Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

In general, according to Article 5 of the EU General Data Protection Regulation (GDPR), personal data must be:

  • processed lawfully, fairly and in a transparent manner;
  • collected for specified, explicit and legitimate purposes and not subject to further processing in a way that is incompatible with those purposes (purpose limitation);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected or processed (data minimisation);
  • accurate and, where necessary, kept up to date;
  • kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is collected or processed (storage limitation); and
  • processed in a manner that ensures appropriate security of the personal data.

When determining the permissibility of data processing activities, a detailed review of the justification for the processing is of the utmost importance. Data may be processed only if the legitimate confidentiality interests of the data subjects involved are not infringed. For non-sensitive personal data, the following justifications are usually relied on (Article 6 of the GDPR):

  • the existence of an explicit statutory right or obligation;
  • the data subject's freely given consent based on full disclosure and prior information;
  • the processing is necessary for the performance of a contract to which the data subject is a party; or
  • the processing is necessary based on the legitimate interests of the data controller (or a third person).

In practice, the legitimate interests of the data controller, the performance of a contract and the consent of the data subject are the most relevant justifications. However, the Data Protection Authority often takes a strict approach to legitimate interests. Thus, the legal basis of all data processing activities relying on legitimate interests should be documented in detail, clearly outlining the main line of argument.

There is also no privilege for intragroup data transfers. Such data transfers may be justified by legitimate interests. However, the Data Protection Authority is rather strict and reluctant to accept legitimate interest when processing employees' data that is not directly required by law. For instance, the Data Protection Authority is likely to argue that an Austrian entity can review its employees' performance on a frequent basis, but that there is no need to transfer performance ratings to other group entities (or to permit their access), as often provided for by human resources tools.

The recitals of the GDPR outline that transmitting personal data within a group of undertakings for internal administrative purposes, as well as processing personal data for direct marketing purposes, may be permitted based on the data controller’s overriding legitimate interests. However, as regards marketing, the implications of the Telecommunications Act 2003 and the EU ePrivacy Regulation must be considered. According to these provisions, electronic marketing generally requires the data subject’s prior consent.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The GDPR does not set a maximum retention period for personal data. In general, personal data can be retained only for as long as needed to fulfil the purpose of the data processing. A longer retention period may be justified by specific legal provisions (eg, seven years for tax, accounting and other commercial documents). Essentially, the maximum retention period differs based on the nature of the personal data involved and the purposes of its processing.

Aside from the vague limits set out under the GDPR, the Austrian Standard and Model Decree 2004 stipulated maximum retention periods for different data groups. Although this decree expired on 25 May 2018, the retention periods still apply as best practice in Austria. In general, data may be retained until:

  • termination of the business relationship;
  • expiration of any warranty or guarantee claims (usually two years);
  • expiration of a specific legal retention period (usually seven years for accounting data); or
  • conclusion of any legal dispute in which the data is needed as evidence.

Data must be deleted as soon as it is no longer needed for its stated purpose. Thus, data must be erased on expiration of the maximum data retention period. As an alternative to deletion, the data can be irreversibly anonymised and stored as non-personally identifiable information, in which case no maximum retention period applies.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes. Pursuant to Article 15 of the GDPR, data subjects may exercise their right to information against the data controller, which must disclose the following on request:

  • the purposes of processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data has been or will be disclosed – in particular, recipients in third countries or international organisations;
  • the envisaged retention period; if this cannot be provided, the criteria used to determine that period;
  • the rights to rectification or erasure of personal data and to object to its processing;
  • the right to file a complaint with the Data Protection Authority;
  • the existence of automated decision making, including profiling; and
  • the significance and envisaged consequences of such processing for the data subject.

The data subject must demand disclosure in writing and prove their identity if the controller has reasonable doubts concerning the identity of the person making the request (this is usually done by submitting a copy of their passport). Data controllers must then provide all relevant information – or at least confirm that no personal data has been processed (ie, an ‘empty’ notification) – within one month of receipt of the request.

Further, on request, the controller must provide the data subject with a copy of the personal data that is being processed (in a legible format).

Do individuals have a right to request deletion of their data?

Yes. Pursuant to Articles 16 and 17 of the GDPR, data subjects have the right to request rectification (where the data is inaccurate or incomplete) or erasure (especially where the controller no longer requires the data or the data subject withdraws its consent declaration) of their personal data and may object at any time to the processing of their data on grounds relating to their particular situation. In such cases, the data controller must delete the relevant data within one month and refrain from any future data processing or transfers.

Consent obligations

Is consent required before processing personal data?

A consent declaration is required if there is no other legal justification for the data processing (ie, the processing is not necessary to perform a contract or to pursue the legitimate interests of the controller, and there is no statutory obligation to process the data).

In order for consent to be valid, the data subject must be well aware of the data processing’s scope and content. For evidence purposes, a detailed written consent declaration is recommended (especially since the GDPR requires that the controller demonstrate that consent has been given). Such declarations can also be made online by clicking on a checkbox indicating consent or by other electronic means. In any case, the consent declaration and provided information must be easily understandable and transparent (clear and plain language). In particular, the data subject must be informed – in detail – about:

  • the categories of processed or transferred data;
  • the purpose of the processing or transfer; and
  • the data controller and any data recipients (including their full addresses).

In addition, data subjects must be informed of their right to withdraw consent at any time. If consent is withdrawn, the data controller must refrain from further processing of the relevant personal data.

If consent is not provided, are there other circumstances in which data processing is permitted?

In establishing the permissibility of data processing, a detailed review of the justification for it is of the utmost importance. Apart from the data subject's freely given consent based on full disclosure, the following justifications are available and relevant in practice (Article 6 of the GDPR):

  • the existence of an explicit statutory right or obligation;
  • the vital interests of the data subject;
  • the processing is necessary for the performance of a contract to which the data subject is a party; or
  • the processing is necessary to ensure legitimate interests of the data controller (or a third person).

In practice, the performance of a contract and the overriding legitimate interests of the data controller are the second most relevant justifications after the data subject’s consent.

What information must be provided to individuals when personal data is collected?

According to Articles 13 and 14 of the GDPR, the data controller must inform individuals about:

  • the data controller's name and contact details;
  • the contact details of the data protection officer (if designated);
  • the purposes and legal basis for the processing;
  • the legitimate interests pursued by the controller or a third party, if applicable;
  • the recipients or categories of recipient;
  • the controller's intention to transfer personal data to a third country and reference to the appropriate or suitable safeguards and means, if applicable;
  • the retention period or, at least, the criteria used to determine that period;
  • the information about the data subject's rights;
  • whether the provision of personal data is a statutory or contractual requirement; and
  • the existence of automated decision-making, including profiling.