Austria implemented the EU Data Protection Directive 95/46/EC with the Data Protection Act, Federal Law Gazette part I No. 165/1999 as amended (“Act”).
Definition of Personal Data
Personal Data is defined as information relating to an identified or identifiable subject.
Definition of Sensitive Personal Data
Sensitive personal data refers to data relating to racial or ethnic origin, political opinions, trade union membership, religious or philosophical belief, health or sex life of a natural person.
National Data Protection Authority
Austrian Data Protection Commission
- Unless an exemption applies, data controllers who process personal data by automatic means must notify the Data Protection Authority (“DPA”), who keep a register of all data applications. The Data Protection Register is accessible by the public. Changes to the data application will require the notification to be amended.
- An exemption applies to so called standard applications, which are defined by decree of the Federal Chancellor.
- The notification shall inter alia include the following information (as outlined in the DPA standard notification form):
- the title and purpose(s) of the data application;
- the controller’s contact details and if relevant the controller’s representatives’ contact details;
- the categories of personal data processed;
- whether sensitive data is processed;
- the recipients of the data;
- the legitimate authority for the data application;
- a description of security measures; and
- in cases where an approval by the DPA for the foreign data transfer is required, the reference of the respective order of the DPA.
Data Protection officers
There is no legal requirement in Austria for organisations to appoint a data protection officer.
Collection and Processing
Data controllers may collect and process personal data if they have legitimate authority and in addition any of the following conditions are met:
- the data subject consents, such consent can be revoked at any time;
- the processing is necessary to enable the controller to fulfill an explicit legal authorization or
- the processing is necessary to protect the vital interests of the data subject;
- the processing is necessary to enable the controller or third parties to protect a legitimate interest, except where such interest is overridden by the interests of the data subject, such as:
- the processing is necessary to fulfill a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into such a contract;
- the processing is necessary to perform a task in the public interest;
- the processing is necessary to exercise official authority;
- the processing is necessary to protect the vital interests of a third party; or
- the processing is necessary for the establishment, exercise or defense of legal claims of the controller before a public authority.
- Where sensitive personal data is processed, a different, exhaustive list of specific conditions applies. With regard to sensitive data, the legitimate interest in confidentiality will not be infringed in the following circumstances:
- where the data was clearly made public by the data subject;
- where the data is used only in indirectly personal form;
- where the use of the data is authorized or required by law and in the public interest;
- where the data is used by state authorities for inter authority assistance;
- where the data relates exclusively to the exercise of a public function of the data subject, revocation being possible any time;
- where the data subject has given explicit consent to the use of the data;
- where processing or disclosure is necessary to safeguard the vital interests of the data subject, and consent cannot be obtained in due time;
- where the use of the data is necessary to safeguard the vital interests of a third party;
- where the use of the data is necessary for the enforcement, exercise or defense of legal claims of the data controller before the authorities, provided such data has been lawfully collected;
- where the data is used only for private purposes, for statistical or research purposes, or for the purpose of informing or interviewing the data subject;
- where the use of the data is necessary for compliance with labor or employment law;
- where the use of the data is required for medical prevention, medical diagnostics, health care or treatment, or for the administration of medical services, and the data is only used by medical staff or other persons who are subject to an obligation of secrecy; or
- where data regarding political or ideological opinions of natural persons is used by non profit organisations, with political, philosophical, religious or trade union objectives, within the legitimate scope of their activities, and such data relates to members, supporters, or other persons who have on a regular basis expressed their interest in the objectives of the relevant organisation.
Whichever of the above conditions is relied upon, the controller must first provide the data subject with certain information, unless an exemption applies. The notification shall at least include information on the identity of the controller and the purposes of the processing.
The data controller should also inform the data subject of other aspects necessary to ensure that the processing is fair, such as whether or not it is obligatory to respond and the right to object to the processing.
A transfer of personal data is only lawful, if:
- the data originates from a lawful data application;
- the recipient can show a legitimate authority to receive the data; and
- the interests of the data subjects are preserved.
