Austria - National GDPR Implementation Overview

May 2019

1. THE LAW

1.1. National implementing legislation of the GDPR

In Austria, the main national legislation on data protection is the Federal Act on the Protection of Individuals With Regard to the Processing of Personal Data (Data Protection Act (DSG) BGBl. I No. 165/1999) (last amended in 2019) (only available in German here) ('DSG'). Notwithstanding its title, to a certain extent the DSG also protects personal data of legal persons.

To supplement the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and bring the DSG in line with the new data protection framework set out in the GDPR, the Federal Law Amending the DSG 2018 (only available in German here) entered into force on 25 May 2018. 

The DSG also serves as the implementing law for the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680). As a result, Sections 36 to 61 of the DSG only apply to data processing activities conducted by criminal authorities and are not related in any way to the national implementation of the GDPR.

The GDPR has also called for amendments to other national acts. Several hundred acts have been evaluated and amended, in particular, so that respective provisions comply with the requirements set out in Article 6(1)(c) and (e) of the GDPR to qualify as a valid ground of justification.

1.2. Guidelines

The Austrian data protection authority ('DSB') has issued a general guideline document on the GDPR (only available in German here). 

Further, the DSB has also published the following documents (all available in German here):

  • several template forms for data subjects to exercise their data subject rights, such as the right of access and right to erasure, as well as template forms to file complaints with the DSB; 
  • a form for data breach notifications as per Article 33 of the GDPR;
  • annual data protection reports; and
  • quarterly newsletters containing, among other topics, information on selected unpublished decisions.

1.3. Case Law

So far, there are already more than 50 published decisions dealing with GDPR questions, mainly in the areas of validity of grounds of legal justification (inter alia validity of consent declarations) and exercise of data subject rights. Approximately half of the decisions have been issued by the DSB (the first decisions were issued by the DSB on 28 May 2018). 

In addition, a number of decisions have been issued by the Federal Administrative Court, the appellate court against decisions of the DSB. Furthermore, the Supreme Court of Justice of the Republic of Austria has also ruled in two cases on GDPR issues.

Besides the published decisions, a much greater number of unpublished decisions on GDPR issues also exist.

2. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY

2.1. Main regulator for data protection

The main regulator for data protection in Austria is the DSB.

2.2. Main powers, duties and responsibilities

In addition to the duties set out in the GDPR, the DSG provides for several additional powers, duties and responsibilities.

Section 21 of the DSG

Per Section 21 of the DSG, the DSB advises the committees of the National Council, the Federal Council, the Federal Government and the state governments on legislative and administrative measures upon their request. The DSB shall be consulted prior to the enactment of federal laws and ordinances in the area of data protection.

Section 22 of the DSG

Moreover, Section 22 of the DSG sets out that the DSB may request all necessary clarifications from data controllers or data processors in relation to the data processing under review, and has the right to request an inspection of data processing operations and related documents. Data controllers and data processors must provide all required support. 

Such supervisory activity shall be carried out with the greatest possible protection of the rights of the data controller, the data processor or third parties, as the case may be. In inspection cases, the DSB shall be entitled, after notifying the owner of the premises and the data controller or data processor:

  • to enter the premises where data processing operations are carried out;
  • to put data processing equipment into operation;
  • to carry out the processing operations to be inspected; and 
  • to make copies of data carriers to the extent strictly necessary for exercising its powers of inspection. 

Information received or collected by the DSB (or by its delegates in the course of their supervisory and inspection activities) may only be used for the purpose of fulfilling its duties and responsibilities as set out in applicable data protection legislation. In general, the DSB is therefore not entitled to share such information received or collected with other authorities. If the operation of a data processing system poses a substantial and immediate threat to the confidentiality interests of the data subjects, the DSB may order that the respective data processing activity be stopped immediately.

Section 24 of the DSG

The right to have a complaint handled by the DSB shall lapse if the complainant does not lodge it within one year of becoming aware of the adversarial event, but at the latest within three years of the alleged occurrence of the event. Section 24 of the DSG provides that complaints shall be rejected by the DSB if the complainant did not lodge them within the time limits mentioned above.

Until the end of the proceedings before the DSB, data controllers and data processors may subsequently remedy the alleged infringement, e.g. by responding to the complainant's requests. If the DSB finds the alleged infringement to be completely remedied, the proceedings will be closed.

Within three months of lodging the complaint, the DSB has to inform the complainant of the status and outcome of the investigations.

3. NOTIFICATION | REGISTRATION

3.1. National requirements

In accordance with the GDPR, Austria has repealed its prior notification and registration regime. As of 25 May 2018, data controllers are no longer obliged to register and notify their data processing activities with the data processing register; however, the data processing register will still be maintained by the DSB for archival purposes until 31 December 2019. No new entries or changes may be made to the contents of the data processing register, and any registrations added become irrelevant.

Anyone may access the data processing register; however, access to the registration file, including any notices of approval contained therein, shall only be granted if the applicant for access credibly proves that he/she is a data subject in relation to the respective data processing activity and there are no overriding confidentiality interests of the data controller or other third parties.

