Personal data, including sensitive personal data in terms of the Data Protection Act of 25 September 20201(FADP), and legal entities’ data, including sensitive data in terms of Article 57r paragraph 2 of this Act, may be processed in records and process management systems, provided they serve:
to process items of business;
to organise operational processes;
to determine whether data on a specific person are being processed;
to facilitate access to documentation.
Other federal authorities and bodies outside the Federal Administration may be granted access to personal data, including sensitive personal data in terms of the FADP, and to legal entities’ data, including sensitive legal entities’ data in terms of Article 57r paragraph 2 of this Act, provided disclosure is permitted by law.
Records and process management systems may contain sensitive personal data in terms of the FADP and sensitive legal entities’ data in terms of Article 57r paragraph 2 of this Act, provided the data results from the correspondence or from the nature of the business or the document.
Access to sensitive personal data in terms of the FADP and to sensitive legal entities’ data in terms of Article 57r paragraph 2 of this Act may only be granted to persons who require access in order to fulfil their task.