What Needs to be Done Prior to Collection
Contact the data subjects
Contact Data Protection Commission
(1) The controller of a data application shall inform the data
subjects when collecting data in an appropriate manner about
1. the purpose of the data application for which the data is
collected, and
2. the name and address of the controller,
insofar as this information is not already available to the
data subject, with regard to the particular circumstances of the
case.
(2) Information beyond the scope of para.1 shall be given if this
is necessary for fair and lawful processing, in particular if
1. the data subject has a right to object to intended processing or
transmission of data pursuant to sect.28 or
2. it is not clear for the data subject under the circumstances whether
he is required by law to reply to the questions posed, or
3. data is to be processed in a joint information system that is not
authorized by law.
(3) Where data has not been collected by asking the data subject,
but through transmission from another application purpose of the
same controller or from a data application of another controller,
the information according to para.1 may be omitted
1. if the use of data is provided for by law or an ordinance or
2. if it is impossible to provide the information because the data
subjects cannot be reached or
3. if, considering the improbability of infringements of the data
subjects' rights and the expense involved in reaching the data
subjects, an unreasonable effort would be required. In particular,
this applies if data is collected for purposes of scientific
research or statistics pursuant to sect.46 or address data pursuant
to sect.47 and the requirement to inform the data subject is not
explicitly stipulated. The Federal Chancellor may determine further
cases by ordinance in which the duty to give information does not
apply.
(4) There shall be no duty to provide information regarding such
data applications that are not subject to notification pursuant to
sect.17 para.2 and 3.
Contact Data Protection Commission
Controller’s duty to notify
Sect.17
(1) Every controller shall, unless provided for otherwise in
paras.2 and 3, before commencing a data application, file a
notification whose contents are laid down in sect.19 with the Data
Protection Commission for the purpose of registration in the Data
Processing Register. The duty to notify also applies to all
circumstances that subsequently lead to the incorrectness or
incompleteness of the notification.
(2) Data applications are not subject to notification
1. which solely contain published data or
2. whose subject is the management of registers and catalogues
that are by law open to inspection by the public, even if a
legitimate interest for doing so must be demonstrated or
3. which contain only indirectly personal data or
4. which are carried out by natural persons for activities that
are entirely personal or concern just the person's family life
(sect.45) or
5. which are carried out for journalistic purposes according to
sect.48 or
6. correspond to a standard application. The Federal Chancellor
can lay down in an ordinance that some types of data applications
and transmissions are standard applications, if they are carried out
by a large number of controllers in similar fashion and if a risk to
the data subjects' interest in secrecy deserving protection is
unlikely considering the purpose of the use and the processed
categories of data. The ordinance shall list for every Standard
Application the authorised categories of data, the categories of
data subjects and recipients as well as the maximum period of time
during which the data may be stored.
(3) Furthermore, data applications for the purpose of
1. protecting the constitutional institutions of the Republic of
Austria or
2. safeguarding the operational readiness of the federal army or
3. safeguarding the interests of comprehensive national defence or
4. protecting important foreign policy, economic or financial
interests of the Republic of Austria or the European Union
5. preventing and prosecuting of crimes
shall be exempt from the duty to notify, insofar as this is
necessary to achieve the purpose of the data application.
(1) A notification pursuant to sect.17 must contain
1. the name (or other designation) and address of the controller
and of his representative according to sect.6 para.3 or of the
operator pursuant to sect.50 para.1; furthermore the registration
number of the controller, insofar as one has been already assigned
to him, and
2. the proof of statutory competence or of the legitimate
authority that the controller's activities are permitted, if so
required and
3. the purpose of the data application to be registered and the
legal basis, as long as this is not included in the information
according to sub-para.2 and
4. the categories of data subjects and the categories of data
about them that are processed and
5. the categories of data subjects affected by intended
transmissions, the categories of data to be transmitted and the
matching categories of recipients -including possible recipient
states abroad- as well as the legal basis for the transmission and
6. -insofar as a permit by the Data Protection Commission is
required- the file number of the permit of the Data Protection
Commission as well as
7. a general description of data security measures taken
pursuant to sect.14, which enable a preliminary assessment of the
appropriateness of the security measures.
(2) If a large number of controllers has to carry out data
applications in similar fashion and the prerequisites for a Standard
Application do not apply, the Federal Chancellor can designate Model
Applications by ordinance. Notifications of data applications whose
content corresponds to a Model Application need to contain only the
following:
1. the designation of the model application according to the
model ordinance and
2. the designation and address of the controller as well as
proof of statutory competencies or of legitimate authority, as far
as this is required, and
3. the registration number of the controller, insofar as one has
been already assigned to him.
(3) A notification is insufficient if information is missing, obviously
incorrect, inconsistent or so insufficient that persons accessing
the register to safeguard their rights according to this Federal Act
cannot obtain sufficient information as to the issue whether their
interests in secrecy deserving protection could be infringed by the
data application. In particular, inconsistency is given in case of a
deviation of the notified content from the notified legal basis.
The forms for the notification are found on the website.
Notification costs nothing and has to be in German. Failure to notify
is punishable with a fine of up to 9,445 Euro under sect.52 para.2
sub-para.1, DSG 2000.