Data Protection Act (Austria)

from Wikipedia, the free encyclopedia
Basic data
Title: Data Protection Act
Long title: Federal law for the protection of natural persons when processing personal data
Abbreviation: DSG
Previous title: Federal law on the protection of personal data
Type: Federal law
Scope: Republic of Austria
Legal matter: Data protection law
Effective date: January 1, 2000 (Federal Law Gazette I No. 165/1999)
Last change: Federal Law Gazette I No. 14/2019
Legal text: Data protection law in the RIS

The Data Protection Act, together with the General Data Protection Regulation, regulates the protection of personal data in Austria. Personal data includes, for example, an email address, date of birth or telephone number. Such information may be passed on without the prior consent of the person concerned only in special cases. The data protection authority is established by this law.

The first data protection law was enacted with Federal Law Gazette No. 565/1978. Austria was thus one of the first European countries to have its own data protection authority. With this law the data protection commission was created (since 2012 the data protection authority, DSB). The Data Protection Act transposes Directive 95/46/EC (Data Protection Directive) into national law and was fundamentally amended in 2005. With the 2013 amendment to the DSG (Federal Law Gazette I No. 83/2013 of May 23, 2013), the data protection commission was replaced by the data protection authority.

Definitions (§ 4)

  • Personal data is information about persons whose identity has been determined or at least can be determined, e.g. name, social insurance number (SV number), addresses.
  • Data is only indirectly personal if the client, service provider or recipient cannot determine the personal reference of the data by legally permissible means.
  • Sensitive data are defined by law: data on racial or ethnic origin, political opinion, trade union membership, religious or philosophical beliefs, health or sex life.
  • Consent is the valid, voluntary declaration of intent by the person concerned to the specific use of the data, given "with knowledge of the facts". It can be given in writing, orally or implied by conduct (there is no formal requirement).

Spatial scope

The provisions apply in Austria.

They also apply to the use of data abroad, insofar as it takes place in other member states of the European Union for the purposes of a principal establishment or branch of a client located in Austria (§ 3).

Public, private data

According to § 1 of the Data Protection Act, everyone has the right to confidentiality of personal data. However, public availability of the data precludes this claim. In the public sector (courts, offices, etc.) there is, on the other hand, a certain obligation to provide information (see administrative assistance, enforcement assistance).

Data security

Data security measures are the organizational, personnel-related and technical measures that ensure data is used properly, protect it from destruction and loss, and prevent it from being accessible to unauthorized persons.

Data secrecy (confidentiality)

Data secrecy according to Section 6 of the Data Protection Act obliges clients, service providers and their employees to keep secret the data from data applications that have been entrusted to them, or have become accessible to them, solely on account of their professional activity, irrespective of other statutory confidentiality obligations, unless there is a legally permissible reason for transmitting the entrusted or accessible data.

Employees may only transmit data on the basis of an express instruction from their employer. Unless such an obligation on their employees already exists by law, clients and service providers must contractually oblige them to transmit data from data applications only on the basis of instructions and to maintain data secrecy even after the termination of the employment relationship with the client or service provider.

Institutions according to the DSG

Data processing registers

The data processing register issues a seven-digit register number, the DVR number, to companies. In Austria, there is a general obligation to report every data application, but with a number of exceptions in individual cases.

Data protection authority

The data protection authority is headed by a director, who is appointed by the Federal President on the proposal of the Federal Government for a term of five years. The office of the data protection authority is set up in the Federal Chancellery, but the authority is not bound by instructions.

Control powers of the data protection authority

The control powers arise from § 22 of the Data Protection Act:

  • Anyone can turn to the data protection authority over an alleged violation of their rights or of the obligations of a client or service provider.
  • The data protection authority is entitled to enter the client's or service provider's premises, to put data processing systems into operation, to carry out processing runs and to make copies of data carriers.
  • The data protection authority can issue recommendations for restoring the lawful state, for which a reasonable period for compliance can be set.
  • If such a recommendation is not complied with within the set deadline, the data protection authority may, among other things, initiate a procedure to review the registration, file a criminal complaint under Section 51 or 52, or bring an action before the competent court under Section 32 (5).

No legal remedy is admissible against decisions (notices) of the data protection authority; a complaint to the Administrative Court is permissible.

Data Protection Council

The data protection council is set up at the Federal Chancellery. It advises the federal government and the state governments, at their request, on legal questions of data protection.

The essential material duties

Basic right to data protection

All obligations arising from data protection law ultimately result from the fundamental right to data protection. This has constitutional status in Section 1 of the Data Protection Act and reads:

Everyone has the right to confidentiality of personal data concerning them, especially with regard to respect for their private and family life, insofar as there is a legitimate interest in it. The existence of such an interest is excluded if, owing to their general availability or their lack of traceability to the person concerned, the data are not amenable to a claim to secrecy.

