the
p.(None): Data protection authority on request of a data subject a restriction of processing according to Art. 18 GDPR with notice according to § 57 Paragraph 1 AVG
p.(None): order if the person in charge does not comply with a related obligation on time. If a prohibition is not followed immediately,
p.(None): the data protection authority must act in accordance with Art. 83 (5) GDPR.
p.(None): (5) Within the scope of its responsibility, the data protection authority is responsible for imposing fines on natural and legal persons.
...
p.(None): legal mandate, and no fine can be imposed on public bodies.
p.(None): Section 4
p.(None): Regulatory authority according to Directive (EU) 2016/680
p.(None): DPA
p.(None): Section 31. (1) The data protection authority is set up as the national supervisory authority for the area of application specified in Section 36 (1). The
p.(None): The data protection authority is not responsible for the supervision of the processing carried out by courts in the context of their judicial activity.
p.(None): (2) With regard to independence, general conditions and the establishment of the supervisory authority, Articles 52, 53 and 54 GDPR and the
p.(None): Section 18 (2), sections 19 and 20 apply mutatis mutandis.
p.(None): Tasks of the data protection authority
p.(None): Section 32. (1) The data protection authority has within the scope of Section 36 (1)
p.(None): 1. the application of § 1 and the regulations enacted in the third main part as well as the implementing regulations for the directive (EU) 2016/680 on protection
p.(None): natural persons in the processing of personal data by the responsible authorities for the purpose of prevention, investigation, detection
p.(None): or prosecution of criminal offenses or the execution of sentences, as well as the free movement of data and repeal of Framework Decision 2008/977 / JHA of
p.(None): Council, OJ No. L 119, 4.5.2016 p. 89, to be monitored and enforced;
p.(None): 2. To raise awareness among the public of the risks, regulations, guarantees and rights associated with the processing and to inform them about them;
p.(None): 3. the in Article 57 paragraph 1 lit. c to e, g, h and t of the GDPR to fulfill specified tasks with regard to the third main part;
p.(None): 4. to deal with complaints from a person concerned or a position, organization or association in accordance with § 28, the subject of
p.(None): To investigate the complaint to a reasonable extent and notify the complainant within three months of the progress and that
p.(None): Communicate the outcome of the investigation, especially if further investigation or coordination with another supervisory authority
p.(None): necessary is;
p.(None): 5. to check the lawfulness of the processing in accordance with Section 42 (8) and to inform the data subject of the result of the
p.(None): To inform the inspection in accordance with Section 42 (9) or to inform it of the reasons why the inspection was not carried out;
p.(None): 6. to follow relevant developments insofar as they affect the protection of personal data, in particular the development of the
p.(None): Information and communication technology,
p.(None): 7. to provide advice in relation to the processing operations referred to in § 53, and
p.(None): 8. to exercise the rights of the data subject in the cases of sections 43 (4), 44 (3) and 45 (4).
...
p.(None): (4) Article 61 (1) to (7) GDPR applies mutatis mutandis to mutual administrative assistance within the scope of Section 36 (1).
p.(None): (5) In the area of application of section 36 (1), the provisions of section 3 of the second main piece - with the exception of section 30 - apply mutatis mutandis.
p.(None): Section 5
p.(None): Special powers of the data protection authority
p.(None): Section 35. (1) The data protection authority is appointed to safeguard data protection in accordance with the more detailed provisions of the GDPR and this Federal Act.
p.(None): (2) (Constitutional provision) The data protection authority also exercises its powers vis-à-vis the supreme organs of the
p.(None): Enforcement as well as towards the highest bodies according to Art. 30 Paragraphs 3 to 6, 125, 134 Paragraph 8 and 148h Paragraphs 1 and 2 B-VG in the area to which they are entitled
p.(None): Administrative matters.
p.(None): 3. Main piece
p.(None): Processing of personal data for the purposes of the security police including police state protection, military
p.(None): Self-protection, the investigation and prosecution of criminal offenses, the execution of sentences and the execution of measures
p.(None): Section 1
p.(None): General provisions
p.(None): Scope and definitions
p.(None): Section 36. (1) The provisions of this main section apply to the processing of personal data by competent authorities for the purpose of prevention,
p.(None): Investigation, detection or prosecution of criminal offenses or the execution of sentences, including protection against and averting threats to the public
p.(None): Security, as well as for the purposes of national security, intelligence and military intrinsic security.
p.(None): (2) For the purposes of this main piece, the expression denotes:
p.(None): 1. "Personal data" means all information relating to an identified or identifiable natural person (hereinafter referred to as "affected person")
p.(None): Respectively; A natural person is considered to be identifiable if he or she is directly or indirectly, in particular by means of assignment to an identifier such as one
p.(None): Names, an identification number, location data, an online identifier or one or more special features that express the
p.(None): physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person are identified
p.(None): can be;
p.(None): 2. "Processing" means any process carried out with or without the aid of automated processes or any such series of processes in connection with
p.(None): Personal data such as collecting, collecting, organizing, organizing, storing, adapting or changing that
p.(None): Reading, querying, using, disclosing through transmission, distribution or any other form of provision, comparison or
p.(None): Linkage, restriction, deletion or destruction;
p.(None): 3. "Restriction of processing" means the marking of stored personal data with the aim of restricting their future processing;
p.(None): 4. "Profiling" means any type of automated processing of personal data that consists of the use of this personal data,
p.(None): to assess certain personal aspects relating to a natural person, in particular aspects related to work performance,
p.(None): economic situation, health, personal preferences, interests, reliability, behavior, location or relocation of this natural person
p.(None): to analyze or predict;
p.(None): 5. "Pseudonymization" means the processing of personal data in such a way that the personal data is not used
p.(None): Information can no longer be assigned to a specific person concerned, provided that this additional information is kept separately
p.(None): and are subject to technical and organizational measures that ensure that the personal data is not identified
p.(None): or assigned to an identifiable natural person;
p.(None): 6. "file system" means any structured collection of personal data that is accessible according to certain criteria, regardless of whether it is
p.(None): Collection is managed centrally, decentrally or according to functional or geographical aspects;
p.(None): 7. "competent authority"
p.(None): (a) a government agency responsible for the prevention, investigation, detection or prosecution of criminal offenses or the execution of sentences, including the
p.(None): Protection against and averting threats to public security, national security, the intelligence service or the military
p.(None): Intrinsic safety is responsible, or
p.(None): (b) another agency or body which, through the law of the Member States, exercises the exercise of official authority and sovereign powers
p.(None): Prevention, investigation, detection or prosecution of criminal offenses or for the execution of sentences, including the protection against and the defense against
p.(None): Public security threats transmitted for the purposes of national security, intelligence or military intrinsic security
p.(None): has been;
p.(None): 8. "Controller" means the competent authority, alone or together with others, about the purposes and means of processing personal data
p.(None): Data decides;
p.(None): 9. "Processor" means a natural or legal person, public authority, agency or other body that provides personal data on behalf of the
p.(None): Processed responsible;
p.(None): 10. "recipient" means a natural or legal person, public authority, agency or other body to which personal data are disclosed,
p.(None): regardless of whether it is a third party or not. Authorities involved in a particular investigation mandate based on
p.(None): Laws may receive personal data, but are not considered recipients; the processing of this data by the aforementioned
p.(None): Authorities are done in accordance with applicable data protection regulations according to the purposes of the processing;
p.(None): 11. "Violation of the protection of personal data" means a violation of security that leads to destruction, loss or change, whether
p.(None): unintentionally or illegally, or leads to the unauthorized disclosure or access to personal data that
p.(None): transmitted, stored or otherwise processed;
...
p.(None): 1. must be processed lawfully and in good faith,
p.(None): 2. Must be collected for specified, clear and lawful purposes and not processed in a way that is incompatible with these purposes
p.(None): become,
p.(None): 3. must correspond to the processing purpose and must be decisive and may not in relation to the purposes for which they are processed
p.(None): be excessive
p.(None): 4. must be factually correct and, if necessary, up to date; all appropriate measures must be taken to ensure that
p.(None): personal data that are incorrect with regard to the purposes of their processing are deleted or corrected immediately,
p.(None): 5. may not be stored in a form that identifies the data for any longer than is necessary for the purposes for which they are processed
p.(None): enables data subjects
p.(None): 6. must be processed in a way that ensures adequate security of personal data, including protection against
p.(None): unauthorized or unlawful processing and against accidental loss, accidental destruction or accidental damage by
p.(None): appropriate technical and organizational measures.
p.(None): (2) For processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes
p.(None): Purposes within the scope of Section 36 (1) apply to Section 38.
p.(None): (3) The person responsible is responsible for compliance with paragraphs 1 and 2 and must be able to demonstrate compliance.
p.(None): (4) As far as possible and reasonable, a distinction must be made between personal data, in particular the following categories of data subjects:
p.(None): 1. People who are specifically suspected of having committed a criminal act due to certain facts,
p.(None): 2. People who, based on certain facts, are reasonably suspected of committing an offense in the near future,
p.(None): 3. convicted offenders,
p.(None): 4. victims of a crime or persons for whom certain facts justify the assumption that they are victims of a crime, and
p.(None): 5. Other persons who are connected with a crime, in particular persons who are considered as witnesses, persons who provide information
p.(None): can give to the offense, or persons who are in contact or in connection with the persons mentioned in Z 1 to 3.
p.(None): (5) As far as possible, a distinction must be made between fact-based and personal data based on personal assessments. On
p.(None): Personal data based on personal assessments are to be marked accordingly and can be provided with a reason,
p.(None): which enables the traceability of the assessment.
p.(None): (6) Inaccurate, incomplete, no longer up-to-date or deleted personal data may neither be transmitted nor for automated retrieval
p.(None): File systems are provided. For this purpose, the authority has to check the data quality accordingly as far as possible. To the
p.(None): automated retrieval of personal data held ready must be kept complete and up-to-date accordingly.
p.(None): (7) Whenever possible, each time personal data are transmitted, they are used to assess the topicality, correctness, completeness and reliability of the
p.(None): personal data required by the recipient.
p.(None): (8) If it is determined ex officio or as a result of a communication from a person concerned that personal data have been transmitted that do not comply with the
...
p.(None): Personal data of the data subject by the person responsible.
p.(None): (2) In addition to the information mentioned in paragraph 1, the person responsible has the following additional information in special cases
p.(None): To provide information to enable the exercise of the rights of the data subject:
p.(None): 1. the legal basis for processing,
p.(None): 2. the duration for which the personal data are stored or, if this is not possible, the criteria for determining this duration,
p.(None): 3. if applicable, the categories of recipients of the personal data, including recipients in third countries or in international organizations,
p.(None): 4. If necessary, further information, especially if the personal data is collected without the knowledge of the person concerned.
p.(None): (3) In the case of the collection of personal data from the person concerned, the person concerned must provide the information in accordance with the requirements of the
p.(None): Paragraphs 1 and 2 are available at the time of the survey. In all other cases, Article 14 (3) GDPR applies. The information according to paragraphs 1 and 2 can
p.(None): omitted if the data is not obtained by questioning the person concerned, but by transmitting data from other areas of responsibility
p.(None): Responsible or determined from applications of other responsible and data processing is provided by law.
p.(None): (4) The information of the person concerned in accordance with paragraph 2 can be postponed, restricted or omitted to the extent and for as long as this is stated in
p.(None): Individual cases are absolutely necessary and proportionate
p.(None): 1. to ensure that the prevention, detection, investigation or prosecution of criminal offenses or the execution of sentences are not impaired,
p.(None): in particular by hindering official or judicial investigations, investigations or procedures,
p.(None): 2. to protect public security,
p.(None): 3. to protect national security,
p.(None): 4. to protect the constitutional institutions of the Republic of Austria,
p.(None): 5. to protect the military intrinsic security or
p.(None): 6. to protect the rights and freedoms of others.
p.(None): Right of information of the data subject
p.(None): § 44. (1) Every person concerned has the right to receive confirmation from the person responsible as to whether they relate to personal data
p.(None): are processed; if this is the case, it has the right to receive information about personal data and the following information:
p.(None): 1. the purposes of the processing and its legal basis,
p.(None): 2. the categories of personal data that are processed,
p.(None): 3. the recipients or categories of recipients to whom the personal data has been disclosed, especially for recipients
p.(None): in third countries or with international organizations,
p.(None): 4. If possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for the determination
p.(None): this duration,
p.(None): 5. the existence of a right to correction or deletion of personal data or restriction of the processing of personal data
p.(None): data subject by the person responsible,
...
p.(None): (3) Each processor must keep a list of all categories of processing activities carried out on behalf of a responsible person,
p.(None): that contains:
p.(None): 1. Name and contact details of the processor or processors, each person responsible on whose behalf the processor is active,
p.(None): as well as any data protection officer,
p.(None): 2. the categories of processing carried out on behalf of each person responsible,
p.(None): 3. If applicable, transfers of personal data to a third country or to an international organization, if the person responsible
p.(None): instructed accordingly, including identification of the third country or international organization,
p.(None): 4. If possible, a general description of the technical and organizational measures in accordance with Section 54 (1).
p.(None): Logging
p.(None): Section 50. (1) Every processing operation must be logged in a suitable manner so that the admissibility of the processing is reproduced and checked
p.(None): can.
p.(None): (2) In automated processing systems, all processing operations must be logged in an automated form. From this log data must
p.(None): at least the purpose, the data processed, the date and time of processing, the identification of the person who provided the personal data
p.(None): processed, as well as the identity of any recipient of such personal data.
p.(None): (3) In non-automated processing systems, at least queries and disclosures including transfers, changes and
p.(None): Log deletions. Paragraph 2, second sentence, applies to this log data.
p.(None): (4) The protocols may only be used to check the legality of data processing, including self-monitoring, and the guarantee
p.(None): of integrity and security of personal data and in judicial criminal proceedings.
p.(None): (5) The controller and the processor must make the logs available to the data protection authority on request.
p.(None): Cooperation with the data protection authority
p.(None): § 51. The person responsible and the processor are obliged to call on the data protection authority to carry out their tasks
p.(None): together.
p.(None): Privacy impact assessment
p.(None): § 52. The data controller has the protection of the rights and legitimate interests of the data subjects and others
p.(None): Affected persons to carry out a data protection impact assessment in accordance with Art. 35 Para. 1, 2, 3, 7 and 11 GDPR, whereby the evidence in accordance with Art. 35 Para. 7 lit. d
p.(None): GDPR relates to compliance with the requirements of this main part.
p.(None): Prior consultation with the data protection authority
p.(None): Section 53. In accordance with Art. 36 GDPR, the person responsible must process the data before processing personal data in new file systems
p.(None): To consult the data protection authority, whereby the references in Art. 36 Para. 1 and Para. 3 lit. e GDPR on § 52 and the reference to the provisions regarding
...
p.(None): To teach categories.
p.(None): (5) Transmissions in accordance with Paragraph 3 No. 2 are to be documented and the documentation including the date and time of the transmission, information about
p.(None): the receiving competent authority, justification of the transfer and transferred personal data, the data protection authority on request
p.(None): To make available.
p.(None): (6) If there is neither an adequacy decision in accordance with paragraphs 1 to 2 nor suitable guarantees in accordance with paragraphs 3 to 5, then is after
p.(None): In accordance with paragraph 5 a transfer of personal data to a third country or to an international organization is only permitted if the transfer
p.(None): is required
p.(None): 1. to protect a person's vital interests,
p.(None): 2. if this is required by law to safeguard the legitimate interests of the data subject,
p.(None): 3. to avert an immediate and serious danger to the public security of a member state of the EU or a third country,
p.(None): 4. in individual cases for the purposes specified in § 36 Paragraph 1, or
p.(None): 5. in individual cases to assert, exercise or defend legal claims in connection with the purposes specified in § 36 Paragraph 1.
p.(None): (7) In the cases of subsection 6 nos. 4 and 5, the transfer is only permitted if none of the fundamental interests prevailing in the public interest in the transfer
p.(None): and fundamental freedoms of the data subject prevent the transmission.
p.(None): 4. Main piece
p.(None): Special criminal provisions
p.(None): Administrative penal provision
p.(None): Section 62. (1) Unless the offense does not constitute an offense under Art. 83 GDPR or under other administrative penalties with a more severe penalty
p.(None): is threatened, an administrative offense, which is punishable with a fine of up to 50,000 euros, who
p.(None): 1. intentionally obtains illegal access to data processing or intentionally maintains a recognizable illegal access,
p.(None): 2. Deliberately transmitted data in violation of data secrecy (Section 6), in particular data that was entrusted to him in accordance with Sections 7 or 8, intentionally for
p.(None): processed other impermissible purposes,
p.(None): 3. deliberately obtains personal data in accordance with § 10 under false pretenses,
p.(None): 4. operates image processing contrary to the provisions of section 3 of the first main part or
p.(None): 5. refuses to inspect in accordance with section 22 (2).
p.(None): (2) The attempt is punishable.
p.(None): (3) Legal entities can be fined in accordance with Section 30 in the event of an administrative offense under paragraphs 1 and 2.
p.(None): (4) The penalty for the expiry of data carriers and programs as well as image transmission and recording devices can be pronounced (§§ 10, 17
p.(None): and 18 VStG), if these items are connected with an administrative violation according to paragraph 1.
p.(None): (5) The data protection authority is responsible for decisions in accordance with paragraphs 1 to 4.
p.(None): Data processing with the intention of profit or damage
p.(None): Section 63. Anyone with the intention of illegally enriching himself or a third party as a result, or with the intention of thereby enriching another person in his of Section 1 (1)
p.(None): guaranteed right to damage, personal data entrusted to him solely on the basis of his professional occupation or
p.(None): have become accessible or which he has illegally tampered with, used, made accessible to another or published, even though the person concerned
p.(None): has a confidentiality interest worthy of protection in these data, unless the offense is threatened with a more severe punishment according to another provision, of
p.(None): Punish the court with a prison sentence of up to one year or a fine of up to 720 daily rates.
p.(None): 5. Main piece
p.(None): Final provisions
p.(None): Implementation and implementation of EU legal acts
p.(None): Section 64. (1) This Federal Act serves to implement Regulation (EU) 2016/679 for the protection of natural persons during processing
p.(None): personal data, the free movement of data and the repeal of Directive 95/46/EC (General Data Protection Regulation), OJ No. L 119 from 4.5.2016 p. 1.
p.(None): (2) This Federal Act also serves to implement Directive (EU) 2016/680 for the protection of natural persons when processing personal data
p.(None): Data provided by the competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or the execution of sentences, and for
p.(None): free movement of data and repealing Council Framework Decision 2008/977/JHA, OJ No. L 119 from 4.5.2016 p. 89.
p.(None): Linguistic equal treatment
p.(None): Section 65. Insofar as designations referring to natural persons are only given in male form in this federal law, they refer to women
p.(None): and men in the same way. When applying the terms to certain natural persons, the respective gender-specific form is too
p.(None): use.
p.(None): Issuing regulations
p.(None): Section 66. Regulations based on this federal law in its current version may be enacted from the day of the announcement
p.(None): follows the legal provisions to be implemented; however, they may not enter into force before the statutory provisions to be implemented.
p.(None): References
p.(None): § 67. Insofar as this federal law refers to provisions of other federal laws, these are to be applied in their respectively applicable version.
p.(None): Completion
p.(None): Section 68. With the enforcement of this Federal Act, unless it is the responsibility of the Federal Government, the Federal Minister for the Constitution, Reforms,
p.(None): Deregulation and judiciary, as well as the Federal Chancellor and the other Federal Ministers within their sphere of activity.
p.(None): Transitional provisions
p.(None): Section 69. (1) The term of office of the head of the data protection authority that is in effect at the time this Federal Act comes into force will continue until it expires
p.(None): continued. This also applies to his deputy.
...
p.(None): continue. No entries or changes in content may be made in the data processing register. Registrations in
p.(None): Data processing registers become irrelevant. Everyone can inspect the register. In the registration file including at most
p.(None): Permission notices contained therein are to be granted access if the insight-holder proves that he is an affected person, and insofar as not
p.(None): there are overriding legitimate confidentiality interests of the person responsible (client) or other persons.
p.(None): (3) Pending registration procedures according to §§ 17 and 18 para. 2 DSG 2000 at the time this Federal Act comes into force are considered
p.(None): set. At the time this Federal Act came into force, pending proceedings pursuant to Sections 13, 46 and 47 DSG 2000 must be continued, provided that
p.(None): Approval is required under this federal law or the GDPR. Otherwise they are considered set.
p.(None): (4) At the time this Federal Act comes into force at the data protection authority or at the ordinary courts on the Data Protection Act 2000
p.(None): Pending proceedings are to be continued in accordance with the provisions of this Federal Act and the GDPR, with the proviso that the ordinary
p.(None): courts remain in place.
p.(None): (5) Violations of the Data Protection Act 2000, which were not pending at the time this Federal Act came into force, are after
p.(None): to assess the legal situation after the entry into force of this federal law. A criminal offense that was implemented prior to the entry into force of this federal law
p.(None): has to be judged according to the legal situation which is more favorable for the offender in its overall effect; this also applies to the appeal procedure.
p.(None): (6) Submissions by data subjects pursuant to Section 24 are exempt from federal administrative levies.
p.(None): (7) The sending posts have a number of members and substitute members of the Data Protection Council corresponding to Section 15 (1) 1 to 6
p.(None): Federal Ministry of Constitution, Reforms, Deregulation and Justice to be announced in writing within two weeks from May 25, 2018. The
p.(None): Constituent meeting of the Data Protection Council must take place within six weeks from May 25, 2018. Until the election of the new chairman and the
p.(None): the two vice-chairmen remain the previous chairman and the two previous vice-chairmen in their function.
p.(None): (8) Special provisions regarding the processing of personal data in other federal or state laws remain unaffected.
p.(None): (9) Prior to the entry into force of this Federal Act pursuant to Sections 13, 46 and 47 DSG 2000, legally valid permits issued by the data protection authority remain
p.(None): unaffected. Consent given under the Data Protection Act 2000 remains in effect provided that it complies with the requirements of the GDPR.
p.(None): Come into effect
p.(None): Section 70. (1) The remaining provisions of this Federal Act also enter into force on January 1, 2000.
...
Political / political affiliation
Searching for indicator party:
p.(None): Section 1
p.(None): General provisions
p.(None): Scope and implementing regulation
p.(None): § 4. (1) The provisions of Regulation (EU) 2016/679 for the protection of natural persons when processing personal data, for free
p.(None): Traffic and repealing Directive 95/46/EC (General Data Protection Regulation), OJ No. L 119, 4.5.2016 p. 1, (hereinafter: GDPR) and this
p.(None): Federal law applies to the fully or partially automated processing of personal data of natural persons as well as to the non-automated
p.(None): Processing of personal data of natural persons, which are or should be saved in a file system, unless the
p.(None): the more specific provisions of the third main part of this federal law.
p.(None): (2) The correction or deletion of automation-assisted personal data cannot be carried out immediately because it is from
p.(None): Processing can only be carried out at certain times for economic or technical reasons
p.(None): restrict personal data with effect from Art. 18 Para. 2 GDPR up to this point.
p.(None): (3) The processing of personal data about acts or omissions that are punishable by judicial or administrative authorities, in particular
p.(None): Also on suspicion of committing crimes, as well as on criminal convictions or preventive measures is in compliance with the requirements
p.(None): of the GDPR permitted if
p.(None): 1. there is an express legal authorization or obligation to process such data, or
p.(None): 2. Otherwise the admissibility of the processing of this data results from legal due diligence or the processing to protect the justified
p.(None): Interests of the responsible person or a third party in accordance with Art. 6 Para. f GDPR is required, and the way in which the data processing
p.(None): is carried out, the protection of the interests of the data subject is guaranteed in accordance with the GDPR and this federal law.
p.(None): (4) In the case of an offer of information society services made directly to a child, consent is required in accordance with Art. 6 Para. 1 lit. a GDPR
p.(None): Processing of the child's personal data lawfully when the child has reached the age of fourteen.
p.(None): (5) The right to information of the person concerned according to Art. 15 GDPR applies to a sovereign responsible person without prejudice to others
p.(None): statutory restrictions, if, by providing this information, the fulfillment of a task legally assigned to the person responsible
p.(None): is endangered.
p.(None): (6) The person concerned has the right to information in accordance with Art. 15 GDPR without prejudice to any other person responsible
p.(None): As a rule, restrictions do not apply if, by providing this information, a business or company secret of the person responsible or third parties
p.(None): would be endangered.
p.(None): (Note: Paragraph 7 repealed by Art. 5 no. 3, Federal Law Gazette I No. 14/2019)
p.(None): Data Protection Officer
...
p.(None): (6) The personal data processed for the purpose of coping with the disaster must be deleted immediately if they are necessary for the fulfillment
p.(None): of the specific purpose are no longer required.
p.(None): Warning from the data protection authority
p.(None): § 11. The data protection authority will apply the catalog of Art. 83 para. 2 to 6 GDPR in such a way that proportionality is maintained.
p.(None): Particularly in the case of first-time violations, the data protection authority is warned of its remedial powers in accordance with Art. 58 GDPR, in particular by warning
p.(None): Make use.
p.(None): Section 3
p.(None): Image processing
p.(None): Permissibility of image acquisition
p.(None): § 12. (1) An image in the sense of this section describes the image taken by using technical equipment for image processing
p.(None): Detection of events in public or non-public space for private purposes. Acoustic processing also included in the image acquisition
p.(None): Information. This section applies to this type of image recording, unless otherwise specifically stipulated by other laws.
p.(None): (2) Taking a picture is permitted, taking into account the requirements of § 13, if
p.(None): 1. it is necessary in the vital interest of a person,
p.(None): 2. the data subject has consented to the processing of their personal data,
p.(None): 3. it is ordered or permitted by special legal provisions, or
p.(None): 4. In individual cases there are overriding legitimate interests of the person responsible or a third party and the proportionality is given.
p.(None): (3) Image acquisition is permitted in accordance with paragraph 2 no. 4 if
p.(None): 1. it serves the preventive protection of people or things on private properties that are used exclusively by the person responsible, and
p.(None): spatially does not extend beyond the property, with the exception of a public involvement that is at best inevitable to achieve the purpose
p.(None): Traffic areas,
p.(None): 2. for the preventive protection of people or things in publicly accessible places that are subject to the house right of the person responsible,
p.(None): is necessary due to legal violations that have already taken place or due to a special hazard potential in the nature of the place, or
p.(None): 3. it pursues a private interest in documentation that does not aim at identifying uninvolved persons or the targeted recording of
p.(None): Objects that are suitable for the indirect identification of such persons.
p.(None): (4) Is not permitted
p.(None): 1. taking a picture without the express consent of the person concerned in their highly personal life,
p.(None): 2. an image for the purpose of checking employees,
p.(None): 3. the automation-supported comparison of personal data obtained by means of image recordings without express consent and for that
p.(None): Creation of personality profiles with other personal data or
p.(None): 4. the evaluation of personal data obtained by means of image recordings based on special categories of personal data (Art. 9
...
p.(None): are to be given, as well as to regulations in the federal enforcement area that concern essential data protection issues;
p.(None): 4. The Data Protection Council has the right to request information and reports from those responsible in the public sector, insofar as this relates to
p.(None): data protection assessment of projects with significant effects on data protection in Austria is necessary;
p.(None): 5. The Data Protection Council can publish its observations, concerns and suggestions and be aware of those responsible in the public domain
p.(None): bring.
p.(None): (3) Paragraph 2 no. 3 and 4 does not apply insofar as internal affairs of recognized churches and religious societies are concerned.
p.(None): composition
p.(None): § 15. (1) The Data Protection Council includes:
p.(None): 1. Representatives of the political parties: Twelve members send the political parties according to the d’Hondt system in proportion to their mandate in the
p.(None): Central Committee of the National Council. Every political party represented in the main committee of the National Council is entitled to be represented in the Data Protection Council
p.(None): his. A party represented on the main committee of the National Council, which according to the above calculation has no member, can be a member by name
p.(None): do;
p.(None): 2. one representative each from the Federal Chamber of Workers and Salaried Employees and the Austrian Chamber of Commerce;
p.(None): 3. two representatives of the countries;
p.(None): 4. one representative each from the Association of Municipalities and the Association of Cities;
p.(None): 5. a federal representative to be sent by the Federal Minister for the Constitution, Reforms, Deregulation and Justice;
p.(None): 6. a representative to be appointed by the Federal Government from among the data protection officers of the Federal Ministries;
p.(None): 7. Two national or international data protection experts to be named by the Data Protection Council after its constitution.
p.(None): (2) The representatives mentioned in paragraph 1 should have knowledge and experience in the fields of data protection law, Union law and fundamental rights
p.(None): to have.
p.(None): (3) A substitute member is to be sent for each member in accordance with paragraph 1 nos. 1 to 6, who will replace him if the member is prevented. The
p.(None): The Federal Ministry of Constitution, Reforms, Deregulation and Justice must be notified in writing of the members and substitute members.
...
p.(None): Administrative Procedure Act 1991 - AVG, Federal Law Gazette № 51/1991, prohibit. If technically possible, with regard to the purpose of data processing
p.(None): Continuation can only be partially prohibited if it makes sense and seems sufficient to eliminate the hazard. Likewise, the
p.(None): Data protection authority on request of a data subject a restriction of processing according to Art. 18 GDPR with notice according to § 57 Paragraph 1 AVG
p.(None): order if the person in charge does not comply with a related obligation on time. If a prohibition is not followed immediately,
p.(None): the data protection authority must act in accordance with Art. 83 (5) GDPR.
p.(None): (5) Within the scope of its responsibility, the data protection authority is responsible for imposing fines on natural and legal persons.
p.(None): (6) Exist in the course of a lawsuit based on § 29 of a person concerned who has moved away from an institution, organization or association within the meaning of the
p.(None): Art. 80 Para. 1 GDPR, if there are any doubts about the existence of the relevant criteria, the data protection authority shall take action at the request of the bringing-in court
p.(None): corresponding findings with notice. This institution, organization or association has party status in the proceedings. Against a negative
p.(None): Notification of determination is open to her to appeal to the Federal Administrative Court.
p.(None): Activity report and publication of decisions
p.(None): § 23. (1) The data protection authority has until March 31 of each year to prepare an activity report according to Art. 59 GDPR and the
p.(None): To submit to the Federal Minister for the Constitution, Reforms, Deregulation and Justice. The report is from the Federal Minister for the Constitution, Reforms, Deregulation and
p.(None): Submit justice to the Federal Government, the National Council and the Federal Council. The data protection authority has the report of the public, the European one
p.(None): Commission, the European Data Protection Board (Art. 68 GDPR) and the Data Protection Council.
p.(None): (2) Decisions of the data protection authority of fundamental importance for the general public are made by the data protection authority taking into account the
p.(None): To publish confidentiality requirements in an appropriate manner.
p.(None): Section 3
p.(None): Remedies, liability and sanctions
...
p.(None): Protection against and averting threats to public security, national security, the intelligence service or the military
p.(None): Intrinsic safety is responsible, or
p.(None): (b) another agency or body which, through the law of the Member States, exercises the exercise of official authority and sovereign powers
p.(None): Prevention, investigation, detection or prosecution of criminal offenses or for the execution of sentences, including the protection against and the defense against
p.(None): Public security threats transmitted for the purposes of national security, intelligence or military intrinsic security
p.(None): has been;
p.(None): 8. "Controller" means the competent authority, alone or together with others, about the purposes and means of processing personal data
p.(None): Data decides;
p.(None): 9. "Processor" means a natural or legal person, public authority, agency or other body that provides personal data on behalf of the
p.(None): Processed responsible;
p.(None): 10. "recipient" means a natural or legal person, public authority, agency or other body to which personal data are disclosed,
p.(None): regardless of whether it is a third party or not. Authorities involved in a particular investigation mandate based on
p.(None): Laws may receive personal data, but are not considered recipients; the processing of this data by the aforementioned
p.(None): Authorities are done in accordance with applicable data protection regulations according to the purposes of the processing;
p.(None): 11. "Violation of the protection of personal data" means a violation of security that leads to destruction, loss or change, whether
p.(None): unintentionally or illegally, or leads to the unauthorized disclosure or access to personal data that
p.(None): transmitted, stored or otherwise processed;
p.(None): 12. "genetic data" personal data on the inherited or acquired genetic characteristics of a natural person, the unique
p.(None): Provide information about the physiology or health of this natural person and in particular from the analysis of a biological sample of the
p.(None): concerned natural person;
p.(None): 13. “biometric data” means personal data obtained using special technical processes relating to physical, physiological or
p.(None): characteristics typical of the behavior of a natural person, which enable or confirm the clear identification of this natural person, such as
p.(None): Facial images or dactyloscopic data;
p.(None): 14. "health data" means personal data relating to the physical or mental health of a natural person, including its provision
p.(None): health services, which provide information about their health status;
p.(None): 15. "Supervisory Authority" is the data protection authority;
...
p.(None): is threatened, an administrative offense, which is punishable with a fine of up to 50,000 euros, who
p.(None): 1. intentionally obtains illegal access to data processing or intentionally maintains a recognizable illegal access,
p.(None): 2. Deliberately transmitted data in violation of data secrecy (Section 6), in particular data that was entrusted to him in accordance with Sections 7 or 8, intentionally for
p.(None): processed other impermissible purposes,
p.(None): 3. deliberately obtains personal data in accordance with § 10 under false pretenses,
p.(None): 4. operates image processing contrary to the provisions of section 3 of the first main part or
p.(None): 5. refuses to inspect in accordance with section 22 (2).
p.(None): (2) The attempt is punishable.
p.(None): (3) Legal entities can be fined in accordance with Section 30 in the event of an administrative offense under paragraphs 1 and 2.
p.(None): (4) The penalty for the expiry of data carriers and programs as well as image transmission and recording devices can be pronounced (§§ 10, 17
p.(None): and 18 VStG), if these items are connected with an administrative violation according to paragraph 1.
p.(None): (5) The data protection authority is responsible for decisions in accordance with paragraphs 1 to 4.
p.(None): Data processing with the intention of profit or damage
p.(None): Section 63. Anyone with the intention of illegally enriching himself or a third party as a result, or with the intention of thereby enriching another person in his of Section 1 (1)
p.(None): guaranteed right to damage, personal data entrusted to him solely on the basis of his professional occupation or
p.(None): have become accessible or which he has illegally tampered with, used, made accessible to another or published, even though the person concerned
p.(None): has a confidentiality interest worthy of protection in these data, unless the offense is threatened with a more severe punishment according to another provision, of
p.(None): Punish the court with a prison sentence of up to one year or a fine of up to 720 daily rates.
p.(None): 5. Main piece
p.(None): final provisions
p.(None): Implementation and implementation of EU legal acts
p.(None): Section 64. (1) This Federal Act serves to implement Regulation (EU) 2016/679 for the protection of natural persons during processing
p.(None): personal data, the free movement of data and the repeal of Directive 95/46/EC (General Data Protection Regulation), OJ No. L 119 from 4.5.2016 p. 1.
p.(None): (2) This Federal Act also serves to implement Directive (EU) 2016/680 for the protection of natural persons when processing personal data
p.(None): Data provided by the competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or the execution of sentences, and for
p.(None): free movement of data and repealing Council Framework Decision 2008/977/JHA, OJ No. L 119 from 4.5.2016 p. 89.
...
Searching for indicator political:
p.(None): 2. the data protection council can issue or commission expert opinions;
p.(None): 3. gives the Data Protection Council the opportunity to comment on draft laws of the federal ministries, insofar as these are important under data protection law
p.(None): are to be given, as well as to regulations in the federal enforcement area that concern essential data protection issues;
p.(None): 4. The Data Protection Council has the right to request information and reports from those responsible in the public sector, insofar as this relates to
p.(None): data protection assessment of projects with significant effects on data protection in Austria is necessary;
p.(None): 5. The Data Protection Council can publish its observations, concerns and suggestions and be aware of those responsible in the public domain
p.(None): bring.
p.(None): (3) Paragraph 2 no. 3 and 4 does not apply insofar as internal affairs of recognized churches and religious societies are concerned.
p.(None): composition
p.(None): § 15. (1) The Data Protection Council includes:
p.(None): 1. Representatives of the political parties: Twelve members send the political parties according to the d’Hondt system in proportion to their mandate in the
p.(None): Central Committee of the National Council. Every political party represented in the main committee of the National Council is entitled to be represented in the Data Protection Council
p.(None): his. A party represented on the main committee of the National Council, which according to the above calculation has no member, can be a member by name
p.(None): do;
p.(None): 2. one representative each from the Federal Chamber of Workers and Salaried Employees and the Austrian Chamber of Commerce;
p.(None): 3. two representatives of the countries;
p.(None): 4. one representative each from the Association of Municipalities and the Association of Cities;
p.(None): 5. a federal representative to be sent by the Federal Minister for the Constitution, Reforms, Deregulation and Justice;
p.(None): 6. a representative to be appointed by the Federal Government from among the data protection officers of the Federal Ministries;
p.(None): 7. Two national or international data protection experts to be named by the Data Protection Council after its constitution.
p.(None): (2) The representatives mentioned in paragraph 1 should have knowledge and experience in the fields of data protection law, Union law and fundamental rights
p.(None): to have.
