AUSTRIA
The Austrian Data Protection Commission website:
http://www.dsk.gv.at/DesktopDefault.aspx?alias=dsken
Datenschutzgesetz 2000 - DSG 2000 (as amended):
http://www.dsk.gv.at/site/6230/default.aspx
What needs to be done prior to collection?
NOTIFY THE DATA PROTECTION COMMISSIONER
Section 17 – Duty of the Controller to Notify
(1) Every controller shall, unless provided for otherwise in paragraphs 2 and 3, before commencing a data application, file a notification whose contents are laid down in Section 19 with the Data Protection Commission for the purpose of registration in the Data Processing Register. The duty to notify also applies to all circumstances that subsequently lead to the incorrectness or incompleteness of the notification.
(2) Data applications are not subject to notification
1) Which solely contain published data, or
2) Whose subject is the management of registers and catalogues that are by law open to inspection by the public, even if a legitimate interest for doing so must be demonstrated, or
3) Which contain only indirectly personal data, or
4) Which are carried out by natural persons for activities that are entirely personal or concern just the person’s family life (Section 45), or
5) Which are carried out for journalistic purposes according to Section 48, or
6) Correspond to a standard application. The Federal Chancellor can lay down an ordinance that some types of data applications and transmissions are standard applications, if they are carried out by a large number of controllers in similar fashion and if a risk to the data subject’s interest in secrecy deserving protection is unlikely considering the purpose of the use and the processed categories of data. The ordinance shall list for every standard application the authorised categories of data, the categories of data subjects and recipients as well as the maximum period of time during which the data may be stored.
(3) Furthermore, data applications for the purpose of
1) Protecting the constitutional institutions of the Republic of Austria, or
2) Safeguarding the operational readiness of the federal army, or
3) Safeguarding the interests of comprehensive national defence, or
4) Protecting important foreign policy, economic or financial interests of the Republic of Austria or European Union, or
5) Preventing and prosecuting of crimes
shall be exempt from the duty to notify, insofar as this is necessary to achieve the purpose of the data application.
Section 19 – Required content of the Notification
(1) A notification pursuant to Section 17 must contain
1. The name (or other designation) and address of the controller and of his representative according to Section 6 paragraph 3 or of the operator pursuant to Section 50 paragraph 1; furthermore the registration number of the controller, insofar as one has already been assigned to him, and
2. The proof of statutory competence or of the legitimate authority that the controller’s activities are permitted, if so required, and
3. The purpose of the data application to be registered and the legal basis, as long as this is not included in the information according to subparagraph 2, and
4. The categories of data subjects and the categories of data about them that are processed, and
5. The categories of data subjects affected by the intended transmissions, the categories of data to be transmitted and the matching categories of recipient – including possible recipient states abroad – as well as the legal basis for the transmission, and
6. Insofar as a permit by the Data Protection Commission is required - the file number of the permit of the Data Protection Commission as well as
7. A general description of data security measures taken pursuant to Section 14, which enable a preliminary assessment of the appropriateness of the security measures
A notification is insufficient if information is missing, obviously incorrect, inconsistent or so insufficient that persons accessing the register to safeguard their rights according to this Federal Act cannot obtain sufficient information as to the issue whether their interests in secrecy deserving protection could be infringed by the data application. In particular, inconsistency is given in case of a deviation of the notified content from the notified legal basis.
CONTACT THE DATA SUBJECT
Section 24 – The Controller’s duty to provide information
(1) The Controller of a data application shall inform the data subjects when collecting data in an appropriate manner about
1. The purpose of the data application for which the data are collected; and
2. The name and address of the controller,
insofar as this information is not already available to the data subject, with regard to the particular circumstances of the case.
(2) Information beyond the scope of paragraph 1 shall be given if this is necessary for a fair and lawful processing, in particular if
1. The data subject has a right to object to intended processing or transmission of data pursuant to Section 28, or
2. It is not clear for the data subject under the circumstances whether he is required by law to reply to the questions posed, or
3. Data are to be processed in a joint information system that is not authorised by law
(3) Where data have not been collected by asking the data subject, but through transmission from another application process of the same controller or from a data application of another controller, the information according to paragraph 1 may be omitted
1. If the use of data is provided for by law or an ordinance, or
2. If it is impossible to provide the information because the data subjects cannot be reached, or
3. If, considering the improbability of infringements of the data subjects’ rights and the expense involved in reaching the data subjects, an unreasonable effort would be required. In particular, this applies if data are collected for purposes of scientific research or statistics pursuant to Section 46 or address data pursuant to Section 47 and the requirement to inform the data subject is not explicitly stipulated. The Federal Chancellor may determine further cases by ordinance in which the duty to give information does not apply.