Registration proceedings still pending at 25 May 2018 are deemed to have been terminated.

4. DATA SUBJECT RIGHTS

4.1. Variations of GDPR on right of information to be provided

Pursuant to Section 4(6) of the DSG, the right of information of the data subject (pursuant to Article 15 of the GDPR) cannot be applied vis-à-vis a data controller, notwithstanding other statutory restrictions, if the provision of this information would endanger a business or trade secret of the data controller or third parties.

Attorneys at law and public notaries are not required to fulfil their information duties as per Articles 13 and 14 of the GDPR or to answer data subject access requests as per Article 15 of the GDPR, to the extent required to comply with their statutory obligation to confidentiality (as per Section 9 of the Attorneys Act (last amended in 2019) (only available in German here) ('the Attorneys Act') and Section 37 of the Public Notaries Act (last amended in 2018) (only available in German here) ('the Public Notaries Act')) to ensure the protection of the rights and freedoms of their own client or third parties, or to ensure the enforcement of civil claims.

4.2. Variations of GDPR on right to erasure

Pursuant to Section 4(2) of the DSG, if the correction or deletion of personal data cannot be carried out immediately because of economic or technical reasons, and so can only be carried out at certain times, the processing of the personal data concerned must be restricted with effect pursuant to Article 18(2) of the GDPR until the correction or deletion of personal data can be carried out.

Attorneys at law and public notaries are not required to answer data subject erasure requests as per Article 17 of the GDPR, to the extent required to comply with their statutory obligation to confidentiality (as per Section 9 of the Attorneys Act and Section 37 of the Public Notaries Act) to ensure the protection of the rights and freedoms of their own client or third parties, or to ensure the enforcement of civil claims.

Some regulations (mainly in the health sector) restrict the obligation to answer data subject erasure requests.

4.3. Variations of GDPR on right to restriction of processing

As per Section 22(4) of the DSG, in pending proceedings, the DSB may also order a restriction of processing in accordance with Article 18 of the GDPR at the request of a data subject, by means of an official decision, if the data controller fails to comply with an obligation in this regard in due time.

Attorneys at law and public notaries are not required to answer data subject restriction requests as per Article 18 of the GDPR, to the extent required to comply with their statutory obligation to confidentiality (as per Section 9 of the Attorneys Act and Section 37 of the Public Notaries Act) to ensure the protection of the rights and freedoms of their own client or third parties, or to ensure the enforcement of civil claims.

A number of sector specific laws restrict the obligation to answer data subject restriction requests, mainly in the context of public registers and in the health sector.

4.4. Variations of GDPR on right to data portability

Attorneys at law and public notaries are not required to answer data subject data portability requests as per Article 20 of the GDPR, to the extent required to comply with their statutory obligation to confidentiality (as per Section 9 of the Attorneys Act and Section 37 of the Public Notaries Act, respectively) to ensure the protection of the rights and freedoms of their own client or third parties, or to ensure the enforcement of civil claims.

Some regulations (mainly in the health sector) restrict the obligation to answer data subject data portability requests.

4.5. Variations of GDPR on automated individual decision-making, including profiling

The right of a data subject not to be subject to a decision based solely on automated processing, including profiling, as set out in Article 22 of the GDPR shall not apply vis-à-vis attorneys at law and public notaries to the extent required to comply with their statutory obligation to confidentiality (as per Section 9 of the Attorneys Act and Section 37 of the Public Notaries Act, respectively) to ensure the protection of the rights and freedoms of their own client or third parties, or to ensure the enforcement of civil claims.

5. CHILDREN

5.1. National regulation of the processing of children's data and age of consent

Pursuant to Section 4(4) of the DSG, in relation to an offer of information society services made directly to a child, a child can lawfully consent to the processing of their personal data where they are at least 14 years old.

For all other data processing activities (i.e. not related to an offer of information society services), children can in any case validly consent if they are at least 14 years old. 

In individual cases, however, it might also be possible that a younger child can give his/her valid consent, provided that the child possesses the required capabilities for understanding the scope and consequences of consenting in the individual situation.

6. PROCESSING OF SPECIAL CATEGORIES OF DATA & CRIMINAL CONVICTIONS

6.1. National regulation concerning the processing of special categories of data and criminal conviction data

Processing of special categories of personal data

The DSG does not contain general derogations for the processing of special categories of data. However, the DSG provides for specific rules in the following situations:

  • pursuant to Section 7(3) of the DSG, special categories of data may only be processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if there is an important public interest in the data processing activity at hand;
  • regarding the processing of personal data in the event of a disaster, as per Section 10(4) of the DSG, special categories of data may only be transferred to close relatives if they can prove their identity and their status as relatives and the transfer is necessary to safeguard their rights or those of the data subject; and
  • regarding image recordings, Section 12(4)(4) of the DSG prohibits the evaluation of personal data obtained by means of image recording on the basis of special categories of data as a selection criterion.

