§ 15 SDSG
Approval procedure and access to the record of processing activities
(1) ¹Any processing of personal data intended to be carried out by automated means shall require written or electronic approval before its commencement or before a significant modification. ²The approval declaration shall confirm that
1. the processing complies with Articles 5 and 6 of Regulation (EU) 2016/679,
2. a risk analysis carried out taking into account the requirements of Article 32 of Regulation (EU) 2016/679 has resulted in a security concept showing that appropriate technical and organisational measures have been taken to ensure a level of protection appropriate to the risk for the rights and freedoms of the data subjects, and
3. a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679 has been carried out for procedures that are likely to result in a high risk to the rights and freedoms of the data subjects.
³The approval shall be given by the controller. ⁴In the case of joint procedures, the competence for the approval may be agreed in accordance with Article 26(1) of Regulation (EU) 2016/679. ⁵The approval declaration shall be appended to the record pursuant to Article 30 of Regulation (EU) 2016/679.
(2) Paragraph 1 sentence 1 shall not apply to
1. procedures whose sole purpose is the maintenance of a register intended for public information or open to inspection by all persons who can demonstrate a legitimate interest,
2. procedures insofar as they involve the creation of data collections that are only kept temporarily and are erased within three months of their creation,
3. procedures that run using commercially available word processing programs,
4. procedures that serve exclusively for data security and data protection supervision,
5. procedures that serve exclusively for finding files, applications or records (registry procedures),
6. procedures that serve exclusively for monitoring deadlines and time limits,
7. room, inventory and software directories,
8. library catalogues and reference directories, or
9. address directories that are used exclusively for sending information to data subjects.
(3) ¹The record pursuant to Article 30 of Regulation (EU) 2016/679, including the approval declaration pursuant to paragraph 1, may be inspected by anyone free of charge. ²This shall not apply to information pursuant to Article 30(1) second subparagraph (g) and (2)(d) of Regulation (EU) 2016/679 insofar as the security of the procedure would thereby be impaired. ³Sentence 1 shall not apply to
1. procedures of the constitutional protection authority,
2. procedures that serve the prevention of threats or the prosecution of criminal offences, and
3. procedures of the tax investigation service insofar as the responsible body declares, in the individual case, that inspection is incompatible with the fulfilment of its tasks.

Part Five
Implementing provisions for Articles 51 to 59 of Regulation (EU) 2016/679 (State Commissioner for Data Protection)