Draft: Create a privacy policy agreement

!! Work in progress !!

Problem

  • Personal data needs to be processed in order to proceed with the Fachverfahren and to provide orientation or advice to the citizen who initiated the request.
  • Some of this data is sensitive.
  • Users need to be aware of the laws allowing data processing if they initiated the request themselves.

Goal

Define a privacy policy within the NEO context (or copy the one from BundID?)

ACs

The privacy policy must contain the following:

  • OZG_8 : § 3a OZG - Personal data, including particularly sensitive data, may be processed for the purpose of advising users, provided that the processing is purpose-specific, necessary, and initiated by the users.

  • OZG_28 : § 8 section 8 OZG - With the permission of the user(s), certain data may be transferred to the competent authority, an administrative process, or an online service. This data comes from OZG_18, OZG_19, OZG_21, OZG_23, OZG_24, and OZG_37 - OZG_40.

  • OZG_29 : § 8 section 8 OZG - The data referred to may only be used by third parties if this is necessary for the support or processing of an administrative service. The body receiving the data is responsible for ensuring that the transfer is legally permissible. In principle, the data may only be used for the purpose for which it was transmitted, unless a law expressly permits more.

  • OZG_30 : § 8 section 9 OZG - If processing is permitted under OZG_23 - OZG_28, special categories of personal data within the meaning of Article 9(1) GDPR may also be processed. When processing such data, appropriate and specific measures must be taken to protect the data subject in accordance with the current state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing.

  • OZG_37 : § 9 section 1 OZG - An electronic administrative act is considered to have been notified when the decision is retrieved from the user account's mailbox by the user or an authorized person.

  • OZG_38 : § 9 section 1 OZG - The administrative act is considered to have been notified on the fourth day after it has been made available. In case of doubt, the authority must prove the date on which it was made available.

  • OZG_39 : § 9 section 1 OZG - The user or authorized person will be informed of the retrieval options via the address provided by him/her no later than on the day of the delivery.

  • OZG_40 : § 9 section 1 OZG - If the administrative act is accessed before a possible re-notification, the date of the first access shall be considered the date of receipt.

    ....

Notes / resources

Who needs to be involved / informed

  • reviewers:
  • involved:
  • informed:
Edited by Robert Gerbauld