...
p.(None): bound.
p.(None): Meetings and decision making
p.(None): Section 17. (1) The meetings of the Data Protection Council are convened by the chairman as required. Each member of the Data Protection Council can write the
p.(None): Request the convening of the Data Protection Council stating the desired subject of the negotiation. If there is such a request, the chairman has
p.(None): to schedule the session to take place no later than four weeks after the request is received.
p.(None): (2) Each member of the Data Protection Council is - except in the case of justified prevention - obliged to attend the meetings of the Data Protection Council
p.(None): participate. The substitute member will only attend the meeting if the member is unable to attend.
p.(None): (3) The presence of more than half of its members or substitute members is required for deliberations and decision-making in the Data Protection Council.
p.(None): A simple majority of the votes cast is sufficient to pass resolutions. In a tie vote, the Chairman shall be decisive.
p.(None): Abstentions are not permitted. Minority votes are permitted.
p.(None): (4) In the case of urgent matters, the chairperson may appoint the deputy chairperson and one representative of the political parties (section 15 subsection 1 no. 1)
p.(None): invite to an extraordinary meeting (Presidium).
p.(None): (5) The Data Protection Council may form permanent or non-permanent working committees from among its members, which it shall prepare, assess and process
p.(None): individual matters. He is also entitled to the management, pre-assessment and processing of individual matters
p.(None): individual member (rapporteur).
p.(None): (6) The head of the data protection authority is entitled to attend the meetings of the data protection council or its working committees. A right to vote
p.(None): is not entitled to him.
p.(None): (7) If necessary, the chairman can call in experts to the meetings of the Data Protection Council or to working committees. Also for preparation
p.(None): At meetings of the Data Protection Council or working committees, the Chairman of the Data Protection Council can involve experts in the respective field, insofar as
p.(None): this is necessary to clarify questions of particular importance for data protection.
p.(None): (8) Unless it decides otherwise, the deliberations in the meetings of the Data Protection Council are not public. The members and substitute members
...
p.(None): personal data required by the recipient.
p.(None): (8) If it is determined ex officio or as a result of a communication from a person concerned that personal data have been transmitted that do not comply with the
p.(None): 6, the submitting agency and authority responsible for the file system notifies the receiving agency or authority
p.(None): immediately with. The latter immediately has the deletion of illegally transmitted data, the correction of incorrect data, the addition of incomplete data
p.(None): Data or to restrict processing.
p.(None): (9) Does the receiving agency or authority have reason to believe that personal data transmitted is incorrect or not up to date or is too
p.(None): delete or restrict processing, it will inform the transmitting agency or authority immediately. The latter takes hold
p.(None): the necessary measures immediately.
p.(None): Lawfulness of processing
p.(None): § 38. The processing of personal data is only legal, unless it is necessary to safeguard a person's vital interests,
p.(None): insofar as they are provided for by law or in directly applicable legal provisions which have the rank of a law within the country and for the fulfillment
p.(None): is necessary and proportionate to a task performed by the competent authority for the purposes specified in section 36 (1).
p.(None): Processing of special categories of personal data
p.(None): § 39. The processing of personal data from which the racial or ethnic origin, political opinions, religious or ideological
p.(None): Beliefs or union membership emerge, as well as the processing of genetic data, biometric data for unambiguous
p.(None): Identification of a natural person, health data or data on the sexual life or sexual orientation of a natural person for those in § 36
p.(None): Paragraph 1 is only permitted if processing is absolutely necessary and effective measures to protect the rights and freedoms of the
p.(None): data subjects are affected and
p.(None): 1. processing is permitted in accordance with § 38 or
p.(None): 2. It relates to data that the data subject has obviously made public himself.
p.(None): Processing for other purposes and transmission
p.(None): Section 40. (1) Processing of personal data in accordance with the provisions of this main part by the same or another person responsible
p.(None): for a processing purpose other than that for which they were collected is only permitted if this other purpose falls outside the scope of Section 36 (1)
p.(None): is included and the requirements of sections 38 and 39 are met.
p.(None): (2) The transmission of personal data processed in accordance with the provisions of this main part for a purpose not mentioned in Section 36 (1)
p.(None): is only permitted if this is expressly stipulated by law or in directly applicable legal provisions that have the status of a national law
p.(None): is provided and the recipient is authorized to process this personal data for this other purpose.
p.(None): (3) If the processing of personal data is subject to special conditions, the transmitting competent authority has the recipient of the
p.(None): to point out personal data that these conditions apply and must be complied with. The transmission to recipients in other Member States
p.(None): or bodies and other bodies established under Title V Chapters 4 and 5 TFEU may not be subject to conditions that are not applicable to
p.(None): corresponding data transfers in Germany apply.
p.(None): Automated decision making in individual cases
p.(None): Section 41. (1) Only decisions based on automatic processing, including profiling, which are detrimental to the person concerned
p.(None): Legal consequences or may significantly affect them are only permitted if they are legally or in directly applicable legal provisions that
p.(None): have the status of a national law, are expressly provided for.
p.(None): (2) Decisions according to paragraph 1 may only be based on special categories of personal data according to § 39 if and insofar as effective measures
p.(None): to protect the rights and freedoms and the legitimate interests of the data subject.
p.(None): (3) Decisions according to paragraph 1, which have the consequence that natural persons based on personal data from which the racial or
p.(None): ethnic origin, political opinions, religious or ideological beliefs or union membership, genetic data,
p.(None): biometric data for clear identification, health data or data on sex life or sexual orientation are discriminated
p.(None): forbidden.
p.(None): Section 2
p.(None): Rights of the data subject
p.(None): principle
p.(None): Section 42. (1) The person responsible has all the information and notifications according to Sections 43 to 45 relating to the processing in
p.(None): as precise, understandable and easily accessible as possible in a clear and simple language. The information is in a suitable form, in
p.(None): If possible, submit an application in the same form as the application.
p.(None): (2) The person responsible must make it easier for the data subjects to exercise their rights in accordance with sections 43 to 45.
p.(None): (3) The person responsible must immediately inform the data subject in writing of how their application was dealt with.
p.(None): (4) The person responsible provides the person concerned with information about the measures taken on the basis of an application in accordance with sections 44 to 45,
p.(None): in any case available within one month after receipt of the application. This period can be extended by a further two months if this is under
p.(None): Consideration of the complexity and number of applications is required. The person responsible will notify the person concerned within one month
p.(None): Receipt of the request for an extension, along with the reasons for the delay. If the person concerned submits the application electronically, it is
p.(None): if possible, to inform electronically unless otherwise stated.
...
Political / vulnerable
Searching for indicator vulnerable:
p.(None): final provisions
p.(None): Section 64. Implementation and implementation of EU legal acts
p.(None): Section 65. Linguistic equal treatment
p.(None): Section 66. Issuing regulations
p.(None): Section 67. References
p.(None): Section 68. Execution
p.(None): Section 69. Transitional provisions
p.(None): § 70. Entry into force
p.(None): text
p.(None): article 1
p.(None): (Constitution determination)
p.(None): Fundamental right to data protection
p.(None): § 1. (1) Everyone, especially with regard to the respect of his private and family life, is entitled to the secrecy of those concerned
p.(None): personal data insofar as there is an interest worthy of protection. The existence of such an interest is excluded if data is due
p.(None): are not accessible to a confidentiality claim due to their general availability or because they cannot be traced back to the person concerned.
p.(None): (2) Insofar as the use of personal data is not in the vital interest of the person concerned or with his consent
p.(None): Limitations on the right to secrecy are only permissible to safeguard the overriding legitimate interests of another, in the event of intrusion
p.(None): State authority only on the basis of laws resulting from the in Article 8 paragraph 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms
p.(None): (ECHR), Federal Law Gazette No. 210/1958, are necessary reasons mentioned. Such laws allow the use of data that is particularly vulnerable in nature
p.(None): are only intended to protect important public interests and at the same time must provide adequate guarantees for the protection of confidentiality interests
p.(None): of those concerned. Even in the case of permissible restrictions, the encroachment on the fundamental right may only in the mildest, leading to the goal
p.(None): be made.
p.(None): (3) Everyone, insofar as he is concerned, has personal data for automated processing or for processing in manual, i.e. without
p.(None): Automation support led files are determined, in accordance with legal regulations
p.(None): 1. The right to information about who processes which data about him, where the data comes from and what they are used for, in particular
p.(None): whom they are communicated to;
p.(None): 2. the right to correct inaccurate data and the right to delete inadmissibly processed data.
p.(None): (4) Restrictions on the rights under paragraph 3 are only permissible under the conditions specified in paragraph 2.
p.(None): (Note: Paragraph 5 repealed by Federal Law Gazette I No. 51/2012)
p.(None): Article 2
p.(None): 1. Main piece
p.(None): Implementation of the General Data Protection Regulation and additional regulations
p.(None): Section 1
p.(None): General provisions
p.(None): Scope and implementing regulation
p.(None): § 4. (1) The provisions of Regulation (EU) 2016/679 for the protection of natural persons when processing personal data, for free
p.(None): Traffic and repealing Directive 95/46/EC (General Data Protection Regulation), OJ № L 119, 4.5.2016 p. 1, (hereinafter: GDPR) and this
...
Health / Cognitive Impairment
Searching for indicator impaired:
p.(None): (2) In addition to the information mentioned in paragraph 1, the person responsible has the following additional information in special cases
p.(None): To provide information to enable the exercise of the rights of the data subject:
p.(None): 1. the legal basis for processing,
p.(None): 2. the duration for which the personal data are stored or, if this is not possible, the criteria for determining this duration,
p.(None): 3. if applicable, the categories of recipients of the personal data, including recipients in third countries or in international organizations,
p.(None): 4. If necessary, further information, especially if the personal data is collected without the knowledge of the person concerned.
p.(None): (3) In the case of the collection of personal data from the person concerned, the person concerned must provide the information in accordance with the requirements of the
p.(None): Paragraphs 1 and 2 are available at the time of the survey. In all other cases, Article 14 (3) GDPR applies. The information according to paragraphs 1 and 2 can
p.(None): omitted if the data is not obtained by questioning the person concerned, but by transmitting data from other areas of responsibility
p.(None): Responsible or determined from applications of other responsible and data processing is provided by law.
p.(None): (4) The information of the person concerned in accordance with paragraph 2 can be postponed, restricted or omitted to the extent and for as long as this is stated in
p.(None): Individual cases are absolutely necessary and proportionate
p.(None): 1. to ensure that the prevention, detection, investigation or prosecution of criminal offenses or the execution of sentences are not impaired,
p.(None): in particular by hindering official or judicial investigations, investigations or procedures,
p.(None): 2. to protect public security,
p.(None): 3. to protect national security,
p.(None): 4. to protect the constitutional institutions of the Republic of Austria,
p.(None): 5. to protect the military intrinsic security or
p.(None): 6. to protect the rights and freedoms of others.
p.(None): Right of information of the data subject
p.(None): § 44. (1) Every person concerned has the right to receive confirmation from the person responsible as to whether they relate to personal data
p.(None): are processed; if this is the case, it has the right to receive information about personal data and the following information:
p.(None): 1. the purposes of the processing and its legal basis,
p.(None): 2. the categories of personal data that are processed,
p.(None): 3. the recipients or categories of recipients to whom the personal data has been disclosed, especially for recipients
p.(None): in third countries or with international organizations,
p.(None): 4. If possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for the determination
p.(None): this duration,
p.(None): 5. the existence of a right to correction or deletion of personal data or restriction of the processing of personal data
p.(None): data subject by the person responsible,
...
Searching for indicator impairment:
p.(None): Interests of the data subject is necessary.
p.(None): (4) An application in accordance with paragraph 3 is in any case by the person authorized to dispose of the data from which the personal data are determined
p.(None): to attach a signed statement that he provides the data controller with the data for the investigation. Instead of this explanation
p.(None): an execution title replacing this declaration can also be submitted (Section 367 (1) of the Execution Regulation - EO, RGBl. No. 79/1896).
p.(None): (5) Also in those cases in which the processing of personal data for purposes of scientific research or statistics in
p.(None): personal form is permitted, the personal reference is to be encrypted immediately, if in individual phases of scientific or statistical
p.(None): Working with personal data in accordance with Paragraph 1 No. 3 that can be found. Unless otherwise expressly provided for by law, the
p.(None): Eliminate personal reference to the data as soon as it is no longer necessary for scientific or statistical work.
p.(None): (6) Legal restrictions on the admissibility of the use of personal data for other, in particular copyright reasons,
p.(None): stay untouched.
p.(None): Providing addresses for notification and questioning of data subjects
p.(None): § 8. (1) Unless otherwise expressly stipulated by law, the transmission of address data requires a specific group of those concerned
p.(None): Individuals for the purpose of notifying or questioning the consent of the data subjects.
p.(None): (2) If, however, an impairment of the confidentiality interests of the persons concerned in view of the selection criteria for the group of persons concerned
p.(None): and the subject of the notification or questioning is unlikely, no consent is required if
p.(None): 1. Data from the same person responsible is processed or
p.(None): 2. in the event of an intended transmission of the address data to third parties
p.(None): a) there is also a public interest in the notification or questioning, or
p.(None): b) none of the persons concerned object to this within a reasonable time after having been informed of the reason and content of the transmission
p.(None): has raised against the transmission.
p.(None): (3) If the requirements of paragraph 2 are not met, and obtaining the consent of the persons concerned in accordance with paragraph 1 would be one
p.(None): require disproportionate effort, the transmission of the address data is permitted with the approval of the data protection authority in accordance with paragraph 4, if the
p.(None): Transmission to third parties
p.(None): 1. for the purpose of notification or questioning from an important interest of the person concerned,
p.(None): 2. from an important public notification or questioning interest or
p.(None): 3. to interview the data subjects for scientific or statistical purposes
p.(None): should be done.
p.(None): (4) At the request of a controller who processes address data, the data protection authority must grant the authorization for transmission if the
...
p.(None): does not state within a reasonable period of time why he still does not at least partially remedy the originally alleged infringement
p.(None): considered. If the complainant's nature of the matter is changed by such a statement (Section 13 (8) AVG), the withdrawal of the
p.(None): original complaint and the simultaneous submission of a new complaint. In this case, too, is the original complaint procedure
p.(None): informally and inform the complainant about this. Delayed statements are not to be considered.
p.(None): (7) The complainant will be informed by the data protection authority within three months of the filing of the complaint about the status and result of the
p.(None): Investigation taught.
p.(None): (8) Any person concerned can refer the matter to the Federal Administrative Court if the data protection authority does not deal with the complaint or if the
p.(None): has not informed the data subject of the status or result of the complaint within three months.
p.(None): (9) The data protection authority can - if necessary - involve experts in the procedure.
p.(None): (10) The decision period according to § 73 AVG does not include:
p.(None): 1. the time during which the procedure is suspended until a final question is reached;
p.(None): 2. the time during a procedure according to Art. 56, 60 and 63 GDPR.
p.(None): Accompanying measures in the complaints procedure
p.(None): § 25. (1) In the context of a complaint, the complainant makes a substantial impairment of his confidentiality interests worthy of protection
p.(None): by processing his personal data in a credible manner, the data protection authority can proceed in accordance with Section 22 (4).
p.(None): (2) If the accuracy of personal data is disputed in a proceeding, the respondent must give one until the end of the proceeding
p.(None): Make a note of contest. If necessary, the data protection authority has this at the request of the complainant with a decision in accordance with Section 57 (1) AVG
p.(None): to arrange.
p.(None): (3) If a data controller refers to a restriction within the meaning of Art. 23 GDPR, this has the legality
p.(None): to review the application of the restrictions. If it comes to the conclusion that the confidentiality of processed personal data is kept
p.(None): the person concerned was not justified, the disclosure of the personal data is to be requested with notice. If the notice of
p.(None): If the data protection authority did not comply within eight weeks, the data protection authority has disclosed personal data to
p.(None): affected person himself and to give him the requested information or to inform him which personal data has already been corrected or
p.(None): have been deleted.
p.(None): (4) Notices authorizing transfers of personal data abroad must be revoked if the legal or
p.(None): the actual requirements for the approval no longer exist.
...
Health / Motherhood/Family
Searching for indicator family:
p.(None): Section 54. Data security measures
p.(None): Section 55. Reporting violations to the data protection authority
p.(None): Section 56. Notification to the data subject of violations
p.(None): Section 57. Designation, position and tasks of the data protection officer
p.(None): Section 4
p.(None): Transfer of personal data to third countries or international organizations
p.(None): Section 58. General principles for the transmission of personal data
p.(None): Section 59. Data transmission to third countries or international organizations
p.(None): (Note: Section 60 expired on January 15, 2019 (see Federal Law Gazette I No. 14/2019)
p.(None): § 61. repealed by Federal Law Gazette I No. 14/2019)
p.(None): 4. Main piece
p.(None): Special criminal provisions
p.(None): Section 62
p.(None): Section 63. Data processing with the intention of profit or damage
p.(None): 5. Main piece
p.(None): final provisions
p.(None): Section 64. Implementation and transposition of EU legal acts
p.(None): Section 65. Linguistic equal treatment
p.(None): Section 66. Issuing regulations
p.(None): Section 67. References
p.(None): Section 68. Execution
p.(None): Section 69. Transitional provisions
p.(None): § 70. Entry into force
p.(None): text
p.(None): article 1
p.(None): (Constitution determination)
p.(None): Fundamental right to data protection
p.(None): § 1. (1) Everyone, especially with regard to the respect of his private and family life, is entitled to the secrecy of those concerned
p.(None): personal data insofar as there is an interest worthy of protection. The existence of such an interest is excluded if data is due
p.(None): are not accessible to a confidentiality claim due to their general availability or because they cannot be traced back to the person concerned.
p.(None): (2) Insofar as the use of personal data is not in the vital interest of the person concerned or with his consent
p.(None): Limitations on the right to secrecy are only permissible to safeguard the overriding legitimate interests of another, in the event of intrusion
p.(None): State authority only on the basis of laws resulting from the in Article 8 paragraph 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms
p.(None): (ECHR), Federal Law Gazette No. 210/1958, are necessary reasons mentioned. Such laws allow the use of data that is particularly vulnerable in nature
p.(None): are only intended to protect important public interests and at the same time must provide adequate guarantees for the protection of confidentiality interests
p.(None): of those concerned. Even in the case of permissible restrictions, the encroachment on the fundamental right may only in the mildest, leading to the goal
p.(None): be made.
p.(None): (3) Everyone, insofar as he is concerned, has personal data for automated processing or for processing in manual, i.e. without
p.(None): Automation support led files are determined, in accordance with legal regulations
...
p.(None): they need the personal data to cope with the disaster for the purposes specified in Paragraph 1.
p.(None): (3) A transfer of personal data abroad is permitted, provided that this is absolutely necessary for the fulfillment of the purposes mentioned in paragraph 1
p.(None): necessary is. Data that in themselves are a criminal offense to the person concerned may not be transmitted, unless they are used for identification in the
p.(None): Individual cases are absolutely necessary. The data protection authority is responsible for the initiated transfers and the circumstances surrounding the event
p.(None): To notify the facts immediately. The data protection authority has to prohibit further data transfers to protect the rights of the data subjects if the
p.(None): Interference with the fundamental right to data protection caused by data transfer is not justified by the special circumstances of the disaster situation.
p.(None): (4) On the basis of a specific request from a close relative of a person who is actually or probably directly affected by the disaster
p.(None): The controller authorizes the inquirer to transmit personal data about the stay of the person concerned and the status of the research,
p.(None): if the relative demonstrates his identity and the close relationship credibly. Special categories of personal data (Art. 9 GDPR) are allowed to close
p.(None): Relatives are only transmitted if they can prove their identity and their family status and the transmission to safeguard their rights or those
p.(None): the person concerned is required. The social security institutions and authorities are obliged, those responsible for the public sector and
p.(None): To support aid organizations insofar as this is necessary to check the information of the requester.
p.(None): (5) As close relatives within the meaning of this provision, parents, children, spouses, registered partners and companions of the persons concerned are allowed
p.(None): understand. Other relatives may receive the information mentioned under the same conditions as close relatives if they have a special one
p.(None): Make the relationship with the person actually or probably directly affected by the disaster credible.
p.(None): (6) The personal data processed for the purpose of coping with the disaster must be deleted immediately if they are necessary for the fulfillment
p.(None): of the specific purpose are no longer required.
p.(None): Warning from the data protection authority
p.(None): § 11. The data protection authority will apply the catalog of Art. 83 para. 2 to 6 GDPR in such a way that proportionality is maintained.
p.(None): Particularly in the case of first-time violations, the data protection authority will make use of its remedial powers in accordance with Art. 58 GDPR, in particular by
p.(None): issuing warnings.
p.(None): Section 3
p.(None): image processing
p.(None): Permissibility of image acquisition
...
Social / Access to Social Goods
Searching for indicator access:
p.(None): is necessary due to legal violations that have already taken place or due to a special hazard potential in the nature of the place, or
p.(None): 3. it pursues a private interest in documentation that does not aim at identifying uninvolved persons or the targeted recording of
p.(None): Objects that are suitable for the indirect identification of such persons.
p.(None): (4) Is not permitted
p.(None): 1. taking a picture without the express consent of the person concerned in their highly personal life,
p.(None): 2. an image for the purpose of checking employees,
p.(None): 3. the automation-supported comparison of personal data obtained by means of image recordings without express consent and for that
p.(None): Creation of personality profiles with other personal data or
p.(None): 4. the evaluation of personal data obtained by means of image recordings based on special categories of personal data (Art. 9
p.(None): GDPR) as a selection criterion.
p.(None): (5) Personal data determined by means of a permissible image acquisition may be transmitted to the extent necessary for the transmission
p.(None): one of the requirements of paragraph 2 items 1 to 4 is met. Paragraph 4 applies accordingly.
p.(None): Special data security measures and labeling
p.(None): § 13. (1) The person responsible must take appropriate data security measures adapted to the risk of intrusion and ensure that the
p.(None): Access to the image recording and subsequent changes to it by unauthorized persons is excluded.
p.(None): (2) The person responsible - except in the case of real-time monitoring - must log every processing operation.
p.(None): (3) Recorded personal data are to be deleted by the person responsible if they are no longer required for the purpose for which they were determined
p.(None): and there is no other legally required retention requirement. Storage longer than 72 hours must be proportionate
p.(None): and must be recorded and justified separately.
p.(None): (4) Paragraphs 1 to 3 do not apply to image recordings in accordance with Section 12 paragraph 3 line 3.
p.(None): (5) The person responsible for an image recording must mark it appropriately. In any case, the person responsible has clear from the labeling
p.(None): unless the person concerned is already aware of the circumstances of the case.
p.(None): (6) The labeling obligation does not apply in the cases of Section 12 (3) (3) and for processing that is strictly limited in time in individual cases, their purpose
p.(None): can only be achieved by means of a covert investigation, provided that the person responsible has sufficient guarantees to safeguard the
p.(None): Provides for the interests of those affected, in particular by informing the data subjects retrospectively.
p.(None): (7) If, contrary to Paragraph 5, sufficient information is not provided, anyone who is potentially affected by processing can do so from the owner or
p.(None): Authorized users of a property or a building or other object from which such processing apparently originates, information
p.(None): request about the identity of the person responsible. The unfounded failure to provide such information constitutes a refusal to provide information pursuant to Art
p.(None): GDPR to keep the same.
p.(None): 2. Main piece
p.(None): organs
...
p.(None): Public security threats transmitted for the purposes of national security, intelligence or military intrinsic security
p.(None): has been;
p.(None): 8. "Controller" means the competent authority, alone or together with others, about the purposes and means of processing personal data
p.(None): Data decides;
p.(None): 9. "Processor" means a natural or legal person, public authority, agency or other body that provides personal data on behalf of the
p.(None): Processed responsible;
p.(None): 10. "recipient" means a natural or legal person, public authority, agency or other body to which personal data are disclosed,
p.(None): regardless of whether it is a third party or not. Authorities involved in a particular investigation mandate based on
p.(None): Laws may receive personal data, but are not considered recipients; the processing of this data by the aforementioned
p.(None): Authorities are done in accordance with applicable data protection regulations according to the purposes of the processing;
p.(None): 11. "Violation of the protection of personal data" means a violation of security that leads to destruction, loss or change, whether
p.(None): unintentionally or illegally, or leads to the unauthorized disclosure or access to personal data that
p.(None): transmitted, stored or otherwise processed;
p.(None): 12. "genetic data" personal data on the inherited or acquired genetic characteristics of a natural person, the unique
p.(None): Provide information about the physiology or health of this natural person and in particular from the analysis of a biological sample of the
p.(None): concerned natural person;
p.(None): 13. “biometric data” means personal data obtained using special technical processes relating to physical, physiological or
p.(None): characteristics typical of the behavior of a natural person, which enable or confirm the clear identification of this natural person, such as
p.(None): Facial images or dactyloscopic data;
p.(None): 14. "health data" means personal data relating to the physical or mental health of a natural person, including its provision
p.(None): health services, which provide information about their health status;
p.(None): 15. "Supervisory Authority" is the data protection authority;
p.(None): 16. "international organization" means an international law organization and its subordinate bodies or any other body which is defined by an intermediate
p.(None): an agreement was concluded between two or more states or was established on the basis of such an agreement.
p.(None): Principles for data processing, categorization and data quality
p.(None): Section 37. (1) Personal data
p.(None): 1. must be processed lawfully and in good faith,
p.(None): 2. Must be collected for specified, clear and lawful purposes and not processed in a way that is incompatible with these purposes
p.(None): become,
...
p.(None): enables and contributes.
p.(None): With regard to item 8, the processor will inform the controller immediately if he considers that an instruction against this main item
p.(None): or violates other Union data protection regulations or statutory data protection regulations.
p.(None): (4) If the processor uses the services of another processor to carry out certain processing activities on behalf of the
p.(None): To carry out the responsible person, this further processor will be contracted or another legal instrument according to the
p.(None): Union law or by law the same data protection obligations imposed in the contract or other legal instrument between the
p.(None): Responsible and the processor in accordance with paragraph 3 are determined, in particular sufficient guarantees must be offered that the
p.(None): appropriate technical and organizational measures are carried out so that the processing corresponds to the requirements of this main part
p.(None): he follows. If the other processor does not meet his data protection obligations, the first processor is liable to the person responsible for
p.(None): compliance with the obligations of that other processor.
p.(None): (5) The contract or the other legal instrument within the meaning of paragraphs 3 and 4 must be drawn up in writing, which is also done in an electronic format
p.(None): can.
p.(None): (6) The processor and any person subordinate to the controller or processor who has access to personal data,
p.(None): may only process this data on the instructions of the person responsible, unless it is processed in accordance with EU law or on the basis of laws on
p.(None): Processing are required.
p.(None): (7) A processor who determines the purposes and means of processing in violation of this main part shall apply in relation to this processing
p.(None): as the person responsible.
p.(None): Directory of processing activities
p.(None): Section 49. (1) Each person responsible has to maintain a register of processing activities in accordance with the provisions of Art. 30 Para. 1 to 4 GDPR, whereby
p.(None): the references in Art. 30 Para. 1 lit. g and para. 2 lit. d GDPR refer to § 54 and the reference to a representative of the person responsible or
p.(None): Processor is devoid of purpose.
p.(None): (2) The directory in accordance with paragraph 1 must also contain information on
p.(None): 1. the use of profiling when such use is made, and
p.(None): 2. the legal basis for the processing, including the transfers for which the personal data are intended.
p.(None): (3) Each processor must keep a list of all categories of processing activities carried out on behalf of a responsible person,
p.(None): that contains:
p.(None): 1. Name and contact details of the processor or processors, each person responsible on whose behalf the processor is active,
p.(None): as well as any data protection officer,
p.(None): 2. the categories of processing carried out on behalf of each person responsible,
p.(None): 3. If applicable, transfers of personal data to a third country or to an international organization, if the person responsible
p.(None): instructed accordingly, including identification of the third country or international organization,
...
p.(None): Section 53. In accordance with Art. 36 GDPR, the person responsible must process the data before processing personal data in new file systems
p.(None): To consult the data protection authority, whereby the references in Art. 36 Para. 1 and Para. 3 lit. e GDPR on § 52 and the reference to the provisions regarding
p.(None): of the powers of the data protection authority in Art. 36 Para. 2 GDPR refer to Section 33 and the measures listed in Art. 36 Para. 2 GDPR within
p.(None): six weeks with the possibility of an extension for another month.
p.(None): Data security measures
p.(None): § 54. (1) The person responsible and the processor must, taking into account the state of the art, the implementation costs and the type,
p.(None): scope, circumstances and purposes of the processing as well as the different probability and severity of the risk for the rights and
p.(None): freedoms of natural persons, and taking into account the different categories according to § 37, take appropriate technical and organizational measures
p.(None): to ensure a level of protection appropriate to the risk, especially with regard to the processing of special categories of
p.(None): personal data according to § 39.
p.(None): (2) The controller and the processor must, after a risk assessment, take measures regarding automated processing
p.(None): to achieve the following purposes:
p.(None): 1. denial of access for unauthorized persons to the processing systems with which the processing is carried out (access control);
p.(None): 2. prevention of unauthorized reading, copying, modification or removal of data carriers (data carrier control);
p.(None): 3. prevention of the unauthorized entry of personal data as well as the unauthorized knowledge, change and deletion of
p.(None): stored personal data (storage control);
p.(None): 4. prevention of the use of automated processing systems with the help of devices for data transmission by unauthorized persons (user control);
p.(None): 5. guarantee that those authorized to use an automated processing system only have access to the personal data covered by their
p.(None): access authorization (access control);
p.(None): 6. ensuring that it can be checked and ascertained to which locations personal data have been or can be transmitted or made available
p.(None): using data transmission facilities (transmission control);
p.(None): 7. guarantee that it can be subsequently checked and ascertained which personal data were entered into automated
p.(None): processing systems, at what time and by whom (input control);
p.(None): 8. preventing personal data from being read, copied, changed or deleted without authorization when transmitting personal data and when transporting
p.(None): data carriers (transport control);
p.(None): 9. ensuring that systems used can be restored in the event of a fault (restoration);
p.(None): 10. ensuring that all functions of the system are available, malfunctions are reported (reliability) and stored
p.(None): personal data cannot be damaged by system malfunctions (data integrity).
p.(None): Reporting of violations to the data protection authority
p.(None): Section 55. (1) In accordance with Art. 33 GDPR, the controller has violations of the protection of personal data by the data protection authority
p.(None): Report.
p.(None): (2) Insofar as the breach of protection relates to personal data provided by or to the controller of another Member State
p.(None): have been transmitted to the European Union, the information specified in Article 33 (3) GDPR is the responsibility of the Member State of the
...
p.(None): To make available.
p.(None): (6) If there is neither an adequacy decision in accordance with paragraphs 1 to 2 nor suitable guarantees in accordance with paragraphs 3 to 5, then is after
p.(None): In accordance with paragraph 5 a transfer of personal data to a third country or to an international organization is only permitted if the transfer
p.(None): is required
p.(None): 1. to protect a person's vital interests,
p.(None): 2. if this is required by law to safeguard the legitimate interests of the data subject,
p.(None): 3. to avert an immediate and serious danger to the public security of a member state of the EU or a third country,
p.(None): 4. in individual cases for the purposes specified in § 36 Paragraph 1, or
p.(None): 5. in individual cases to assert, exercise or defend legal claims in connection with the purposes specified in § 36 Paragraph 1.
p.(None): (7) In the cases of subsection 6 nos. 4 and 5, the transfer is only permitted if none of the fundamental interests prevailing in the public interest in the transfer
p.(None): and fundamental freedoms of the data subject prevent the transmission.
p.(None): 4. Main piece
p.(None): Special criminal provisions
p.(None): Administrative penal provision
p.(None): Section 62. (1) Unless the offense does not constitute an offense under Art. 83 GDPR or under other administrative penalties with a more severe penalty
p.(None): is threatened, an administrative offense, which is punishable with a fine of up to 50,000 euros, who
p.(None): 1. intentionally obtains illegal access to data processing or intentionally maintains a recognizable illegal access,
p.(None): 2. Deliberately transmitted data in violation of data secrecy (Section 6), in particular data that was entrusted to him in accordance with Sections 7 or 8, intentionally for
p.(None): processed other impermissible purposes,
p.(None): 3. deliberately obtains personal data in accordance with § 10 under false pretenses,
p.(None): 4. operates image processing contrary to the provisions of section 3 of the first main part or
p.(None): 5. refuses to inspect in accordance with section 22 (2).
p.(None): (2) The attempt is punishable.
p.(None): (3) Legal entities can be fined in accordance with Section 30 in the event of an administrative offense under paragraphs 1 and 2.
p.(None): (4) The penalty for the expiry of data carriers and programs as well as image transmission and recording devices can be pronounced (§§ 10, 17
p.(None): and 18 VStG), if these items are connected with an administrative violation according to paragraph 1.
p.(None): (5) The data protection authority is responsible for decisions in accordance with paragraphs 1 to 4.
p.(None): Data processing with the intention of profit or damage
p.(None): Section 63. Anyone with the intention of illegally enriching himself or a third party as a result, or with the intention of thereby enriching another person in his of Section 1 (1)
p.(None): guaranteed right to damage, personal data entrusted to him solely on the basis of his professional occupation or
p.(None): have become accessible or which he has illegally tampered with, used, made accessible to another or published, even though the person concerned
...
p.(None): Section 66. Regulations based on this federal law in its current version may be enacted from the day of the announcement
p.(None): follows the legal provisions to be implemented; however, they may not enter into force before the statutory provisions to be implemented.
p.(None): references
p.(None): § 67. Insofar as this federal law refers to provisions of other federal laws, these are to be applied in their respectively applicable version.
p.(None): Execution
p.(None): Section 68. With the enforcement of this Federal Act, unless it is the responsibility of the Federal Government, the Federal Minister for the Constitution, Reforms,
p.(None): Deregulation and judiciary, as well as the Federal Chancellor and the other Federal Ministers within their sphere of activity.
p.(None): Transitional provisions
p.(None): Section 69. (1) The term of office of the head of the data protection authority that is in effect at the time this Federal Act comes into force will continue until it expires
p.(None): continued. This also applies to his deputy.
p.(None): (2) The data processing register maintained by the data protection authority must be archived by the data protection authority until December 31, 2019
p.(None): continue. No entries or changes in content may be made in the data processing register. Registrations in
p.(None): Data processing registers become irrelevant. Everyone can inspect the register. In the registration file including at most
p.(None): Permission notices contained therein are to be granted access if the insight-holder proves that he is an affected person, and insofar as not
p.(None): there are overriding legitimate confidentiality interests of the person responsible (client) or other persons.
p.(None): (3) Pending registration procedures according to §§ 17 and 18 para. 2 DSG 2000 at the time this Federal Act comes into force are considered
p.(None): set. At the time this Federal Act came into force, pending proceedings pursuant to Sections 13, 46 and 47 DSG 2000 must be continued, provided that
p.(None): Approval is required under this federal law or the GDPR. Otherwise they are considered set.
p.(None): (4) At the time this Federal Act comes into force at the data protection authority or at the ordinary courts on the Data Protection Act 2000
p.(None): Pending proceedings are to be continued in accordance with the provisions of this Federal Act and the GDPR, with the proviso that the jurisdiction of the ordinary
p.(None): courts remains in place.
p.(None): (5) Violations of the Data Protection Act 2000, which were not pending at the time this Federal Act came into force, are after
p.(None): to assess the legal situation after the entry into force of this federal law. A criminal offense that was implemented prior to the entry into force of this federal law
p.(None): has to be judged according to the legal situation which is more favorable for the offender in its overall effect; this also applies to the appeal procedure.
p.(None): (6) Submissions by data subjects pursuant to Section 24 are exempt from federal administrative levies.
...
Searching for indicator freedom of information:
p.(None): BGBl. I No. 51/2012 (NR: GP XXIV RV 1618 AB 1771 p. 155. BR: 8730 AB 8731 p. 809.)
p.(None): BGBl. I No. 57/2013 (NR: GP XXIV RV 2131 AB 2245 p. 194. BR: AB 8940 p. 819.)
p.(None): BGBl. I No. 83/2013 (NR: GP XXIV RV 2168 AB 2268 p. 200. BR: AB 8968 p. 820.)
p.(None): [CELEX No.: 31995L0046]
p.(None): BGBl. I No. 132/2015 (VfGH)
p.(None): BGBl. I No. 120/2017 (NR: GP XXV RV 1664 AB 1761 p. 190. BR: 9824 AB 9856 p. 871.)
p.(None): [CELEX No.: 32016L0680]
p.(None): BGBl. I No. 23/2018 (NR: GP XXVI IA 188 / A AB 99 S. 21. BR: AB 9958 S. 879.)
p.(None): BGBl. I No. 24/2018 (NR: GP XXVI IA 189 / A AB 98 S. 21. BR: AB 9948 S. 879.)
p.(None): BGBl. I No. 14/2019 (NR: GP XXVI RV 301 AB 463 p. 57. BR: AB 10104 p. 888.)
p.(None): Preamble / Promulgatory
p.(None): Table of Contents
p.(None): article 1
p.(None): (Constitution determination)
p.(None): §1 fundamental right to data protection
p.(None): (Note: §§ 2 and 3 repealed by Federal Law Gazette I No. 14/2019)
p.(None): Article 2
p.(None): 1. Main piece
p.(None): Implementation of the General Data Protection Regulation and additional regulations
p.(None): Section 1
p.(None): General provisions
p.(None): § 4. Scope and implementing regulation
p.(None): § 5. Data protection officer
p.(None): § 6. Data secrecy
p.(None): Section 2
p.(None): Data processing for specific purposes
p.(None): § 7. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
p.(None): § 8. Provision of addresses for the notification and questioning of data subjects
p.(None): § 9. Freedom of expression and freedom of information
p.(None): § 10. Processing of personal data in the event of a disaster
p.(None): § 11. Warning by the data protection authority
p.(None): Section 3
p.(None): image processing
p.(None): § 12. Admissibility of image acquisition
p.(None): § 13. Special data security measures and labeling
p.(None): 2. Main piece
p.(None): organs
p.(None): Section 1
p.(None): Data Protection
p.(None): § 14. Establishment and tasks
p.(None): § 15. Composition
p.(None): § 16. Chair and management
p.(None): § 17. Meetings and decision-making
p.(None): Section 2
p.(None): DPA
p.(None): § 18. Establishment
p.(None): § 19. Independence
p.(None): § 20. Head of the data protection authority
p.(None): § 21. Tasks
p.(None): § 22. Powers
p.(None): § 23. Activity report and publication of decisions
p.(None): Section 3
p.(None): Remedies, liability and sanctions
p.(None): § 24. Complaint to the data protection authority
p.(None): Section 25. Accompanying measures in the complaint procedure
p.(None): § 26. Responsible for public and private areas
p.(None): § 27. Appeal to the Federal Administrative Court
p.(None): Section 28. Representation of data subjects
p.(None): § 29. Liability and right to compensation
p.(None): § 30. General conditions for imposing fines
p.(None): Section 4
p.(None): Regulatory authority according to Directive (EU) 2016/680
...
