Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed? In general, personal data must be:
- processed fairly and lawfully;
- accurate and, where necessary, up to date;
- collected for specified, explicit and legitimate purposes and not subject to further processing in a way that is incompatible with such purposes;
- adequate, relevant and proportionate in relation to the purposes for which it is collected or processed; and
- kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is collected or processed.
When determining the permissibility of data processing activities, a detailed review of the justification for processing is of utmost importance. Data may be processed only if the legitimate confidentiality interests of involved data subjects are not infringed. For non-sensitive personal data, the following justifications are usually employed:
- the existence of an explicit legal right or obligation;
- the data subject's freely given consent, based on full disclosure;
- vital interests of the data subject which necessitate the processing; or
- overriding legitimate interests of the data controller (or a third person).
In practice, the overriding legitimate interests of the data controller and the consent of the data subject are most relevant. For example, overriding interests may justify data processing in order to execute a contract. However, the Data Protection Act does not accept general or mere business interests – such as processing for marketing purposes or within a group of companies – under the overriding interest regime. Thus, such data use may be conducted only with the data subject's consent.
There is also no privilege for intragroup data transfers. As the overriding legitimate interests exemption under the Data Protection Act is seldom accepted, consent requirements apply. This is particularly true when processing employee data that is not directly required by law. For instance, the Data Protection Authority is likely to argue that an Austrian entity is allowed to review its employees' performance on a frequent basis, but that there is no need to transfer performance ratings to other group entities (or to permit their access), as often provided by human resources tools. As a result, the data subject's consent is often the only valid justification for the processing, especially with regard to data processing for advertising purposes and intragroup data transfers.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records? The Data Protection Act does not set a maximum retention period for personal data. In general, personal data may be retained only for as long as needed to fulfil the purpose of the data processing. A longer retention period may be justified by specific legal provisions (eg, seven years for tax, accounting and other commercial documents). Essentially, the maximum retention period differs based on the nature of the personal data involved and the purposes of its processing.
Aside from these vague limits set out under the Data Protection Act, the Austrian Standard and Model Decree stipulates maximum retention periods for different data groups. In general, data may be retained until:
- termination of the business relationship;
- expiration of any warranty or guarantee claims (usually two years);
- expiration of a specific legal retention period (usually seven years for accounting data); or
- conclusion of any legal dispute in which the data is needed as evidence.
Data must be deleted as soon as it is no longer needed for its stated purpose. Thus, data must be erased on expiration of the maximum data retention period. As an alternative to deletion, the data can be irreversibly anonymised and stored as non-personally identifiable information, in which case no maximum retention period applies.
Do individuals have a right to access personal information about them that is held by an organisation? Yes. Data subjects may exercise their right to information against the data controller, which must disclose the following on request:
- the data being processed and the purposes for which it is processed;
- the origin of the personal data (ie, where and why it was collected);
- the categories of data concerned; and
- the recipients of the relevant data.
The data subject must demand disclosure in writing and prove its identity (in the case of an individual, this is usually done by submitting a copy of his or her passport). Data controllers must then provide all relevant data – or at least confirm that no personal data has been processed (ie, an ‘empty’ notification) – within eight weeks.
Do individuals have a right to request deletion of their data? Yes. Data subjects have the right to request correction or deletion of their personal data and may object at any time to the processing of their data. In such a case, the data controller must delete the relevant data within eight weeks and refrain from any future data transfers.
Consent obligations
Is consent required before processing personal data? A consent declaration is required if there is no other legal justification for data processing.
In order for consent to be valid, the data subject must be well aware of the data’s scope and content. For evidence purposes, a detailed written consent declaration is recommended. Such a declaration can also be made online by clicking on a box indicating consent or by other electronic means. In any case, the consent declaration must be easily understandable and transparent – in particular:
- the categories of processed or transferred data must be listed exhaustively;
- the purpose of the processing or transfer must be described in detail; and
- the data controller and any data recipients must be named (including their full addresses).
In addition, data subjects must be informed of their right to withdraw consent at any time. If consent is withdrawn, the data controller must refrain from further processing of the relevant personal data.
If consent is not provided, are there other circumstances in which data processing is permitted? In establishing the permissibility of data processing, a detailed review of the justification for the processing is of utmost importance. Aside from the data subject's freely given consent based on full disclosure, the following justifications are available:
- the existence of an explicit legal right or obligation;
- the vital interests of the data subject; or
- the overriding legitimate interests of the data controller (or a third person).
In practice, the overriding legitimate interests of the data controller are the second most relevant justification after the data subject’s consent.
What information must be provided to individuals when personal data is collected? The data controller must inform individuals of:
- the data that is collected, processed or transferred;
- the legal basis on which it is collected, processed or transferred;
- the purposes for which it is collected, processed or transferred; and
- the retention period for the data.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction? Austrian data protection law distinguishes between data transfer to another data controller (C2C) and transfer to a data processor (C2P). A C2C data transfer is established when the recipient of personal data uses it for its own or other purposes and thus also acts as data controller. A C2P data transfer is established when data is sent to a third person that acts merely on the data controller’s behalf.
Notification
The Data Protection Authority must generally be notified of a C2C data transfer (there are only a few standardised exemptions to this requirement in the Austrian Standard and Model Decree). A C2P data transfer triggers no notification duty, as long as the underlying data processing either is notified or falls within the scope of the Austrian Standard and Model Decree.
Data processing agreement
All data controllers are generally allowed to engage data processors (C2P data transfer). Data processors must limit processing to the extent necessary to fulfil the purposes of the data controller and comply with data security rules. As such, a written data processing agreement must be concluded. Provided that the data processor is located in the European Economic Area or in a third country providing an adequate level of data protection, a brief model contract will be sufficient. If the recipient data processor is located in a third country without an adequate level of data protection (eg, the United States or India), a more detailed data processing agreement (and approval) will be required.
Approval
Austrian data protection law requires prior approval for any C2C or C2P data transfer to a recipient located in a third country without an adequate level of data protection (eg, the United States, India and Singapore). The approval procedure must be initiated separately for each recipient and be based on either signed EU standard contractual clauses or binding corporate rules. Such C2C and C2P data transfers can commence only on receipt of formal approval. However, no approval is required if:
- merely indirect personal data is to be transferred;
- the data subject has provided its explicit consent; or
- the data transfer is explicitly mentioned in a standard application.
Are there restrictions on the geographic transfer of data? Yes. Austrian data protection law requires prior approval for any C2C or C2P data transfer to a recipient located outside the European Economic Area in a third country without an adequate level of data protection (eg, the United States, India and Singapore).
Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing? Yes. There is some facilitation for C2P data transfers. C2P transfers usually require no notification, but do require a data processing agreement in writing. The Data Protection Authority’s approval is required only if data is transferred outside the European Economic Area.