The DPA maintains the database register, which is accessible online. Anyone may consult the register. Federal authorities must declare all of their files to the DPA for registration purposes. Private persons must declare their files if:
- they regularly process sensitive personal data or personality profiles; or
- they regularly disclose personal data to third parties.
The files must be registered prior to processing. The DPA issues regulations on the registration of files and on the maintenance and publication of the register. It may also provide for exemptions from the duty to declare or register for certain types of files, provided the processing does not endanger the privacy of the persons affected.
The data controller is not required to declare his files if:
- private persons are processing the data in terms of a statutory obligation;
- the data controller uses the data exclusively for publication in the edited section of a periodically published medium and does not pass on any data to third parties without informing the data subjects;
- the data is processed by journalists who use the data file exclusively as a personal work aid;
- the data controller has designated a data protection officer who independently monitors internal compliance with data protection regulations and maintains a list of the data files;
- the data controller has acquired a data protection quality mark under a certification procedure and has notified the Commissioner of the result of the evaluation;
- the data files are from suppliers or customers, provided they do not contain any sensitive personal data or personality profiles;
- the data files include data used exclusively for purposes unrelated to specific persons, in particular for research, planning and statistics;
- the data files are archived data files and the data are preserved solely for historical or scientific purposes;
- the data files contain only data that have been published or that the data subjects have themselves made generally accessible and they have not expressly prohibited their processing;
- the data maintained in case preventive measures cannot ensure data protection;
- the data files comprise accounting records;
- the data files are secondary data files for personnel management of the controller of the data file, provided they do not contain any sensitive personal data or personality profiles.