Social / Age
Searching for indicator age:
p.(None): (2) The correction or deletion of automation-assisted personal data cannot be carried out immediately because it is from
p.(None): Processing can only be carried out at certain times for economic or technical reasons
p.(None): restrict personal data with effect from Art. 18 Para. 2 GDPR up to this point.
p.(None): (3) The processing of personal data about acts or omissions that are punishable by judicial or administrative authorities, in particular
p.(None): Also on suspicion of committing crimes, as well as on criminal convictions or preventive measures is in compliance with the requirements
p.(None): of the GDPR permitted if
p.(None): 1. there is an express legal authorization or obligation to process such data, or
p.(None): 2. Otherwise the admissibility of the processing of this data results from legal due diligence or the processing to protect the justified
p.(None): Interests of the responsible person or a third party in accordance with Art. 6 Para. f GDPR is required, and the way in which the data processing
p.(None): is carried out, the protection of the interests of the data subject is guaranteed in accordance with the GDPR and this federal law.
p.(None): (4) In the case of an offer of information society services made directly to a child, consent is required in accordance with Art. 6 Para. 1 lit. a GDPR
p.(None): Processing of the child's personal data lawfully when the child has reached the age of fourteen.
p.(None): (5) The right to information of the person concerned according to Art. 15 GDPR applies to a sovereign responsible person without prejudice to others
p.(None): statutory restrictions, if, by providing this information, the fulfillment of a task legally assigned to the person responsible
p.(None): is endangered.
p.(None): (6) The person concerned has the right to information in accordance with Art. 15 GDPR without prejudice to any other person responsible
p.(None): As a rule, restrictions do not apply if, by providing this information, a business or company secret of the person responsible or third parties
p.(None): would be endangered.
p.(None): (Note: Paragraph 7 repealed by Art. 5 no. 3, Federal Law Gazette I No. 14/2019)
p.(None): Data Protection Officer
p.(None): § 5. (1) The data protection officer and the persons working for him are without prejudice to other confidentiality obligations when performing the tasks
p.(None): Confidentiality is mandatory. This applies in particular to the identity of data subjects who have contacted the data protection officer, as well as
p.(None): about circumstances that allow conclusions to be drawn about these persons, unless there has been an express release from secrecy by the
p.(None): concerned person. The data protection officer and the persons working for him may only use the information made available to fulfill the
...
Social / Child
Searching for indicator child:
(return to top)
p.(None): Federal law applies to the fully or partially automated processing of personal data of natural persons as well as to the non-automated
p.(None): Processing of personal data of natural persons, which are or should be saved in a file system, unless the
p.(None): the more specific provisions of the third main part of this federal law.
p.(None): (2) The correction or deletion of automation-assisted personal data cannot be carried out immediately because it is from
p.(None): Processing can only be carried out at certain times for economic or technical reasons
p.(None): restrict personal data with effect from Art. 18 Para. 2 GDPR up to this point.
p.(None): (3) The processing of personal data about acts or omissions that are punishable by judicial or administrative authorities, in particular
p.(None): Also on suspicion of committing crimes, as well as on criminal convictions or preventive measures is in compliance with the requirements
p.(None): of the GDPR permitted if
p.(None): 1. there is an express legal authorization or obligation to process such data, or
p.(None): 2. Otherwise the admissibility of the processing of this data results from legal due diligence or the processing to protect the justified
p.(None): Interests of the responsible person or a third party in accordance with Art. 6 Para. f GDPR is required, and the way in which the data processing
p.(None): is carried out, the protection of the interests of the data subject is guaranteed in accordance with the GDPR and this federal law.
p.(None): (4) In the case of an offer of information society services made directly to a child, consent is required in accordance with Art. 6 Para. 1 lit. a GDPR
p.(None): Processing of the child's personal data lawfully when the child has reached the age of fourteen.
p.(None): (5) The right to information of the person concerned according to Art. 15 GDPR applies to a sovereign responsible person without prejudice to others
p.(None): statutory restrictions, if, by providing this information, the fulfillment of a task legally assigned to the person responsible
p.(None): is endangered.
p.(None): (6) The person concerned has the right to information in accordance with Art. 15 GDPR without prejudice to any other person responsible
p.(None): As a rule, restrictions do not apply if, by providing this information, a business or company secret of the person responsible or third parties
p.(None): would be endangered.
p.(None): (Note: Paragraph 7 repealed by Art. 5 no. 3, Federal Law Gazette I No. 14/2019)
p.(None): Data Protection Officer
p.(None): § 5. (1) The data protection officer and the persons working for him are without prejudice to other confidentiality obligations when performing the tasks
p.(None): Confidentiality is mandatory. This applies in particular to the identity of data subjects who have contacted the data protection officer, as well as
p.(None): about circumstances that allow conclusions to be drawn about these persons, unless there has been an express release from secrecy by the
p.(None): concerned person. The data protection officer and the persons working for him may only use the information made available to fulfill the
...
Searching for indicator children:
(return to top)
p.(None): Individual cases are absolutely necessary. The data protection authority is responsible for the initiated transfers and the circumstances surrounding the event
p.(None): To notify the facts immediately. The data protection authority has to prohibit further data transfers to protect the rights of the data subjects if the
p.(None): Interference with the fundamental right to data protection caused by data transfer is not justified by the special circumstances of the disaster situation.
p.(None): (4) On the basis of a specific request from a close relative of a person who is actually or probably directly affected by the disaster
p.(None): The controller authorizes the inquirer to transmit personal data about the stay of the person concerned and the status of the research,
p.(None): if the relative demonstrates his identity and the close relationship credibly. Special categories of personal data (Art. 9 GDPR) are allowed to close
p.(None): Relatives are only transmitted if they can prove their identity and their family status and the transmission to safeguard their rights or those
p.(None): the person concerned is required. The social security institutions and authorities are obliged, those responsible for the public sector and
p.(None): To support aid organizations insofar as this is necessary to check the information of the requester.
p.(None): (5) As close relatives within the meaning of this provision, parents, children, spouses, registered partners and companions of the persons concerned are allowed
p.(None): understand. Other relatives may receive the information mentioned under the same conditions as close relatives if they have a special one
p.(None): Make the relationship with the person actually or probably directly affected by the disaster credible.
p.(None): (6) The personal data processed for the purpose of coping with the disaster must be deleted immediately if they are necessary for the fulfillment
p.(None): of the specific purpose are no longer required.
p.(None): Warning from the data protection authority
p.(None): § 11. The data protection authority will apply the catalog of Art. 83 para. 2 to 6 GDPR in such a way that proportionality is maintained.
p.(None): Particularly in the case of first-time violations, the data protection authority is warned of its remedial powers in accordance with Art. 58 GDPR, in particular by warning
p.(None): Make use.
p.(None): Section 3
p.(None): image processing
p.(None): Permissibility of image acquisition
p.(None): § 12. (1) An image in the sense of this section describes the image taken by using technical equipment for image processing
p.(None): Detection of events in public or non-public space for private purposes. Acoustic processing also included in the image acquisition
p.(None): Information. This section applies to this type of image recording, unless otherwise specifically stipulated by other laws.
p.(None): (2) Taking a picture is permitted, taking into account the requirements of § 13, if
...
Social / Ethnicity
Searching for indicator ethnic:
(return to top)
p.(None): personal data required by the recipient.
p.(None): (8) If it is determined ex officio or as a result of a communication from a person concerned that personal data have been transmitted that do not comply with the
p.(None): 6, the submitting agency and authority responsible for the file system notifies the receiving agency or authority
p.(None): immediately with. The latter immediately has the deletion of illegally transmitted data, the correction of incorrect data, the addition of incomplete data
p.(None): Data or to restrict processing.
p.(None): (9) Does the receiving agency or authority have reason to believe that personal data transmitted is incorrect or not up to date or is too
p.(None): delete or restrict processing, it will inform the transmitting agency or authority immediately. The latter takes hold
p.(None): the necessary measures immediately.
p.(None): Lawfulness of processing
p.(None): § 38. The processing of personal data is only legal, unless it is necessary to safeguard a person's vital interests,
p.(None): insofar as they are provided for by law or in directly applicable legal provisions which have the rank of a law within the country and for the fulfillment
p.(None): is necessary and proportionate to a task performed by the competent authority for the purposes specified in section 36 (1).
p.(None): Processing of special categories of personal data
p.(None): § 39. The processing of personal data from which the racial or ethnic origin, political opinions, religious or ideological
p.(None): Beliefs or union membership emerge, as well as the processing of genetic data, biometric data for unambiguous
p.(None): Identification of a natural person, health data or data on the sexual life or sexual orientation of a natural person for those in § 36
p.(None): Paragraph 1 is only permitted if processing is absolutely necessary and effective measures to protect the rights and freedoms of the
p.(None): data subjects are affected and
p.(None): 1. processing is permitted in accordance with § 38 or
p.(None): 2. It relates to data that the data subject has obviously made public himself.
p.(None): Processing for other purposes and transmission
p.(None): Section 40. (1) Processing of personal data in accordance with the provisions of this main part by the same or another person responsible
p.(None): for a processing purpose other than that for which they were collected is only permitted if this other purpose falls outside the scope of Section 36 (1)
p.(None): is included and the requirements of sections 38 and 39 are met.
p.(None): (2) The transmission of personal data processed in accordance with the provisions of this main part for a purpose not mentioned in Section 36 (1)
p.(None): is only permitted if this is expressly stipulated by law or in directly applicable legal provisions that have the status of a national law
p.(None): is provided and the recipient is authorized to process this personal data for this other purpose.
p.(None): (3) If the processing of personal data is subject to special conditions, the transmitting competent authority has the recipient of the
p.(None): to point out personal data that these conditions apply and must be complied with. The transmission to recipients in other Member States
p.(None): or bodies and other bodies established under Title V Chapters 4 and 5 TFEU may not be subject to conditions that are not applicable to
p.(None): corresponding data transfers in Germany apply.
p.(None): Automated decision making in individual cases
p.(None): Section 41. (1) Only decisions based on automatic processing, including profiling, which are detrimental to the person concerned
p.(None): Legal consequences or may significantly affect them are only permitted if they are legally or in directly applicable legal provisions that
p.(None): have the status of a national law, are expressly provided for.
p.(None): (2) Decisions according to paragraph 1 may only be based on special categories of personal data according to § 39 if and insofar as effective measures
p.(None): to protect the rights and freedoms and the legitimate interests of the data subject.
p.(None): (3) Decisions according to paragraph 1, which have the consequence that natural persons based on personal data from which the racial or
p.(None): ethnic origin, political opinions, religious or ideological beliefs or union membership, genetic data,
p.(None): biometric data for clear identification, health data or data on sex life or sexual orientation are discriminated
p.(None): forbidden.
p.(None): Section 2
p.(None): Rights of the data subject
p.(None): principle
p.(None): Section 42. (1) The person responsible has all the information and notifications according to Sections 43 to 45 relating to the processing in
p.(None): as precise, understandable and easily accessible as possible in a clear and simple language. The information is in a suitable form, in
p.(None): If possible, submit an application in the same form as the application.
p.(None): (2) The person responsible must make it easier for the data subjects to exercise their rights in accordance with sections 43 to 45.
p.(None): (3) The person responsible must immediately inform the data subject in writing of how their application was dealt with.
p.(None): (4) The person responsible provides the person concerned with information about the measures taken on the basis of an application in accordance with sections 44 to 45,
p.(None): in any case available within one month after receipt of the application. This period can be extended by a further two months if this is under
p.(None): Consideration of the complexity and number of applications is required. The person responsible will notify the person concerned within one month
p.(None): Receipt of the request for an extension, along with the reasons for the delay. If the person concerned submits the application electronically, it is
p.(None): if possible, to inform electronically unless otherwise stated.
...
Social / Incarcerated
Searching for indicator prison:
(return to top)
p.(None): 3. deliberately obtains personal data in accordance with § 10 under false pretenses,
p.(None): 4. operates image processing contrary to the provisions of section 3 of the first main part or
p.(None): 5. refuses to inspect in accordance with section 22 (2).
p.(None): (2) The attempt is punishable.
p.(None): (3) Legal entities can be fined in accordance with Section 30 in the event of an administrative offense under paragraphs 1 and 2.
p.(None): (4) The penalty for the expiry of data carriers and programs as well as image transmission and recording devices can be pronounced (§§ 10, 17
p.(None): and 18 VStG), if these items are connected with an administrative violation according to paragraph 1.
p.(None): (5) The data protection authority is responsible for decisions in accordance with paragraphs 1 to 4.
p.(None): Data processing with the intention of profit or damage
p.(None): Section 63. Anyone with the intention of illegally enriching himself or a third party as a result, or with the intention of thereby enriching another person in his of Section 1 (1)
p.(None): guaranteed right to damage, personal data entrusted to him solely on the basis of his professional occupation or
p.(None): have become accessible or which he has illegally tampered with, used, made accessible to another or published, even though the person concerned
p.(None): has a confidentiality interest worthy of protection in these data, unless the offense is threatened with a more severe punishment according to another provision, of
p.(None): Punish the court with a prison sentence of up to one year or a fine of up to 720 daily rates.
p.(None): 5. Main piece
p.(None): final provisions
p.(None): Implementation and implementation of EU legal acts
p.(None): Section 64. (1) This Federal Act serves to implement Regulation (EU) 2016/679 for the protection of natural persons during processing
p.(None): personal data, the free movement of data and the repeal of Directive 95/46/EC (General Data Protection Regulation), OJ No. L 119 from 4.5.2016 p. 1.
p.(None): (2) This Federal Act also serves to implement Directive (EU) 2016/680 for the protection of natural persons when processing personal data
p.(None): Data provided by the competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or the execution of sentences, and for
p.(None): free movement of data and repealing Council Framework Decision 2008/977/JHA, OJ No. L 119 from 4.5.2016 p. 89.
p.(None): Linguistic equal treatment
p.(None): Section 65. Insofar as designations referring to natural persons are only given in male form in this federal law, they refer to women
p.(None): and men in the same way. When applying the terms to certain natural persons, the respective gender-specific form is too
p.(None): use.
p.(None): Issuing regulations
p.(None): Section 66. Regulations based on this federal law in its current version may be enacted from the day of the announcement
p.(None): follows the legal provisions to be implemented; however, they may not enter into force before the statutory provisions to be implemented.
p.(None): references
...
Searching for indicator restricted:
(return to top)
p.(None): Consideration of the complexity and number of applications is required. The person responsible will notify the person concerned within one month
p.(None): Receipt of the request for an extension, along with the reasons for the delay. If the person concerned submits the application electronically, it is
p.(None): if possible, to inform electronically unless otherwise stated.
p.(None): (5) If the person responsible does not take action at the request of the person concerned, he shall inform the person concerned without delay, but at the latest
p.(None): within one month after receipt of the application about the reasons for this and about the possibility to lodge a complaint with a supervisory authority or a
p.(None): to lodge a judicial remedy.
p.(None): (6) Information according to § 43 as well as all communications and measures according to §§ 44 and 45 are provided free of charge. In the case of manifestly
p.(None): unfounded or - in particular in the case of frequent repetition - excessive applications by a data subject, the person responsible can either
p.(None): 1. request a reasonable fee at which the administrative costs for the information or the notification or the implementation of the requested
p.(None): Measure to be taken into account, or
p.(None): 2. refuse to act on the application.
p.(None): The person responsible must provide evidence of the manifestly unfounded or excessive nature of the application.
p.(None): (7) The person responsible can confirm the identity of the person who submitted an application in accordance with sections 44 or 45
p.(None): Request information.
p.(None): (8) In the cases of sections 43 (4), 44 (3) and 45 (4), the person concerned is entitled to review the legality of the related
p.(None): To request that their rights be restricted by the data protection authority. The person responsible must inform the data subject of this right.
p.(None): (9) If the right referred to in paragraph 8 is exercised, the data protection authority shall at least inform the person concerned that all necessary
p.(None): Checks or a review have been carried out by the data protection authority. The data protection authority also has the data subject's rights
p.(None): teach to file a complaint with the Federal Administrative Court.
p.(None): Information to the data subject
p.(None): Section 43. (1) The person responsible must provide the data subject with at least the following information:
p.(None): 1. the name and contact details of the person responsible,
p.(None): 2. if applicable, the contact details of the data protection officer,
p.(None): 3. the purposes for which the personal data are processed,
p.(None): 4. the existence of a right to lodge a complaint with the supervisory authority and its contact details,
p.(None): 5. the existence of a right to information and correction or deletion of personal data and restriction of the processing of the
p.(None): Personal data of the data subject by the person responsible.
p.(None): (2) In addition to the information mentioned in paragraph 1, the person responsible has the following additional information in special cases
p.(None): To provide information to enable the exercise of the rights of the data subject:
p.(None): 1. the legal basis for processing,
p.(None): 2. the duration for which the personal data are stored or, if this is not possible, the criteria for determining this duration,
p.(None): 3. if applicable, the categories of recipients of the personal data, including recipients in third countries or in international organizations,
p.(None): 4. If necessary, further information, especially if the personal data is collected without the knowledge of the person concerned.
p.(None): (3) In the case of the collection of personal data from the person concerned, the person concerned must provide the information in accordance with the requirements of the
p.(None): Paragraphs 1 and 2 are available at the time of the survey. In all other cases, Article 14 (3) GDPR applies. The information according to paragraphs 1 and 2 can
p.(None): omitted if the data is not obtained by questioning the person concerned, but by transmitting data from other areas of responsibility
p.(None): Responsible or determined from applications of other responsible and data processing is provided by law.
p.(None): (4) The information of the person concerned in accordance with paragraph 2 can be postponed, restricted or omitted to the extent and for as long as this is stated in
p.(None): Individual cases are absolutely necessary and proportionate
p.(None): 1. to ensure that the prevention, detection, investigation or prosecution of criminal offenses or the execution of sentences are not impaired,
p.(None): in particular by hindering official or judicial investigations, investigations or procedures,
p.(None): 2. to protect public security,
p.(None): 3. to protect national security,
p.(None): 4. to protect the constitutional institutions of the Republic of Austria,
p.(None): 5. to protect the military intrinsic security or
p.(None): 6. to protect the rights and freedoms of others.
p.(None): Right of information of the data subject
p.(None): § 44. (1) Every person concerned has the right to receive confirmation from the person responsible as to whether they relate to personal data
p.(None): are processed; if this is the case, it has the right to receive information about personal data and the following information:
p.(None): 1. the purposes of the processing and its legal basis,
p.(None): 2. the categories of personal data that are processed,
p.(None): 3. the recipients or categories of recipients to whom the personal data has been disclosed, especially for recipients
p.(None): in third countries or with international organizations,
p.(None): 4. If possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for the determination
...
p.(None): 8. Preventing the data from being read, copied or changed without authorization when transmitting personal data and when transporting data carriers
p.(None): or can be deleted (transport control);
p.(None): 9. Ensuring that systems used can be restored in the event of a fault (restoration);
p.(None): 10. Ensuring that all functions of the system are available, malfunctions are reported (reliability) and saved
p.(None): personal data cannot be damaged by system malfunctions (data integrity).
p.(None): Reporting of violations to the data protection authority
p.(None): Section 55. (1) In accordance with Art. 33 GDPR, the controller has violations of the protection of personal data by the data protection authority
p.(None): Report.
p.(None): (2) Insofar as the breach of protection relates to personal data provided by or to the controller of another Member State
p.(None): have been transmitted to the European Union, the information specified in Article 33 (3) GDPR is the responsibility of the Member State of the
p.(None): To be transmitted to the European Union immediately.
p.(None): Notification to affected person of injuries
p.(None): Section 56. (1) In accordance with Art. 34 GDPR, the person responsible has the right to violate the protection of their personal data
p.(None): notify.
p.(None): (2) The notification according to paragraph 1 can be postponed, restricted or omitted under the conditions specified in § 43 paragraph 4.
p.(None): Designation, position and tasks of the data protection officer
p.(None): Section 57. (1) Each person responsible must appoint a data protection officer in accordance with Art. 37 (5) and (7) GDPR. Courts are in the frame
p.(None): exempt from their judicial activity from the obligation to appoint a data protection officer. § 5 applies with regard to the provisions of this
p.(None): Main piece analogously.
p.(None): (2) Art. 38 GDPR applies to the position of data protection officer.
p.(None): (3) The data protection officer is responsible for the tasks specified in Art. 39 GDPR with regard to compliance with the provisions of this main part.
p.(None): (4) The person responsible must publish the contact details of the data protection officer and notify the data protection authority.
p.(None): Section 4
p.(None): Transfer of personal data to third countries or international organizations
p.(None): General principles for the transfer of personal data
...
Social / Linguistic Proficiency
Searching for indicator language:
(return to top)
p.(None): corresponding data transfers in Germany apply.
p.(None): Automated decision making in individual cases
p.(None): Section 41. (1) Only decisions based on automatic processing, including profiling, which are detrimental to the person concerned
p.(None): Legal consequences or may significantly affect them are only permitted if they are legally or in directly applicable legal provisions that
p.(None): have the status of a national law, are expressly provided for.
p.(None): (2) Decisions according to paragraph 1 may only be based on special categories of personal data according to § 39 if and insofar as effective measures
p.(None): to protect the rights and freedoms and the legitimate interests of the data subject.
p.(None): (3) Decisions according to paragraph 1, which have the consequence that natural persons based on personal data from which the racial or
p.(None): ethnic origin, political opinions, religious or ideological beliefs or union membership, genetic data,
p.(None): biometric data for clear identification, health data or data on sex life or sexual orientation are discriminated
p.(None): forbidden.
p.(None): Section 2
p.(None): Rights of the data subject
p.(None): principle
p.(None): Section 42. (1) The person responsible has all the information and notifications according to Sections 43 to 45 relating to the processing in
p.(None): as precise, understandable and easily accessible as possible in a clear and simple language. The information is in a suitable form, in
p.(None): If possible, submit an application in the same form as the application.
p.(None): (2) The person responsible must make it easier for the data subjects to exercise their rights in accordance with sections 43 to 45.
p.(None): (3) The person responsible must immediately inform the data subject in writing of how their application was dealt with.
p.(None): (4) The person responsible provides the person concerned with information about the measures taken on the basis of an application in accordance with sections 44 to 45,
p.(None): in any case available within one month after receipt of the application. This period can be extended by a further two months if this is under
p.(None): Consideration of the complexity and number of applications is required. The person responsible will notify the person concerned within one month
p.(None): Receipt of the request for an extension, along with the reasons for the delay. If the person concerned submits the application electronically, it is
p.(None): if possible, to inform electronically unless otherwise stated.
p.(None): (5) If the person responsible does not take action at the request of the person concerned, he shall inform the person concerned without delay, but at the latest
p.(None): within one month after receipt of the application about the reasons for this and about the possibility to lodge a complaint with a supervisory authority or a
p.(None): to lodge a judicial remedy.
p.(None): (6) Information according to § 43 as well as all communications and measures according to §§ 44 and 45 are provided free of charge. In the case of manifestly
p.(None): unfounded or - in particular in the case of frequent repetition - excessive applications by a data subject, the person responsible can either
...
Searching for indicator linguistic:
(return to top)
p.(None): Section 49. Directory of processing activities
p.(None): Section 50. Logging
p.(None): Section 51. Cooperation with the data protection authority
p.(None): Section 52. Data protection impact assessment
p.(None): Section 53. Prior consultation with the data protection authority
p.(None): Section 54. Data security measures
p.(None): Section 55. Reporting violations to the data protection authority
p.(None): Section 56. Notification to the data subject of injuries
p.(None): Section 57. Designation, position and tasks of the data protection officer
p.(None): Section 4
p.(None): Transfer of personal data to third countries or international organizations
p.(None): Section 58. General principles for the transmission of personal data
p.(None): Section 59. Data transmission to third countries or international organizations
p.(None): (Note: Section 60 expired on January 15, 2019 (see Federal Law Gazette I No. 14/2019)
p.(None): § 61. repealed by Federal Law Gazette I No. 14/2019)
p.(None): 4. Main piece
p.(None): Special criminal provisions
p.(None): Section 62
p.(None): Section 63. Data processing with the intention of profit or damage
p.(None): 5. Main piece
p.(None): final provisions
p.(None): Section 64. Implementation and implementation of EU legal acts
p.(None): Section 65. Linguistic equal treatment
p.(None): Section 66. Issuing regulations
p.(None): Section 67. References
p.(None): Section 68. Execution
p.(None): Section 69. Transitional provisions
p.(None): § 70. Entry into force
p.(None): text
p.(None): article 1
p.(None): (Constitution determination)
p.(None): Fundamental right to data protection
p.(None): § 1. (1) Everyone, especially with regard to the respect of his private and family life, is entitled to the secrecy of those concerned
p.(None): personal data insofar as there is an interest worthy of protection. The existence of such an interest is excluded if data is due
p.(None): are not accessible to a confidentiality claim due to their general availability or because they cannot be traced back to the person concerned.
p.(None): (2) Insofar as the use of personal data is not in the vital interest of the person concerned or with his consent
p.(None): Limitations on the right to secrecy are only permissible to safeguard the overriding legitimate interests of another, in the event of intrusion
p.(None): State authority only on the basis of laws resulting from the in Article 8 paragraph 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms
p.(None): (ECHR), Federal Law Gazette No. 210/1958, are necessary reasons mentioned. Such laws allow the use of data that is particularly vulnerable in nature
...
p.(None): guaranteed right to damage, personal data entrusted to him solely on the basis of his professional occupation or
p.(None): have become accessible or which he has illegally tampered with, used, made accessible to another or published, even though the person concerned
p.(None): has a confidentiality interest worthy of protection in these data, unless the offense is threatened with a more severe punishment according to another provision, shall be
p.(None): punished by the court with a prison sentence of up to one year or a fine of up to 720 daily rates.
p.(None): 5. Main piece
p.(None): Final provisions
p.(None): Implementation and transposition of EU legal acts
p.(None): Section 64. (1) This Federal Act serves to implement Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of
p.(None): personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), OJ No. L 119 of 4.5.2016 p. 1.
p.(None): (2) This Federal Act also serves to implement Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data
p.(None): by the competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or the execution of sentences, and on the
p.(None): free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ No. L 119 of 4.5.2016 p. 89.
p.(None): Linguistic equal treatment
p.(None): Section 65. Insofar as designations referring to natural persons are only given in male form in this federal law, they refer to women
p.(None): and men in the same way. When applying the terms to certain natural persons, the respective gender-specific form is to be used.
p.(None): Issuing regulations
p.(None): Section 66. Regulations based on this federal law in its current version may be enacted from the day following the announcement
p.(None): of the legal provisions to be implemented; however, they may not enter into force before the statutory provisions to be implemented.
p.(None): References
p.(None): § 67. Insofar as this federal law refers to provisions of other federal laws, these are to be applied in their respectively applicable version.
p.(None): Execution
p.(None): Section 68. The enforcement of this Federal Act, unless it is the responsibility of the Federal Government, is entrusted to the Federal Minister for the Constitution, Reforms,
p.(None): Deregulation and Judiciary, as well as the Federal Chancellor and the other Federal Ministers within their sphere of activity.
p.(None): Transitional provisions
p.(None): Section 69. (1) The term of office of the head of the data protection authority that is in effect at the time this Federal Act comes into force is continued
p.(None): until it expires. This also applies to his deputy.
p.(None): (2) The data processing register maintained by the data protection authority must be archived by the data protection authority until December 31, 2019
...
Social / Occupation
Searching for indicator occupation:
(return to top)
p.(None): 2. deliberately transmits data in violation of data secrecy (Section 6), in particular intentionally processes data that was entrusted to him in accordance with
p.(None): Sections 7 or 8 for other impermissible purposes,
p.(None): 3. deliberately obtains personal data in accordance with § 10 under false pretenses,
p.(None): 4. operates image processing contrary to the provisions of section 3 of the first main part or
p.(None): 5. refuses the inspection in accordance with section 22 (2).
p.(None): (2) The attempt is punishable.
p.(None): (3) Legal entities can be fined in accordance with Section 30 in the event of an administrative offense under paragraphs 1 and 2.
p.(None): (4) The penalty of forfeiture of data carriers and programs as well as image transmission and recording devices can be pronounced (§§ 10, 17
p.(None): and 18 VStG) if these items are connected with an administrative violation according to paragraph 1.
p.(None): (5) The data protection authority is responsible for decisions in accordance with paragraphs 1 to 4.
p.(None): Data processing with the intention of profit or damage
p.(None): Section 63. Anyone who, with the intention of illegally enriching himself or a third party as a result, or with the intention of thereby damaging another person in his
p.(None): right guaranteed by Section 1 (1), has used, made accessible to another or published personal data that were entrusted to him or have become accessible to him
p.(None): solely on the basis of his professional occupation, or which he has illegally tampered with, even though the person concerned
p.(None): has a confidentiality interest worthy of protection in these data, shall be punished by the court with a prison sentence of up to one year or a fine of up to 720 daily rates,
p.(None): unless the offense is threatened with a more severe punishment according to another provision.
p.(None): 5. Main piece
p.(None): Final provisions
p.(None): Implementation and transposition of EU legal acts
p.(None): Section 64. (1) This Federal Act serves to implement Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of
p.(None): personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), OJ No. L 119 of 4.5.2016 p. 1.
p.(None): (2) This Federal Act also serves to implement Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data
p.(None): by the competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or the execution of sentences, and on the
p.(None): free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ No. L 119 of 4.5.2016 p. 89.
p.(None): Linguistic equal treatment
p.(None): Section 65. Insofar as designations referring to natural persons are only given in male form in this federal law, they refer to women
...
Social / Police Officer
Searching for indicator officer:
(return to top)
p.(None): BGBl. I No. 2/2008 (1. BVRBG) (NR: GP XXIII RV 314 AB 370 p. 41. BR: 7799 AB 7830 p. 751.)
p.(None): BGBl. I No. 133/2009 (NR: GP XXIV RV 472 AB 531 p. 49. BR: 8220 AB 8225 p. 780.)
p.(None): BGBl. I No. 135/2009 (NR: GP XXIV RV 485 AB 558 p. 49. BR: 8217 AB 8228 p. 780.)
p.(None): BGBl. I No. 112/2011 (NR: GP XXIV RV 1494 AB 1500 p. 130. BR: 8602 AB 8603 p. 802.)
p.(None): [CELEX-No .: 32009L0133, 32010L0024]
p.(None): BGBl. I No. 51/2012 (NR: GP XXIV RV 1618 AB 1771 p. 155. BR: 8730 AB 8731 p. 809.)
p.(None): BGBl. I No. 57/2013 (NR: GP XXIV RV 2131 AB 2245 p. 194. BR: AB 8940 p. 819.)
p.(None): BGBl. I No. 83/2013 (NR: GP XXIV RV 2168 AB 2268 p. 200. BR: AB 8968 p. 820.)
p.(None): [CELEX No .: 31995L0046]
p.(None): BGBl. I No. 132/2015 (VfGH)
p.(None): BGBl. I No. 120/2017 (NR: GP XXV RV 1664 AB 1761 p. 190. BR: 9824 AB 9856 p. 871.)
p.(None): [CELEX No .: 32016L0680]
p.(None): BGBl. I No. 23/2018 (NR: GP XXVI IA 188 / A AB 99 S. 21. BR: AB 9958 S. 879.)
p.(None): BGBl. I No. 24/2018 (NR: GP XXVI IA 189 / A AB 98 S. 21. BR: AB 9948 S. 879.)
p.(None): BGBl. I No. 14/2019 (NR: GP XXVI RV 301 AB 463 p. 57. BR: AB 10104 p. 888.)
p.(None): Preamble / Promulgatory
p.(None): Table of Contents
p.(None): Article 1
p.(None): (Constitution determination)
p.(None): § 1. Fundamental right to data protection
p.(None): (Note: §§ 2 and 3 repealed by Federal Law Gazette I No. 14/2019)
p.(None): Article 2
p.(None): 1. Main piece
p.(None): Implementation of the General Data Protection Regulation and additional regulations
p.(None): Section 1
p.(None): General provisions
p.(None): § 4. Scope and implementing regulation
p.(None): § 5. Data protection officer
p.(None): § 6. Data secrecy
p.(None): Section 2
p.(None): Data processing for specific purposes
p.(None): § 7. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
p.(None): § 8. Provision of addresses for the notification and questioning of data subjects
p.(None): § 9. Freedom of expression and freedom of information
p.(None): § 10. Processing of personal data in the event of a disaster
p.(None): § 11. Warning by the data protection authority
p.(None): Section 3
p.(None): Image processing
p.(None): § 12. Admissibility of image acquisition
p.(None): § 13. Special data security measures and labeling
p.(None): 2. Main piece
p.(None): Organs
p.(None): Section 1
p.(None): Data Protection
p.(None): § 14. Establishment and tasks
p.(None): § 15. Composition
p.(None): § 16. Chair and management
p.(None): § 17. Meetings and decision-making
p.(None): Section 2
p.(None): DPA
p.(None): § 18. Establishment
p.(None): § 19. Independence
p.(None): § 20. Head of the data protection authority
p.(None): § 21. Tasks
p.(None): § 22. Powers
p.(None): § 23. Activity report and publication of decisions
p.(None): Section 3
p.(None): Remedies, liability and sanctions
p.(None): § 24. Complaint to the data protection authority
p.(None): Section 25. Accompanying measures in the complaint procedure
p.(None): § 26. Responsible for public and private areas
p.(None): § 27. Appeal to the Federal Administrative Court
...
p.(None): Section 37. Principles for data processing, categorization and data quality
p.(None): Section 38. Lawfulness of processing
p.(None): Section 39. Processing of special categories of personal data
p.(None): Section 40. Processing for other purposes and transmission
p.(None): Section 41. Automated decision making in individual cases
p.(None): Section 2
p.(None): Rights of the data subject
p.(None): Section 42. Principles
p.(None): Section 43. Information to the data subject
p.(None): Section 44. Right of the data subject to information
p.(None): Section 45. Right to correction or deletion of personal data and restriction of processing
p.(None): Section 3
p.(None): Responsible and processor
p.(None): Section 46. Responsibilities of the controller
p.(None): Section 47
p.(None): Section 48. Processors and supervision of processing
p.(None): Section 49. Directory of processing activities
p.(None): Section 50. Logging
p.(None): Section 51. Cooperation with the data protection authority
p.(None): Section 52. Data protection impact assessment
p.(None): Section 53. Prior consultation with the data protection authority
p.(None): Section 54. Data security measures
p.(None): Section 55. Reporting violations to the data protection authority
p.(None): Section 56. Notification to the data subject of violations
p.(None): Section 57. Designation, position and tasks of the data protection officer
p.(None): Section 4
p.(None): Transfer of personal data to third countries or international organizations
p.(None): Section 58. General principles for the transmission of personal data
p.(None): Section 59. Data transmission to third countries or international organizations
p.(None): (Note: Section 60 expired on January 15, 2019 (see Federal Law Gazette I No. 14/2019)
p.(None): § 61. repealed by Federal Law Gazette I No. 14/2019)
p.(None): 4. Main piece
p.(None): Special criminal provisions
p.(None): Section 62
p.(None): Section 63. Data processing with the intention of profit or damage
p.(None): 5. Main piece
p.(None): Final provisions
p.(None): Section 64. Implementation and transposition of EU legal acts
p.(None): Section 65. Linguistic equal treatment
p.(None): Section 66. Issuing regulations
p.(None): Section 67. References
p.(None): Section 68. Execution
p.(None): Section 69. Transitional provisions
p.(None): § 70. Entry into force
p.(None): Text
p.(None): Article 1
p.(None): (Constitution determination)
p.(None): Fundamental right to data protection
p.(None): § 1. (1) Everyone, especially with regard to the respect of his private and family life, is entitled to the secrecy of the personal data concerning him
p.(None): insofar as there is an interest worthy of protection. The existence of such an interest is excluded if data are not accessible to a
p.(None): confidentiality claim due to their general availability or because they cannot be traced back to the person concerned.