The material scope of protection of this fundamental right covers the confidentiality of personal data. The fundamental right is consequently seen as a supplement to Article 8 ECHR. Its personal scope of protection covers natural persons and legal persons.

Indirectly, this gives rise to the basic approach of data protection law that personal data may not be used as such unless an exception permits it. Solving a data protection problem is therefore always a search for exceptions in order to determine whether a given use of data is permitted or not. In this respect, Austrian data protection law speaks of a prohibition subject to a reservation of permission.

Data protection principles

Section 37 of the Data Protection Act contains various principles according to which data processing must take place, such as the principle of good faith, the principle of purpose limitation, the principle of materiality, the principle of factuality and timeliness and the principle of anonymization.

The formal duties

Data protection impact assessment

In accordance with Section 52 of the Data Protection Act, the person responsible must carry out a data protection impact assessment to protect the rights and legitimate interests of the persons affected by the data processing and other persons concerned.

DSK approval for international data traffic

The transmission and release of data to recipients in member states of the European Union is not subject to any restrictions within the meaning of Section 13. This does not apply to data traffic between clients in the public sector in matters that are not subject to the law of the European Communities (§ 12 Paragraph 1).

Furthermore, data traffic with recipients in third countries with adequate data protection does not require authorization in accordance with Section 13 (Section 12 (2)). The Federal Chancellor's ordinance determines which third countries guarantee adequate data protection. Due to a data protection adequacy regulation and EU decisions, these are Argentina, Canada, Switzerland, Guernsey, Isle of Man and US companies that have submitted to the provisions of the Safe Harbor Agreement.

In addition, according to Section 12 (3) of the Data Protection Act, data traffic abroad does not require approval if

  1. the data have been permissibly published domestically (in Austria), or
  2. data that are only indirectly personal for the recipient are transmitted or made available, or
  3. the transfer or release of data abroad is provided for in legal provisions that have the status of a law in domestic law and are directly applicable, or
  4. data from data applications are transmitted for private purposes (Section 45) or for journalistic activities (Section 48), or
  5. the person concerned has given his or her consent to the transfer or release of the data abroad beyond any doubt, or
  6. a contract concluded by the client with the person concerned, or with a third party clearly in the interest of the person concerned, cannot be fulfilled other than by transmitting the data abroad, or
  7. the transmission is necessary for the establishment, exercise or defense of legal claims before foreign authorities and the data have been lawfully collected, or
  8. the transmission or release is expressly provided for in a standard ordinance (Section 17 (2) no. 6) or model ordinance (Section 19 (2)), or
  9. it concerns data traffic with Austrian offices abroad, or
  10. transmissions or releases are made from data applications that are exempt from the reporting obligation under Section 17 (3).

All other transmissions or releases of data must be approved in advance by the data protection commission in accordance with Section 13 of the Data Protection Act. The data protection commission can tie the approval to the fulfillment of conditions and obligations.

If there is no generally applicable adequate level of data protection in the recipient country, approval must be granted if adequate data protection exists for the specific transmission or release described in the application for approval, or if the client demonstrates that the confidentiality interests of those affected by the planned data traffic are adequately safeguarded abroad as well.

This is typically done with the aid of the EU's "standard contractual clauses", which are signed between the sender and recipient of the data and then sent to the data protection commission with the application for approval.

Especially in international corporations, obtaining approval for a wide variety of data flows has grown into a time-consuming and cost-intensive task because there is no "group privilege", which has met with criticism. The most recent development is the introduction of so-called binding corporate rules (BCRs), which are intended to create a uniform level of data protection and thereby simplify the approval process.

Approval of information network systems by DSK

According to § 4 Z 13 of the Data Protection Act, an information network system is the joint processing of data in a data application by several clients and the joint use of the data in such a way that each client also has access to the data that the other clients have made available in the system. A typical case is a group in which several group companies work in the same database (e.g. a customer, CRM or employee database).

For an information network system, an operator must be appointed in accordance with Section 50 of the Data Protection Act.

Information network systems must be approved in advance by the DVR in accordance with Section 18 (2) no. 4 of the Data Protection Act.

Written service contract for outsourcing

Section 11 (2) of the Data Protection Act stipulates that agreements between the client and the service provider on the details of the service provider obligations must be recorded in writing for the purpose of preserving evidence.

This obligation is often overlooked; even long outsourcing contracts or service level agreements often do not contain any provisions on data protection law.

The data protection commission provides a sample contract for download on its website.

Data confidentiality obligation

Employees may only transmit data on the basis of an express instruction from their employer. See above on data secrecy.

