|
What Needs to be Done Prior to Collection
Contact the data subject
Contact the Federal Commissioner
Section 33 Notification of the data subject
(1) If personal data are stored for the first time for one’s own purposes without the data subject's knowledge, the data subject shall be notified of such storage, the type of data, the purposes of collection, processing or use and the identity of the controller. If personal data is stored in the course of business without the data subject's knowledge for the purpose of transfer, the data subject shall be notified of their initial transfer and of the type of data transferred. In the cases covered by the first and second sentences above, the data subject shall also be notified of the categories of recipients, in so far as he cannot be expected to assume transfer to such recipients according to the circumstances of the individual case concerned.
(2) Notification shall not be required if
1. the data subject has received knowledge by other means of the storage or transfer of the data,
2. the data is stored merely because it may not be erased due to legal, statutory or contractual provisions on its preservation or exclusively serves purposes of data security or data protection control and notification would require disproportionate effort,
3. the data must be kept secret in accordance with a legal provision or by virtue of its nature, in particular on account of an overriding legal interest of a third party,
4. the law expressly provides for such storage or transfer,
5. storage or transfer is necessary for the purposes of scientific research and notification would require disproportionate effort,
6. the relevant public body has stated to the controller of the filing system that publication of the data would jeopardise public safety or order or would otherwise be detrimental to the Federation or a Land,
7. the data is stored for one’s own purposes and
   a) is taken from generally accessible sources and notification is unfeasible on account of the large number of cases concerned or
   b) notification would considerably impair the business purposes of the controller of the filing system, unless the interest in notification outweighs such impairment, or
8. the data is stored in the course of business for the purpose of transfer and
   a) is taken from generally accessible sources in so far as they relate to those persons who published these data or
   b) the data is compiled in lists or otherwise combined (Section 29 (2), No. 1 (b) of this Act)
   and notification is unfeasible on account of the large number of cases concerned.
The controller shall stipulate in writing under what conditions notification shall not be provided in accordance with sentence 1, Nos. 2 to 7.
Contact the Federal Commissioner
Section 4d Obligatory registration
(1) Prior to putting automated processing procedures into operation, private controllers of the competent supervisory authorities, public controllers of the Federation and postal and telecommunications companies shall register such procedures with the Federal Commissioner for Data Protection and Freedom of Information in accordance with Section 4e.
(2) Obligatory registration shall not apply if the controller has appointed a data protection official.
(3) Obligatory registration shall additionally not apply if the controller collects, processes or uses personal data for its own purposes, provided that a maximum of nine employees are concerned with the collection, processing or use of personal data and either consent has been obtained from the data subject or the collection, processing or use serves the purposes of a contract or a quasi-contractual fiduciary relationship with the data subject.
(4) Sub-sections 2 and 3 above shall not apply in cases of automated processing in which the controller concerned stores personal data in the course of business
1. for the purpose of transfer or
2. for the purpose of anonymized transfer.
(5) In so far as automated processing operations involve risks for the rights and liberties of the data subject, they are subject to examination prior to the beginning of processing (prior checking). Prior checking is to be carried out in particular when
1. special categories of personal data (Section 3 (9)) are to be processed or
2. the processing of personal data is intended to appraise the data subject's personality, including his abilities, performance or conduct, unless a statutory obligation applies, the data subject's consent has been obtained or the collection, processing or use serves the purposes of a contract or a quasi-contractual fiduciary relationship with the data subject.
(6) Prior checking is the responsibility of the data protection official. The latter shall carry out prior checking after receiving the list in accordance with the first sentence of Section 4g (2). In cases of doubt, he is to refer to the supervisory authority or, in the case of postal and telecommunications companies, to the Federal Commissioner for Data Protection and Freedom of Information.
Section 4e Contents of the obligatory registration
In so far as automated processing procedures are subject to obligatory registration, the following information is to be furnished:
1. The name or title of the controller,
2. the owners, managing boards, managing directors or other lawfully or constitutionally appointed managers and the persons placed in charge of data processing,
3. the address of the controller,
4. the purposes of collecting, processing or using data,
5. a description of the groups of data subjects and the appurtenant data or categories of data,
6. the recipients or categories of recipients to whom the data may be transferred,
7. the standard periods for the erasure of data,
8. any planned data transfer in third states,
9. a general description enabling preliminary assessment as to whether the measures in accordance with Section 9 to guarantee the safety of processing are adequate.
|