...
p.(None): Interests of the responsible person or a third party in accordance with Art. 6 Para. f GDPR is required, and the way in which the data processing
p.(None): is carried out, the protection of the interests of the data subject is guaranteed in accordance with the GDPR and this federal law.
p.(None): (4) In the case of an offer of information society services made directly to a child, consent in accordance with Art. 6 Para. 1 lit. a GDPR to the
p.(None): processing of the child's personal data is lawful when the child has reached the age of fourteen.
p.(None): (5) The right to information of the person concerned according to Art. 15 GDPR applies to a sovereign responsible person without prejudice to others
p.(None): statutory restrictions, if, by providing this information, the fulfillment of a task legally assigned to the person responsible
p.(None): is endangered.
p.(None): (6) The right to information of the person concerned in accordance with Art. 15 GDPR does not, as a rule, apply vis-à-vis a person responsible, without prejudice
p.(None): to other statutory restrictions, if, by providing this information, a business or company secret of the person responsible or third parties
p.(None): would be endangered.
p.(None): (Note: Paragraph 7 repealed by Art. 5 no. 3, Federal Law Gazette I No. 14/2019)
p.(None): Data Protection Officer
p.(None): § 5. (1) The data protection officer and the persons working for him are obliged to maintain confidentiality when performing their tasks, without prejudice to other
p.(None): confidentiality obligations. This applies in particular to the identity of data subjects who have contacted the data protection officer, as well as
p.(None): to circumstances that allow conclusions to be drawn about these persons, unless there has been an express release from secrecy by the
p.(None): person concerned. The data protection officer and the persons working for him may use the information made available only to fulfill their
p.(None): tasks and are obliged to maintain confidentiality even after they have finished their work.
p.(None): (2) If a data protection officer, in the course of his or her work, receives knowledge of data for which a person employed by a body under the control of the
p.(None): data protection officer has a legal right to refuse to testify, this right also applies to the data protection officer and those working for him
p.(None): to the extent that the person who has the legal right to refuse to testify has exercised it. To the extent of
p.(None): the data protection officer's right to refuse to testify, his files and other documents are subject to a prohibition on seizure and confiscation.
p.(None): (3) The data protection officer in the public domain (established in forms of public law, in particular also as a body of a
p.(None): local authority) is free from instructions regarding the performance of its duties. The supreme body has the right to inform itself about the matters of
p.(None): management from the data protection officer in the public area. The data protection officer has to comply with this only to the extent that
p.(None): this does not contradict the independence of the data protection officer within the meaning of Art. 38 Para. 3 GDPR.
p.(None): (4) In the sphere of action of each Federal Ministry, taking into account the type and scope of data processing and depending on the institution of the
p.(None): Federal Ministry, one or more data protection officers are to be provided. These must belong to the respective Federal Ministry or the respective subordinate
p.(None): agency or other body.
p.(None): (5) The data protection officers in the public sector in accordance with paragraph 4 maintain a regular exchange of experience, in particular with regard to
p.(None): ensuring a uniform data protection standard.
p.(None): Data secrecy
p.(None): § 6. (1) The person responsible, the processor and their employees - these are employees (employees) and people in an
p.(None): employee-like (employee-like) relationship - must keep secret personal data from data processing operations that have been entrusted to them or have
p.(None): become accessible to them solely on the basis of their professional employment, without prejudice to other legal confidentiality obligations,
p.(None): unless there is a legally permissible reason for the transfer of the entrusted or accessible personal data
p.(None): (data secrecy).
p.(None): (2) Employees may transmit personal data only on the basis of an express order from their employer (employer). The
p.(None): person responsible and the processor must, if such an obligation of their employees does not already exist by law, contractually
p.(None): oblige them to transmit personal data from data processing only on the basis of instructions and to comply with data secrecy even after termination
p.(None): of the employment relationship (employment relationship) with the person responsible or processor.
p.(None): (3) The person responsible and the processor must instruct the employees affected by the orders about the transmission orders applicable to them
p.(None): and about the consequences of a breach of data secrecy.
...
p.(None): 2. refuse to act on the application.
p.(None): The person responsible must provide evidence of the manifestly unfounded or excessive nature of the application.
p.(None): (7) The person responsible can request information to confirm the identity of the person who submitted an application in accordance with sections 44 or 45.
p.(None): (8) In the cases of sections 43 (4), 44 (3) and 45 (4), the person concerned is entitled to request that the data protection authority review the legality
p.(None): of the related restriction of their rights. The person responsible must inform the data subject of this right.
p.(None): (9) If the right referred to in paragraph 8 is exercised, the data protection authority shall at least inform the person concerned that all necessary
p.(None): checks or a review have been carried out by the data protection authority. The data protection authority must also inform the data subject of their right
p.(None): to file a complaint with the Federal Administrative Court.
p.(None): Information to the data subject
p.(None): Section 43. (1) The person responsible must provide the data subject with at least the following information:
p.(None): 1. the name and contact details of the person responsible,
p.(None): 2. if applicable, the contact details of the data protection officer,
p.(None): 3. the purposes for which the personal data are processed,
p.(None): 4. the existence of a right to lodge a complaint with the supervisory authority and its contact details,
p.(None): 5. the existence of a right to information and correction or deletion of personal data and restriction of the processing of the
p.(None): personal data of the data subject by the person responsible.
p.(None): (2) In addition to the information mentioned in paragraph 1, the person responsible must, in special cases, provide the data subject with the following
p.(None): additional information to enable the exercise of the rights of the data subject:
p.(None): 1. the legal basis for processing,
p.(None): 2. the duration for which the personal data are stored or, if this is not possible, the criteria for determining this duration,
p.(None): 3. if applicable, the categories of recipients of the personal data, including recipients in third countries or in international organizations,
p.(None): 4. if necessary, further information, especially if the personal data is collected without the knowledge of the person concerned.
p.(None): (3) In the case of the collection of personal data from the person concerned, the information in accordance with
p.(None): paragraphs 1 and 2 must be available to the person concerned at the time of collection. In all other cases, Article 14 (3) GDPR applies. The information according to paragraphs 1 and 2 can
p.(None): be omitted if the data is not obtained by questioning the person concerned, but is determined by transmitting data from other areas of responsibility of the
p.(None): person responsible or from applications of other persons responsible, and the data processing is provided for by law.
...
p.(None): compliance with the obligations of that other processor.
p.(None): (5) The contract or the other legal instrument within the meaning of paragraphs 3 and 4 must be drawn up in writing, which can also be done in an
p.(None): electronic format.
p.(None): (6) The processor and any person subordinate to the controller or processor who has access to personal data
p.(None): may process this data only on the instructions of the person responsible, unless they are required to process it under EU law or on the basis of
p.(None): laws.
p.(None): (7) A processor who determines the purposes and means of processing in violation of this main part shall be deemed to be the person responsible
p.(None): in relation to this processing.
p.(None): Directory of processing activities
p.(None): Section 49. (1) Each person responsible has to maintain a register of processing activities in accordance with the provisions of Art. 30 Para. 1 to 4 GDPR, whereby
p.(None): the references in Art. 30 Para. 1 lit. g and para. 2 lit. d GDPR refer to § 54 and the reference to a representative of the person responsible or
p.(None): processor is devoid of purpose.
p.(None): (2) The directory in accordance with paragraph 1 must also contain information on
p.(None): 1. the use of profiling when such use is made, and
p.(None): 2. the legal basis for the processing, including the transfers for which the personal data are intended.
p.(None): (3) Each processor must keep a list of all categories of processing activities carried out on behalf of a responsible person
p.(None): that contains:
p.(None): 1. the name and contact details of the processor or processors, each person responsible on whose behalf the processor is active,
p.(None): as well as any data protection officer,
p.(None): 2. the categories of processing carried out on behalf of each person responsible,
p.(None): 3. if applicable, transfers of personal data to a third country or to an international organization, if the person responsible
p.(None): instructed accordingly, including identification of the third country or international organization,
p.(None): 4. if possible, a general description of the technical and organizational measures in accordance with Section 54 (1).
p.(None): Logging
p.(None): Section 50. (1) Every processing operation must be logged in a suitable manner so that the admissibility of the processing can be reproduced and
p.(None): checked.
p.(None): (2) In automated processing systems, all processing operations must be logged in an automated form. From this log data,
p.(None): at least the purpose, the data processed, the date and time of processing, the identification of the person who processed the personal data,
p.(None): as well as the identity of any recipient of such personal data must be evident.
p.(None): (3) In non-automated processing systems, at least queries and disclosures including transfers, changes and
p.(None): deletions must be logged. Paragraph 2, second sentence, applies to this log data.
p.(None): (4) The logs may only be used to check the legality of data processing, including self-monitoring, to guarantee
p.(None): the integrity and security of personal data, and in judicial criminal proceedings.
p.(None): (5) The controller and the processor must make the logs available to the data protection authority on request.
p.(None): Cooperation with the data protection authority
...
p.(None): 10. Ensuring that all functions of the system are available, malfunctions are reported (reliability) and stored
p.(None): personal data cannot be damaged by system malfunctions (data integrity).
p.(None): Reporting of violations to the data protection authority
p.(None): Section 55. (1) In accordance with Art. 33 GDPR, the controller must report violations of the protection of personal data to the data protection
p.(None): authority.
p.(None): (2) Insofar as the breach of protection relates to personal data that have been transmitted by or to the controller of another Member State
p.(None): of the European Union, the information specified in Article 33 (3) GDPR must be transmitted to the controller of that Member State of the
p.(None): European Union immediately.
p.(None): Notification to the data subject of violations
p.(None): Section 56. (1) In accordance with Art. 34 GDPR, the person responsible must notify the data subject of violations of the protection of their
p.(None): personal data.
p.(None): (2) The notification according to paragraph 1 can be postponed, restricted or omitted under the conditions specified in § 43 paragraph 4.
p.(None): Designation, position and tasks of the data protection officer
p.(None): Section 57. (1) Each person responsible must appoint a data protection officer in accordance with Art. 37 (5) and (7) GDPR. Courts are, in the context
p.(None): of their judicial activity, exempt from the obligation to appoint a data protection officer. § 5 applies analogously with regard to the provisions of this
p.(None): main piece.
p.(None): (2) Art. 38 GDPR applies to the position of data protection officer.
p.(None): (3) The data protection officer is responsible for the tasks specified in Art. 39 GDPR with regard to compliance with the provisions of this main part.
p.(None): (4) The person responsible must publish the contact details of the data protection officer and notify the data protection authority.
p.(None): Section 4
p.(None): Transfer of personal data to third countries or international organizations
p.(None): General principles for the transfer of personal data
p.(None): Section 58. (1) A transfer by competent authorities of personal data that is already being processed or is to be processed after it has been transferred to a
p.(None): third country or an international organization is only permitted if the provisions of this main part are followed and
p.(None): 1. the transmission is necessary for the purposes specified in Section 36 (1),
p.(None): 2. the personal data are transmitted to a person responsible in a third country or an international organization that is a competent authority
p.(None): for the purposes mentioned in § 36 para. 1,
p.(None): 3. in cases where personal data are transmitted or made available from another EU member state, this member state
p.(None): has previously approved the transmission,
p.(None): 4. the European Commission has taken an adequacy decision in accordance with Section 59 (1) and (2) or, if there is no such decision, appropriate
p.(None): guarantees within the meaning of Section 59 (3) to (5) have been provided or exist or, if there is no adequacy decision under Section 59 (1) and (2) and
p.(None): there are no suitable guarantees within the meaning of Section 59 (3) to (5), exceptions for certain cases apply in accordance with Section 59 (6) and (7), and
p.(None): 5. It is ensured that a transfer to another third country or another international organization is only possible on the basis of a previous one
...
Searching for indicator police:
(return to top)
p.(None): § 19. Independence
p.(None): § 20. Head of the data protection authority
p.(None): § 21. Tasks
p.(None): § 22. Powers
p.(None): § 23. Activity report and publication of decisions
p.(None): Section 3
p.(None): Remedies, liability and sanctions
p.(None): § 24. Complaint to the data protection authority
p.(None): Section 25. Accompanying measures in the complaint procedure
p.(None): § 26. Responsible for public and private areas
p.(None): § 27. Appeal to the Federal Administrative Court
p.(None): Section 28. Representation of data subjects
p.(None): § 29. Liability and right to compensation
p.(None): § 30. General conditions for imposing fines
p.(None): Section 4
p.(None): Regulatory authority according to Directive (EU) 2016/680
p.(None): § 31. Data protection authority
p.(None): Section 32. Tasks of the data protection authority
p.(None): Section 33. Powers of the data protection authority
p.(None): § 34. General provisions
p.(None): Section 5
p.(None): Special powers of the data protection authority
p.(None): § 35.
p.(None): 3. Main piece
p.(None): Processing of personal data for the purposes of the security police including police state protection, military
p.(None): self-protection, the investigation and prosecution of criminal offenses, the execution of sentences and the execution of measures
p.(None): Section 1
p.(None): General provisions
p.(None): § 36. Scope and definitions
p.(None): Section 37. Principles for data processing, categorization and data quality
p.(None): Section 38. Lawfulness of processing
p.(None): Section 39. Processing of special categories of personal data
p.(None): Section 40. Processing for other purposes and transmission
p.(None): Section 41. Automated decision making in individual cases
p.(None): Section 2
p.(None): Rights of the data subject
p.(None): Section 42. Principles
p.(None): Section 43. Information to the data subject
p.(None): Section 44. Right of the data subject to information
p.(None): Section 45. Right to correction or deletion of personal data and restriction of processing
p.(None): Section 3
p.(None): Responsible and processor
p.(None): Section 46. Responsibilities of the controller
p.(None): Section 47
p.(None): Section 48. Processors and supervision of processing
p.(None): Section 49. Directory of processing activities
p.(None): Section 50. Logging
p.(None): Section 51. Cooperation with the data protection authority
p.(None): Section 52. Data protection impact assessment
p.(None): Section 53. Prior consultation with the data protection authority
p.(None): Section 54. Data security measures
...
p.(None): (3) As part of the activity report pursuant to Section 23, the data protection authority must report on the activities according to Section 4 and 5. The requirements
p.(None): of Art. 59 GDPR and § 23 for the activity report and the publication of decisions apply mutatis mutandis.
p.(None): (4) Article 61 (1) to (7) GDPR applies mutatis mutandis to mutual administrative assistance within the scope of Section 36 (1).
p.(None): (5) In the area of application of section 36 (1), the provisions of section 3 of the second main piece - with the exception of section 30 - apply mutatis mutandis.
p.(None): Section 5
p.(None): Special powers of the data protection authority
p.(None): Section 35. (1) The data protection authority is appointed to safeguard data protection in accordance with the more detailed provisions of the GDPR and this Federal Act.
p.(None): (2) (Constitutional provision) The data protection authority also exercises its powers vis-à-vis the supreme organs of
p.(None): enforcement as well as towards the highest bodies according to Art. 30 Paragraphs 3 to 6, 125, 134 Paragraph 8 and 148h Paragraphs 1 and 2 B-VG in the area of the
p.(None): administrative matters to which they are entitled.
p.(None): 3. Main piece
p.(None): Processing of personal data for the purposes of the security police including police state protection, military
p.(None): self-protection, the investigation and prosecution of criminal offenses, the execution of sentences and the execution of measures
p.(None): Section 1
p.(None): General provisions
p.(None): Scope and definitions
p.(None): Section 36. (1) The provisions of this main section apply to the processing of personal data by competent authorities for the purpose of prevention,
p.(None): investigation, detection or prosecution of criminal offenses or the execution of sentences, including protection against and averting threats to public
p.(None): security, as well as for the purposes of national security, intelligence and military intrinsic security.
p.(None): (2) For the purposes of this main piece, the expression denotes:
p.(None): 1. "Personal data" means all information relating to an identified or identifiable natural person (hereinafter referred to as "affected person");
p.(None): a natural person is considered to be identifiable if he or she can be identified directly or indirectly, in particular by means of assignment to an identifier such as a
p.(None): name, an identification number, location data, an online identifier or one or more special features that express the
p.(None): physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person;
...
Social / Property Ownership
Searching for indicator home:
p.(None): Home Contact Sitemap Imprint Deutsch
p.(None): [Federal law] State law Municipal law Judiciary Other announcements, decrees Total query
p.(None): Federal law consolidated: Entire legal regulation for data protection law, version from 01.02.2020 print view
p.(None): Long title
p.(None): Federal Act for the Protection of Natural Persons in the Processing of Personal Data (Data Protection Act - DSG)
p.(None): StF: BGBl. I No. 165/1999 (NR: GP XX RV 1613 AB 2028 p. 179. BR: 5992 AB 6034 p. 657.)
p.(None): [CELEX No.: 395L0046]
p.(None): modification
p.(None): BGBl. I No. 136/2001 (NR: GP XXI RV 742 AB 824 p. 81. BR: 6458 AB 6459 p. 681.)
p.(None): BGBl. I No. 13/2005 (NR: GP XXII IA 515 / A AB 821 p. 96. BR: AB 7228 p. 719.)
p.(None): BGBl. I No. 2/2008 (1. BVRBG) (NR: GP XXIII RV 314 AB 370 p. 41. BR: 7799 AB 7830 p. 751.)
p.(None): BGBl. I No. 133/2009 (NR: GP XXIV RV 472 AB 531 p. 49. BR: 8220 AB 8225 p. 780.)
p.(None): BGBl. I No. 135/2009 (NR: GP XXIV RV 485 AB 558 p. 49. BR: 8217 AB 8228 p. 780.)
p.(None): BGBl. I No. 112/2011 (NR: GP XXIV RV 1494 AB 1500 p. 130. BR: 8602 AB 8603 p. 802.)
p.(None): [CELEX-No.: 32009L0133, 32010L0024]
p.(None): BGBl. I No. 51/2012 (NR: GP XXIV RV 1618 AB 1771 p. 155. BR: 8730 AB 8731 p. 809.)
p.(None): BGBl. I No. 57/2013 (NR: GP XXIV RV 2131 AB 2245 p. 194. BR: AB 8940 p. 819.)
p.(None): BGBl. I No. 83/2013 (NR: GP XXIV RV 2168 AB 2268 p. 200. BR: AB 8968 p. 820.)
p.(None): [CELEX No.: 31995L0046]
p.(None): BGBl. I No. 132/2015 (VfGH)
p.(None): BGBl. I No. 120/2017 (NR: GP XXV RV 1664 AB 1761 p. 190. BR: 9824 AB 9856 p. 871.)
p.(None): [CELEX No.: 32016L0680]
p.(None): BGBl. I No. 23/2018 (NR: GP XXVI IA 188 / A AB 99 p. 21. BR: AB 9958 p. 879.)
...
Searching for indicator property:
p.(None): Particularly in the case of first-time violations, the data protection authority is warned of its remedial powers in accordance with Art. 58 GDPR, in particular by warning
p.(None): Make use.
p.(None): Section 3
p.(None): image processing
p.(None): Permissibility of image acquisition
p.(None): § 12. (1) An image in the sense of this section describes the image taken by using technical equipment for image processing
p.(None): Detection of events in public or non-public space for private purposes. Acoustic processing also included in the image acquisition
p.(None): Information. This section applies to this type of image recording, unless otherwise specifically stipulated by other laws.
p.(None): (2) Taking a picture is permitted, taking into account the requirements of § 13, if
p.(None): 1. it is necessary in the vital interest of a person,
p.(None): 2. the data subject has consented to the processing of their personal data,
p.(None): 3. it is ordered or permitted by special legal provisions, or
p.(None): 4. In individual cases there are overriding legitimate interests of the person responsible or a third party and the proportionality is given.
p.(None): (3) Image acquisition is permitted in accordance with paragraph 2 no. 4 if
p.(None): 1. it serves the preventive protection of people or things on private properties that are used exclusively by the person responsible, and
p.(None): spatially does not extend beyond the property, with the exception of a public involvement that is at best inevitable to achieve the purpose
p.(None): Traffic areas,
p.(None): 2. for the preventive protection of people or things in publicly accessible places that are subject to the house right of the person responsible,
p.(None): is necessary due to legal violations that have already taken place or due to a special hazard potential in the nature of the place, or
p.(None): 3. it pursues a private interest in documentation that does not aim at identifying uninvolved persons or the targeted recording of
p.(None): Objects that are suitable for the indirect identification of such persons.
p.(None): (4) Is not permitted
p.(None): 1. taking a picture without the express consent of the person concerned in their highly personal life,
p.(None): 2. an image for the purpose of checking employees,
p.(None): 3. the automation-supported comparison of personal data obtained by means of image recordings without express consent and for that
p.(None): Creation of personality profiles with other personal data or
p.(None): 4. the evaluation of personal data obtained by means of image recordings based on special categories of personal data (Art. 9
p.(None): GDPR) as a selection criterion.
p.(None): (5) Personal data determined by means of a permissible image acquisition may be transmitted to the extent necessary for the transmission
p.(None): one of the requirements of paragraph 2 items 1 to 4 is met. Paragraph 4 applies accordingly.
p.(None): Special data security measures and labeling
p.(None): § 13. (1) The person responsible must take appropriate data security measures adapted to the risk of intrusion and ensure that the
p.(None): Access to the image recording and subsequent changes to it by unauthorized persons is excluded.
p.(None): (2) The person responsible - except in the case of real-time monitoring - must log every processing operation.
p.(None): (3) Recorded personal data are to be deleted by the person responsible if they are no longer required for the purpose for which they were determined
p.(None): and there is no other legally required retention requirement. Storage longer than 72 hours must be proportionate
p.(None): and must be recorded and justified separately.
p.(None): (4) Paragraphs 1 to 3 do not apply to image recordings in accordance with Section 12 paragraph 3 line 3.
p.(None): (5) The person responsible for an image recording must mark it appropriately. In any case, the person responsible has clear from the labeling
p.(None): unless the person concerned is already aware of the circumstances of the case.
p.(None): (6) The labeling obligation does not apply in the cases of Section 12 (3) (3) and for processing that is strictly limited in time in individual cases, their purpose
p.(None): can only be achieved by means of a covert investigation, provided that the person responsible has sufficient guarantees to safeguard the
p.(None): Provides for the interests of those affected, in particular by informing the data subjects retrospectively.
p.(None): (7) If, contrary to Paragraph 5, sufficient information is not provided, anyone who is potentially affected by processing can do so from the owner or
p.(None): Authorized users of a property or a building or other object from which such processing apparently originates, information
p.(None): request about the identity of the person responsible. The unfounded failure to provide such information constitutes a refusal to provide information pursuant to Art
p.(None): GDPR to keep the same.
p.(None): 2. Main piece
p.(None): organs
p.(None): Section 1
p.(None): Data Protection
p.(None): Setup and tasks
p.(None): § 14. (1) A data protection council has been set up at the Federal Ministry for Constitution, Reforms, Deregulation and Justice. This takes questions from
p.(None): of fundamental importance for data protection position, promotes the uniform further development of data protection and advises the Federal Government in
p.(None): legal policy regarding data protection relevant projects.
p.(None): (2) To fulfill its tasks in accordance with paragraph 1
p.(None): 1. The Data Protection Council can make recommendations in terms of data protection law to the Federal Government and the Federal Ministers;
p.(None): 2. the data protection council can issue or commission expert opinions;
p.(None): 3. gives the Data Protection Council the opportunity to comment on draft laws of the federal ministries, insofar as these are important under data protection law
...
Social / Racial Minority
Searching for indicator minority:
p.(None): Officials of the Federal Ministry for the Constitution, Reforms, Deregulation and Justice subject to the instructions of the Chairman of the Data Protection Council
p.(None): bound.
p.(None): Meetings and decision making
p.(None): Section 17. (1) The meetings of the Data Protection Council are convened by the chairman as required. Each member of the Data Protection Council can write the
p.(None): Request the convening of the Data Protection Council stating the desired subject of the negotiation. If there is such a request, the chairman has
p.(None): to schedule the session to take place no later than four weeks after the request is received.
p.(None): (2) Each member of the Data Protection Council is - except in the case of justified prevention - obliged to attend the meetings of the Data Protection Council
p.(None): participate. The substitute member will only attend the meeting if the member is unable to attend.
p.(None): (3) The presence of more than half of its members or substitute members is required for deliberations and decision-making in the Data Protection Council.
p.(None): A simple majority of the votes cast is sufficient to pass resolutions. In a tie vote, the Chairman shall be decisive.
p.(None): Abstentions are not permitted. Minority votes are permitted.
p.(None): (4) In the case of urgent matters, the chairperson may appoint the deputy chairperson and one representative of the political parties (section 15 subsection 1 no.1)
p.(None): invite to an extraordinary meeting (Presidium).
p.(None): (5) The Data Protection Council may form permanent or non-permanent working committees from among its members, which it shall prepare, assess and process
p.(None): individual matters. He is also entitled to the management, pre-assessment and processing of individual matters
p.(None): individual member (rapporteur).
p.(None): (6) The head of the data protection authority is entitled to attend the meetings of the data protection council or its working committees. A right to vote
p.(None): is not entitled to him.
p.(None): (7) If necessary, the chairman can call in experts to the meetings of the Data Protection Council or to working committees. Also for preparation
p.(None): At meetings of the Data Protection Council or working committees, the Chairman of the Data Protection Council can involve experts in the respective field, insofar as
p.(None): this is necessary to clarify questions of particular importance for data protection.
p.(None): (8) Unless it decides otherwise, the deliberations in the meetings of the Data Protection Council are not public. The members and substitute members
...
Searching for indicator racial:
p.(None): personal data required by the recipient.
p.(None): (8) If it is determined ex officio or as a result of a communication from a person concerned that personal data have been transmitted that do not comply with the
p.(None): 6, the submitting agency and authority responsible for the file system notifies the receiving agency or authority
p.(None): immediately with. The latter immediately has the deletion of illegally transmitted data, the correction of incorrect data, the addition of incomplete data
p.(None): Data or to restrict processing.
p.(None): (9) Does the receiving agency or authority have reason to believe that personal data transmitted is incorrect or not up to date or is too
p.(None): delete or restrict processing, it will inform the transmitting agency or authority immediately. The latter takes hold
p.(None): the necessary measures immediately.
p.(None): Lawfulness of processing
p.(None): § 38. The processing of personal data is only legal, unless it is necessary to safeguard a person's vital interests,
p.(None): insofar as they are provided for by law or in directly applicable legal provisions which have the rank of a law within the country and for the fulfillment
p.(None): is necessary and proportionate to a task performed by the competent authority for the purposes specified in section 36 (1).
p.(None): Processing of special categories of personal data
p.(None): § 39. The processing of personal data from which the racial or ethnic origin, political opinions, religious or ideological
p.(None): Beliefs or union membership emerge, as well as the processing of genetic data, biometric data for unambiguous
p.(None): Identification of a natural person, health data or data on the sexual life or sexual orientation of a natural person for those in § 36
p.(None): Paragraph 1 is only permitted if processing is absolutely necessary and effective measures to protect the rights and freedoms of the
p.(None): data subjects are affected and
p.(None): 1. processing is permitted in accordance with § 38 or
p.(None): 2. It relates to data that the data subject has obviously made public himself.
p.(None): Processing for other purposes and transmission
p.(None): Section 40. (1) Processing of personal data in accordance with the provisions of this main part by the same or another person responsible
p.(None): for a processing purpose other than that for which they were collected is only permitted if this other purpose falls outside the scope of Section 36 (1)
p.(None): is included and the requirements of sections 38 and 39 are met.
p.(None): (2) The transmission of personal data processed in accordance with the provisions of this main part for a purpose not mentioned in Section 36 (1)
p.(None): is only permitted if this is expressly stipulated by law or in directly applicable legal provisions that have the status of a national law
p.(None): is provided and the recipient is authorized to process this personal data for this other purpose.
p.(None): (3) If the processing of personal data is subject to special conditions, the transmitting competent authority has the recipient of the
p.(None): to point out personal data that these conditions apply and must be complied with. The transmission to recipients in other Member States
p.(None): or bodies and other bodies established under Title V Chapters 4 and 5 TFEU may not be subject to conditions that are not applicable to
p.(None): corresponding data transfers in Germany apply.
p.(None): Automated decision making in individual cases
p.(None): Section 41. (1) Only decisions based on automatic processing, including profiling, which are detrimental to the person concerned
p.(None): Legal consequences or may significantly affect them are only permitted if they are legally or in directly applicable legal provisions that
p.(None): have the status of a national law, are expressly provided for.
p.(None): (2) Decisions according to paragraph 1 may only be based on special categories of personal data according to § 39 if and insofar as effective measures
p.(None): to protect the rights and freedoms and the legitimate interests of the data subject.
p.(None): (3) Decisions according to paragraph 1, which have the consequence that natural persons based on personal data from which the racial or
p.(None): ethnic origin, political opinions, religious or ideological beliefs or union membership, genetic data,
p.(None): biometric data for clear identification, health data or data on sex life or sexual orientation are discriminated
p.(None): forbidden.
p.(None): Section 2
p.(None): Rights of the data subject
p.(None): principle
p.(None): Section 42. (1) The person responsible has all the information and notifications according to Sections 43 to 45 relating to the processing in
p.(None): as precise, understandable and easily accessible as possible in a clear and simple language. The information is in a suitable form, in
p.(None): If possible, submit an application in the same form as the application.
p.(None): (2) The person responsible must make it easier for the data subjects to exercise their rights in accordance with sections 43 to 45.
p.(None): (3) The person responsible must immediately inform the data subject in writing of how their application was dealt with.
p.(None): (4) The person responsible provides the person concerned with information about the measures taken on the basis of an application in accordance with sections 44 to 45,
p.(None): in any case available within one month after receipt of the application. This period can be extended by a further two months if this is under
p.(None): Consideration of the complexity and number of applications is required. The person responsible will notify the person concerned within one month
p.(None): Receipt of the request for an extension, along with the reasons for the delay. If the person concerned submits the application electronically, it is
...
Social / Religion
Searching for indicator faith:
p.(None): unintentionally or illegally, or leads to the unauthorized disclosure or access to personal data that
p.(None): transmitted, stored or otherwise processed;
p.(None): 12. "genetic data" personal data on the inherited or acquired genetic characteristics of a natural person, the unique
p.(None): Provide information about the physiology or health of this natural person and in particular from the analysis of a biological sample of the
p.(None): concerned natural person;
p.(None): 13. “biometric data” means personal data obtained using special technical processes relating to physical, physiological or
p.(None): characteristics typical of the behavior of a natural person, which enable or confirm the clear identification of this natural person, such as
p.(None): Facial images or dactyloscopic data;
p.(None): 14. "health data" means personal data relating to the physical or mental health of a natural person, including its provision
p.(None): health services, which provide information about their health status;
p.(None): 15. "Supervisory Authority" is the data protection authority;
p.(None): 16. "international organization" means an international law organization and its subordinate bodies or any other body which is defined by an intermediate
p.(None): an agreement was concluded between two or more states or was established on the basis of such an agreement.
p.(None): Principles for data processing, categorization and data quality
p.(None): Section 37. (1) Personal data
p.(None): 1. must be processed lawfully and in good faith,
p.(None): 2. Must be collected for specified, clear and lawful purposes and not processed in a way that is incompatible with these purposes
p.(None): become,
p.(None): 3. must correspond to the processing purpose and must be decisive and may not in relation to the purposes for which they are processed
p.(None): be excessive
p.(None): 4. must be factually correct and, if necessary, up to date; all appropriate measures must be taken to ensure that
p.(None): personal data that are incorrect with regard to the purposes of their processing are deleted or corrected immediately,
p.(None): 5. may not be stored in a form that identifies the data for any longer than is necessary for the purposes for which they are processed
p.(None): enables data subjects
p.(None): 6. must be processed in a way that ensures adequate security of personal data, including protection against
p.(None): unauthorized or unlawful processing and against accidental loss, accidental destruction or accidental damage by
p.(None): appropriate technical and organizational measures.
p.(None): (2) For processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes
p.(None): Purposes within the scope of Section 36 (1) apply to Section 38.
p.(None): (3) The person responsible is responsible for compliance with paragraphs 1 and 2 and must be able to demonstrate compliance.
p.(None): (4) As far as possible and reasonable, a distinction must be made between personal data, in particular the following categories of data subjects:
p.(None): 1. People who are specifically suspected of having committed a criminal act due to certain facts,
...
Searching for indicator religious:
p.(None): legal policy regarding data protection relevant projects.
p.(None): (2) To fulfill its tasks in accordance with paragraph 1
p.(None): 1. The Data Protection Council can make recommendations in terms of data protection law to the Federal Government and the Federal Ministers;
p.(None): 2. the data protection council can issue or commission expert opinions;
p.(None): 3. gives the Data Protection Council the opportunity to comment on draft laws of the federal ministries, insofar as these are important under data protection law
p.(None): are to be given, as well as to regulations in the federal enforcement area that concern essential data protection issues;
p.(None): 4. The Data Protection Council has the right to request information and reports from those responsible in the public sector, insofar as this relates to
p.(None): data protection assessment of projects with significant effects on data protection in Austria is necessary;
p.(None): 5. The Data Protection Council can publish its observations, concerns and suggestions and be aware of those responsible in the public domain
p.(None): bring.
p.(None): (3) Paragraph 2 no. 3 and 4 does not apply insofar as internal affairs of recognized churches and religious societies are concerned.
p.(None): composition
p.(None): § 15. (1) The Data Protection Council includes:
p.(None): 1. Representatives of the political parties: Twelve members send the political parties according to the d’Hondt system in proportion to their mandate in the
p.(None): Central Committee of the National Council. Every political party represented in the main committee of the National Council is entitled to be represented in the Data Protection Council
p.(None): his. A party represented on the main committee of the National Council, which according to the above calculation has no member, can be a member by name
p.(None): do;
p.(None): 2. one representative each from the Federal Chamber of Workers and Salaried Employees and the Austrian Chamber of Commerce;
p.(None): 3. two representatives of the countries;
p.(None): 4. one representative each from the Association of Municipalities and the Association of Cities;
p.(None): 5. a federal representative to be sent by the Federal Minister for the Constitution, Reforms, Deregulation and Justice;
p.(None): 6. a representative to be appointed by the Federal Government from among the data protection officers of the Federal Ministries;
...
p.(None): 6, the submitting agency and authority responsible for the file system notifies the receiving agency or authority
p.(None): immediately with. The latter immediately has the deletion of illegally transmitted data, the correction of incorrect data, the addition of incomplete data
p.(None): Data or to restrict processing.
p.(None): (9) Does the receiving agency or authority have reason to believe that personal data transmitted is incorrect or not up to date or is too
p.(None): delete or restrict processing, it will inform the transmitting agency or authority immediately. The latter takes hold
p.(None): the necessary measures immediately.
p.(None): Lawfulness of processing
p.(None): § 38. The processing of personal data is only legal, unless it is necessary to safeguard a person's vital interests,
p.(None): insofar as they are provided for by law or in directly applicable legal provisions which have the rank of a law within the country and for the fulfillment
p.(None): is necessary and proportionate to a task performed by the competent authority for the purposes specified in section 36 (1).
p.(None): Processing of special categories of personal data
p.(None): § 39. The processing of personal data from which the racial or ethnic origin, political opinions, religious or ideological
p.(None): Beliefs or union membership emerge, as well as the processing of genetic data, biometric data for unambiguous
p.(None): Identification of a natural person, health data or data on the sexual life or sexual orientation of a natural person for those in § 36
p.(None): Paragraph 1 is only permitted if processing is absolutely necessary and effective measures to protect the rights and freedoms of the
p.(None): data subjects are affected and
p.(None): 1. processing is permitted in accordance with § 38 or
p.(None): 2. It relates to data that the data subject has obviously made public himself.
p.(None): Processing for other purposes and transmission
p.(None): Section 40. (1) Processing of personal data in accordance with the provisions of this main part by the same or another person responsible
p.(None): for a processing purpose other than that for which they were collected is only permitted if this other purpose falls outside the scope of Section 36 (1)
p.(None): is included and the requirements of sections 38 and 39 are met.
p.(None): (2) The transmission of personal data processed in accordance with the provisions of this main part for a purpose not mentioned in Section 36 (1)
p.(None): is only permitted if this is expressly stipulated by law or in directly applicable legal provisions that have the status of a national law
p.(None): is provided and the recipient is authorized to process this personal data for this other purpose.
p.(None): (3) If the processing of personal data is subject to special conditions, the transmitting competent authority has the recipient of the
p.(None): to point out personal data that these conditions apply and must be complied with. The transmission to recipients in other Member States
p.(None): or bodies and other bodies established under Title V Chapters 4 and 5 TFEU may not be subject to conditions that are not applicable to
p.(None): corresponding data transfers in Germany apply.
p.(None): Automated decision making in individual cases
p.(None): Section 41. (1) Only decisions based on automatic processing, including profiling, which are detrimental to the person concerned
p.(None): Legal consequences or may significantly affect them are only permitted if they are legally or in directly applicable legal provisions that
p.(None): have the status of a national law, are expressly provided for.
p.(None): (2) Decisions according to paragraph 1 may only be based on special categories of personal data according to § 39 if and insofar as effective measures
p.(None): to protect the rights and freedoms and the legitimate interests of the data subject.
p.(None): (3) Decisions according to paragraph 1, which have the consequence that natural persons based on personal data from which the racial or
p.(None): ethnic origin, political opinions, religious or ideological beliefs or union membership, genetic data,
p.(None): biometric data for clear identification, health data or data on sex life or sexual orientation are discriminated
p.(None): forbidden.
p.(None): Section 2
p.(None): Rights of the data subject
p.(None): principle
p.(None): Section 42. (1) The person responsible has all the information and notifications according to Sections 43 to 45 relating to the processing in
p.(None): as precise, understandable and easily accessible as possible in a clear and simple language. The information is in a suitable form, in
p.(None): If possible, submit an application in the same form as the application.
p.(None): (2) The person responsible must make it easier for the data subjects to exercise their rights in accordance with sections 43 to 45.
p.(None): (3) The person responsible must immediately inform the data subject in writing of how their application was dealt with.
p.(None): (4) The person responsible provides the person concerned with information about the measures taken on the basis of an application in accordance with sections 44 to 45,
p.(None): in any case available within one month after receipt of the application. This period can be extended by a further two months if this is under
p.(None): Consideration of the complexity and number of applications is required. The person responsible will notify the person concerned within one month
p.(None): Receipt of the request for an extension, along with the reasons for the delay. If the person concerned submits the application electronically, it is
p.(None): if possible, to inform electronically unless otherwise stated.
p.(None): (5) If the person responsible does not take action at the request of the person concerned, he shall inform the person concerned without delay, but at the latest
...