- A transfer to recipients outside the EU/European Economic Area requires the prior approval of the DPA, unless:
- the recipient resides in a country, which by decree of the Federal Chancellor provides for “adequate protection” (e.g. companies which adhere to the US/EU Safe Harbor principles);
- the data subject has without any doubt consented to the transfer;
- a contract between the controller and the data subject or a third party, that has been concluded clearly in the interest of the data subject, cannot be fulfilled except by the trans-border transmission of data;
- the data has been published legitimately in Austria;
- data is transferred or committed that is only indirectly personal to the recipient;
- the trans border transfer is authorized by regulations that are equivalent to a statute in the Austrian legal system and are immediately applicable;
- the data is for private purposes;
- the transfer is necessary for the establishment, exercise or defense of legal claims before a foreign authority and the data was collected legitimately;
- the transfer is expressly named in a standard application; or
- the transfer is made from a data application that is exempted from registration.
The DPA shall grant its approval if, in the specific case, adequate protection can be evidenced. Such safeguards may inter alias result from contractual clauses, e.g. by standard contractual clauses approved by the European Commission, or via an organisation’s Binding Corporate Rules.
Data controllers and processors must implement the appropriate technical and organisational measures, depending on the technological state of the art and the cost incurred in execution, to protect personal data against accidental or intentional destruction or loss, unauthorized disclosure or access and against all other unlawful forms of processing.
The Act thereby lists particular measures, such as a regulation of the rights of access to data and the right to operate on data.
Since the beginning of 2010, the Act has required a data controller to notify the data subjects in an appropriate way, if it realizes that the data in its data application has been systematically or
in a material way unlawfully used, unless the potential damage of the data subjects is negligible or the notification would require unreasonable expense.
Anybody can raise a complaint with the DPA. The DPA is authorized to investigate data applications in any case of reasonable suspicion. It has the power to request clarification from the data controller and inspect documentation.
A violation of a data subject’s right to secrecy, rectification or deletion of data must be brought before the competent civil court.
Failure to comply with the Act may be sanctioned by the competent administrative authority with fines up to EUR 25,000.
The Act does not specifically address (electronic) marketing, while the use of personal data for marketing purposes clearly falls within the remit of the Act. It is arguable that the processing of personal data within the scope of the business is permissible for marketing purposes. However, it is argued that the consent of the data subjects is required.
Electronic marketing is also regulated by the Austrian Telecommunications Act (Telecommunications gesetz 2003, “TKG”). Pursuant to the TKG the sending of electronic messages without prior consent of the recipient is unlawful, if the sending is for direct marketing purposes and to more than 50 recipients. No consent is required if the data has been obtained in the course of the sale of goods or provision of services, occurs for the same or similar goods or services, the recipient is able to decline easily and with no costs for the use of his or her personal data and the recipient has not previously declared, by requesting
to be entered on to the relevant list (maintained by the Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR)), that he or she does not want to be contacted.
Online Privacy (Including Cookies and Location Data)
Online privacy is specifically regulated by the TKG.
– Traffic Data held by communications services providers (“CSPs”) must be erased or anonymity when it is no longer necessary for the purpose of the transmission of a communication. However, Traffic Data can be retained for purposes of invoicing the services. In such a case, if the invoice has been paid and no appeal has been lodged with the CSP within three months the Traffic Data must be erased or anonymised.
– Location Data may only be processed for value added services and with consent of the user. Even in case of consent, the user must be able to prohibit the processing by simple means, for free and for a certain time period.
– The relevant section of the TKG stipulates that a user must give informed consent for the storage of personal data, which includes a cookie. The user has to be aware of the fact that consent for the storage or processing of personal data is given, as well as the details of the data to be stored or processed, and has to agree actively. Therefore obtaining consent via some form of pop up or click through agreement seems advisable. Consent by way of browser settings, or a pre-selected check-box etc. is probably not sufficient in this respect. If for technical reasons the short term storage of content data is necessary, such data must be deleted immediately thereafter.