|
What Needs to be Done Prior to Shipping
Transborder Transmission and Committing of Data not Subject to Licensing
Sect.12
(1) The transmission and committing of data to recipients in member
states of the European Union is not subject to any restrictions in
terms of sect.13. This does not apply to data exchange between
public sector controllers in fields that are not subject to the law
of the European Union.
(2) No authorization pursuant to sect.13 shall be required for data
exchange with recipients in third countries with an adequate level of
data protection. The countries that have an adequate level of data
protection shall be enumerated in an ordinance of the Federal
Chancellor in accordance with sect.55 sub-para.1.
The decisive consideration as to the adequacy of the protection
shall be the implementation of the principles of sect.6 para.1 in
the foreign legal system as well as the existence of effective
guarantees for their enforcement.
(3) Furthermore, transborder data exchange shall not require
authorization if
1. the data has been published legitimately in Austria or
2. data is transferred or committed that is only indirectly
personal to the recipient or
3. the transborder transmission or committing is authorised by
regulations that are equivalent to a statute in the Austrian legal
system and are immediately applicable or
4. data from a data application for private purposes (sect.45)
or for journalistic purposes (sect.48) is transmitted or
5. the data subject has without any doubt given his consent to
the transborder transmission or committing or
6. a contract between the controller and the data subject or a
third party that has been concluded clearly in the interest of the
data subject cannot be fulfilled except by the transborder
transmission of data or
7. the transmission is necessary for the establishment, exercise
or defence of legal claims before a foreign authority and the data was
collected legitimately or
8. the transmission or committing is expressly named in a
standard ordinance (sect.17 para.2 sub-para.6) or model
ordinance (sect.19 para.2) or
9. the data exchange is with Austrian governmental missions and
offices in foreign countries or
10. the transmissions or committings are made from a data
application that is exempted from notification according to sect.17
para.3.
(4) If the transborder transmission or committing in cases not
covered by the preceding paragraphs is necessary
1. to safeguard an important public interest or
2. to safeguard a vital interest of a person
and of such urgency that the authorization of the Data Protection
Commission required according to sect.13 cannot be obtained in time
without risk to the above-mentioned interests, it may be performed
without a permit, but must be notified to the Data Protection
Commission immediately.
(5) The legality of a data application in Austria according to
sect.7 is a prerequisite for every transborder transmission or
committing. Furthermore, transborder committings require the written
promise of the processor abroad to the domestic controller - or in
the case of sect.13 para.5 to the domestic processor - that he
shall respect the obligations of a processor according to sect.11
para.1. This is not applicable if the processing abroad is provided
for in regulations that are equivalent to a law in the Austrian
legal system and are immediately applicable.
Transborder Transmission and Committing of Data Subject to Licensing
Sect.13
(1) Insofar as a case of transborder data exchange is not exempted
from authorization according to sect.12, the controller has to apply
for a permit by the Data Protection Commission (sect.35) before the
transmission or committing. The Data Protection Commission can issue
the permit subject to conditions and obligations.
(2) The permit shall be given, taking into consideration the
promulgations pursuant to sect.55 sub-para.2, if the requirements
of sect.12 para.5 are met, and despite the lack of an adequate
general level of data protection in the recipient state
1. an adequate level of data protection exists for the
transmission or committing outlined in the application for the
permit in this specific case; this is then to be judged considering
all circumstances relevant to the use of data, such as the type of
data used, the purpose and duration of use, the country of origin
and final destination as well as the general and sectoral legal
provisions, professional rules and security standards applying
in the third country; or
2. the controller can satisfactorily demonstrate that the
interests in secrecy deserving protection of the data subject of the
planned data exchange will be respected outside of Austria. In
particular, contractual guarantees by the recipient to the applicant
about the circumstances of the use of data are significant for the
decision.
(3) Controllers of the public sector shall enjoy the rights of a
party to the proceedings for issue of a permit, even with regard to
the data applications they perform in execution of the law.
(4) In the case of data applications subject to notification, the
Data Protection Commission shall put a copy of each ruling
authorising the transborder transmission or committing of data on the
notification file and enter the fact that authorization has been
granted into the Data Processing Register (sect.16).
(5) Deviating from para.1, a domestic processor can apply for a
permit if, in order to fulfil his contractual duties vis-à-vis
multiple controllers, he wishes to enlist the service of a specific
processor outside of Austria. The actual committing shall only be
performed with the consent of the controller. The controller shall
report to the Data Protection Commission from which of his data
applications subject to notification the authorised committing to the
processor shall take place; this is to be entered into the Data
Processing Register.
(6) The transmission of data to representations of foreign
governments or intergovernmental institutions in Austria shall be
treated as transborder data exchange with regard to the requirement
for authorization according to para.1.
(7) If the Federal Chancellor has decreed by ordinance that, despite
the lack of an adequate general level of data protection in the
recipient state, the requirements according to para.2 sub-para.1
are met for specific categories of data exchange with this recipient
state, the obligation to obtain a permit is replaced by an
obligation to notify the Data Protection Commission. The Data
Protection Commission shall prohibit the notified data exchange
within six weeks after receiving the notification if it is not
attributed to one of the categories regulated in the ordinance or if
it does not fulfil the requirements according to sect.12 para.5;
otherwise the transmission or committing is permitted.
Please refer to the Austrian Data Protection Commission website for
further details of the statute.
|