Unless such an obligation on their employees already exists by law, the client and service provider must contractually oblige them to transmit data from data applications only on the basis of instructions and to maintain data secrecy even after the end of the employment (service) relationship with the client or service provider (Section 15 (2)).

The contractual obligation can be in the service contract, for example, but also in a separate document, such as a confidentiality agreement or a "privacy policy" to be signed by the employee.

The individual rights

Right to secrecy

This right arises from the fundamental right in § 1 of the Data Protection Act.

Right to information

According to § 26, the client must provide the data subject with information about the data processed concerning them. The first request for information in a year regarding the current data must be answered free of charge (Paragraph 6).

The information must state the processed data, the available information about their origin, any recipients or groups of recipients of transmissions, the purpose of the data use and the legal bases for this in a generally understandable form.

At the request of the person concerned, the names and addresses of service providers must also be disclosed if they are commissioned to process their data.

The company must comply with a request for information within eight weeks or justify in writing why the information is not provided or not provided in full. If the request for information is not dealt with, or not dealt with completely or properly, the person concerned can complain to the data protection commission. The complaint can be made informally, for example in writing or by email to the DSK.

Right to correction or deletion

According to § 27, every client must correct or delete data

  1. if he becomes aware of the inaccuracy of the data or the inadmissibility of their processing, or
  2. at the reasoned request of the person concerned.

Within eight weeks of receipt of a request for correction or deletion, the request must be complied with and the person concerned must be notified or justified in writing why the requested deletion or correction is not carried out.

Special provisions

Use in a family setting

According to § 45 of the Data Protection Act, natural persons may process data for exclusively personal or family activities if the data were communicated to them by the person concerned or were otherwise lawfully obtained, in particular in accordance with § 7 Paragraph 2. Such data may be transmitted for other purposes only with the consent of the person concerned.

Statistical data collection

Section 46 of the Data Protection Act contains special provisions for scientific research and statistics.

Address directories

Special provisions for address publishers are contained in § 151 GewO (Trade Regulation Act).

No data protection officer in Austria

The role of a data protection officer is essentially a German invention that has been adopted in only a few other countries. Article 18 (2) of the EU Data Protection Directive 95/46/EC offers the member states several different options for simplifying the reporting obligation; the data protection officer is only one of them. Austrian data protection law does not provide for a company data protection officer.

Even though there is no obligation to appoint a company data protection officer, it is quite common, especially in larger companies, to entrust a particular person with data protection matters, for example to comply with formal obligations such as reporting and approval obligations, to ensure that requests for information under § 26 are processed, and to have a point of contact ("interface") for the works council on questions of personal data processing. The ministerial draft of the 2008 amendment to the DSG contained an obligation to appoint a data protection officer for companies with at least 20 employees (Section 15a). This was criticized in several of the statements submitted. The obligation is no longer included in the revised draft (DSG amendment 2010).

Employee data protection

Sections 96 and 96a ArbVG contain provisions on, among other things, personnel data systems, personnel assessment systems and personnel monitoring systems. Such systems may require the involvement of the works council.

A typical case for a works council obligation is the company video surveillance of employees, which moreover has to be approved in advance at the DVR if the video images are stored digitally.

Another case in which both works council obligations and reporting and approval obligations can be triggered at DVR and DSK is the introduction of whistleblowing systems.

Compensation and Penalties

Compensation

According to Section 33 of the Data Protection Act, claims for damages are to be pursued before the civil courts.

Criminal provisions

  • Section 51 of the Data Protection Act: use of data with intent to gain profit or cause harm, up to 1 year imprisonment.
  • Offenses under the "computer criminal law" provisions of the StGB, e.g. § 126a StGB (damage to data), up to 5 years imprisonment.

Administrative penal provisions

  • Up to 25,000 euros fine for intentionally gaining unlawful access to a data application, intentional breach of data secrecy, use of data contrary to a final judgment or decision, failure to provide, correct or delete data contrary to a final judgment or decision, or deliberate deletion of data in violation of Section 26 (7) of the Data Protection Act.
  • Up to 10,000 euros fine for non-compliance with the reporting obligation, data transfer abroad without the approval of the data protection commission, violation of disclosure or information obligations, or gross neglect of security measures.

Attempts are also punishable. In all cases, data media and programs can be declared forfeited (i.e. they may no longer be used).

The district administrative authority is responsible for the decision.

