Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

In general, personal data must be:

  • processed fairly and lawfully, as well as in a transparent manner;
  • accurate and, where necessary, up to date;
  • collected for specified, explicit and legitimate purposes and not subject to further processing in a way that is incompatible with such purposes (pupose limitation);
  • adequate, relevant and proportionate in relation to as well as limited to the purposes for which it is collected or processed (data minimisation); and
  • kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is collected or processed (storage limitation).

When determining the permissibility of data processing activities, a detailed review of the justification for processing is of utmost importance. Data may be processed only if the legitimate confidentiality interests of involved data subjects are not infringed. For non-sensitive personal data, the following justifications are usually employed:

  • the existence of an explicit statutiry right or obligation;
  • the data subject's freely given consent, based on full disclosure and prior information;
  • the processing is necessary for the performance of a contract to which the data subject is a party;
  • vital interests of the data subject which necessitate the processing; or
  • overriding legitimate interests of the data controller (or a third person).

In practice, the overriding legitimate interests of the data controller, performance of a contract and the consent of the data subject are most relevant. However, the Data Protection Act does not accept general or mere business interests – such as processing for marketing purposes or within a group of companies – under the overriding interest regime. Thus, such data use may be conducted only with the data subject's consent.

Until now, there is also no privilege for intragroup data transfers. As the overriding legitimate interests exemption under the Data Protection Act is seldom accepted, consent requirements apply. This is particularly true when processing employee data that is not directly required by law. For instance, the Data Protection Authority is likely to argue that an Austrian entity is allowed to review its employees' performance on a frequent basis, but that there is no need to transfer performance ratings to other group entities (or to permit their access), as often provided by human resources tools. As a result, the data subject's consent is often the only valid justification for the processing, especially with regard to data processing for advertising purposes and intragroup data transfers.

This general principle will be slightly amended by the EU General Data Protection Regulation since its recitals outline that transmitting personal data within a group of undertakings for internal administrative purposes, as well as processing personal data for direct marketing purposes, might be permitted based on overriding legitimate interests of the data controller. However, as regards marketing, the implications of the Telecommunications Act 2003 and the EU ePrivacy Regulation must be considered. According to these provisions, electronic marketing generally requires the prior consent of the data subject.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The Data Protection Act 2000 does not set a maximum retention period for personal data. In general, personal data may be retained only for as long as needed to fulfil the purpose of the data processing. A longer retention period may be justified by specific legal provisions (eg, seven years for tax, accounting and other commercial documents). Essentially, the maximum retention period differs based on the nature of the personal data involved and the purposes of its processing.

Aside from these vague limits set out under the Data Protection Act, the Austrian Standard and Model Decree stipulates maximum retention periods for different data groups. In general, data may be retained until:

  • termination of the business relationship;
  • expiration of any warranty or guarantee claims (usually two years);
  • expiration of a specific legal retention period (usually seven years for accounting data); or
  • conclusion of any legal dispute in which the data is needed as evidence.

Data must be deleted as soon as it is no longer needed for its stated purpose. Thus, data must be erased on expiration of the maximum data retention period. As an alternative to deletion, the data can be irreversibly anonymised and stored as non-personally identifiable information, in which case no maximum retention period applies.

This principle of storage limitation will be upheld by the EU General Data Protection Regulation and the Data Protection Act 2018.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes. Data subjects may exercise their right to information against the data controller, which must disclose the following on request:

  • the data being processed and the purposes for which it is processed;
  • the source of the personal data (ie, where and why it was collected);
  • the categories of data concerned; and
  • the recipients of the relevant data.

The data subject must demand disclosure in writing and prove its identity (in the case of an individual, this is usually done by submitting a copy of his or her passport). Data controllers must then provide all relevant data – or at least confirm that no personal data has been processed (ie, an ‘empty’ notification) – within eight weeks.

This right to information will be expanded by the EU General Data Protection Regulation. In addition to the above items, the data subject must be informed of:

  • the applicable data retention periods;
  • the rights to rectification, erasure and objection of personal data; and
  • the right to file a complaint with the data protection authority.

Further, the controller shall provide the data subject on request, with a copy of the personal data that is being processed (in a legible format).

Do individuals have a right to request deletion of their data?

Yes. Data subjects have the right to request correction (in case the data is inaccurate or incomplete) or deletion (especially in case data is no longer necessary for the controller or data subject withdraws its consent declaration) of their personal data and may object at any time to the processing of their data. In such case, the data controller must delete the relevant data within eight weeks (one month according to the EU General Data Protection Regulation – in exceptional cases even two months) and refrain from any future data processing or transfers.

Consent obligations

Is consent required before processing personal data?

A consent declaration is required if there is no other legal justification for data processing.

In order for consent to be valid, the data subject must be well aware of the data processing’s scope and content. For evidence purposes, a detailed written consent declaration is recommended (especially since the EU General Data Protection Regulation requires that the controller is able to demonstrate consent declarations). Such a declaration can also be made online by clicking on a checkbox indicating consent or by other electronic means. In any case, the consent declaration and provided information must be easily understandable and transparent (clear and plain language). In particular, the data subject must be informed about: 

  • the categories of processed or transferred data must be listed exhaustively;
  • the purpose of the processing or transfer must be described in detail; and
  • the data controller and any data recipients must be named (including their full addresses).

In addition, data subjects must be informed of their right to withdraw consent at any time. If consent is withdrawn, the data controller must refrain from further processing of the relevant personal data.

If consent is not provided, are there other circumstances in which data processing is permitted?

In establishing the permissibility of data processing, a detailed review of the justification for the processing is of utmost importance. Aside from the data subject's freely given consent based on full disclosure, the following justifications are available:

  • the existence of an explicit statutory right or obligation;
  • the vital interests of the data subject;
  • the processing is necessary for the performance of a contract to which the data subject is a party; or
  • the overriding legitimate interests of the data controller (or a third person).

In practice, the performance of a contract as well as overriding legitimate interests of the data controller are the second most relevant justification after the data subject’s consent.

What information must be provided to individuals when personal data is collected?

The data controller must inform individuals of:

  • the data controller's name and address;
  • the data that is collected, processed or transferred;
  • the legal basis on which it is collected, processed or transferred;
  • the purposes (and possible recipients) for which it is collected, processed or transferred; and
  • the retention period for the data.

This right to information will be expanded according to Art 13 of the EU General Data Protection Regulation. In addition, the data subject must be informed about:

  • the name and contact details of the Data Protection Officer;
  • the intention to transfer data to a third country not providing an adequate level of data protection;
  • the rights to rectification, erasure and objection of personal data;
  • the right to file a complaint with the data protection authority;
  • the information that any consent provided can be withdrawn at any time;
  • the fact if and to what extent data collection is mandatory or required by law; and
  • information on any automated profiling.

Click here to view the full article.