Social / Soldier
Searching for indicator military:
p.(None): § 21. Tasks
p.(None): § 22. Powers
p.(None): § 23. Activity report and publication of decisions
p.(None): Section 3
p.(None): Remedies, liability and sanctions
p.(None): § 24. Complaint to the data protection authority
p.(None): Section 25. Accompanying measures in the complaint procedure
p.(None): § 26. Responsible for public and private areas
p.(None): § 27. Appeal to the Federal Administrative Court
p.(None): Section 28. Representation of data subjects
p.(None): § 29. Liability and right to compensation
p.(None): § 30. General conditions for imposing fines
p.(None): Section 4
p.(None): Regulatory authority according to Directive (EU) 2016/680
p.(None): § 31. Data protection authority
p.(None): Section 32. Tasks of the data protection authority
p.(None): Section 33. Powers of the data protection authority
p.(None): § 34. General provisions
p.(None): Section 5
p.(None): Special powers of the data protection authority
p.(None): § 35.
p.(None): 3. Main piece
p.(None): Processing of personal data for the purposes of the security police including police state protection, military
p.(None): Self-protection, the investigation and prosecution of criminal offenses, the execution of sentences and the execution of measures
p.(None): Section 1
p.(None): General provisions
p.(None): § 36. Scope and definitions
p.(None): Section 37. Principles for data processing, categorization and data quality
p.(None): Section 38. Lawfulness of processing
p.(None): Section 39. Processing of special categories of personal data
p.(None): Section 40. Processing for other purposes and transmission
p.(None): Section 41. Automated decision making in individual cases
p.(None): Section 2
p.(None): Rights of the data subject
p.(None): Section 42. Principles
p.(None): Section 43. Information to the data subject
p.(None): Section 44. Right of the data subject to information
p.(None): Section 45. Right to correction or deletion of personal data and restriction of processing
p.(None): Section 3
p.(None): Responsible and processor
p.(None): Section 46. Responsibilities of the controller
p.(None): Section 47
p.(None): Section 48. Processors and supervision of processing
p.(None): Section 49. Directory of processing activities
p.(None): Section 50. Logging
p.(None): Section 51. Cooperation with the data protection authority
p.(None): Section 52. Data protection impact assessment
p.(None): Section 53. Prior consultation with the data protection authority
p.(None): Section 54. Data security measures
...
p.(None): Art. 59 GDPR and § 23 for the activity report and the publication of decisions apply mutatis mutandis.
p.(None): (4) Article 61 (1) to (7) GDPR applies mutatis mutandis to mutual administrative assistance within the scope of Section 36 (1).
p.(None): (5) In the area of application of section 36 (1), the provisions of section 3 of the second main piece - with the exception of section 30 - apply mutatis mutandis.
p.(None): Section 5
p.(None): Special powers of the data protection authority
p.(None): Section 35. (1) The data protection authority is appointed to safeguard data protection in accordance with the more detailed provisions of the GDPR and this Federal Act.
p.(None): (2) (Constitutional provision) The data protection authority also exercises its powers vis-à-vis the supreme organs of the
p.(None): Enforcement as well as towards the highest bodies according to Art. 30 Paragraphs 3 to 6, 125, 134 Paragraph 8 and 148h Paragraphs 1 and 2 B-VG in the area to which they are entitled
p.(None): Administrative matters.
p.(None): 3. Main piece
p.(None): Processing of personal data for the purposes of the security police including police state protection, military
p.(None): Self-protection, the investigation and prosecution of criminal offenses, the execution of sentences and the execution of measures
p.(None): Section 1
p.(None): General provisions
p.(None): Scope and definitions
p.(None): Section 36. (1) The provisions of this main section apply to the processing of personal data by competent authorities for the purpose of prevention,
p.(None): Investigation, detection or prosecution of criminal offenses or the execution of sentences, including protection against and averting threats to the public
p.(None): Security, as well as for the purposes of national security, intelligence and military intrinsic security.
p.(None): (2) For the purposes of this main piece, the expression denotes:
p.(None): 1. "Personal data" means all information relating to an identified or identifiable natural person (hereinafter referred to as "affected person")
p.(None): Respectively; A natural person is considered to be identifiable if he or she is directly or indirectly, in particular by means of assignment to an identifier such as one
p.(None): Names, an identification number, location data, an online identifier or one or more special features that express the
p.(None): physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person are identified
p.(None): can be;
p.(None): 2. "Processing" means any process carried out with or without the aid of automated processes or any such series of processes in connection with
p.(None): Personal data such as collecting, collecting, organizing, organizing, storing, adapting or changing that
p.(None): Reading, querying, using, disclosing through transmission, distribution or any other form of provision, comparison or
p.(None): Linkage, restriction, deletion or destruction;
p.(None): 3. "Restriction of processing" means the marking of stored personal data with the aim of restricting their future processing;
p.(None): 4. "Profiling" means any type of automated processing of personal data that consists of the use of this personal data,
p.(None): to assess certain personal aspects relating to a natural person, in particular aspects related to work performance,
p.(None): economic situation, health, personal preferences, interests, reliability, behavior, location or relocation of this natural person
p.(None): to analyze or predict;
p.(None): 5. "Pseudonymization" means the processing of personal data in such a way that the personal data is not used
p.(None): Information can no longer be assigned to a specific person concerned, provided that this additional information is kept separately
p.(None): and are subject to technical and organizational measures that ensure that the personal data is not identified
p.(None): or assigned to an identifiable natural person;
p.(None): 6. "file system" means any structured collection of personal data that is accessible according to certain criteria, regardless of whether it is
p.(None): Collection is managed centrally, decentrally or according to functional or geographical aspects;
p.(None): 7. "competent authority"
p.(None): (a) a government agency responsible for the prevention, investigation, detection or prosecution of criminal offenses or the execution of sentences, including the
p.(None): Protection against and averting threats to public security, national security, the intelligence service or the military
p.(None): Intrinsic safety is responsible, or
p.(None): (b) another agency or body which, through the law of the Member States, exercises the exercise of official authority and sovereign powers
p.(None): Prevention, investigation, detection or prosecution of criminal offenses or for the execution of sentences, including the protection against and the defense against
p.(None): Public security threats transmitted for the purposes of national security, intelligence or military intrinsic security
p.(None): has been;
p.(None): 8. "Controller" means the competent authority, alone or together with others, about the purposes and means of processing personal data
p.(None): Data decides;
p.(None): 9. "Processor" means a natural or legal person, public authority, agency or other body that provides personal data on behalf of the
p.(None): Processed responsible;
p.(None): 10. "recipient" means a natural or legal person, public authority, agency or other body to which personal data are disclosed,
p.(None): regardless of whether it is a third party or not. Authorities involved in a particular investigation mandate based on
p.(None): Laws may receive personal data, but are not considered recipients; the processing of this data by the aforementioned
p.(None): Authorities are done in accordance with applicable data protection regulations according to the purposes of the processing;
p.(None): 11. "Violation of the protection of personal data" means a violation of security that leads to destruction, loss or change, whether
p.(None): unintentionally or illegally, or leads to the unauthorized disclosure or access to personal data that
p.(None): transmitted, stored or otherwise processed;
p.(None): 12. "genetic data" personal data on the inherited or acquired genetic characteristics of a natural person, the unique
p.(None): Provide information about the physiology or health of this natural person and in particular from the analysis of a biological sample of the
p.(None): concerned natural person;
...
p.(None): 4. If necessary, further information, especially if the personal data is collected without the knowledge of the person concerned.
p.(None): (3) In the case of the collection of personal data from the person concerned, the person concerned must provide the information in accordance with the requirements of the
p.(None): Paragraphs 1 and 2 are available at the time of the survey. In all other cases, Article 14 (3) GDPR applies. The information according to paragraphs 1 and 2 can
p.(None): omitted if the data is not obtained by questioning the person concerned, but by transmitting data from other areas of responsibility
p.(None): Responsible or determined from applications of other responsible and data processing is provided by law.
p.(None): (4) The information of the person concerned in accordance with paragraph 2 can be postponed, restricted or omitted to the extent and for as long as this is stated in
p.(None): Individual cases are absolutely necessary and proportionate
p.(None): 1. to ensure that the prevention, detection, investigation or prosecution of criminal offenses or the execution of sentences are not impaired,
p.(None): in particular by hindering official or judicial investigations, investigations or procedures,
p.(None): 2. to protect public security,
p.(None): 3. to protect national security,
p.(None): 4. to protect the constitutional institutions of the Republic of Austria,
p.(None): 5. to protect the military intrinsic security or
p.(None): 6. to protect the rights and freedoms of others.
p.(None): Right of information of the data subject
p.(None): § 44. (1) Every person concerned has the right to receive confirmation from the person responsible as to whether they relate to personal data
p.(None): are processed; if this is the case, it has the right to receive information about personal data and the following information:
p.(None): 1. the purposes of the processing and its legal basis,
p.(None): 2. the categories of personal data that are processed,
p.(None): 3. the recipients or categories of recipients to whom the personal data has been disclosed, especially for recipients
p.(None): in third countries or with international organizations,
p.(None): 4. If possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for the determination
p.(None): this duration,
p.(None): 5. the existence of a right to correction or deletion of personal data or restriction of the processing of personal data
p.(None): data subject by the person responsible,
p.(None): 6. the existence of a right to lodge a complaint with the data protection authority and its contact details and
p.(None): 7. Notification of the personal data that are the subject of processing, as well as all available information about the origin of the data.
p.(None): (2) Restrictions on the right to information are only permitted under the conditions specified in Section 43 (4).
p.(None): (3) In the event of failure to provide the information referred to in paragraph 2, the person responsible must immediately notify the person concerned in writing of the refusal or
...
Social / Threat of Stigma
Searching for indicator threat:
p.(None): The processor is entitled to enter rooms in which data processing is carried out, to put data processing systems into operation that
p.(None): to carry out the processing to be checked and copies of data carriers to the extent absolutely necessary for the exercise of the control powers
p.(None): manufacture.
p.(None): (3) Information that the data protection authority or the person authorized by it during the control activity may only contain for the control in the
p.(None): Be used in the implementation of data protection regulations. Incidentally, confidentiality also applies to courts
p.(None): and administrative authorities, in particular tax authorities; however, with the proviso that if the inspection suspects a criminal offense
p.(None): Action in accordance with section 63 of this federal law or in accordance with sections 118a, 119, 119a, 126a to 126c, 148a or section 278a of the Criminal Code - StGB, BGBl. № 60/1974,
p.(None): or a crime that results in a custodial sentence, the maximum of which exceeds five years, is to be reported and regarding such crimes and
p.(None): Offenses according to § 76 of the Code of Criminal Procedure - StPO, Federal Law Gazette No. 631/1975, must also be complied with.
p.(None): (4) Is the operation of data processing a significant immediate threat to the confidentiality interests of the parties concerned that are worth protecting
p.(None): Persons (danger of delay), the data protection authority can continue the data processing with a decision in accordance with Section 57 (1) of the General
p.(None): Administrative Procedure Act 1991 - AVG, Federal Law Gazette № 51/1991, prohibit. If technically possible, with regard to the purpose of data processing
p.(None): Continuation can only be partially prohibited if it makes sense and seems sufficient to eliminate the hazard. Likewise, the
p.(None): Data protection authority on request of a data subject a restriction of processing according to Art. 18 GDPR with notice according to § 57 Paragraph 1 AVG
p.(None): order if the person in charge does not comply with a related obligation on time. If a prohibition is not followed immediately,
p.(None): the data protection authority must act in accordance with Art. 83 (5) GDPR.
p.(None): (5) Within the scope of its responsibility, the data protection authority is responsible for imposing fines on natural and legal persons.
p.(None): (6) Exist in the course of a lawsuit based on § 29 of a person concerned who has moved away from an institution, organization or association within the meaning of the
...
Social / Trade Union Membership
Searching for indicator union:
p.(None): Central Committee of the National Council. Every political party represented in the main committee of the National Council is entitled to be represented in the Data Protection Council
p.(None): his. A party represented on the main committee of the National Council, which according to the above calculation has no member, can be a member by name
p.(None): do;
p.(None): 2. one representative each from the Federal Chamber of Workers and Salaried Employees and the Austrian Chamber of Commerce;
p.(None): 3. two representatives of the countries;
p.(None): 4. one representative each from the Association of Municipalities and the Association of Cities;
p.(None): 5. a federal representative to be sent by the Federal Minister for the Constitution, Reforms, Deregulation and Justice;
p.(None): 6. a representative to be appointed by the Federal Government from among the data protection officers of the Federal Ministries;
p.(None): 7. Two national or international data protection experts to be named by the Data Protection Council after its constitution.
p.(None): (2) The representatives mentioned in paragraph 1 should have knowledge and experience in the fields of data protection law, Union law and fundamental rights
p.(None): to have.
p.(None): (3) A substitute member is to be sent for each member in accordance with paragraph 1 nos. 1 to 6, who will replace him if the member is prevented. The
p.(None): The Federal Ministry of Constitution, Reforms, Deregulation and Justice must be notified in writing of the members and substitute members.
p.(None): (4) Members of the Federal Government or a state government as well as State Secretaries and other persons who are not members of the Data Protection Council cannot belong to the Data Protection Council
p.(None): cannot be elected to the National Council.
p.(None): (5) The term of office of the members and substitute members in accordance with paragraph 1 items 1 to 6 begins with their posting to the Data Protection Council and ends
p.(None): 1. upon dismissal by the sending agency (para. 1) by means of a written notification to the Federal Ministry for the Constitution, reforms,
p.(None): Deregulation and justice with simultaneous naming of a new member or substitute member,
p.(None): 2. with the announcement of the resignation by the member or substitute member by means of a written notification to the Federal Ministry for
p.(None): Constitution, reforms, deregulation and justice or
p.(None): 3. at the latest with the new election of the main committee of the National Council in accordance with Sections 29 and 30 of the 1975 Law on Rules of Procedure, Federal Law Gazette No. 410/1975.
...
p.(None): (3) The Federal Minister for the Constitution, Reforms, Deregulation and Justice can contact the head of the data protection authority on the subjects of the
p.(None): Teach management. The head of the data protection authority can only comply with this to the extent that this does not mean that the
p.(None): Supervisory authority within the meaning of Art. 52 GDPR contradicts.
p.(None): Head of the data protection authority
p.(None): Section 20. (1) The head of the data protection authority is appointed by the Federal President on a proposal from the Federal Government for a period of five years; the
p.(None): Reappointment is permitted. The proposal must be preceded by a call for applications.
p.(None): (2) The head of the data protection authority has
p.(None): 1. to have completed the law studies,
p.(None): 2. Personal and professional suitability through appropriate prior training and relevant professional experience in the field of data protection
p.(None): issues of concern
p.(None): 3. to have excellent knowledge of Austrian data protection law, Union law and fundamental rights, and
p.(None): 4. have at least five years of legal professional experience.
p.(None): (3) The following may not be appointed as head of the data protection authority:
p.(None): 1. Members of the Federal Government, State Secretaries, members of a state government, members of the National Council, the Federal Council or any other
p.(None): general representative body or the European Parliament, as well as lawyers and the President of the Court of Auditors,
p.(None): 2. persons who have performed a function mentioned in Z 1 within the past two years, and
p.(None): 3. People who are excluded from being eligible for election to the National Council.
p.(None): (4) The Federal President shall remove the head on the proposal of the Federal Government.
p.(None): (5) The deputy head of the data protection authority is appointed by the Federal President on a proposal from the Federal Government in accordance with paragraphs 1 to 3
p.(None): ordered. Paragraph 4 applies to the removal of the deputy.
p.(None): Tasks
p.(None): § 21. (1) The data protection authority advises the committees of the National Council and the Federal Council, the Federal Government and the state governments on their behalf
p.(None): Requests for legislative and administrative measures. The data protection authority is prior to enacting federal laws and regulations in the
...
p.(None): 6, the submitting agency and authority responsible for the file system notifies the receiving agency or authority
p.(None): immediately with. The latter immediately has the deletion of illegally transmitted data, the correction of incorrect data, the addition of incomplete data
p.(None): Data or to restrict processing.
p.(None): (9) Does the receiving agency or authority have reason to believe that personal data transmitted is incorrect or not up to date or is too
p.(None): delete or restrict processing, it will inform the transmitting agency or authority immediately. The latter takes hold
p.(None): the necessary measures immediately.
p.(None): Lawfulness of processing
p.(None): § 38. The processing of personal data is only legal, unless it is necessary to safeguard a person's vital interests,
p.(None): insofar as they are provided for by law or in directly applicable legal provisions which have the rank of a law within the country and for the fulfillment
p.(None): is necessary and proportionate to a task performed by the competent authority for the purposes specified in section 36 (1).
p.(None): Processing of special categories of personal data
p.(None): § 39. The processing of personal data from which the racial or ethnic origin, political opinions, religious or ideological
p.(None): Beliefs or union membership emerge, as well as the processing of genetic data, biometric data for unambiguous
p.(None): Identification of a natural person, health data or data on the sexual life or sexual orientation of a natural person for those in § 36
p.(None): Paragraph 1 is only permitted if processing is absolutely necessary and effective measures to protect the rights and freedoms of the
p.(None): data subjects are affected and
p.(None): 1. processing is permitted in accordance with § 38 or
p.(None): 2. It relates to data that the data subject has obviously made public himself.
p.(None): Processing for other purposes and transmission
p.(None): Section 40. (1) Processing of personal data in accordance with the provisions of this main part by the same or another person responsible
p.(None): for a processing purpose other than that for which they were collected is only permitted if this other purpose falls outside the scope of Section 36 (1)
p.(None): is included and the requirements of sections 38 and 39 are met.
p.(None): (2) The transmission of personal data processed in accordance with the provisions of this main part for a purpose not mentioned in Section 36 (1)
p.(None): is only permitted if this is expressly stipulated by law or in directly applicable legal provisions that have the status of a national law
p.(None): is provided and the recipient is authorized to process this personal data for this other purpose.
p.(None): (3) If the processing of personal data is subject to special conditions, the transmitting competent authority has the recipient of the
p.(None): to point out personal data that these conditions apply and must be complied with. The transmission to recipients in other Member States
p.(None): or bodies and other bodies established under Title V Chapters 4 and 5 TFEU may not be subject to conditions that are not applicable to
p.(None): corresponding data transfers in Germany apply.
p.(None): Automated decision making in individual cases
p.(None): Section 41. (1) Only decisions based on automatic processing, including profiling, which are detrimental to the person concerned
p.(None): Legal consequences or may significantly affect them are only permitted if they are legally or in directly applicable legal provisions that
p.(None): have the status of a national law, are expressly provided for.
p.(None): (2) Decisions according to paragraph 1 may only be based on special categories of personal data according to § 39 if and insofar as effective measures
p.(None): to protect the rights and freedoms and the legitimate interests of the data subject.
p.(None): (3) Decisions according to paragraph 1, which have the consequence that natural persons based on personal data from which the racial or
p.(None): ethnic origin, political opinions, religious or ideological beliefs or union membership, genetic data,
p.(None): biometric data for clear identification, health data or data on sex life or sexual orientation are discriminated
p.(None): forbidden.
p.(None): Section 2
p.(None): Rights of the data subject
p.(None): Principle
p.(None): Section 42. (1) The person responsible has all the information and notifications according to Sections 43 to 45 relating to the processing in
p.(None): as precise, understandable and easily accessible as possible in a clear and simple language. The information is in a suitable form, in
p.(None): If possible, submit an application in the same form as the application.
p.(None): (2) The person responsible must make it easier for the data subjects to exercise their rights in accordance with sections 43 to 45.
p.(None): (3) The person responsible must immediately inform the data subject in writing of how their application was dealt with.
p.(None): (4) The person responsible provides the person concerned with information about the measures taken on the basis of an application in accordance with sections 44 to 45,
p.(None): in any case available within one month after receipt of the application. This period can be extended by a further two months if this is under
p.(None): Consideration of the complexity and number of applications is required. The person responsible will notify the person concerned within one month
p.(None): Receipt of the request for an extension, along with the reasons for the delay. If the person concerned submits the application electronically, it is
p.(None): if possible, to inform electronically unless otherwise stated.
p.(None): (5) If the person responsible does not take action at the request of the person concerned, he shall inform the person concerned without delay, but at the latest
...
p.(None): to correct, delete or restrict their processing.
p.(None): (Note: Paragraph 7 repealed by Z 22, Federal Law Gazette I No. 24/2018)
p.(None): Section 3
p.(None): Responsible and processor
p.(None): Obligations of the person responsible
p.(None): Section 46. The controller has the obligations set out in Art. 24 Para. 1 and 2 and Art. 25 Para. 1 and 2 GDPR with regard to the compliance of the
p.(None): Processing to comply with the provisions of this main part.
p.(None): Jointly responsible
p.(None): Section 47. Two or more controllers who jointly determine the purposes and means of processing are joint controllers. You have in
p.(None): an agreement in a transparent form to define their respective tasks under this federal law, in particular as regards the exercise of the rights of the
p.(None): concerned person, and who fulfills which information obligations according to § 43, if and insofar as the respective tasks of those responsible are not
p.(None): are established by law. A contact point for the data subjects must be specified in the agreement.
p.(None): Processors and supervision of processing
p.(None): Section 48. (1) If processing is carried out on behalf of a person responsible, he will only work with processors who offer sufficient guarantees that
p.(None): that suitable technical and organizational measures are carried out in such a way that the processing is in accordance with the requirements of this
p.(None): Federal law takes place and guarantees the protection of the rights of the data subject.
p.(None): (2) The processor will not make use of any other processor without the separate written approval of the person responsible.
p.(None): (3) Processing by a processor is carried out on the basis of a contract or other legal instrument under Union law
p.(None): or on the basis of express legal authorization, which binds the processor in relation to the person responsible and in the object
p.(None): and duration of processing, type and purpose of processing, the type of personal data, the categories of data subjects and the obligations and
p.(None): Rights of the controller are defined. This contract or other legal instrument specifically provides that the processor
p.(None): 1. the personal data only on documented instructions from the person responsible - also with regard to the transmission of personal data to a
p.(None): Third country or an international organization - processed, unless it is by Union law or by law, the processor
p.(None): is subject to this; in such a case, the processor will notify the controller of these legal requirements before
p.(None): Processing with, unless the law in question does not prohibit such communication because of an important public interest;
p.(None): 2. guarantees that the persons authorized to process the personal data have committed themselves to confidentiality or that one
p.(None): are subject to reasonable legal confidentiality;
p.(None): 3. takes all measures required pursuant to Section 54;
p.(None): 4. complies with the conditions set out in paragraphs 2 and 4 for using the services of another processor;
p.(None): 5. Given the nature of the processing, if possible supports the person responsible with suitable technical and organizational measures,
p.(None): comply with his obligation to respond to requests to exercise the data subject's rights set out in this main piece;
p.(None): 6. taking into account the type of processing and the information available to them, the controller in compliance with the requirements of the
p.(None): §§ 52 to 56 supports the duties mentioned;
p.(None): 7. after completion of the processing services, either delete or delete all personal data at the discretion of the person responsible
p.(None): returns, unless there is an obligation to store personal data under Union law or law;
p.(None): 8. provides the person responsible with all the information required to demonstrate compliance with the obligations set out in paras. 1 to 6 and
p.(None): Checks - including inspections - that are carried out by the person responsible or another auditor commissioned by him,
p.(None): enables and contributes.
p.(None): With regard to item 8, the processor will inform the controller immediately if he considers that an instruction against this main item
p.(None): or violates other Union data protection regulations or statutory data protection regulations.
p.(None): (4) If the processor uses the services of another processor to carry out certain processing activities on behalf of the
p.(None): To carry out the responsible person, this further processor will be contracted or another legal instrument according to the
p.(None): Union law or by law the same data protection obligations imposed in the contract or other legal instrument between the
p.(None): Responsible and the processor in accordance with paragraph 3 are determined, in particular sufficient guarantees must be offered that the
p.(None): appropriate technical and organizational measures are carried out so that the processing corresponds to the requirements of this main part
p.(None): he follows. If the other processor does not meet his data protection obligations, the first processor is liable to the person responsible for
p.(None): compliance with the obligations of that other processor.
p.(None): (5) The contract or the other legal instrument within the meaning of paragraphs 3 and 4 must be drawn up in writing, which is also done in an electronic format
p.(None): can.
p.(None): (6) The processor and any person subordinate to the controller or processor who has access to personal data,
p.(None): may only process this data on the instructions of the person responsible, unless it is processed in accordance with EU law or on the basis of laws on
p.(None): Processing are required.
p.(None): (7) A processor who determines the purposes and means of processing in violation of this main part shall apply in relation to this processing
p.(None): as the person responsible.
p.(None): Directory of processing activities
p.(None): Section 49. (1) Each person responsible has to maintain a register of processing activities in accordance with the provisions of Art. 30 Para. 1 to 4 GDPR, whereby
p.(None): the references in Art. 30 Para. 1 lit. g and para. 2 lit. d GDPR refer to § 54 and the reference to a representative of the person responsible or
p.(None): Processor is devoid of purpose.
...
p.(None): underlying personal data have access (access control);
p.(None): 6. Ensuring that it can be checked and ascertained to which locations personal data can be transferred using data transmission facilities
p.(None): have been transmitted or made available (transmission control);
p.(None): 7. Guarantee that it can be subsequently checked and ascertained which personal data was automated, at what time and by whom
p.(None): Processing systems have been entered (input control);
p.(None): 8. Preventing the data from being read, copied or changed without authorization when transmitting personal data and when transporting data carriers
p.(None): or can be deleted (transport control);
p.(None): 9. Ensuring that systems used can be restored in the event of a fault (restoration);
p.(None): 10. Ensuring that all functions of the system are available, malfunctions are reported (reliability) and saved
p.(None): personal data cannot be damaged by system malfunctions (data integrity).
p.(None): Reporting of violations to the data protection authority
p.(None): Section 55. (1) In accordance with Art. 33 GDPR, the controller has violations of the protection of personal data by the data protection authority
p.(None): Report.
p.(None): (2) Insofar as the breach of protection relates to personal data provided by or to the controller of another Member State
p.(None): have been transmitted to the European Union, the information specified in Article 33 (3) GDPR is the responsibility of the Member State of the
p.(None): To be transmitted to the European Union immediately.
p.(None): Notification to affected person of injuries
p.(None): Section 56. (1) In accordance with Art. 34 GDPR, the person responsible has the right to violate the protection of their personal data
p.(None): notify.
p.(None): (2) The notification according to paragraph 1 can be postponed, restricted or omitted under the conditions specified in § 43 paragraph 4.
p.(None): Designation, position and tasks of the data protection officer
p.(None): Section 57. (1) Each person responsible must appoint a data protection officer in accordance with Art. 37 (5) and (7) GDPR. Courts are in the frame
p.(None): exempt from their judicial activity from the obligation to appoint a data protection officer. § 5 applies with regard to the provisions of this
p.(None): Main piece analogously.
p.(None): (2) Art. 38 GDPR applies to the position of data protection officer.
p.(None): (3) The data protection officer is responsible for the tasks specified in Art. 39 GDPR with regard to compliance with the provisions of this main part.
...
p.(None): ward off serious danger to the public security of a Member State or a third country or to the essential interests of a Member State,
p.(None): and prior approval cannot be obtained in time. The authority responsible for issuing the prior approval is to be informed
p.(None): immediately.
p.(None): (3) Requests a competent authority of another EU member state for authorization to transmit personal data that
p.(None): originally transmitted from within Germany to a third country or an international organization in accordance with Paragraph 1 No. 3, this is in order to grant this approval
p.(None): responsible authority that originally transmitted the personal data, unless otherwise required by law.
p.(None): Data transfer to third countries or international organizations
p.(None): Section 59. (1) The transfer of personal data to a third country or an international organization is permitted if the European Commission
p.(None): in accordance with Art. 36 Para. 3 of Directive (EU) 2016/680 has decided, by means of an implementing act, that the third country concerned, an area or one or
p.(None): more specific sectors in this third country or the relevant international organization offers an adequate level of protection. Such
p.(None): Data transmission does not require any special approval. This does not affect the approval requirement pursuant to Section 58 (1) (3).
p.(None): (2) transfers of personal data to a third country, to an area or to one or more specific sectors in a third country or to one
p.(None): international organizations in accordance with paragraphs 3 to 8 are determined by a decision of the European Union in accordance with Article 36 paragraph 5 of Directive (EU) 2016/680
p.(None): Commission to revoke, change or suspend a decision in accordance with Art. 36 Para. 3 of Directive (EU) 2016/680.
p.(None): (3) If there is no decision pursuant to Paragraph 1, the transfer of personal data to a third country or an international organization is permitted,
p.(None): if
p.(None): 1. appropriate guarantees for the protection of personal data are provided in a legally binding instrument or
p.(None): 2. the person responsible came to the conclusion on the basis of an assessment of the circumstances relevant to the transfer of personal data,
p.(None): that there are appropriate safeguards to protect personal data.
p.(None): (4) If there are suitable guarantees in accordance with Paragraph 3 No. 2 for categories of transfers, the person responsible must inform the data
p.(None): protection authority about these categories.
p.(None): (5) Transmissions in accordance with Paragraph 3 No. 2 are to be documented, and the documentation, including the date and time of the transmission,
p.(None): information about the receiving competent authority, justification of the transfer and transferred personal data, is to be made available to the
p.(None): data protection authority on request.
p.(None): (6) If there is neither an adequacy decision in accordance with paragraphs 1 to 2 nor suitable guarantees in accordance with paragraphs 3 to 5, then is after
...
Social / employees
Searching for indicator employees:
p.(None): As a rule, restrictions do not apply if, by providing this information, a business or company secret of the person responsible or third parties
p.(None): would be endangered.
p.(None): (Note: Paragraph 7 repealed by Art. 5 no. 3, Federal Law Gazette I No. 14/2019)
p.(None): Data Protection Officer
p.(None): § 5. (1) The data protection officer and the persons working for him are, without prejudice to other confidentiality obligations, bound to
p.(None): confidentiality when performing their tasks. This applies in particular to the identity of data subjects who have contacted the data protection officer, as well as
p.(None): to circumstances that allow conclusions to be drawn about these persons, unless there has been an express release from secrecy by the
p.(None): person concerned. The data protection officer and the persons working for him may use the information made available only to fulfill their
p.(None): tasks and are obliged to maintain confidentiality even after they have finished their work.
p.(None): (2) A data protection officer receives knowledge of data for his or her work for a body under the control of the data protection officer
p.(None): Employees have a legal right to refuse to testify, this right also applies to the data protection officer and those working for him
p.(None): To the extent that the person to whom the legal right to refuse to testify has exercised it. To the extent of
p.(None): The data protection officer's right to refuse to testify is subject to his files and other documents being prohibited from seizure and confiscation.
p.(None): (3) The data protection officer in the public domain (established in forms of public law, in particular also as a body of a
p.(None): local authority) is free from instructions regarding the performance of its duties. The supreme body has the right to obtain information from the
p.(None): data protection officer in the public area about the objects of management. The data protection officer only has to comply with this to the extent that
p.(None): this does not contradict the independence of the data protection officer within the meaning of Art. 38 Para. 3 GDPR.
p.(None): (4) In the sphere of action of each Federal Ministry, taking into account the type and scope of data processing and depending on the institution of the
p.(None): Federal Ministry, one or more data protection officers are to be provided. These must belong to the respective Federal Ministry or the respective
p.(None): subordinate agency or other body.
p.(None): (5) The data protection officer in the public sector in accordance with paragraph 4 maintains a regular exchange of experience, in particular with regard to the
p.(None): Ensuring a uniform data protection standard.
p.(None): Data confidentiality
p.(None): § 6. (1) The person responsible, the processor and their employees - these are employees and people in an
p.(None): employee-like relationship - must keep secret personal data from data processing operations that have been entrusted or have become
p.(None): accessible to them solely on the basis of their professional employment, without prejudice to other legal confidentiality obligations,
p.(None): unless there is a legally permissible reason for the transfer of the entrusted or accessible personal data
p.(None): (data confidentiality).
p.(None): (2) Employees may only transmit personal data on the basis of an express order from their employer. The
p.(None): person responsible and the processor must, if such an obligation of their employees does not already exist by law, contractually
p.(None): oblige them to transmit personal data from data processing only on the basis of instructions and to comply with data secrecy even after termination
p.(None): of the employment relationship with the person responsible or processor.
p.(None): (3) The person responsible and the processor must instruct the employees affected by the orders about the transmission orders applicable to them
p.(None): and about the consequences of a breach of data secrecy.
p.(None): (4) Without prejudice to the constitutional right to issue instructions, an employee must not suffer any disadvantage from refusing to comply with an
p.(None): order to carry out an impermissible data transmission.
p.(None): (5) A statutory right to refuse to testify in favor of a responsible person may not be exercised by one of them
p.(None): Processor, in particular not by bypassing or seizing documents processed using automation.
p.(None): Section 2
p.(None): Data processing for specific purposes
p.(None): Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
p.(None): § 7. (1) For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes that do not
p.(None): aim at personal results, the controller may process all personal data that
p.(None): 1. are publicly accessible,
p.(None): 2. he has lawfully determined for other investigations or other purposes, or
p.(None): 3. Personal data is pseudonymized for him and the person responsible does not identify the person concerned with legally permissible means
p.(None): can determine.
p.(None): (2) For data processing for archiving purposes in the public interest, scientific or historical research purposes or statistical
p.(None): purposes that do not fall under paragraph 1, personal data may only be processed
p.(None): 1. according to special legal regulations,
p.(None): 2. with the consent of the data subject or
p.(None): 3. with the approval of the data protection authority in accordance with paragraph 3.
