The Austrian Data Protection Commission recently decided that an internet service provider (ISP) which offers website hosting services is a data processor under the Data Protection Act (120.819/006-DSK/2003).
The case arose when the claimant queried whether his data had been processed through a data processor. The respondent denied having used a data processor, but the commission found that it had a contract with an ISP for website hosting. Thus, it was necessary for the commission to clarify whether an ISP is a data processor under the Data Protection Act 2000.
The commission opined that under the act a data processor processes data that has been supplied by the data controller for the production of a given assignment.
Article 2 of the EU Data Protection Directive states that 'processing' means:
- "any operation or set of operations which is performed upon personal data, whether by automatic means, such as collection, recording, storing, disclosures by transmission, dissemination or otherwise making available".
A 'processor' is "an individual or legal entity that processes personal data on behalf of the controller".
The commission stated that from the interpretation of the wording of the directive, it is clear that a person who processes personal data merely by storing it is considered to be a processor if he acts in accordance with the instructions of the controller. The term 'processor' in the directive evidently corresponds to the term 'data processor' in the Austrian data protection legislation.
Accordingly, the commission concluded that the business of website hosting, which under Article 16 of the Austrian E-commerce Act allows the transmission of personal data, is an activity that qualifies the host provider as a data processor under the Data Protection Act.
For further information on this topic please contact Barbara Kurz or Rainer Knyrim at Preslmayr Attorneys at Law by telephone (+431 533 16 95) or by fax (+431 535 56 86).