Innovations in the processing of personal data through amendment of the DSG

When the EU General Data Protection Regulation (GDPR) came into force on May 25, 2018, it became directly applicable in every EU member state. However, the GDPR contains numerous opening clauses (provisions that allow deviation from the default rules), which give national legislators leeway in certain areas. To make use of these opening clauses, the Data Protection Act 2000 was consequently amended twice, by the Data Protection Adjustment Act 2018 and the Data Protection Deregulation Act 2018. The GDPR brought about significant changes, in particular for the processing of personal data:

  • Waiver of the obligation to notify the data protection authority (data processing register)
  • Clearly defined distribution of duties between "controller" and "processor"
  • Data protection through technology design and data protection-friendly default settings ("privacy by design / privacy by default")
  • Keeping a data processing directory
  • Obligation to report data protection violations to the authorities and, if applicable, to the person concerned within 72 hours
  • Obligation to carry out a data protection impact assessment during processing operations and, if necessary, to consult the data protection authority
  • Appointment of a data protection officer
  • New information obligations and data subject rights
  • The powers and tasks of the data protection authority have been expanded
  • Tightening of the processing of image and acoustic recordings
  • Significant increase in fines

Use was made of the opening clauses in the Medicines Act (AMG) and the Medical Devices Act (MPG), for example: the rights to deletion and data portability under Art. 17 and Art. 20 GDPR are excluded by Section 39 (3a) AMG and Section 49 (5) MPG. An exception was also anchored in Section 2d (6) of the Research Organization Act (FOG), according to which all the rights referred to in Art. 89 (1) GDPR do not apply.

Literature

  • Bauer / Reimer: Handbook on Data Protection Law. Vienna 2009.
  • Dohr, Pollirer, Weiss, Knyrim: DSG, commentary. Loose-leaf collection (Manz Verlag, Vienna).
  • Jahnel: Handbook of Data Protection Law. Vienna 2010.
  • Knyrim: Practical manual on data protection law. Guidelines for correct registration, processing, transmission, consent, outsourcing, advertising and much more. Verlag Manz, Vienna, 2nd edition 2012.
  • Stephan Gärtner: Hard negative features put to the test of data protection law. A legal comparison between German, English and Austrian law. Verlag Dr. Kovac, Hamburg 2011, ISBN 978-3-8300-5418-4.
  • Reimer: The data protection consent. Dissertation, University of Vienna, 2010.
  • Knyrim: General Data Protection Regulation. The new data protection law in Austria and the EU (Verlag Manz, Vienna 2016). [1]
  • Knyrim (ed.): Der DatKomm, practical commentary on data protection law, GDPR and DSG commentary in fascicles (Manz Verlag, Vienna 2018). [2]

Magazines

  • Dako - concrete data protection (Manz Verlag, Vienna) [3]
  • ZIIR - Journal for Information Law with a focus on data protection, media and personality law, e-commerce law as well as fair trading and intellectual property law (Verlag Österreich, Vienna) [4]

Individual evidence

  1. About us. dsb.gv.at (Memento of the original from July 21, 2016 in the Internet Archive).
  2. Stephan Gärtner: Hard negative features on the test bench of data protection law. A legal comparison between German, English and Austrian law. Verlag Dr. Kovac, Hamburg 2011, pp. 329–330.
  3. http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en.htm
  4. Decision of the commission regarding standard contractual clauses for the transfer of personal data to third countries. European Commission. Archived from the original on January 11, 2008. Retrieved February 14, 2019.
  5. http://www.preslmayr.at/puplikation/ArtikelKnyrim_Rechtspanorama%2030.10.06.pdf (Memento of October 5, 2007 in the Internet Archive)
  6. http://www.preslmayr.at/puplikation/ArtikelKnyrim_Datenschutz%20und%20Datenrettung%20beim%20Outsourcing__EcolexHeft504.pdf (Memento of October 5, 2007 in the Internet Archive)
  7. Model contracts. Data Protection Commission. Archived from the original on March 5, 2014. Retrieved February 14, 2019.
  8. The right to information. dsk.gv.at, accessed on August 20, 2013 (Memento of the original from January 18, 2016 in the Internet Archive).
  9. What the republic knows about me. diepresse.com
  10. Supreme Court decision on the use of "own data", available for download (Memento of October 5, 2007 in the Internet Archive).
  11. Society for data protection and data security: Job profile of data protection officer: A German "Success Story" with a role model, April 27, 2005.
  12. Austrian Parliament: 182/ME (XXIII. GP) Amendment to the Data Protection Act 2008.
  13. Statement of the Data Protection Council on the 2008 amendment to the DSG (PDF; 167 kB), www.parlament.gv.at (page no longer available).
  14. Statement by the Chamber of Commerce on the 2008 amendment to the DSG (PDF; 1.6 MB), www.parlament.gv.at (page no longer available).
  15. Statement by the Austrian Red Cross on the 2008 amendment to the DSG (PDF; 75 kB), www.parlament.gv.at (page no longer available).
  16. DSG amendment 2010.
  17. Supreme Court decision on Section 33 (Memento of October 5, 2007 in the Internet Archive).