...
p.(None): 1. for the purpose of notification or questioning from an important interest of the person concerned,
p.(None): 2. from an important public notification or questioning interest or
p.(None): 3. to interview the data subjects for scientific or statistical purposes
p.(None): should be done.
p.(None): (4) At the request of a controller who processes address data, the data protection authority must grant the authorization for transmission if the
p.(None): applicant makes the existence of the conditions mentioned in Paragraph 3 credible and overriding confidentiality interests worthy of protection of the
p.(None): persons concerned do not oppose the transmission. The data protection authority must tie the approval to the fulfillment of conditions and requirements,
p.(None): insofar as this is necessary to protect the interests of the data subjects that are worth protecting.
p.(None): (5) The transmitted address data may only be processed for the approved purpose and are to be deleted as soon as they are no longer required for the
p.(None): notification or questioning.
p.(None): (6) Insofar as it is permissible in accordance with the above provisions to transmit the name and address of persons who belong to a certain group of
p.(None): subjects, the processing necessary for the purpose of selecting the address data to be transmitted may also be carried out.
p.(None): Freedom of expression and information
p.(None): § 9. (1) To the processing of personal data by media owners, publishers, media employees and employees of a
p.(None): media company or media service within the meaning of the Media Act - MedienG, BGBl. № 314/1981, for journalistic purposes of the media company
p.(None): or media service, the provisions of this federal law and, of the GDPR, Chapters II (principles), III (rights of the person concerned), IV
p.(None): (Responsible and processor), V (transfer of personal data to third countries or to international organizations), VI (independent
p.(None): Supervisory authorities), VII (cooperation and coherence) and IX (regulations for special processing situations) do not apply. When exercising its
p.(None): powers vis-à-vis the persons named in the first sentence, the data protection authority must observe the protection of editorial confidentiality (§ 31 MedienG).
p.(None): (2) Insofar as this is necessary to exercise the right to protection of personal data with freedom of expression and information
p.(None): Chapter II (principles) of the GDPR, with the exception of Art. 5, Chapter III (rights of the person concerned), Chapter IV
p.(None): (Controller and processor), with the exception of Art. 28, 29 and 32, Chapter V (transfer of personal data to third countries or to
p.(None): international organizations), Chapter VI (Independent Regulators), Chapter VII (Cooperation and Coherence) and Chapter IX (Rules for Special
p.(None): Processing situations) does not apply to processing that is carried out for scientific, artistic or literary purposes. Of the
p.(None): provisions of this federal law, Section 6 (data secrecy) applies in such cases.
p.(None): Processing of personal data in the event of a disaster
...
p.(None): 1. it is necessary in the vital interest of a person,
p.(None): 2. the data subject has consented to the processing of their personal data,
p.(None): 3. it is ordered or permitted by special legal provisions, or
p.(None): 4. In individual cases there are overriding legitimate interests of the person responsible or a third party and the proportionality is given.
p.(None): (3) Image acquisition is permitted in accordance with paragraph 2 no. 4 if
p.(None): 1. it serves the preventive protection of people or things on private properties that are used exclusively by the person responsible, and
p.(None): spatially does not extend beyond the property, with the exception of a public involvement that is at best inevitable to achieve the purpose
p.(None): Traffic areas,
p.(None): 2. for the preventive protection of people or things in publicly accessible places that are subject to the house right of the person responsible,
p.(None): is necessary due to legal violations that have already taken place or due to a special hazard potential in the nature of the place, or
p.(None): 3. it pursues a private interest in documentation that does not aim at identifying uninvolved persons or the targeted recording of
p.(None): Objects that are suitable for the indirect identification of such persons.
p.(None): (4) Is not permitted
p.(None): 1. taking a picture without the express consent of the person concerned in their highly personal life,
p.(None): 2. an image for the purpose of checking employees,
p.(None): 3. the automation-supported comparison of personal data obtained by means of image recordings without express consent and for that
p.(None): Creation of personality profiles with other personal data or
p.(None): 4. the evaluation of personal data obtained by means of image recordings based on special categories of personal data (Art. 9
p.(None): GDPR) as a selection criterion.
p.(None): (5) Personal data determined by means of a permissible image acquisition may be transmitted to the extent necessary for the transmission
p.(None): one of the requirements of paragraph 2 items 1 to 4 is met. Paragraph 4 applies accordingly.
p.(None): Special data security measures and labeling
p.(None): § 13. (1) The person responsible must take appropriate data security measures adapted to the risk of intrusion and ensure that the
p.(None): Access to the image recording and subsequent changes to it by unauthorized persons is excluded.
p.(None): (2) The person responsible - except in the case of real-time monitoring - must log every processing operation.
p.(None): (3) Recorded personal data are to be deleted by the person responsible if they are no longer required for the purpose for which they were determined
p.(None): and there is no other legally required retention requirement. Storage longer than 72 hours must be proportionate
p.(None): and must be recorded and justified separately.
p.(None): (4) Paragraphs 1 to 3 do not apply to image recordings in accordance with Section 12 paragraph 3 line 3.
p.(None): (5) The person responsible for an image recording must mark it appropriately. In any case, the labeling must clearly identify the person responsible,
p.(None): unless the person concerned is already aware of the circumstances of the case.
...
p.(None): data protection assessment of projects with significant effects on data protection in Austria is necessary;
p.(None): 5. The Data Protection Council can publish its observations, concerns and suggestions and bring them to the attention of those responsible in the
p.(None): public domain.
p.(None): (3) Paragraph 2 no. 3 and 4 does not apply insofar as internal affairs of recognized churches and religious societies are concerned.
p.(None): Composition
p.(None): § 15. (1) The Data Protection Council includes:
p.(None): 1. Representatives of the political parties: the political parties send twelve members according to the d’Hondt system in proportion to their mandate in the
p.(None): Central Committee of the National Council. Every political party represented in the main committee of the National Council is entitled to be represented in the
p.(None): Data Protection Council. A party represented on the main committee of the National Council to which no member is allotted according to the above
p.(None): calculation can nominate one member;
p.(None): 2. one representative each from the Federal Chamber of Workers and Salaried Employees and the Austrian Chamber of Commerce;
p.(None): 3. two representatives of the countries;
p.(None): 4. one representative each from the Association of Municipalities and the Association of Cities;
p.(None): 5. a federal representative to be sent by the Federal Minister for the Constitution, Reforms, Deregulation and Justice;
p.(None): 6. a representative to be appointed by the Federal Government from among the data protection officers of the Federal Ministries;
p.(None): 7. Two national or international data protection experts to be named by the Data Protection Council after its constitution.
p.(None): (2) The representatives mentioned in paragraph 1 should have knowledge and experience in the fields of data protection law, Union law and fundamental rights.
p.(None): (3) A substitute member is to be sent for each member in accordance with paragraph 1 nos. 1 to 6, who will replace him if the member is prevented. The
p.(None): The Federal Ministry of Constitution, Reforms, Deregulation and Justice must be notified in writing of the members and substitute members.
p.(None): (4) Members of the Federal Government or a state government as well as State Secretaries and other persons who cannot be elected to the
p.(None): National Council cannot belong to the Data Protection Council.
...
p.(None): have been deleted.
p.(None): (4) Notices authorizing transfers of personal data abroad must be revoked if the legal or
p.(None): the actual requirements for the approval no longer exist.
p.(None): Responsible for public and private areas
p.(None): Section 26. (1) Without prejudice to Section 5 (3), those responsible in the public sector are all those responsible
p.(None): 1. which are established in forms of public law, in particular also as a body of a local authority, or
p.(None): 2. insofar as they are active in law enforcement despite their establishment in forms of private law.
p.(None): (2) Those responsible for the public sector are parties to proceedings before the data protection authority.
p.(None): (3) Those responsible for the public sector can lodge a complaint with the Federal Administrative Court and appeal to the Administrative Court.
p.(None): (4) Those responsible, who are not subject to paragraph 1, are considered to be responsible for the private sector within the meaning of this Federal Act.
p.(None): Appeal to the Federal Administrative Court
p.(None): § 27. (1) The Federal Administrative Court decides on complaints against decisions by the Senate because of the violation of the duty to provide information
p.(None): Section 24 (7) and the decision-making obligation of the data protection authority.
p.(None): (2) The Senate consists of a chairperson and a competent lay judge each from the group of employers and from the group of employees. The
p.(None): Expert lay judges are appointed on a proposal from the Austrian Chamber of Commerce and the Federal Chamber for Workers.
p.(None): Appropriate precautions are to be taken to ensure that a sufficient number of expert lay judges are available in good time.
p.(None): (3) The competent lay judges must have at least five years of relevant professional experience and special knowledge of data protection law.
p.(None): (4) The presiding judge must send the competent lay judge all documents relevant to the decision immediately or, if this is impractical or
p.(None): to maintain the confidentiality of documents is absolutely necessary to provide.
p.(None): (5) If there is a procedure against the decision of the data protection authority, an opinion or a decision of the European Committee
p.(None): has preceded the coherence procedure, the data protection authority shall forward this opinion or decision to
p.(None): the Federal Administrative Court.
p.(None): Representation of data subjects
p.(None): § 28. The person concerned has the right to set up an institution, organization or association without a profit intention that is duly established
p.(None): whose statutory goals are in the public interest and in the field of the protection of the rights and freedoms of persons concerned with regard to
...
Social / gender
Searching for indicator gender:
p.(None): has a confidentiality interest worthy of protection in these data, unless the offense is threatened with a more severe punishment according to another provision,
p.(None): is to be punished by the court with a prison sentence of up to one year or a fine of up to 720 daily rates.
p.(None): 5. Main piece
p.(None): Final provisions
p.(None): Implementation and implementation of EU legal acts
p.(None): Section 64. (1) This Federal Act serves to implement Regulation (EU) 2016/679 for the protection of natural persons during processing
p.(None): personal data, the free movement of data and the repeal of Directive 95/46/EC (General Data Protection Regulation), OJ No. L 119 from 4.5.2016 p. 1.
p.(None): (2) This Federal Act also serves to implement Directive (EU) 2016/680 for the protection of natural persons when processing personal data
p.(None): Data provided by the competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or the execution of sentences, and for
p.(None): free movement of data and repealing Council Framework Decision 2008/977/JHA, OJ No. L 119 from 4.5.2016 p. 89.
p.(None): Linguistic equal treatment
p.(None): Section 65. Insofar as designations referring to natural persons are only given in male form in this federal law, they refer to women
p.(None): and men in the same way. When applying the terms to certain natural persons, the respective gender-specific form is to be
p.(None): used.
p.(None): Issuing regulations
p.(None): Section 66. Regulations based on this federal law in its current version may be enacted from the day following the announcement
p.(None): of the legal provisions to be implemented; however, they may not enter into force before the statutory provisions to be implemented.
p.(None): References
p.(None): § 67. Insofar as this federal law refers to provisions of other federal laws, these are to be applied in their respectively applicable version.
p.(None): Completion
p.(None): Section 68. The enforcement of this Federal Act, unless it is the responsibility of the Federal Government, is entrusted to the Federal Minister for the
p.(None): Constitution, Reforms, Deregulation and Justice, as well as the Federal Chancellor and the other Federal Ministers within their sphere of activity.
p.(None): Transitional provisions
p.(None): Section 69. (1) The term of office of the head of the data protection authority that is in effect at the time this Federal Act comes into force will
p.(None): continue until it expires. This also applies to his deputy.
p.(None): (2) The data processing register maintained by the data protection authority must be continued by the data protection authority for archiving purposes
p.(None): until December 31, 2019. No entries or changes in content may be made in the data processing register. Registrations in
p.(None): the data processing register become irrelevant. Everyone can inspect the register. In the registration file including at most
...
Social / parents
Searching for indicator parents:
p.(None): Individual cases are absolutely necessary. The data protection authority is to be notified immediately of the initiated transfers and the circumstances
p.(None): surrounding the event. The data protection authority has to prohibit further data transfers to protect the rights of the data subjects if the
p.(None): Interference with the fundamental right to data protection caused by data transfer is not justified by the special circumstances of the disaster situation.
p.(None): (4) On the basis of a specific request from a close relative of a person who is actually or probably directly affected by the disaster,
p.(None): controllers are authorized to transmit to the inquirer personal data about the stay of the person concerned and the status of the research,
p.(None): if the relative demonstrates his identity and the close relationship credibly. Special categories of personal data (Art. 9 GDPR) may be transmitted to
p.(None): close relatives only if they can prove their identity and their family status and the transmission is required to safeguard their rights or those
p.(None): of the person concerned. The social security institutions and authorities are obliged to support those responsible for the public sector and
p.(None): aid organizations insofar as this is necessary to check the information of the requester.
p.(None): (5) Close relatives within the meaning of this provision are to be understood as parents, children, spouses, registered partners and companions of the
p.(None): persons concerned. Other relatives may receive the information mentioned under the same conditions as close relatives if they credibly demonstrate a
p.(None): special relationship with the person actually or probably directly affected by the disaster.
p.(None): (6) The personal data processed for the purpose of coping with the disaster must be deleted immediately if they are no longer required for the
p.(None): fulfillment of the specific purpose.
p.(None): Warning from the data protection authority
p.(None): § 11. The data protection authority will apply the catalog of Art. 83 para. 2 to 6 GDPR in such a way that proportionality is maintained.
p.(None): Particularly in the case of first-time violations, the data protection authority will make use of its remedial powers in accordance with Art. 58 GDPR,
p.(None): in particular by issuing warnings.
p.(None): Section 3
p.(None): Image processing
p.(None): Permissibility of image acquisition
p.(None): § 12. (1) An image in the sense of this section describes the image taken by using technical equipment for image processing
p.(None): Detection of events in public or non-public space for private purposes. Acoustic processing also included in the image acquisition
p.(None): Information. This section applies to this type of image recording, unless otherwise specifically stipulated by other laws.
...
Social / philosophical differences/differences of opinion
Searching for indicator opinion:
p.(None): (3) Those responsible for the public sector can lodge a complaint with the Federal Administrative Court and appeal to the Administrative Court.
p.(None): (4) Those responsible, who are not subject to paragraph 1, are considered to be responsible for the private sector within the meaning of this Federal Act.
p.(None): Appeal to the Federal Administrative Court
p.(None): § 27. (1) The Federal Administrative Court decides on complaints against decisions by the Senate because of the violation of the duty to provide information
p.(None): Section 24 (7) and the decision-making obligation of the data protection authority.
p.(None): (2) The Senate consists of a chairperson and a competent lay judge each from the group of employers and from the group of employees. The
p.(None): Expert lay judges are appointed on a proposal from the Austrian Chamber of Commerce and the Federal Chamber for Workers.
p.(None): Appropriate precautions are to be taken to ensure that a sufficient number of expert lay judges are available in good time.
p.(None): (3) The competent lay judges must have at least five years of relevant professional experience and special knowledge of data protection law.
p.(None): (4) The presiding judge must send the competent lay judge all documents relevant to the decision immediately or, if this is impractical or
p.(None): to maintain the confidentiality of documents is absolutely necessary to provide.
p.(None): (5) If there is a procedure against the decision of the data protection authority, an opinion or a decision of the European Committee
p.(None): has preceded the coherence procedure, the data protection authority shall forward this opinion or decision to
p.(None): the Federal Administrative Court.
p.(None): Representation of data subjects
p.(None): § 28. The person concerned has the right to set up an institution, organization or association without a profit intention that is duly established
p.(None): whose statutory goals are in the public interest and in the field of the protection of the rights and freedoms of persons concerned with regard to
p.(None): to protect your personal data, to lodge a complaint on your behalf and on your behalf in accordance with sections 24 to 27
p.(None): exercise mentioned rights.
p.(None): Liability and right to compensation
p.(None): Section 29. (1) Any person who has suffered material or immaterial damage due to a breach of the GDPR or Section 1 or Article 2 1. Main item
p.(None): is entitled to compensation against the person responsible or against the processor according to Art. 82 GDPR. In detail, the general provisions
p.(None): of civil law apply to this claim for damages.
p.(None): (2) In the first instance for claims for damages is the regional court entrusted with the exercise of jurisdiction in civil cases
p.(None): Complaints can also be made to the regional court
p.(None): in which the defendant's habitual residence or registered office or branch is located.
p.(None): General conditions for imposing fines
p.(None): § 30. (1) The data protection authority can impose fines on a legal person if violations of provisions of the GDPR and § 1
p.(None): or Article 2 1. Main part was committed by persons who either acted alone or as part of a body of the legal person and one
p.(None): Leadership position within the legal person
p.(None): 1. the power to represent the legal person,
...
General/Other / Natural Hazards
Searching for indicator hazard:
p.(None): Make use.
p.(None): Section 3
p.(None): Image processing
p.(None): Permissibility of image acquisition
p.(None): § 12. (1) An image in the sense of this section describes the image taken by using technical equipment for image processing
p.(None): Detection of events in public or non-public space for private purposes. Acoustic processing also included in the image acquisition
p.(None): Information. This section applies to this type of image recording, unless otherwise specifically stipulated by other laws.
p.(None): (2) Taking a picture is permitted, taking into account the requirements of § 13, if
p.(None): 1. it is necessary in the vital interest of a person,
p.(None): 2. the data subject has consented to the processing of their personal data,
p.(None): 3. it is ordered or permitted by special legal provisions, or
p.(None): 4. In individual cases there are overriding legitimate interests of the person responsible or a third party and the proportionality is given.
p.(None): (3) Image acquisition is permitted in accordance with paragraph 2 no. 4 if
p.(None): 1. it serves the preventive protection of people or things on private properties that are used exclusively by the person responsible, and
p.(None): spatially does not extend beyond the property, with the exception of a public involvement that is at best inevitable to achieve the purpose
p.(None): Traffic areas,
p.(None): 2. for the preventive protection of people or things in publicly accessible places that are subject to the house right of the person responsible,
p.(None): is necessary due to legal violations that have already taken place or due to a special hazard potential in the nature of the place, or
p.(None): 3. it pursues a private interest in documentation that does not aim at identifying uninvolved persons or the targeted recording of
p.(None): Objects that are suitable for the indirect identification of such persons.
p.(None): (4) Is not permitted
p.(None): 1. taking a picture without the express consent of the person concerned in their highly personal life,
p.(None): 2. an image for the purpose of checking employees,
p.(None): 3. the automation-supported comparison of personal data obtained by means of image recordings without express consent and for that
p.(None): Creation of personality profiles with other personal data or
p.(None): 4. the evaluation of personal data obtained by means of image recordings based on special categories of personal data (Art. 9
p.(None): GDPR) as a selection criterion.
p.(None): (5) Personal data determined by means of a permissible image acquisition may be transmitted to the extent necessary for the transmission
p.(None): one of the requirements of paragraph 2 items 1 to 4 is met. Paragraph 4 applies accordingly.
p.(None): Special data security measures and labeling
p.(None): § 13. (1) The person responsible must take appropriate data security measures adapted to the risk of intrusion and ensure that the
p.(None): Access to the image recording and subsequent changes to it by unauthorized persons is excluded.
p.(None): (2) The person responsible - except in the case of real-time monitoring - must log every processing operation.
...
p.(None): Be used in the implementation of data protection regulations. Incidentally, confidentiality also applies to courts
p.(None): and administrative authorities, in particular tax authorities; however, with the proviso that if the inspection suspects a criminal offense
p.(None): Action in accordance with section 63 of this federal law or in accordance with sections 118a, 119, 119a, 126a to 126c, 148a or section 278a of the Criminal Code - StGB, BGBl. № 60/1974,
p.(None): or a crime that results in a custodial sentence, the maximum of which exceeds five years, is to be reported and regarding such crimes and
p.(None): Offenses according to § 76 of the Code of Criminal Procedure - StPO, Federal Law Gazette No. 631/1975, must also be complied with.
p.(None): (4) Is the operation of data processing a significant immediate threat to the confidentiality interests of the parties concerned that are worth protecting
p.(None): Persons (danger of delay), the data protection authority can continue the data processing with a decision in accordance with Section 57 (1) of the General
p.(None): Administrative Procedure Act 1991 - AVG, Federal Law Gazette № 51/1991, prohibit. If technically possible, with regard to the purpose of data processing
p.(None): Continuation can only be partially prohibited if it makes sense and seems sufficient to eliminate the hazard. Likewise, the
p.(None): Data protection authority on request of a data subject a restriction of processing according to Art. 18 GDPR with notice according to § 57 Paragraph 1 AVG
p.(None): order if the person in charge does not comply with a related obligation on time. If a prohibition is not followed immediately,
p.(None): the data protection authority must act in accordance with Art. 83 (5) GDPR.
p.(None): (5) Within the scope of its responsibility, the data protection authority is responsible for imposing fines on natural and legal persons.
p.(None): (6) Exist in the course of a lawsuit based on § 29 of a person concerned who has moved away from an institution, organization or association within the meaning of the
p.(None): Art. 80 Para. 1 GDPR, if there are any doubts about the existence of the relevant criteria, the data protection authority shall take action at the request of the bringing-in court
p.(None): corresponding findings with notice. This institution, organization or association has party status in the proceedings. Against a negative
p.(None): Notification of determination is open to her to appeal to the Federal Administrative Court.
p.(None): Activity report and publication of decisions
...
General/Other / Relationship to Authority
Searching for indicator authority:
p.(None): [CELEX No.: 31995L0046]
p.(None): BGBl. I No. 132/2015 (VfGH)
p.(None): BGBl. I No. 120/2017 (NR: GP XXV RV 1664 AB 1761 p. 190. BR: 9824 AB 9856 p. 871.)
p.(None): [CELEX No.: 32016L0680]
p.(None): BGBl. I No. 23/2018 (NR: GP XXVI IA 188 / A AB 99 S. 21. BR: AB 9958 S. 879.)
p.(None): BGBl. I No. 24/2018 (NR: GP XXVI IA 189 / A AB 98 S. 21. BR: AB 9948 S. 879.)
p.(None): BGBl. I No. 14/2019 (NR: GP XXVI RV 301 AB 463 p. 57. BR: AB 10104 p. 888.)
p.(None): Preamble / Promulgatory
p.(None): Table of Contents
p.(None): article 1
p.(None): (Constitution determination)
p.(None): §1 fundamental right to data protection
p.(None): (Note: §§ 2 and 3 repealed by Federal Law Gazette I No. 14/2019)
p.(None): Article 2
p.(None): 1. Main piece
p.(None): Implementation of the General Data Protection Regulation and additional regulations
p.(None): Section 1
p.(None): General provisions
p.(None): § 4. Scope and implementing regulation
p.(None): § 5. Data protection officer
p.(None): § 6. Data secrecy
p.(None): Section 2
p.(None): Data processing for specific purposes
p.(None): § 7. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
p.(None): § 8. Provision of addresses for the notification and questioning of data subjects
p.(None): § 9. Freedom of expression and freedom of information
p.(None): § 10. Processing of personal data in the event of a disaster
p.(None): § 11. Warning by the data protection authority
p.(None): Section 3
p.(None): image processing
p.(None): § 12. Admissibility of image acquisition
p.(None): § 13. Special data security measures and labeling
p.(None): 2. Main piece
p.(None): organs
p.(None): Section 1
p.(None): Data Protection
p.(None): § 14. Establishment and tasks
p.(None): § 15. Composition
p.(None): § 16. Chair and management
p.(None): § 17. Meetings and decision-making
p.(None): Section 2
p.(None): DPA
p.(None): § 18. Establishment
p.(None): § 19. Independence
p.(None): § 20. Head of the data protection authority
p.(None): § 21. Tasks
p.(None): § 22. Powers
p.(None): § 23. Activity report and publication of decisions
p.(None): Section 3
p.(None): Remedies, liability and sanctions
p.(None): § 24. Complaint to the data protection authority
p.(None): Section 25. Accompanying measures in the complaint procedure
p.(None): § 26. Responsible for public and private areas
p.(None): § 27. Appeal to the Federal Administrative Court
p.(None): Section 28. Representation of data subjects
p.(None): § 29. Liability and right to compensation
p.(None): § 30. General conditions for imposing fines
p.(None): Section 4
p.(None): Regulatory authority according to Directive (EU) 2016/680
p.(None): § 31. Data protection authority
p.(None): Section 32. Tasks of the data protection authority
p.(None): Section 33. Powers of the data protection authority
p.(None): § 34. General provisions
p.(None): Section 5
p.(None): Special powers of the data protection authority
p.(None): § 35.
p.(None): 3. Main piece
p.(None): Processing of personal data for the purposes of the security police including police state protection, military
p.(None): Self-protection, the investigation and prosecution of criminal offenses, the execution of sentences and the execution of measures
p.(None): Section 1
p.(None): General provisions
p.(None): § 36. Scope and definitions
p.(None): Section 37. Principles for data processing, categorization and data quality
p.(None): Section 38. Lawfulness of processing
p.(None): Section 39. Processing of special categories of personal data
p.(None): Section 40. Processing for other purposes and transmission
p.(None): Section 41. Automated decision making in individual cases
p.(None): Section 2
p.(None): Rights of the data subject
p.(None): Section 42. Principles
p.(None): Section 43. Information to the data subject
p.(None): Section 44. Right of the data subject to information
p.(None): Section 45. Right to correction or deletion of personal data and restriction of processing
p.(None): Section 3
p.(None): Responsible and processor
p.(None): Section 46. Responsibilities of the controller
p.(None): Section 47
p.(None): Section 48. Processors and supervision of processing
p.(None): Section 49. Directory of processing activities
p.(None): Section 50. Logging
p.(None): Section 51. Cooperation with the data protection authority
p.(None): Section 52. Data protection impact assessment
p.(None): Section 53. Prior consultation with the data protection authority
p.(None): Section 54. Data security measures
p.(None): Section 55. Reporting violations to the data protection authority
p.(None): Section 56. Notification to the data subject of injuries
p.(None): Section 57. Designation, position and tasks of the data protection officer
p.(None): Section 4
p.(None): Transfer of personal data to third countries or international organizations
p.(None): Section 58. General principles for the transmission of personal data
p.(None): Section 59. Data transmission to third countries or international organizations
p.(None): (Note: Section 60 expired on January 15, 2019 (see Federal Law Gazette I No. 14/2019)
p.(None): § 61. repealed by Federal Law Gazette I No. 14/2019)
p.(None): 4. Main piece
p.(None): Special criminal provisions
p.(None): Section 62
p.(None): Section 63. Data processing with the intention of profit or damage
p.(None): 5. Main piece
p.(None): final provisions
p.(None): Section 64. Implementation and implementation of EU legal acts
p.(None): Section 65. Linguistic equal treatment
p.(None): Section 66. Issuing regulations
p.(None): Section 67. References
p.(None): Section 68. Execution
p.(None): Section 69. Transitional provisions
p.(None): § 70. Entry into force
p.(None): text
p.(None): article 1
p.(None): (Constitution determination)
p.(None): Fundamental right to data protection
p.(None): § 1. (1) Everyone, especially with regard to the respect of his private and family life, is entitled to the secrecy of those concerned
p.(None): personal data insofar as there is an interest worthy of protection. The existence of such an interest is excluded if data is due
p.(None): are not accessible to a confidentiality claim due to their general availability or because they cannot be traced back to the person concerned.
p.(None): (2) Insofar as the use of personal data is not in the vital interest of the person concerned or with his consent
p.(None): Limitations on the right to secrecy are only permissible to safeguard the overriding legitimate interests of another, in the event of intrusion
p.(None): State authority only on the basis of laws resulting from the in Article 8 paragraph 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms
p.(None): (ECHR), Federal Law Gazette No. 210/1958, are necessary reasons mentioned. Such laws allow the use of data that is particularly vulnerable in nature
p.(None): are only intended to protect important public interests and at the same time must provide adequate guarantees for the protection of confidentiality interests
p.(None): of those concerned. Even in the case of permissible restrictions, the encroachment on the fundamental right may only in the mildest, leading to the goal
p.(None): be made.
p.(None): (3) Insofar as personal data concerning him are intended for automated processing or for processing in files kept manually, i.e. without
p.(None): automation support, everyone has, in accordance with legal regulations,
p.(None): 1. The right to information about who processes which data about him, where the data comes from and what they are used for, in particular
p.(None): whom they are communicated to;
p.(None): 2. the right to correct inaccurate data and the right to delete inadmissibly processed data.
p.(None): (4) Restrictions on the rights under paragraph 3 are only permissible under the conditions specified in paragraph 2.
p.(None): (Note: Paragraph 5 repealed by Federal Law Gazette I No. 51/2012)
p.(None): Article 2
p.(None): 1. Main piece
p.(None): Implementation of the General Data Protection Regulation and additional regulations
p.(None): Section 1
p.(None): General provisions
p.(None): Scope and implementing regulation
...
p.(None): about circumstances that allow conclusions to be drawn about these persons, unless there has been an express release from secrecy by the
p.(None): concerned person. The data protection officer and the persons working for him may only use the information made available to fulfill the
p.(None): Use tasks and are obliged to maintain confidentiality even after they have finished their work.
p.(None): (2) A data protection officer receives knowledge of data for his or her work for a body under the control of the data protection officer
p.(None): Employees have a legal right to refuse to testify, this right also applies to the data protection officer and those working for him
p.(None): To the extent that the person to whom the legal right to refuse to testify has exercised it. To the extent of
p.(None): The data protection officer's right to refuse to testify is subject to his files and other documents being prohibited from seizure and confiscation.
p.(None): (3) The data protection officer in the public domain (established in forms of public law, in particular also as a body of a
p.(None): Local authority) is free from instructions regarding the performance of its duties. The supreme body has the right to consider the objects of the
p.(None): To inform management in the public area with the data protection officer. The data protection officer only has to comply with this to the extent that
p.(None): this does not contradict the independence of the data protection officer within the meaning of Art. 38 Para. 3 GDPR.
p.(None): (4) In the sphere of action of each Federal Ministry, taking into account the type and scope of data processing and depending on the institution of the
p.(None): Federal Ministry to provide one or more data protection officers. These must be submitted to the respective Federal Ministry or the respective subordinate
p.(None): Belong to an agency or other body.
p.(None): (5) The data protection officer in the public sector in accordance with paragraph 4 maintains a regular exchange of experience, in particular with regard to the
p.(None): Ensuring a uniform data protection standard.
p.(None): data confidentiality
p.(None): § 6. (1) The person responsible, the processor and their employees - these are employees (employees) and people in one
...
p.(None): and to teach about the consequences of a breach of data secrecy.
p.(None): (4) Without prejudice to the constitutional right to issue instructions, an employee may not suffer any disadvantage from refusing to comply with an order for an unauthorized
p.(None): data transmission.
p.(None): (5) A statutory right to refuse to testify in favor of a responsible person may not be exercised by one of them
p.(None): Processor, in particular not by bypassing or seizing documents processed using automation.
p.(None): Section 2
p.(None): Data processing for specific purposes
p.(None): Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
p.(None): § 7. (1) For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes that do not
p.(None): If the goal is personal results, the controller may process all personal data that
p.(None): 1. are publicly accessible,
p.(None): 2. he has lawfully determined for other investigations or other purposes, or
p.(None): 3. Personal data is pseudonymized for him and the person responsible does not identify the person concerned with legally permissible means
p.(None): can determine.
p.(None): (2) For data processing for archiving purposes in the public interest, scientific or historical research purposes or statistical
p.(None): Purposes that do not fall under paragraph 1 may only personal data
p.(None): 1. according to special legal regulations,
p.(None): 2. with the consent of the data subject or
p.(None): 3. with the approval of the data protection authority in accordance with paragraph 3
p.(None): are processed.
p.(None): (3) Approval by the data protection authority for the processing of personal data for archiving purposes in the public interest,
p.(None): Scientific or historical research or statistical purposes are to be granted at the request of the person responsible for the investigation if
p.(None): 1. Obtaining the data subject's consent is impossible due to the fact that it cannot be reached or otherwise means a disproportionate effort,
p.(None): 2. there is a public interest in the processing requested and
p.(None): 3. The technical suitability of the person responsible is made credible.
p.(None): If special categories of personal data (Art. 9 GDPR) are to be determined, there must be an important public interest in the investigation;
p.(None): Furthermore, it must be ensured that the personal data at the person responsible for the investigation are only processed by persons who
p.(None): are subject to a legal obligation to maintain confidentiality with regard to the subject matter of the examination, or their reliability is otherwise credible
p.(None): is. The data protection authority has to approve the fulfillment of conditions and requirements, insofar as this is in order to protect those worthy of protection
p.(None): Interests of the data subject is necessary.
p.(None): (4) An application in accordance with paragraph 3 is in any case by the person authorized to dispose of the data from which the personal data are determined
p.(None): to attach a signed statement that he provides the data controller with the data for the investigation. Instead of this explanation
p.(None): an execution title replacing this declaration can also be submitted (Section 367 (1) of the Execution Regulation - EO, RGBl. No. 79/1896).
p.(None): (5) Also in those cases in which the processing of personal data for purposes of scientific research or statistics in
p.(None): personal form is permitted, the personal reference is to be encrypted immediately, if in individual phases of scientific or statistical
p.(None): Working with personal data in accordance with Paragraph 1 No. 3 that can be found. Unless otherwise expressly provided for by law, the
p.(None): Eliminate personal reference to the data as soon as it is no longer necessary for scientific or statistical work.
p.(None): (6) Legal restrictions on the admissibility of the use of personal data for other, in particular copyright reasons,
p.(None): stay untouched.
p.(None): Providing addresses for notification and questioning of data subjects
p.(None): § 8. (1) Unless otherwise expressly stipulated by law, the transmission of address data requires a specific group of those concerned
p.(None): Individuals for the purpose of notifying or questioning the consent of the data subjects.
p.(None): (2) If, however, an impairment of the confidentiality interests of the persons concerned in view of the selection criteria for the group of persons concerned
p.(None): and the subject of the notification or questioning is unlikely, no consent is required if
p.(None): 1. Data from the same person responsible is processed or
p.(None): 2. in the event of an intended transmission of the address data to third parties
p.(None): a) there is also a public interest in the notification or questioning, or
p.(None): b) none of the persons concerned object to this within a reasonable time after having been informed of the reason and content of the transmission
p.(None): has raised against the transmission.
p.(None): (3) If the requirements of paragraph 2 are not met, and obtaining the consent of the persons concerned in accordance with paragraph 1 would be one
p.(None): require disproportionate effort, the transmission of the address data is permitted with the approval of the data protection authority in accordance with paragraph 4, if the
p.(None): Transmission to third parties
p.(None): 1. for the purpose of notification or questioning from an important interest of the person concerned,
p.(None): 2. from an important public notification or questioning interest or
p.(None): 3. to interview the data subjects for scientific or statistical purposes
p.(None): should be done.
p.(None): (4) At the request of a controller who processes address data, the data protection authority must grant the authorization for transmission if the
p.(None): Applicant makes the existence of the conditions mentioned in Paragraph 3 credible and overriding confidentiality interests of the parties concerned that are worthy of protection
p.(None): Do not oppose the transmission of persons. The data protection authority has the approval to tie to the fulfillment of conditions and requirements,
p.(None): insofar as this is necessary to protect the interests of the data subjects that are worth protecting.
p.(None): (5) The transmitted address data may only be processed for the approved purpose and are to be deleted as soon as they are for the
p.(None): Notification or questioning are no longer required.
p.(None): (6) Insofar as it is permissible in accordance with the above provisions, the name and address of persons who belong to a certain group of subjects
p.(None): transmit, the processing necessary for the purpose of selecting the address data to be transmitted may also be carried out.
p.(None): Freedom of expression and information
p.(None): § 9. (1) The processing of personal data by media owners, publishers, media employees and employees of one
p.(None): Media company or media service within the meaning of the Media Act - MedienG, BGBl. № 314/1981, for journalistic purposes of the media company
p.(None): or media services, the provisions of this federal law and, of the GDPR, Chapters II (principles), III (rights of the person concerned), IV
p.(None): (Responsible and processor), V (transfer of personal data to third countries or to international organizations), VI (independent
p.(None): Supervisory authorities), VII (cooperation and coherence) and IX (regulations for special processing situations) do not apply. The data protection authority
p.(None): When exercising their powers vis-à-vis the persons named in the first sentence, the protection of editorial confidentiality (§ 31 MedienG) must be observed.
p.(None): (2) Insofar as this is necessary to exercise the right to protection of personal data with freedom of expression and information
p.(None): Chapter II (principles) of the GDPR, with the exception of Art. 5, Chapter III (rights of the person concerned), Chapter IV
p.(None): (Controller and processor), with the exception of Art. 28, 29 and 32, Chapter V (transfer of personal data to third countries or to
p.(None): international organizations), Chapter VI (Independent Regulators), Chapter VII (Cooperation and Coherence) and Chapter IX (Rules for Special
p.(None): Processing situations) does not apply to processing that is carried out for scientific, artistic or literary purposes. Of the
p.(None): In such cases, provisions of this federal law apply to Section 6 (data secrecy).
p.(None): Processing of personal data in the event of a disaster
p.(None): § 10. (1) Responsible for the public sector and aid organizations are authorized in the event of a disaster to collect personal data
p.(None): process, insofar as this is to help those directly affected by the disaster, to find and identify dependents and
p.(None): Deceased and necessary for the information of relatives.
p.(None): (2) Anyone who has lawful personal data may transmit it to those responsible for the public sector and aid organizations, provided that
p.(None): they need the personal data to cope with the disaster for the purposes specified in Paragraph 1.
p.(None): (3) A transfer of personal data abroad is permitted, provided that this is absolutely necessary for the fulfillment of the purposes mentioned in paragraph 1
p.(None): necessary is. Data that in themselves are a criminal offense to the person concerned may not be transmitted, unless they are used for identification in the
p.(None): Individual cases are absolutely necessary. The data protection authority is responsible for the initiated transfers and the circumstances surrounding the event
p.(None): To notify the facts immediately. The data protection authority has to prohibit further data transfers to protect the rights of the data subjects if the
p.(None): Interference with the fundamental right to data protection caused by data transfer is not justified by the special circumstances of the disaster situation.
p.(None): (4) On the basis of a specific request from a close relative of a person who is actually or probably directly affected by the disaster,
p.(None): the controller is authorized to transmit to the inquirer personal data about the stay of the person concerned and the status of the research,
p.(None): if the relative demonstrates his identity and the close relationship credibly. Special categories of personal data (Art. 9 GDPR) are allowed to close
p.(None): Relatives are only transmitted if they can prove their identity and their family status and the transmission to safeguard their rights or those
p.(None): the person concerned is required. The social security institutions and authorities are obliged, those responsible for the public sector and
p.(None): To support aid organizations insofar as this is necessary to check the information of the requester.
p.(None): (5) Close relatives within the meaning of this provision are to be understood as parents, children, spouses, registered partners and companions of the persons
p.(None): concerned. Other relatives may receive the information mentioned under the same conditions as close relatives if they have a special one
p.(None): Make the relationship with the person actually or probably directly affected by the disaster credible.
p.(None): (6) The personal data processed for the purpose of coping with the disaster must be deleted immediately if they are necessary for the fulfillment
p.(None): of the specific purpose are no longer required.
p.(None): Warning from the data protection authority
p.(None): § 11. The data protection authority will apply the catalog of Art. 83 para. 2 to 6 GDPR in such a way that proportionality is maintained.
p.(None): Particularly in the case of first-time violations, the data protection authority will, in accordance with Art. 58 GDPR, make use of its remedial powers, in particular by
p.(None): issuing warnings.