(4) There shall be no duty to provide information regarding such data applications that are not subject to notification pursuant to Section 17 paragraphs 2 and 3.
What needs to be done prior to shipping?
Section 12 – Transborder Transmission and Committing of Data not subject to Licensing
(1) The Transmission and Committing of data to recipients in Member States of the European Union is not subject to any restrictions in terms of Section 13. This does not apply to data exchange between public sector controllers in fields that are not subject to the law of the European Union.
(2) No authorisation pursuant to Section 13 shall be required for data exchange with recipients in third countries with an adequate level of data protection. The countries that have an adequate level of data protection shall be enumerated in ordinance of the Federal Chancellor in accordance with Section 55 Sub Paragraph 1. The decisive consideration as to the adequacy of the protection shall be the implementation of the principles of Section 6 Paragraph 1 in the foreign legal system as well as the existence of effective guarantees for their enforcement.
(3) Furthermore, transborder data exchange shall not require authorisation if
1. The data have been published legitimately in Austria, or
2. Data are transferred or committed that are only indirectly personal to the recipient, or
3. The transborder transmission or committing is authorised by regulations that are equivalent to a Statute in the Austrian legal system and are immediately applicable, or
4. Data from a data application for private purposes (Section 45) or for journalistic purposes (Section 48) is transmitted, or
5. The data subject has without any doubt given his consent to the transborder transmission or committing, or
6. A contract between the controller and the data subject or a third party that has been concluded clearly in the interest of the data subject cannot be fulfilled except by the transborder transmission of data, or
7. The transmission is necessary for the establishment, exercise or defence of legal claims before a foreign authority and the data were collected legitimately, or
8. The transmission or committing is expressly named in a standard ordinance (Section 17) or model ordinance (Section 19), or
9. The data exchange is with Austrian governmental missions and offices in foreign countries, or
10. The transmissions or committings are made from a data application that is exempted from notification according to Section 17 Paragraph 3
(4) If the transborder transmission or committing in cases not covered by the preceding paragraphs is necessary
1. To safeguard an important public interest, or
2. To safeguard a vital interest of a person
and of such urgency that the authorisation of the Data Protection Commission required according to Section 13 cannot be obtained in time without risk to the above mentioned interests, it may be performed without a permit, but must be notified to the Data Protection Commission immediately.
(5) The legality of a data application in Austria according to Section 7 is a prerequisite for every transborder transmission or committing. Furthermore, transborder committings require the written promise of the processor abroad to the domestic controller that he shall respect the obligations of a processor according to Section 11 Paragraph 1. This is not applicable if the processing abroad is provided for in regulations that are equivalent to a law in the Austrian legal system and are immediately applicable.
Section 13 – Transborder Transmission and Committing of Data Subject to Licensing
(1) Insofar as a case of transborder data exchange is not exempted from authorisation according to Section 12, the Controller has to apply for a permit by the Data Protection Commission before the transmission or committing. The Data Protection Commission can issue the permit subject to conditions and obligations.
(2) The permit shall be given, taking into consideration the promulgations pursuant to Section 55 subparagraph 2, if the requirements of Section 12 paragraph 5 are met, and despite the lack of an adequate general level of data protection in the recipient state
1. An adequate level of data protection exists for the transmitting or committing outlined in the application for the permit in this specific case; this is then to be judged considering all circumstances relevant to the use of data, such as the type of data used, the purpose and duration of use, the country of origin and final destination as well as the general and sectoral legal provisions, professional rules and security standards applying in the third country; or
2. The controller can satisfactorily demonstrate that the interests in secrecy deserving protection of the data subject of the planned data exchange will be respected outside of Austria. In particular, contractual guarantees by the recipient to the applicant about the circumstances of the use of data are significant for the decision.
(3) Controllers of the public sector shall enjoy the rights of a party to the proceedings for issue of a permit, even with regard to the data applications they perform in execution of the law.
(4) In the case of data applications subject to notification, the Data Protection Commission shall put a copy of each ruling authorising the transborder transmission or committing of data on the notification file and enter the fact that authorisation has been granted to the Data Processing Register.
What are the sanctions for non-compliance?
Part 6 – Legal Remedies
This section is quite detailed – Please refer to the Statute
Please refer to the Austrian Data Protection Commission website for further details on the Statute