p.(None): Section 3
p.(None): image processing
p.(None): Permissibility of image acquisition
p.(None): § 12. (1) An image in the sense of this section describes the image taken by using technical equipment for image processing
p.(None): Detection of events in public or non-public space for private purposes. Acoustic processing also included in the image acquisition
p.(None): Information. This section applies to this type of image recording, unless otherwise specifically stipulated by other laws.
p.(None): (2) Taking a picture is permitted, taking into account the requirements of § 13, if
p.(None): 1. it is necessary in the vital interest of a person,
p.(None): 2. the data subject has consented to the processing of their personal data,
p.(None): 3. it is ordered or permitted by special legal provisions, or
p.(None): 4. In individual cases there are overriding legitimate interests of the person responsible or a third party and the proportionality is given.
p.(None): (3) Image acquisition is permitted in accordance with paragraph 2 no. 4 if
p.(None): 1. it serves the preventive protection of people or things on private properties that are used exclusively by the person responsible, and
p.(None): spatially does not extend beyond the property, with the exception of a public involvement that is at best inevitable to achieve the purpose
p.(None): Traffic areas,
p.(None): 2. for the preventive protection of people or things in publicly accessible places that are subject to the house right of the person responsible,
...
p.(None): to schedule the session to take place no later than four weeks after the request is received.
p.(None): (2) Each member of the Data Protection Council is - except in the case of justified prevention - obliged to attend the meetings of the Data Protection Council
p.(None): participate. The substitute member will only attend the meeting if the member is unable to attend.
p.(None): (3) The presence of more than half of its members or substitute members is required for deliberations and decision-making in the Data Protection Council.
p.(None): A simple majority of the votes cast is sufficient to pass resolutions. In the event of a tie, the chairman's vote is decisive.
p.(None): Abstentions are not permitted. Minority votes are permitted.
p.(None): (4) In the case of urgent matters, the chairperson may appoint the deputy chairperson and one representative of the political parties (section 15 subsection 1 no.1)
p.(None): invite to an extraordinary meeting (Presidium).
p.(None): (5) The Data Protection Council may form permanent or non-permanent working committees from among its members, which it shall prepare, assess and process
p.(None): individual matters. He is also entitled to the management, pre-assessment and processing of individual matters
p.(None): individual member (rapporteur).
p.(None): (6) The head of the data protection authority is entitled to attend the meetings of the data protection council or its working committees. He does not have
p.(None): a right to vote.
p.(None): (7) If necessary, the chairman can call in experts to the meetings of the Data Protection Council or to working committees. Also for preparation
p.(None): At meetings of the Data Protection Council or working committees, the Chairman of the Data Protection Council can involve experts in the respective field, insofar as
p.(None): this is necessary to clarify questions of particular importance for data protection.
p.(None): (8) Unless it decides otherwise, the deliberations in the meetings of the Data Protection Council are not public. The members and substitute members
p.(None): of the Data Protection Council, the head of the data protection authority as well as his deputy and the experts consulted at the meeting are confidential
p.(None): committed to all facts that have become known to them exclusively from their work in the Data Protection Council
p.(None): Section 2
p.(None): DPA
p.(None): Facility
p.(None): § 18. (1) The data protection authority is set up as a national supervisory authority in accordance with Art. 51 GDPR.
p.(None): (2) The data protection authority is headed by a head. In his absence, his deputy heads the data protection authority. The regulations
p.(None): regarding the head of the data protection authority apply to him.
p.(None): independence
p.(None): § 19. (1) The data protection authority is a service authority and personnel position.
p.(None): (2) The head may not carry out any activity for the duration of his office
p.(None): 1. could raise doubts about the independent exercise of his office or impartiality,
p.(None): 2. hinders him in the performance of his official duties or
p.(None): 3. Essential business interests are endangered.
p.(None): He is obliged to immediately report to the Federal Minister of the Constitution, Reforms,
p.(None): To bring deregulation and justice to the attention.
p.(None): (3) The Federal Minister for the Constitution, Reforms, Deregulation and Justice can contact the head of the data protection authority on the subjects of the
p.(None): Teach management. The head of the data protection authority can only comply with this to the extent that this does not mean that the
p.(None): Supervisory authority within the meaning of Art. 52 GDPR contradicts.
p.(None): Head of the data protection authority
p.(None): Section 20. (1) The head of the data protection authority is appointed by the Federal President on a proposal from the Federal Government for a period of five years;
p.(None): reappointment is permitted. The proposal must be preceded by a call for applications.
p.(None): (2) The head of the data protection authority has
p.(None): 1. to have completed the law studies,
p.(None): 2. Personal and professional suitability through appropriate prior training and relevant professional experience in the field of data protection
p.(None): issues of concern
p.(None): 3. to have excellent knowledge of Austrian data protection law, Union law and fundamental rights, and
p.(None): 4. have at least five years of legal professional experience.
p.(None): (3) The following may not be appointed as head of the data protection authority:
p.(None): 1. Members of the Federal Government, State Secretaries, members of a state government, members of the National Council, the Federal Council or any other
p.(None): general representative body or the European Parliament, as well as lawyers and the President of the Court of Auditors,
p.(None): 2. persons who have performed a function mentioned in Z 1 within the past two years, and
p.(None): 3. People who are excluded from being eligible for election to the National Council.
p.(None): (4) The Federal President shall remove the head on the proposal of the Federal Government.
p.(None): (5) The deputy head of the data protection authority is appointed by the Federal President on a proposal from the Federal Government in accordance with paragraphs 1 to 3.
p.(None): Paragraph 4 applies to the removal of the deputy.
p.(None): Tasks
p.(None): § 21. (1) The data protection authority advises the committees of the National Council and the Federal Council, the Federal Government and the state governments, at their
p.(None): request, on legislative and administrative measures. The data protection authority is prior to enacting federal laws and regulations in the
p.(None): Enforcement area of the federal government that directly concerns data protection issues.
p.(None): (2) The data protection authority must publish the lists according to Art. 35 Para. 4 and 5 GDPR by means of a regulation in the Federal Law Gazette.
p.(None): (3) The data protection authority must announce the criteria to be determined under Art. 57 Para. 1 lit. p GDPR by means of a regulation. It functions at the same time
p.(None): as the only national accreditation body in accordance with Art. 43 Para. 1 lit. a GDPR.
p.(None): Powers
p.(None): § 22. (1) The data protection authority can, in particular, request all necessary clarifications from the controller or processor of the data processing being checked
p.(None): and request inspection of data processing and related documents. The controller or processor must provide the
p.(None): necessary support. The control activity is to be exercised with the greatest possible protection of the rights of the person responsible or the processor and of third
p.(None): parties.
p.(None): (2) For the purpose of inspection, the data protection authority is entitled, after notifying the owner of the premises and the person responsible or the
p.(None): processor, to enter rooms in which data processing is carried out, to put data processing systems into operation,
p.(None): to carry out the processing to be checked and to make copies of data carriers to the extent absolutely necessary for the exercise of the control
p.(None): powers.
p.(None): (3) Information that the data protection authority or the person authorized by it obtains during the control activity may only be used for the control in the
p.(None): implementation of data protection regulations. Incidentally, confidentiality also applies to courts
p.(None): and administrative authorities, in particular tax authorities; however, with the proviso that if the inspection suspects a criminal offense
p.(None): Action in accordance with section 63 of this federal law or in accordance with sections 118a, 119, 119a, 126a to 126c, 148a or section 278a of the Criminal Code - StGB, BGBl. № 60/1974,
p.(None): or a crime that results in a custodial sentence, the maximum of which exceeds five years, is to be reported and regarding such crimes and
p.(None): Offenses according to § 76 of the Code of Criminal Procedure - StPO, Federal Law Gazette No. 631/1975, must also be complied with.
p.(None): (4) If the operation of data processing poses a significant immediate threat to the confidentiality interests worthy of protection of the persons
p.(None): concerned (danger in delay), the data protection authority can prohibit the continuation of the data processing with a decision in accordance with Section 57 (1) of the General
p.(None): Administrative Procedure Act 1991 - AVG, Federal Law Gazette № 51/1991. If this is technically possible, makes sense with regard to the purpose of the data processing
p.(None): and seems sufficient to eliminate the hazard, the continuation can also be prohibited only in part. Likewise, the
p.(None): data protection authority can, at the request of a data subject, order a restriction of processing according to Art. 18 GDPR with notice according to § 57 Paragraph 1 AVG
p.(None): if the person in charge does not comply with a related obligation on time. If a prohibition is not followed immediately,
p.(None): the data protection authority must act in accordance with Art. 83 (5) GDPR.
p.(None): (5) Within the scope of its responsibility, the data protection authority is responsible for imposing fines on natural and legal persons.
p.(None): (6) Exist in the course of a lawsuit based on § 29 of a person concerned who has moved away from an institution, organization or association within the meaning of the
p.(None): Art. 80 Para. 1 GDPR, if there are any doubts about the existence of the relevant criteria, the data protection authority shall take action at the request of the bringing-in court
p.(None): corresponding findings with notice. This institution, organization or association has party status in the proceedings. Against a negative
p.(None): Notification of determination is open to her to appeal to the Federal Administrative Court.
p.(None): Activity report and publication of decisions
p.(None): § 23. (1) The data protection authority has until March 31 of each year to prepare an activity report according to Art. 59 GDPR and to submit it
p.(None): to the Federal Minister for the Constitution, Reforms, Deregulation and Justice. The Federal Minister for the Constitution, Reforms, Deregulation and
p.(None): Justice must submit the report to the Federal Government, the National Council and the Federal Council. The data protection authority has to make the report available to the public, the European
p.(None): Commission, the European Data Protection Board (Art. 68 GDPR) and the Data Protection Council.
p.(None): (2) Decisions of the data protection authority of fundamental importance for the general public are to be published by the data protection authority in an appropriate
p.(None): manner, taking into account the confidentiality requirements.
p.(None): Section 3
p.(None): Remedies, liability and sanctions
p.(None): Complaint to the data protection authority
p.(None): § 24. (1) Each person concerned has the right to lodge a complaint with the data protection authority if they believe that the processing of
p.(None): personal data concerning them violates the GDPR or § 1 or Article 2 1. main piece.
p.(None): (2) The complaint must contain:
p.(None): 1. the designation of the right deemed to be infringed,
p.(None): 2. insofar as this is reasonable, the name of the legal entity or body to which the alleged infringement is attributed (respondent)
p.(None): 3. the facts from which the infringement is derived,
p.(None): 4. the grounds on which the allegation of illegality is based,
p.(None): 5. The request to establish the alleged violation and
p.(None): 6. The information required to assess whether the complaint was made in time.
p.(None): (3) If applicable, a complaint must be followed by the underlying application and any response from the respondent. The
p.(None): The data protection authority must provide further support in the event of a complaint at the request of the data subject.
p.(None): (4) The right to have a complaint dealt with expires if the intervener does not lodge it within one year after becoming aware of the
p.(None): aggravating event, but no later than within three years after the event allegedly took place. Late
p.(None): complaints must be rejected.
p.(None): (5) If a complaint proves to be justified, it must be followed. If an injury is attributable to a person responsible in the private sector,
p.(None): the complainant's requests for information, correction, deletion, restriction or data transfer to that extent are to be applied to the complainant
p.(None): that is necessary to remedy the identified violation. If the complaint proves to be unjustified, it must be dismissed.
p.(None): (6) A respondent can subsequently rectify the alleged infringement before the procedure before the data protection authority,
p.(None): by responding to the complainant's requests. If the data protection authority appears to have no complaint, it has the
p.(None): Hear the complainant. At the same time, he must be made aware that the data protection authority will informally terminate the procedure if he
p.(None): does not state within a reasonable period of time why he still does not at least partially remedy the originally alleged infringement
p.(None): considered. If the complainant 's nature of the matter is changed by such a statement (Section 13 (8) AVG), the withdrawal of the
p.(None): original complaint and the simultaneous submission of a new complaint. In this case, too, is the original complaint procedure
p.(None): informally and inform the complainant about this. Delayed statements are not to be considered.
p.(None): (7) The complainant will be informed by the data protection authority within three months of the filing of the complaint about the status and result of the
p.(None): investigation.
p.(None): (8) Any person concerned can refer the matter to the Federal Administrative Court if the data protection authority does not deal with the complaint or
p.(None): has not informed the data subject of the status or result of the complaint within three months.
p.(None): (9) The data protection authority can - if necessary - involve experts in the procedure.
p.(None): (10) The decision period according to § 73 AVG does not include:
p.(None): 1. the time during which the procedure is suspended until a final question is reached;
p.(None): 2. the time during a procedure according to Art. 56, 60 and 63 GDPR.
p.(None): Accompanying measures in the complaints procedure
p.(None): § 25. (1) If, in the context of a complaint, the complainant credibly demonstrates a substantial impairment of his confidentiality interests worthy of protection
p.(None): by the processing of his personal data, the data protection authority can proceed in accordance with Section 22 (4).
p.(None): (2) If the accuracy of personal data is disputed in a proceeding, the respondent must attach a note of contest until the end of the
p.(None): proceeding. If necessary, the data protection authority has to order this at the request of the complainant with a decision in accordance with Section 57 (1)
p.(None): AVG.
p.(None): (3) If a data controller refers to a restriction within the meaning of Art. 23 GDPR, this has the legality
p.(None): to review the application of the restrictions. If it comes to the conclusion that the confidentiality of processed personal data is kept
p.(None): the person concerned was not justified, the disclosure of the personal data is to be requested with notice. If the notice of
p.(None): If the data protection authority did not comply within eight weeks, the data protection authority has disclosed personal data to
p.(None): affected person himself and to give him the requested information or to inform him which personal data has already been corrected or
p.(None): have been deleted.
p.(None): (4) Notices authorizing transfers of personal data abroad must be revoked if the legal or
p.(None): the actual requirements for the approval no longer exist.
p.(None): Responsible for public and private areas
p.(None): Section 26. (1) Without prejudice to Section 5 (3), those responsible in the public sector are all responsible,
p.(None): 1. which are established in forms of public law, in particular also as a body of a local authority, or
p.(None): 2. insofar as they are active in law enforcement despite their establishment in forms of private law.
p.(None): (2) Those responsible for the public sector are parties to proceedings before the data protection authority.
p.(None): (3) Those responsible for the public sector can lodge a complaint with the Federal Administrative Court and appeal to the Administrative Court.
p.(None): (4) Those responsible, who are not subject to paragraph 1, are considered to be responsible for the private sector within the meaning of this Federal Act.
p.(None): Appeal to the Federal Administrative Court
p.(None): § 27. (1) The Federal Administrative Court decides on complaints against decisions by the Senate because of the violation of the duty to provide information
p.(None): Section 24 (7) and the decision-making obligation of the data protection authority.
p.(None): (2) The Senate consists of a chairperson and a competent lay judge each from the group of employers and from the group of employees. The
p.(None): Expert lay judges are appointed on a proposal from the Austrian Chamber of Commerce and the Federal Chamber for Workers. There are
p.(None): Take appropriate precautions to ensure that a sufficient number of expert lay judges are available in good time.
p.(None): (3) The competent lay judges must have at least five years of relevant professional experience and special knowledge of data protection law
p.(None): have.
p.(None): (4) The presiding judge must send the competent lay judge all documents relevant to the decision immediately or, if this is impractical or
p.(None): to maintain the confidentiality of documents is absolutely necessary to provide.
p.(None): (5) If there is a procedure against the decision of the data protection authority, an opinion or a decision of the European Committee
p.(None): has preceded the coherence procedure, the data protection authority shall forward this opinion or decision to
p.(None): Federal Administrative Court too.
p.(None): Representation of data subjects
p.(None): § 28. The person concerned has the right to set up an institution, organization or association without a profit intention that is duly established
p.(None): whose statutory goals are in the public interest and in the field of the protection of the rights and freedoms of persons concerned with regard to
p.(None): to protect your personal data, to lodge a complaint on your behalf and on your behalf in accordance with sections 24 to 27
p.(None): exercise mentioned rights.
p.(None): Liability and right to compensation
p.(None): Section 29. (1) Any person who, due to a breach of the GDPR or Section 1 or Article 2 1. Main item, has material or immaterial damage
p.(None): has arisen, is entitled to compensation against the person responsible or against the processor according to Art. 82 GDPR. Specifically, apply to
p.(None): this claim for damages the general provisions of civil law.
p.(None): (2) In the first instance for claims for damages is the regional court entrusted with the exercise of jurisdiction in civil cases
p.(None): Complaints can also be made to the regional court
p.(None): in which the defendant's habitual residence or registered office or branch is located.
p.(None): General conditions for imposing fines
p.(None): § 30. (1) The data protection authority can impose fines on a legal person if violations of provisions of the GDPR and § 1
p.(None): or Article 2 1. Main part was committed by persons who either acted alone or as part of a body of the legal person and one
p.(None): Leadership position within the legal person
p.(None): 1. the power to represent the legal person,
p.(None): 2. the power to take decisions on behalf of the legal person, or
p.(None): 3. an authority to exercise control within the legal person
p.(None): hold.
p.(None): (2) Legal persons can also be held responsible for violations of the provisions of the GDPR and § 1 or Article 2 1. main piece
p.(None): if there is a lack of surveillance or control by a person named in paragraph 1, the commission of these violations by a for the legal person
p.(None): active person, provided that the act does not constitute an offense falling within the jurisdiction of the courts.
p.(None): (3) The data protection authority has to refrain from punishing a responsible person according to § 9 of the Administrative Penal Code 1991 - VStG, Federal Law Gazette № 52/1991,
p.(None): if an administrative penalty has already been imposed on the legal person for the same violation.
p.(None): (4) The fines imposed pursuant to section 22 (5) flow to the federal government and are to be collected in accordance with the provisions on the collection of judicial
p.(None): fines. Legally binding decisions of the data protection authority are execution titles. The approval and execution of the execution is based on the
p.(None): Execution title of the data protection authority at the district court, in whose district the obligee has his general place of jurisdiction in disputes (§§ 66,
p.(None): 75 of the jurisdiction standard - JN, RGBl. 111/1895), or at the execution court designated in Sections 18 and 19 EO.
p.(None): (5) Against authorities and public bodies, such as bodies set up in particular in the form of public law and private law, which in
p.(None): legal mandate, and no fine can be imposed on public bodies.
p.(None): Section 4
p.(None): Regulatory authority according to Directive (EU) 2016/680
p.(None): DPA
p.(None): Section 31. (1) The data protection authority is set up as the national supervisory authority for the area of application specified in Section 36 (1). The
p.(None): The data protection authority is not responsible for the supervision of the processing carried out by courts in the context of their judicial activity.
p.(None): (2) With regard to independence, general conditions and the establishment of the supervisory authority, Articles 52, 53 and 54 GDPR and the
p.(None): Section 18 (2), sections 19 and 20 apply mutatis mutandis.
p.(None): Tasks of the data protection authority
p.(None): Section 32. (1) The data protection authority has within the scope of Section 36 (1)
p.(None): 1. the application of § 1 and the regulations enacted in the third main part as well as the implementing regulations for the directive (EU) 2016/680 on protection
p.(None): natural persons in the processing of personal data by the responsible authorities for the purpose of prevention, investigation, detection
p.(None): or prosecution of criminal offenses or the execution of sentences, as well as the free movement of data and repeal of Framework Decision 2008/977 / JHA of
p.(None): Council, OJ No. L 119, 4.5.2016 p. 89, to be monitored and enforced;
p.(None): 2. To raise awareness among the public of the risks, regulations, guarantees and rights associated with the processing and to inform them about them;
p.(None): 3. the in Article 57 paragraph 1 lit. c to e, g, h and t of the GDPR to fulfill specified tasks with regard to the third main part;
p.(None): 4. to deal with complaints from a person concerned or a position, organization or association in accordance with § 28, to investigate the subject of
p.(None): the complaint to a reasonable extent and to notify the complainant within three months of the progress and the
p.(None): outcome of the investigation, especially if further investigation or coordination with another supervisory authority
p.(None): is necessary;
p.(None): 5. to check the lawfulness of the processing in accordance with Section 42 (8) and to inform the data subject of the result of the
p.(None): To inform the inspection in accordance with Section 42 (9) or to inform it of the reasons why the inspection was not carried out;
p.(None): 6. to follow relevant developments insofar as they affect the protection of personal data, in particular the development of
p.(None): information and communication technology,
p.(None): 7. to provide advice in relation to the processing operations referred to in § 53, and
p.(None): 8. to exercise the rights of the data subject in the cases of sections 43 (4), 44 (3) and 45 (4).
p.(None): (2) The data protection authority facilitates the submission of complaints mentioned in para. 1 no.4 by measures such as the provision of a
p.(None): Complaint form that can also be filled in electronically without excluding other means of communication.
p.(None): (3) Art. 57 para. 3 and 4 GDPR apply mutatis mutandis.
p.(None): Powers of the data protection authority
p.(None): Section 33. (1) In the area of application of Section 36 (1), the data protection authority has the effective means necessary to perform its area of responsibility
p.(None): Investigative powers. These include in particular the powers specified in section 22 (2).
p.(None): (2) The data protection authority has in the area of application of Section 36 (1) the effective necessary for the performance of its area of responsibility
p.(None): Remedy powers. In any case, this includes the powers that allow it
p.(None): 1. to warn a person responsible or a processor that the intended processing operations are likely to violate the
p.(None): Violate the scope of Directive (EU) 2016/680;
p.(None): 2. To instruct the controller or processor to carry out processing operations in a certain way and within a certain period of time.
p.(None): to be brought into line with the regulations issued in the scope of Directive (EU) 2016/680, in particular by ordering the
p.(None): Correction or deletion of personal data or restriction of processing in accordance with § 45;
p.(None): 3. impose a temporary or definitive restriction on processing, including a ban.
p.(None): (3) The data protection authority has in the scope of Section 36 (1) the effective advisory powers necessary for enforcement that it
p.(None): allow to advise those responsible according to the procedure of the previous consultation according to § 53 and to all questions connected with the
p.(None): Personal data are protected, either on their own initiative or upon request, statements to the National Council or the Federal Council, the federal or state government
p.(None): or to other institutions and bodies as well as to the public.
p.(None): (4) The exercise of the powers delegated to the supervisory authority in the area of application § 36 Paragraph 1 is analogous to Article 58 Paragraph 4 GDPR.
p.(None): (5) Section 22 (3) second sentence applies mutatis mutandis to violations in the scope of Section 36 (1).
p.(None): General provisions
p.(None): Section 34. (1) Responsible persons within the scope of Section 36 (1) must take effective measures to promote confidential reports of
p.(None): violations. In this sense, those responsible have to set up appropriate procedures that make it possible to report violations of the provisions of the
p.(None): 3rd main piece to a suitable location.
p.(None): (2) The precautions listed in paragraph 1 include at least
p.(None): 1. special procedures for receiving reports of violations and their follow-up;
p.(None): 2. the protection of personal data both for the person who reports the violations and for the natural person who is suspected of being responsible for a
p.(None): violation;
p.(None): 3. clear rules that guarantee the confidentiality of the identity of the person who reports the violations, unless the disclosure of the identity
p.(None): must be carried out within the framework of a public prosecutor, judicial or administrative procedure.
p.(None): (3) As part of the activity report pursuant to Section 23, the data protection authority must report on the activities according to Section 4 and 5. The requirements
p.(None): Art. 59 GDPR and § 23 for the activity report and the publication of decisions apply mutatis mutandis.
p.(None): (4) Article 61 (1) to (7) GDPR applies mutatis mutandis to mutual administrative assistance within the scope of Section 36 (1).
p.(None): (5) In the area of application of section 36 (1), the provisions of section 3 of the second main piece - with the exception of section 30 - apply mutatis mutandis.
p.(None): Section 5
p.(None): Special powers of the data protection authority
p.(None): Section 35. (1) The data protection authority is appointed to safeguard data protection in accordance with the more detailed provisions of the GDPR and this Federal Act.
p.(None): (2) (Constitutional provision) The data protection authority also exercises its powers vis-à-vis the supreme organs of the
p.(None): Enforcement as well as towards the highest bodies according to Art. 30 Paragraphs 3 to 6, 125, 134 Paragraph 8 and 148h Paragraphs 1 and 2 B-VG in the area to which they are entitled
p.(None): Administrative matters.
p.(None): 3. Main piece
p.(None): Processing of personal data for the purposes of the security police including police state protection, military
p.(None): Self-protection, the investigation and prosecution of criminal offenses, the execution of sentences and the execution of measures
p.(None): Section 1
p.(None): General provisions
p.(None): Scope and definitions
p.(None): Section 36. (1) The provisions of this main section apply to the processing of personal data by competent authorities for the purpose of prevention,
p.(None): Investigation, detection or prosecution of criminal offenses or the execution of sentences, including protection against and averting threats to the public
p.(None): Security, as well as for the purposes of national security, intelligence and military intrinsic security.
p.(None): (2) For the purposes of this main piece, the expression denotes:
p.(None): 1. "Personal data" means all information relating to an identified or identifiable natural person (hereinafter referred to as "affected person")
...
p.(None): can be;
p.(None): 2. "Processing" means any process carried out with or without the aid of automated processes or any such series of processes in connection with
p.(None): personal data, such as collecting, recording, organizing, structuring, storing, adapting or changing,
p.(None): reading, querying, using, disclosing through transmission, distribution or any other form of provision, comparison or
p.(None): linkage, restriction, deletion or destruction;
p.(None): 3. "Restriction of processing" means the marking of stored personal data with the aim of restricting their future processing;
p.(None): 4. "Profiling" means any type of automated processing of personal data that consists of the use of this personal data,
p.(None): to assess certain personal aspects relating to a natural person, in particular aspects related to work performance,
p.(None): economic situation, health, personal preferences, interests, reliability, behavior, location or relocation of this natural person
p.(None): to analyze or predict;
p.(None): 5. "Pseudonymization" means the processing of personal data in such a way that the personal data can no longer be assigned
p.(None): to a specific person concerned without the use of additional information, provided that this additional information is kept separately
p.(None): and is subject to technical and organizational measures that ensure that the personal data is not assigned to an identified
p.(None): or identifiable natural person;
p.(None): 6. "file system" means any structured collection of personal data that is accessible according to certain criteria, regardless of whether it is
p.(None): Collection is managed centrally, decentrally or according to functional or geographical aspects;
p.(None): 7. "competent authority"
p.(None): (a) a government agency responsible for the prevention, investigation, detection or prosecution of criminal offenses or the execution of sentences, including the
p.(None): Protection against and averting threats to public security, national security, the intelligence service or the military
p.(None): Intrinsic safety is responsible, or
p.(None): (b) another agency or body which, through the law of the Member States, exercises the exercise of official authority and sovereign powers
p.(None): Prevention, investigation, detection or prosecution of criminal offenses or for the execution of sentences, including the protection against and the defense against
p.(None): Public security threats transmitted for the purposes of national security, intelligence or military intrinsic security
p.(None): has been;
p.(None): 8. "Controller" means the competent authority that, alone or together with others, decides on the purposes and means of processing personal
p.(None): data;
p.(None): 9. "Processor" means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the
p.(None): controller;
p.(None): 10. "recipient" means a natural or legal person, public authority, agency or other body to which personal data are disclosed,
p.(None): regardless of whether it is a third party or not. Authorities involved in a particular investigation mandate based on
p.(None): Laws may receive personal data, but are not considered recipients; the processing of this data by the aforementioned
p.(None): Authorities are done in accordance with applicable data protection regulations according to the purposes of the processing;
p.(None): 11. "Violation of the protection of personal data" means a violation of security that leads to destruction, loss or change, whether
p.(None): unintentionally or illegally, or leads to the unauthorized disclosure or access to personal data that
p.(None): transmitted, stored or otherwise processed;
p.(None): 12. "genetic data" means personal data on the inherited or acquired genetic characteristics of a natural person which provide unique
p.(None): information about the physiology or health of this natural person and which result in particular from the analysis of a biological sample of the
p.(None): natural person concerned;
p.(None): 13. “biometric data” means personal data obtained using special technical processes relating to physical, physiological or
p.(None): characteristics typical of the behavior of a natural person, which enable or confirm the clear identification of this natural person, such as
p.(None): Facial images or dactyloscopic data;
p.(None): 14. "health data" means personal data relating to the physical or mental health of a natural person, including the provision of
p.(None): health services, which provide information about their health status;
p.(None): 15. "Supervisory Authority" is the data protection authority;
p.(None): 16. "international organization" means an international law organization and its subordinate bodies or any other body which was created by an
p.(None): agreement concluded between two or more states or was established on the basis of such an agreement.
p.(None): Principles for data processing, categorization and data quality
p.(None): Section 37. (1) Personal data
p.(None): 1. must be processed lawfully and in good faith,
p.(None): 2. must be collected for specified, clear and lawful purposes and must not be processed in a way that is incompatible with these
p.(None): purposes,
p.(None): 3. must correspond to the processing purpose, must be decisive and must not be excessive in relation to the purposes for which they are
p.(None): processed,
p.(None): 4. must be factually correct and, if necessary, up to date; all appropriate measures must be taken to ensure that
p.(None): personal data that are incorrect with regard to the purposes of their processing are deleted or corrected immediately,
p.(None): 5. may not be stored in a form that identifies the data for any longer than is necessary for the purposes for which they are processed
p.(None): enables data subjects
p.(None): 6. must be processed in a way that ensures adequate security of personal data, including protection against
p.(None): unauthorized or unlawful processing and against accidental loss, accidental destruction or accidental damage by
p.(None): appropriate technical and organizational measures.
p.(None): (2) For processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes
p.(None): Purposes within the scope of Section 36 (1) apply to Section 38.
p.(None): (3) The person responsible is responsible for compliance with paragraphs 1 and 2 and must be able to demonstrate compliance.
p.(None): (4) As far as possible and reasonable, a distinction must be made between the personal data of different categories of data subjects, in particular the following:
p.(None): 1. people who are specifically suspected of having committed a criminal act due to certain facts,
p.(None): 2. people who, based on certain facts, are reasonably suspected of committing an offense in the near future,
p.(None): 3. convicted offenders,
p.(None): 4. victims of a crime or persons for whom certain facts justify the assumption that they are victims of a crime, and
p.(None): 5. other persons who are connected with a crime, in particular persons who are considered as witnesses, persons who can provide
p.(None): information on the offense, or persons who are in contact or in connection with the persons mentioned in Z 1 to 3.
p.(None): (5) As far as possible, a distinction must be made between fact-based personal data and personal data based on personal assessments.
p.(None): Personal data based on personal assessments are to be marked accordingly and can be provided with a reason,
p.(None): which enables the traceability of the assessment.
p.(None): (6) Inaccurate, incomplete, no longer up-to-date or deleted personal data may neither be transmitted nor made available in file systems
p.(None): for automated retrieval. For this purpose, the authority has to check the data quality accordingly as far as possible. Personal data
p.(None): held ready for automated retrieval must be kept complete and up-to-date accordingly.
p.(None): (7) Whenever possible, each time personal data are transmitted, they are used to assess the topicality, correctness, completeness and reliability of the
p.(None): personal data required by the recipient.
p.(None): (8) If it is determined ex officio or as a result of a communication from a person concerned that personal data have been transmitted that do not comply with the
p.(None): 6, the submitting agency and authority responsible for the file system notifies the receiving agency or authority
p.(None): immediately with. The latter immediately has the deletion of illegally transmitted data, the correction of incorrect data, the addition of incomplete data
p.(None): Data or to restrict processing.
p.(None): (9) If the receiving agency or authority has reason to believe that transmitted personal data are incorrect or not up to date, or are to be
p.(None): deleted or restricted in processing, it will inform the transmitting agency or authority immediately. The latter takes
p.(None): the necessary measures immediately.
p.(None): Lawfulness of processing
p.(None): § 38. The processing of personal data is only legal, unless it is necessary to safeguard a person's vital interests,
p.(None): insofar as they are provided for by law or in directly applicable legal provisions which have the rank of a law within the country and for the fulfillment
p.(None): is necessary and proportionate to a task performed by the competent authority for the purposes specified in section 36 (1).
p.(None): Processing of special categories of personal data
p.(None): § 39. The processing of personal data from which the racial or ethnic origin, political opinions, religious or ideological
p.(None): beliefs or union membership emerge, as well as the processing of genetic data, biometric data for unambiguous
p.(None): identification of a natural person, health data or data on the sexual life or sexual orientation of a natural person for the purposes
p.(None): specified in § 36 Paragraph 1 is only permitted if processing is absolutely necessary, effective measures to protect the rights and
p.(None): freedoms of the data subjects are taken and
p.(None): 1. processing is permitted in accordance with § 38 or
p.(None): 2. it relates to data that the data subject has obviously made public himself.
p.(None): Processing for other purposes and transmission
p.(None): Section 40. (1) Processing of personal data in accordance with the provisions of this main part by the same or another person responsible
p.(None): for a processing purpose other than that for which they were collected is only permitted if this other purpose falls outside the scope of Section 36 (1)
p.(None): is included and the requirements of sections 38 and 39 are met.
p.(None): (2) The transmission of personal data processed in accordance with the provisions of this main part for a purpose not mentioned in Section 36 (1)
p.(None): is only permitted if this is expressly stipulated by law or in directly applicable legal provisions that have the status of a national law
p.(None): is provided and the recipient is authorized to process this personal data for this other purpose.
p.(None): (3) If the processing of personal data is subject to special conditions, the transmitting competent authority must point out to the
p.(None): recipient of the personal data that these conditions apply and must be complied with. The transmission to recipients in other Member States
p.(None): or to agencies and other bodies established under Title V Chapters 4 and 5 TFEU may not be subject to conditions that do not apply to
p.(None): corresponding data transfers in Germany.
p.(None): Automated decision making in individual cases
p.(None): Section 41. (1) Decisions based solely on automatic processing, including profiling, which have detrimental legal consequences for the
p.(None): person concerned or may significantly affect them are only permitted if they are expressly provided for by law or in directly
p.(None): applicable legal provisions that have the status of a national law.
p.(None): (2) Decisions according to paragraph 1 may only be based on special categories of personal data according to § 39 if and insofar as effective measures
p.(None): to protect the rights and freedoms and the legitimate interests of the data subject are taken.
p.(None): (3) Decisions according to paragraph 1, which have the consequence that natural persons are discriminated against on the basis of personal
p.(None): data from which the racial or ethnic origin, political opinions, religious or ideological beliefs or union membership emerge, or on the
p.(None): basis of genetic data, biometric data for clear identification, health data or data on sex life or sexual orientation, are
p.(None): forbidden.
p.(None): Section 2
p.(None): Rights of the data subject
p.(None): Principle
p.(None): Section 42. (1) The person responsible must provide all the information and notifications according to Sections 43 to 45 relating to the
p.(None): processing in as precise, understandable and easily accessible a form as possible, in clear and simple language. The information is to be
p.(None): provided in a suitable form, if possible in the same form as the application.
p.(None): (2) The person responsible must make it easier for the data subjects to exercise their rights in accordance with sections 43 to 45.
p.(None): (3) The person responsible must immediately inform the data subject in writing of how their application was dealt with.
p.(None): (4) The person responsible makes information about the measures taken on the basis of an application in accordance with sections 44 to 45
p.(None): available to the person concerned, in any case within one month after receipt of the application. This period can be extended by a further
p.(None): two months if this is required taking into account the complexity and number of applications. The person responsible will notify the
p.(None): person concerned of an extension within one month of receipt of the request, along with the reasons for the delay. If the person concerned
p.(None): submits the application electronically, they are to be informed electronically if possible, unless otherwise stated.
p.(None): (5) If the person responsible does not take action at the request of the person concerned, he shall inform the person concerned without delay, but at the latest
p.(None): within one month after receipt of the application, about the reasons for this and about the possibility to lodge a complaint with a supervisory authority or
p.(None): to seek a judicial remedy.
p.(None): (6) Information according to § 43 as well as all communications and measures according to §§ 44 and 45 are provided free of charge. In the
p.(None): case of manifestly unfounded or - in particular in the case of frequent repetition - excessive applications by a data subject, the person responsible can either
p.(None): 1. request a reasonable fee in which the administrative costs for the information or the notification or the implementation of the requested
p.(None): measure are taken into account, or
p.(None): 2. refuse to act on the application.
p.(None): The person responsible must provide evidence of the manifestly unfounded or excessive nature of the application.
p.(None): (7) The person responsible can request information to confirm the identity of the person who submitted an application in accordance with
p.(None): sections 44 or 45.
p.(None): (8) In the cases of sections 43 (4), 44 (3) and 45 (4), the person concerned is entitled to request that the data protection authority
p.(None): review the legality of the related restriction of their rights. The person responsible must inform the data subject of this right.
p.(None): (9) If the right referred to in paragraph 8 is exercised, the data protection authority shall at least inform the person concerned that all necessary
p.(None): checks or a review have been carried out by the data protection authority. The data protection authority also has to inform the data
p.(None): subject of their right to file a complaint with the Federal Administrative Court.
p.(None): Information to the data subject
p.(None): Section 43. (1) The person responsible must provide the data subject with at least the following information:
p.(None): 1. the name and contact details of the person responsible,
p.(None): 2. if applicable, the contact details of the data protection officer,
p.(None): 3. the purposes for which the personal data are processed,
p.(None): 4. the existence of a right to lodge a complaint with the supervisory authority and its contact details,
p.(None): 5. the existence of a right to information and correction or deletion of personal data and restriction of the processing of the
p.(None): Personal data of the data subject by the person responsible.
p.(None): (2) In addition to the information mentioned in paragraph 1, the person responsible must provide the data subject with the following
p.(None): additional information in special cases to enable the exercise of the rights of the data subject:
p.(None): 1. the legal basis for processing,
p.(None): 2. the duration for which the personal data are stored or, if this is not possible, the criteria for determining this duration,
p.(None): 3. if applicable, the categories of recipients of the personal data, including recipients in third countries or in international organizations,
p.(None): 4. If necessary, further information, especially if the personal data is collected without the knowledge of the person concerned.
p.(None): (3) In the case of the collection of personal data from the person concerned, the person concerned must provide the information in accordance with the requirements of the
p.(None): Paragraphs 1 and 2 are available at the time of the survey. In all other cases, Article 14 (3) GDPR applies. The information according to paragraphs 1 and 2 can
p.(None): omitted if the data is not obtained by questioning the person concerned, but by transmitting data from other areas of responsibility
p.(None): Responsible or determined from applications of other responsible and data processing is provided by law.
p.(None): (4) The information of the person concerned in accordance with paragraph 2 can be postponed, restricted or omitted to the extent and for as long as this is stated in
p.(None): Individual cases are absolutely necessary and proportionate
...
p.(None): in particular by hindering official or judicial investigations, investigations or procedures,
p.(None): 2. to protect public security,
p.(None): 3. to protect national security,
p.(None): 4. to protect the constitutional institutions of the Republic of Austria,
p.(None): 5. to protect the military intrinsic security or
p.(None): 6. to protect the rights and freedoms of others.
p.(None): Right of information of the data subject
p.(None): § 44. (1) Every person concerned has the right to receive confirmation from the person responsible as to whether personal data relating to
p.(None): them are processed; if this is the case, they have the right to receive information about the personal data and the following information:
p.(None): 1. the purposes of the processing and its legal basis,
p.(None): 2. the categories of personal data that are processed,
p.(None): 3. the recipients or categories of recipients to whom the personal data has been disclosed, especially for recipients
p.(None): in third countries or with international organizations,
p.(None): 4. If possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for the determination
p.(None): this duration,
p.(None): 5. the existence of a right to correction or deletion of personal data or restriction of the processing of the personal data of the
p.(None): data subject by the person responsible,
p.(None): 6. the existence of a right to lodge a complaint with the data protection authority and its contact details and
p.(None): 7. Notification of the personal data that are the subject of processing, as well as all available information about the origin of the data.
p.(None): (2) Restrictions on the right to information are only permitted under the conditions specified in Section 43 (4).
p.(None): (3) In the event of failure to provide the information referred to in paragraph 2, the person responsible must immediately inform the
p.(None): person concerned in writing of the refusal or restriction of the information and the reasons for it. This does not apply if the provision
p.(None): of this information would run contrary to one of the purposes mentioned in section 43 (4). The controller has to inform the data subject of
p.(None): the possibility to lodge a complaint with the data protection authority.
p.(None): (4) The person responsible must document the reasons for the decision not to provide the information in accordance with paragraph 2. This
p.(None): information is to be provided to the data protection authority.
p.(None): (5) To the extent that data processing is legally accessible to a person concerned with regard to the data processed about him
p.(None): the right to information in accordance with the provisions of the right of inspection. For the inspection procedure (including its
p.(None): Refusal) apply the more detailed provisions of the law, which provides for the right of inspection. Components of information provided in Para
p.(None): Inspection rights are not included, can nevertheless be asserted according to this federal law.
p.(None): Right to correction or deletion of personal data and restriction of processing
p.(None): Section 45. (1) Every person concerned has the right to have the person responsible immediately correct any incorrect personal data
p.(None): and to request the completion of incomplete personal data. If necessary, the correction or completion can be made by means of a
p.(None): supplementary explanation, if a subsequent change is incompatible with the purpose of the documentation. Proof of the correctness of the
p.(None): data is up to the person responsible, insofar as the personal data were not determined solely on the basis of information from the data subject.
p.(None): (2) The person responsible must delete personal data immediately, either on his or her own initiative or on request, if
p.(None): 1. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed,
p.(None): 2. the personal data have been processed unlawfully or
p.(None): 3. The deletion of personal data is necessary to fulfill a legal obligation.
p.(None): (3) Instead of deleting the personal data, the person responsible can restrict their processing if
p.(None): 1. the data subject disputes the accuracy of the personal data and the accuracy or inaccuracy cannot be ascertained, or
p.(None): 2. the personal data have to be kept for evidence purposes as part of the performance of a legally assigned
p.(None): task.
p.(None): In the event of a restriction in accordance with No. 1, the person responsible must inform the data subject before the restriction is lifted.
p.(None): (4) The person responsible has to inform the affected person in writing about a refusal to correct or delete personal data or to
p.(None): restrict processing, and about the reasons for the refusal. The person responsible has to inform the person concerned about the possibility
p.(None): of lodging a complaint with the data protection authority.
p.(None): (5) The controller must communicate the correction of incorrect personal data to the competent authority from which the incorrect personal
p.(None): data originate.
p.(None): (6) In cases of correction, deletion or restriction of processing in accordance with paragraphs 1 to 3, the person responsible must inform
p.(None): all recipients of the affected personal data. The recipients are obliged to immediately correct or delete the personal data under their
p.(None): responsibility or restrict their processing.
p.(None): (Note: Paragraph 7 repealed by Z 22, Federal Law Gazette I No. 24/2018)
p.(None): Section 3
p.(None): Responsible and processor
p.(None): Obligations of the person responsible
p.(None): Section 46. The controller must fulfil the obligations set out in Art. 24 Para. 1 and 2 and Art. 25 Para. 1 and 2 GDPR with regard to the
p.(None): compliance of the processing with the provisions of this main part.
p.(None): Jointly responsible
p.(None): Section 47. Two or more controllers who jointly determine the purposes and means of processing are joint controllers. They have to define,
p.(None): in an agreement in a transparent form, their respective tasks under this federal law, in particular as regards the exercise of the rights of the
p.(None): person concerned, and who fulfills which information obligations according to § 43, if and insofar as the respective tasks of those responsible are not
p.(None): established by law. A contact point for the data subjects must be specified in the agreement.
p.(None): Processors and supervision of processing
p.(None): Section 48. (1) If processing is carried out on behalf of a person responsible, he will only work with processors who offer sufficient guarantees that
p.(None): that suitable technical and organizational measures are carried out in such a way that the processing is in accordance with the requirements of this
...
p.(None): as well as any data protection officer,
p.(None): 2. the categories of processing carried out on behalf of each person responsible,
p.(None): 3. If applicable, transfers of personal data to a third country or to an international organization, if the person responsible
p.(None): instructed accordingly, including identification of the third country or international organization,
p.(None): 4. If possible, a general description of the technical and organizational measures in accordance with Section 54 (1).
p.(None): Logging
p.(None): Section 50. (1) Every processing operation must be logged in a suitable manner so that the admissibility of the processing can be
p.(None): reproduced and checked.
p.(None): (2) In automated processing systems, all processing operations must be logged in an automated form. This log data must show
p.(None): at least the purpose, the data processed, the date and time of processing, the identification of the person who provided the personal data
p.(None): processed, as well as the identity of any recipient of such personal data.
p.(None): (3) In non-automated processing systems, at least queries and disclosures including transfers, changes and
p.(None): deletions must be logged. Paragraph 2, second sentence, applies to this log data.
p.(None): (4) The protocols may only be used to check the legality of data processing, including self-monitoring, and the guarantee
p.(None): of integrity and security of personal data and in judicial criminal proceedings.
p.(None): (5) The controller and the processor must make the logs available to the data protection authority on request.
p.(None): Cooperation with the data protection authority
p.(None): § 51. The person responsible and the processor are obliged to cooperate with the data protection authority, on request, in the
p.(None): performance of its tasks.
p.(None): Privacy impact assessment
p.(None): § 52. To protect the rights and legitimate interests of the data subjects and other affected persons, the data controller has to
p.(None): carry out a data protection impact assessment in accordance with Art. 35 Para. 1, 2, 3, 7 and 11 GDPR, whereby the evidence in accordance with Art. 35 Para. 7 lit. d
p.(None): GDPR relates to compliance with the requirements of this main part.
p.(None): Prior consultation with the data protection authority
p.(None): Section 53. In accordance with Art. 36 GDPR, the person responsible must consult the data protection authority before processing personal
p.(None): data in new file systems, whereby the references in Art. 36 Para. 1 and Para. 3 lit. e GDPR refer to § 52, the reference to the provisions regarding
p.(None): the powers of the data protection authority in Art. 36 Para. 2 GDPR refers to Section 33, and the measures listed in Art. 36 Para. 2 GDPR are to be taken within
p.(None): six weeks with the possibility of an extension for another month.
p.(None): Data security measures
p.(None): § 54. (1) The person responsible and the processor must, taking into account the state of the art, the implementation costs and the type,
p.(None): the scope, the circumstances and the purposes of the processing as well as the different probability and severity of the risk for the rights and
p.(None): freedoms of natural persons, and taking into account the different categories according to § 37, take appropriate technical and organizational
p.(None): measures to ensure a level of protection appropriate to the risk, especially with regard to the processing of special categories of
p.(None): personal data according to § 39.
p.(None): (2) The controller and the processor must, following a risk assessment, take measures regarding automated processing
p.(None): to achieve the following purposes:
p.(None): 1. denial of access by unauthorized persons to the processing equipment with which the processing is carried out (access control);
p.(None): 2. prevention of unauthorized reading, copying, modification or removal of data carriers (data carrier control);
p.(None): 3. prevention of the unauthorized entry of personal data as well as the unauthorized knowledge, change and deletion of
p.(None): stored personal data (storage control);
p.(None): 4. prevention of the use of automated processing systems with the help of devices for data transmission by unauthorized persons (user control);
p.(None): 5. guarantee that those authorized to use an automated processing system have access only to the personal data covered by their
p.(None): access authorization (access control);
p.(None): 6. ensuring that it can be checked and ascertained to which locations personal data have been or can be transmitted or made available
p.(None): using data transmission facilities (transmission control);
p.(None): 7. guarantee that it can be subsequently checked and ascertained which personal data have been entered into automated
p.(None): processing systems, at what time and by whom (input control);
p.(None): 8. preventing the data from being read, copied, changed or deleted without authorization when transmitting personal data and when
p.(None): transporting data carriers (transport control);
p.(None): 9. ensuring that systems used can be restored in the event of a fault (restoration);
p.(None): 10. ensuring that all functions of the system are available, malfunctions are reported (reliability) and stored
p.(None): personal data cannot be damaged by system malfunctions (data integrity).
p.(None): Reporting of violations to the data protection authority
p.(None): Section 55. (1) In accordance with Art. 33 GDPR, the controller must report violations of the protection of personal data to the data
p.(None): protection authority.
p.(None): (2) Insofar as the breach of protection relates to personal data that have been transmitted by or to the controller of another Member State
p.(None): of the European Union, the information specified in Article 33 (3) GDPR must be transmitted to the controller of that Member State of the
p.(None): European Union immediately.
p.(None): Notification to affected person of violations
p.(None): Section 56. (1) In accordance with Art. 34 GDPR, the person responsible must notify the data subject of violations of the protection of
p.(None): their personal data.
p.(None): (2) The notification according to paragraph 1 can be postponed, restricted or omitted under the conditions specified in § 43 paragraph 4.
p.(None): Designation, position and tasks of the data protection officer
p.(None): Section 57. (1) Each person responsible must appoint a data protection officer in accordance with Art. 37 (5) and (7) GDPR. Courts are
p.(None): exempt from the obligation to appoint a data protection officer within the scope of their judicial activity. § 5 applies analogously with
p.(None): regard to the provisions of this main part.
p.(None): (2) Art. 38 GDPR applies to the position of data protection officer.
p.(None): (3) The data protection officer is responsible for the tasks specified in Art. 39 GDPR with regard to compliance with the provisions of this main part.
p.(None): (4) The person responsible must publish the contact details of the data protection officer and notify the data protection authority.
p.(None): Section 4
p.(None): Transfer of personal data to third countries or international organizations
p.(None): General principles for the transfer of personal data
p.(None): Section 58. (1) A transfer by competent authorities of personal data that are already being processed or are to be processed after their
p.(None): transfer to a third country or an international organization is only permitted if the provisions of this main part are followed and
p.(None): 1. the transmission is necessary for the purposes specified in Section 36 (1),
p.(None): 2. the personal data are transmitted to a person responsible in a third country or an international organization that is a competent
p.(None): authority for the purposes mentioned in § 36 para. 1,
p.(None): 3. in cases where personal data are transmitted or made available from another EU member state, this member state
p.(None): has previously approved the transmission,
p.(None): 4. the European Commission has taken an adequacy decision in accordance with Section 59 (1) and (2) or, if there is no such decision, appropriate
p.(None): guarantees within the meaning of Section 59 (3) to (5) have been provided or exist or, if there is no adequacy decision under Section 59 (1) and (2) and
p.(None): there are no suitable guarantees within the meaning of Section 59 (3) to (5), exceptions apply to certain cases in accordance with Section 59 (6) and (7) and
p.(None): 5. it is ensured that an onward transfer to another third country or another international organization is only permitted on the basis of
p.(None): prior approval by the competent authority that carried out the original transmission, taking due account of all
p.(None): relevant factors, including the seriousness of the crime, the purpose for which the personal data was originally transmitted and the
p.(None): level of protection for personal data in the third country or international organization to which the personal data are
p.(None): passed on.
p.(None): (2) A transmission without prior approval in accordance with Paragraph 1 (3) is only permitted if the transmission is necessary in order to ward off a direct and
p.(None): serious danger to the public security of a Member State or a third country or to the essential interests of a Member State,
p.(None): and prior approval cannot be obtained in time. The authority responsible for issuing the prior approval is to be informed
p.(None): immediately.
p.(None): (3) If a competent authority of another EU member state requests authorization to transmit personal data that were
p.(None): originally transmitted from within Germany to a third country or an international organization in accordance with Paragraph 1 No. 3, the authority that
p.(None): originally transmitted the personal data is responsible for granting this approval, unless otherwise required by law.
p.(None): Data transfer to third countries or international organizations
p.(None): Section 59. (1) The transfer of personal data to a third country or an international organization is permitted if the European Commission
p.(None): in accordance with Art. 36 Para. 3 of Directive (EU) 2016/680 has decided, by means of an implementing act, that the third country concerned, an area or one or
p.(None): several specific sectors in this third country or the relevant international organization offers an adequate level of protection. Such
p.(None): data transmission does not require any special approval. This does not affect the approval requirement pursuant to Section 58 (1) (3).
p.(None): (2) Transfers of personal data to a third country, to an area or to one or more specific sectors in a third country or to one
p.(None): international organizations in accordance with paragraphs 3 to 8 are determined by a decision of the European Union in accordance with Article 36 paragraph 5 of Directive (EU) 2016/680
p.(None): Commission to revoke, change or suspend a decision in accordance with Art. 36 Para. 3 of Directive (EU) 2016/680.
p.(None): (3) If there is no decision pursuant to Paragraph 1, the transfer of personal data to a third country or an international organization is permitted,
p.(None): if
p.(None): 1. appropriate guarantees for the protection of personal data are provided in a legally binding instrument or
p.(None): 2. the person responsible came to the conclusion on the basis of an assessment of the circumstances relevant to the transfer of personal data,
p.(None): that there are appropriate safeguards to protect personal data.
p.(None): (4) If there are suitable guarantees in accordance with Paragraph 3 No. 2 for categories of transfers, the person responsible must inform the data protection authority
p.(None): about these categories.
p.(None): (5) Transmissions in accordance with Paragraph 3 No. 2 are to be documented, and the documentation, including the date and time of the transmission, information about
p.(None): the receiving competent authority, justification of the transfer and transferred personal data, is to be made available to the data protection authority
p.(None): on request.
p.(None): (6) If there is neither an adequacy decision in accordance with paragraphs 1 to 2 nor suitable guarantees in accordance with paragraphs 3 to 5, then,
p.(None): in accordance with paragraph 5, a transfer of personal data to a third country or to an international organization is only permitted if the transfer
p.(None): is required
p.(None): 1. to protect a person's vital interests,
p.(None): 2. if this is required by law to safeguard the legitimate interests of the data subject,
p.(None): 3. to avert an immediate and serious danger to the public security of a member state of the EU or a third country,
p.(None): 4. in individual cases for the purposes specified in § 36 Paragraph 1, or
p.(None): 5. in individual cases to assert, exercise or defend legal claims in connection with the purposes specified in § 36 Paragraph 1.
p.(None): (7) In the cases of subsection 6 nos. 4 and 5, the transfer is only permitted if none of the fundamental interests and fundamental freedoms of the data subject
p.(None): that prevail over the public interest in the transfer prevent the transmission.
p.(None): 4. Main piece
p.(None): Special criminal provisions
p.(None): Administrative penal provision
p.(None): Section 62. (1) Unless the act constitutes an offense under Art. 83 GDPR or is threatened with a more severe penalty under other administrative penal provisions,
p.(None): an administrative offense, which is punishable with a fine of up to 50,000 euros, is committed by anyone who
p.(None): 1. intentionally obtains illegal access to data processing or intentionally maintains a recognizable illegal access,
p.(None): 2. intentionally transmits data in violation of data secrecy (Section 6), in particular intentionally processes data that was entrusted to him in accordance with Sections 7 or 8 for
p.(None): other impermissible purposes,
p.(None): 3. deliberately obtains personal data in accordance with § 10 under false pretenses,
p.(None): 4. operates image processing contrary to the provisions of section 3 of the first main part or
p.(None): 5. refuses inspection in accordance with section 22 (2).
p.(None): (2) The attempt is punishable.
p.(None): (3) Legal entities can be fined in accordance with Section 30 in the event of an administrative offense under paragraphs 1 and 2.
p.(None): (4) The penalty of forfeiture of data carriers and programs as well as image transmission and recording devices can be pronounced (§§ 10, 17
p.(None): and 18 VStG), if these items are connected with an administrative violation according to paragraph 1.
p.(None): (5) The data protection authority is responsible for decisions in accordance with paragraphs 1 to 4.
p.(None): Data processing with the intention of profit or damage
p.(None): Section 63. Anyone who, with the intention of illegally enriching himself or a third party, or with the intention of damaging another person in his right guaranteed by Section 1 (1),
p.(None): uses, makes accessible to another or publishes personal data that was entrusted to him solely on the basis of his professional occupation or
p.(None): became accessible to him in that way, or that he has illegally tampered with, even though the person concerned
p.(None): has a confidentiality interest worthy of protection in these data, is to be punished by the court, unless the offense is threatened with a more severe punishment according to another provision,
p.(None): with a prison sentence of up to one year or a fine of up to 720 daily rates.
p.(None): 5. Main piece
p.(None): Final provisions
p.(None): Implementation and implementation of EU legal acts
p.(None): Section 64. (1) This Federal Act serves to implement Regulation (EU) 2016/679 for the protection of natural persons during processing
p.(None): personal data, the free movement of data and the repeal of Directive 95/46/EC (General Data Protection Regulation), OJ No. L 119 from 4.5.2016 p. 1.
p.(None): (2) This Federal Act also serves to implement Directive (EU) 2016/680 for the protection of natural persons during the processing of personal data
p.(None): by the competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or the execution of sentences, and for
p.(None): free movement of data and repealing Council Framework Decision 2008/977/JHA, OJ No. L 119 from 4.5.2016 p. 89.
p.(None): Linguistic equal treatment
p.(None): Section 65. Insofar as designations referring to natural persons are only given in male form in this federal law, they refer to women
p.(None): and men in the same way. When applying the terms to certain natural persons, the respective gender-specific form is to be
p.(None): used.
p.(None): Issuing regulations
p.(None): Section 66. Regulations based on this federal law in its current version may be enacted from the day following the announcement
p.(None): of the legal provisions to be implemented; however, they may not enter into force before the statutory provisions to be implemented.
p.(None): References
p.(None): § 67. Insofar as this federal law refers to provisions of other federal laws, these are to be applied in their respectively applicable version.
p.(None): Completion
p.(None): Section 68. The enforcement of this Federal Act, unless it is the responsibility of the Federal Government, is entrusted to the Federal Minister for the Constitution, Reforms,
p.(None): Deregulation and Justice, as well as the Federal Chancellor and the other Federal Ministers within their sphere of activity.
p.(None): Transitional provisions
p.(None): Section 69. (1) The term of office of the head of the data protection authority that is in effect at the time this Federal Act comes into force will be continued
p.(None): until it expires. This also applies to his deputy.
p.(None): (2) The data processing register maintained by the data protection authority must be continued by the data protection authority for archiving purposes until
p.(None): December 31, 2019. No entries or changes in content may be made in the data processing register. Registrations in
p.(None): the data processing register become irrelevant. Everyone can inspect the register. Access to the registration file, including any
p.(None): permission notices contained therein, is to be granted if the person seeking inspection proves that he is an affected person, and insofar as
p.(None): there are no overriding legitimate confidentiality interests of the person responsible (client) or other persons.
p.(None): (3) Registration procedures according to §§ 17 and 18 para. 2 DSG 2000 that are pending at the time this Federal Act comes into force are considered
p.(None): discontinued. Proceedings pursuant to Sections 13, 46 and 47 DSG 2000 that are pending at the time this Federal Act comes into force must be continued, provided that
p.(None): approval is required under this federal law or the GDPR. Otherwise they are considered discontinued.
p.(None): (4) Proceedings on the Data Protection Act 2000 that are pending at the data protection authority or at the ordinary courts at the time this Federal Act comes into force
p.(None): are to be continued in accordance with the provisions of this Federal Act and the GDPR, with the proviso that the jurisdiction of the ordinary
p.(None): courts remains in place.
p.(None): (5) Violations of the Data Protection Act 2000, which were not pending at the time this Federal Act came into force, are
p.(None): to be assessed according to the legal situation after the entry into force of this federal law. A criminal offense that was committed prior to the entry into force of this federal law
p.(None): has to be judged according to the legal situation which is more favorable for the offender in its overall effect; this also applies to the appeal procedure.
p.(None): (6) Submissions by data subjects pursuant to Section 24 are exempt from federal administrative levies.
p.(None): (7) The sending posts must announce in writing to the Federal Ministry of Constitution, Reforms, Deregulation and Justice, within two weeks from May 25, 2018,
p.(None): a number of members and substitute members of the Data Protection Council corresponding to Section 15 (1) 1 to 6. The
p.(None): constituent meeting of the Data Protection Council must take place within six weeks from May 25, 2018. Until the election of the new chairman and
p.(None): the two vice-chairmen, the previous chairman and the two previous vice-chairmen remain in their function.
p.(None): (8) Special provisions regarding the processing of personal data in other federal or state laws remain unaffected.
p.(None): (9) Legally valid permits issued by the data protection authority pursuant to Sections 13, 46 and 47 DSG 2000 prior to the entry into force of this Federal Act remain
p.(None): unaffected. Consent given under the Data Protection Act 2000 remains in effect provided that it complies with the requirements of the GDPR.
p.(None): Entry into force
p.(None): Section 70. (1) The remaining provisions of this Federal Act also enter into force on January 1, 2000.
p.(None): (2) Sections 26 (6) and 52 (1) and (2) in the version of the Federal Law Gazette I No. 136/2001 come into force on January 1, 2002.
p.(None): (3) Section 48a (5) in the version of the Federal Law Gazette I No. 135/2009 comes into force on January 1, 2010.
p.(None): (4) The table of contents, section 4 subsection 1 no.4, 5, 7 to 9, 11 and 12, section 8 subsection 1, 2 and 4, section 12 subsection 1, the renumbering of the paragraphs in section 13, section 16 Paragraphs 1 and 3,
p.(None): Section 17 (1), 1a and 4, Section 19 (1) (3a) and (2), renumbering of paragraphs in Section 19, Sections 20 to 22a including headings, Section 24 (2a) and Section 24 (4) , § 26
p.(None): Paragraphs 1 to 8 and 10, Paragraph 28 Paragraph 3, Paragraph 30 Paragraph 2a, 5 to 6a, Paragraphs 31 and 31a including headings, Paragraph 32 Paragraphs 1, 4, 6 and 7, Paragraph 34 Paragraph 1 , 3 and 4, § 36 paragraph 3, 3a and 9,
p.(None): Section 39 (5), Section 40 (1) and (2), Section 41 (2) 4a, Section 42 (1) 1, Section 42 (5), Section 46 (1) 2 and 3, Section 2 to 3a, § 47 para. 4, § 49 para. 3, § 50 para. 1 to 2a, the
p.(None): 9a. Section, Section 51, Section 52 Paragraphs 2 and 4, Section 55, Section 61 Paragraphs 6 to 9 and Section 64 in the version of the Federal Law BGBl. I No. 133/2009 come into force on January 1, 2010.
p.(None): At the same time, section 4 (1) 10, section 13 (3) and section 51 (2) shall lapse.
p.(None): (5) Section 36 (6) as amended by Federal Law Gazette I No. 133/2009 comes into force on July 1, 2010.
p.(None): (6) Section 37 (2), Section 38 (2) and Section 61 (9) in the version of the Federal Law Gazette I No. 57/2013 come into force on May 1, 2013.
p.(None): (7) The table of contents, section 5 (4), section 10 (2), section 12 (4), section 13 (1), section 2 (3), 4 and 6, section 16 (1) and section 17 Paragraph 1, Section 18 Paragraph 2, Section 19 Paragraph 1 Z 6 and
p.(None): Paragraph 2, Section 20 Paragraphs 2 and 5 Z 2, Section 21 Paragraph 1 Section 3, Section 22 Paragraphs 2 to 4, Section 22a Paragraph 1, 3 to 5, Section 23 Paragraph 2, Section 26 Paragraph 2, 5 and 7, § 27 paragraphs 5 and 7, the heading to § 30,
p.(None): Section 30 subsections 1, 2, 2a, 4 to 6a, the heading to Section 31, Section 31 subsections 1, 2, 5, 6 and 8, Section 31a, Section 32 subsections 5 to 7, Section 34 subsection 3 and 4, the heading to § 35, § 35 paragraph 1, §§ 36
p.(None): up to 40 including headings, Section 41 (2) 1, Section 44 (6) and (8), Section 46 (2) 3 and 3, Section 47 (3) and (4), Section 48a (2), Section 50 1 and 2, Section 50b (2), Section 50c
p.(None): Paragraph 1, Section 52 Paragraph 2 Numbers 2 and 3 as well as Section 5, Section 54 Paragraph 2 and Section 61 Paragraphs 8 to 10 in the version of Federal Law BGBl. I No. 83/2013 come into force on January 1, 2014.
p.(None): At the same time, § 41 Paragraph 2 No. 4a and the DSK Compensation Ordinance, Federal Law Gazette II No. 145/2006, cease to apply. The organizational and personnel
p.(None): measures necessary for the appointment of the head of the data protection authority and its deputy can take place before the Federal Law,
p.(None): Federal Law Gazette I No. 83/2013, comes into force.
p.(None): (8) (constitutional provision) Section 2 (2) and Section 35 (2) in the version of Federal Law BGBl. I No. 83/2013 come into force on January 1, 2014.
p.(None): (9) The title, the table of contents, the 1st main piece, the name and heading of the 2nd main piece, the 1st, 2nd, 3rd and 4th section, the heading and
p.(None): Description of the 5th section, § 35 paragraph 1, the description and heading of the 3rd main piece, the 1st, 2nd and 3rd section, the heading and description of the
p.(None): Section 4, Sections 58 and 59 including headings and the 4th and 5th main sections in the version of the Federal Law BGBl. I No. 120/2017 come into force on May 25,
p.(None): 2018. In Art. 2, the 1st, 2nd, 3rd, 4th, 5th and 6th section, the designation and the heading of the 7th section, the heading to § 35, §§ 36 to 44
p.(None): including headings, the 8th, 9th, 9a. and Section 10, the designation and heading of Section 11, Sections 53 to 59 including headings, Section 61 (1) to (3)
p.(None): and 5 to 10 as well as §§ 62 to 64 including the headings in the version before the amendment BGBl. I No. 120/2017 cease to be in force with the expiry of May 24, 2018.
p.(None): (10) The Standard and Model Ordinance 2004 - StMV 2004, Federal Law Gazette II No. 312/2004, the Data Processing Register Ordinance 2012 - DVRV 2012, Federal Law Gazette II
p.(None): No. 257/2012, and the data protection adequacy regulation - DSAV, Federal Law Gazette II No. 521/1999, will expire on May 24, 2018.
p.(None): (11) (Constitutional provision) Section 35 (2) as amended by Federal Law BGBl. I No. 23/2018 comes into force on May 25, 2018.
...
Orphaned Trigger Words
p.(None): cannot be elected to the National Council.
p.(None): (5) The term of office of the members and substitute members in accordance with paragraph 1 items 1 to 6 begins with their posting to the Data Protection Council and ends
p.(None): 1. upon dismissal by the sending agency (para. 1) by means of a written notification to the Federal Ministry for the Constitution, reforms,
p.(None): Deregulation and justice with simultaneous naming of a new member or substitute member,
p.(None): 2. with the announcement of the resignation by the member or substitute member by means of a written notification to the Federal Ministry for
p.(None): Constitution, reforms, deregulation and justice or
p.(None): 3. at the latest with the new election of the main committee of the National Council in accordance with Sections 29 and 30 of the 1975 Law on Rules of Procedure, Federal Law Gazette No. 410/1975.
p.(None): 3 applies to members of the Data Protection Council named in accordance with Paragraph 1 no. 7.
p.(None): (6) After the new election of the main committee of the National Council (para. 5 no. 3), the former presidium conducts the business up to § 17 para
p.(None): constituent meeting of newly appointed members and replacement members. Within a period of two weeks from the election of the main committee
p.(None): of the National Council, the sending agencies must announce in writing to the Federal Ministry for the Constitution, Reforms, Deregulation and Justice
p.(None): a number of members and replacement members corresponding to paragraph 1. The reappointment of members and substitute members is permitted.
p.(None): (7) The constituent meeting of the Data Protection Council must take place no later than six weeks after the election of the main committee of the National Council and
p.(None): is to be convened by the Federal Ministry for the Constitution, Reforms, Deregulation and Justice.
p.(None): (8) The activities of the members and substitute members of the Data Protection Council are voluntary. Members and alternate members of the Data Protection Council who
p.(None): live outside of Vienna are entitled, if they attend meetings of the Data Protection Council, to reimbursement of the reasonable travel costs in accordance with the stipulations of
p.(None): the federal travel fee regulations. The fees and reimbursements are to be remitted retrospectively by the Federal Ministry for the Constitution,
p.(None): Reforms, Deregulation and Justice.
p.(None): Chair and management
p.(None): Section 16. (1) The Data Protection Council shall adopt rules of procedure by resolution.
p.(None): (2) The Data Protection Council shall elect, from among its members, a chairman and two vice-chairmen with a simple majority in the constituent meeting from the election proposals
p.(None): presented. Runoff elections are permitted. The election proposals are to be announced to the members and substitute members at the same time as the
p.(None): invitation to the constituent meeting. Reelection is permitted.
p.(None): (3) The term of office of the chairperson and the deputy chairperson ends
p.(None): 1. upon occurrence of one of the requirements of section 15 subsection 5 lines 1 to 3,
p.(None): 2. upon announcement of the resignation of the function by the chairperson or one of the deputy chairpersons by means of a declaration in the
p.(None): Meeting of the Data Protection Council or a written communication to the Federal Ministry for Constitution, Reforms, Deregulation and Justice or
p.(None): 3. after being voted out by the Data Protection Council with a simple majority of the votes cast and the presence of more than two thirds of its members or
p.(None): Substitute members.
p.(None): After the end of the term of office of the chairperson or a deputy chairperson, a new chairperson or
p.(None): deputy chairperson is to be elected immediately.
p.(None): (4) The chairperson elected in accordance with paragraph 2 represents the Data Protection Council externally.
p.(None): (5) The management of the Data Protection Council is the responsibility of the Federal Ministry for Constitution, Reforms, Deregulation and Justice. The Federal Minister for
p.(None): the Constitution, Reforms, Deregulation and Justice has to provide the necessary personnel. In their work for the Data Protection Council, the
p.(None): officials of the Federal Ministry for the Constitution, Reforms, Deregulation and Justice are bound by the instructions of the Chairman of the Data Protection Council.
p.(None): Meetings and decision making
p.(None): Section 17. (1) The meetings of the Data Protection Council are convened by the chairman as required. Each member of the Data Protection Council can request in writing the
p.(None): convening of the Data Protection Council, stating the desired subject of the negotiation. If there is such a request, the chairman has
p.(None): to schedule the session so that it takes place no later than four weeks after the request is received.
p.(None): (2) Each member of the Data Protection Council is - except in the case of justified prevention - obliged to attend the meetings of the Data Protection Council.
p.(None): The substitute member will only attend the meeting if the member is unable to attend.
p.(None): (3) The presence of more than half of its members or substitute members is required for deliberations and decision-making in the Data Protection Council.
p.(None): A simple majority of the votes cast is sufficient to pass resolutions. In the event of a tie, the Chairman's vote shall be decisive.
...
p.(None): (12) The table of contents, section 4 subsections 1, 5 to 7, section 5 subsection 3 first sentence and section 5, section 9 including the heading, section 11 including the heading, section 12 subsection 3 no.2 and subsection 4 no 3,
p.(None): Section 14 (1), Section 15 (1), Section 5, Section 3, Section 5, Sections 1 and 2, Section 6, 7 and 8, Section 16 (3) Section 2 and Section 5, Section 19 Section 2 and 3, section 23 subsection 1, section 26 subsection 1, section 28, section 30 subsection 3 and
p.(None): 5, § 32 Paragraph 1 No. 1, § 36 Paragraph 1 and 2 No. 7, § 44 Paragraph 2, § 49 Paragraph 1 and 3, § 56 Paragraph 1, § 64 Paragraph 2, § 68 and § 69 paras. 5 and 7 in the version of the
p.(None): Federal Law BGBl. I № 24/2018 come into force on May 25, 2018. At the same time, section 45 (7) in the version prior to the amendment to Federal Law Gazette I No. 24/2018 shall cease to apply.
p.(None): Section 70 (1) to (8) in the version of the Federal Law Gazette I No. 24/2018 comes into force on the day following the announcement. Insofar as the orders made in
p.(None): Federal Law BGBl. I No. 24/2018 relate to regulations created by the Data Protection Adaptation Act 2018, BGBl. I No. 120/2017,
p.(None): the provisions of Federal Law BGBl. I No. 24/2018 take precedence over those of the Data Protection Adaptation Act 2018, BGBl. I No. 120/2017.
p.(None): (13) Section 16 (5) and Section 70 (6), (7), (9), (10) and (12) in the version of the Federal Law Gazette I No. 14/2019 come into force at the end of the day of publication
p.(None): of this federal law; at the same time, the entries for sections 60 and 61 in the table of contents are no longer valid. The entries for §§ 2 and 3 in
p.(None): the table of contents and § 4 (7) will expire on January 1, 2020.
p.(None): (14) (Constitutional provision) Sections 2 and 3 including headings will expire on December 31, 2019. Section 70 (8) and (11) as amended
p.(None): by Federal Law BGBl. I No. 14/2019 comes into force on the day of the publication of this Federal Law; at the same time, § 61 including the heading ceases to be in
p.(None): force.
...
Appendix
Indicator List
Indicator | Vulnerability |
access | Access to Social Goods |
age | Age |
authority | Relationship to Authority |
child | Child |
children | Child |
crime | Illegal Activity |
criminal | criminal |
employees | employees |
ethnic | Ethnicity |
faith | Religion |
family | Motherhood/Family |
freedom of information | Access to information |
gender | gender |
hazard | Natural Hazards |
home | Property Ownership |
illegal | Illegal Activity |
impaired | Cognitive Impairment |
impairment | Cognitive Impairment |
language | Linguistic Proficiency |
linguistic | Linguistic Proficiency |
military | Soldier |
minority | Racial Minority |
occupation | Occupation |
officer | Police Officer |
opinion | philosophical differences/differences of opinion |
parents | parents |
party | political affiliation |
police | Police Officer |
political | political affiliation |
prison | Incarcerated |
property | Property Ownership |
racial | Racial Minority |
religious | Religion |
restricted | Incarcerated |
threat | Threat of Stigma |
union | Trade Union Membership |
unlawful | Illegal Activity |
vulnerable | vulnerable |
Indicator Peers (Indicators in Same Vulnerability)
Indicator | Peers |
child | ['children'] |
children | ['child'] |
crime | ['illegal', 'unlawful'] |
faith | ['religious'] |
home | ['property'] |
illegal | ['crime', 'unlawful'] |
impaired | ['impairment'] |
impairment | ['impaired'] |
language | ['linguistic'] |
linguistic | ['language'] |
minority | ['racial'] |
officer | ['police'] |
party | ['political'] |
police | ['officer'] |
political | ['party'] |
prison | ['restricted'] |
property | ['home'] |
racial | ['minority'] |
religious | ['faith'] |
restricted | ['prison'] |
unlawful | ['crime', 'illegal'] |
Trigger Words
consent
cultural
justice
protect
protection
risk
Applicable Type / Vulnerability / Indicator Overlay for this Input