In addition, sector specific laws in the health sector (e.g. the Federal Act on Data Security Measures when using personal electronic Health Data (Health Telematics Act 2012)) provide for special provisions on the processing of genetic data, biometric data or data concerning health.

Processing of criminal convictions data

Pursuant to Section 4(3) of the DSG, the processing of personal data concerning judicial or administrative criminal acts or omissions, including suspicions of the commission of criminal offences, as well as criminal convictions or preventive measures, is permissible only if:

  • there is an express statutory authorisation or obligation to process such data; or 
  • the permissibility of the processing of such data results from legal duties of care or the processing is necessary to safeguard the legitimate interests of the data controller or a third party pursuant to Article 6(1)(f) of the GDPR, and the manner in which the data processing is carried out ensures that the interests of the data subject are safeguarded.

7. DATA PROTECTION OFFICER

7.1. Additional/varied requirements on DPO appointment, role and tasks

Pursuant to Section 5 of the DSG, the data protection officer ('DPO') and the persons acting on his or her behalf shall be obliged to maintain secrecy in the performance of their duties, without prejudice to other duties of confidentiality. This applies in particular to the identity of data subjects who have contacted the DPO and to circumstances that allow conclusions to be drawn about them, unless the data subject has expressly released the DPO from confidentiality. The DPO and the persons acting on his/her behalf may use the information gathered in the course of their activities exclusively for the performance of their duties and are obliged to maintain secrecy even after their duties have ceased.

If, in the course of his or her duties, a DPO obtains knowledge of data for which a person subject to the control of the DPO is entitled to a statutory right to refuse to give evidence, this right shall also apply to the DPO and the persons acting on his/her behalf, to the extent that the person entitled to the above-mentioned statutory right has exercised the same.

Within the scope of the DPO's right to refuse to make a statement, his/her files and other documents are prohibited from being seized or confiscated.

8. DATA BREACH NOTIFICATION

8.1. Variation/exemptions on breach notification obligation

Attorneys at law and public notaries are not obliged to inform data subjects of a data breach as per Article 34 of the GDPR, to the extent required to comply with their statutory obligation to confidentiality (as per Section 9 of the Attorneys Act and Section 37 of the Public Notaries Act) to ensure the protection of the rights and freedoms of their own client, third parties or to ensure the enforcement of civil claims.

8.2. Sectoral obligations

The Directive on Privacy and Electronic Communications (Directive 2002/58/EC), as implemented in the Federal Act Enacting the Telecommunications Act (last amended in 2018) (only available in German here) ('TKG'), stipulates a separate data breach notification duty for telecoms and internet providers. Providers of publicly available electronic communications services are obliged to notify the competent national authorities, and in certain cases also the subscribers and individuals concerned, of personal data breaches. The notification must be made no later than 24 hours after the detection of a personal data breach, where feasible. A second notification, containing additional information, must then be made within three days. Breached providers must also notify affected subscribers or individuals of any breach that is likely to adversely affect their personal data or privacy.

The Directive on Security of Network and Information Systems (Directive (EU) 2016/1148), as implemented in the Federal Act on the Safeguarding of a High Level of Security of Network and Information Systems and Amending the TKG 2018 (only available in German here), sets a range of network and information security requirements which apply to operators of essential services and digital service providers, including enterprises in the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors. For incidents having a significant impact on the continuity of the essential services they provide, these operators are obliged to notify the competent authority without undue delay. This notification obligation does not necessarily require personal data to be affected.

The Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market and Repealing Directive 1999/93/EC (Regulation (EU) No 910/2014) ('the Regulation') provides a legal framework for electronic identification and trust services such as the creation, verification and validation of electronic signatures or certificates for website authentication. Pursuant to Article 19 of the Regulation, providers of such services shall, without undue delay but in any event within 24 hours after having become aware of it, notify the supervisory body and, where applicable, other relevant bodies, of any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein. Thus, where personal data is affected in such cases, the DSB would have to be notified within 24 hours rather than within 72 hours pursuant to Article 33 of the GDPR. Furthermore, where the incident is likely to adversely affect a natural or legal person to whom the trust service has been provided, the persons concerned shall also be notified without undue delay.

9. DATA PROTECTION IMPACT ASSESSMENTS

9.1. National activities subject to prior consultation/authorisation

The DSB has issued a list of processing activities for which a Data Protection Impact Assessment ('DPIA') must be carried out by the data controller (only available in German here).

In particular, the DSB outlined that a DPIA must be carried out in the following circumstances:

  • processing operations involving an assessment or a classification of natural persons, including the creation of profiles and forecasts, for purposes concerning work performance, economic situation, health, personal preferences and interests, reliability, behaviour, whereabouts or movement of the person, solely being based on automated processing and potentially having negative legal, physical or financial consequences;
  • processing of data for the purpose of evaluating the conduct and other personal aspects of natural persons and which may be used by third parties to make automated decisions having legal effects on the persons evaluated or which similarly significantly affect them;
  • processing operations aimed at the observation, supervision or control of data subjects, in particular, by means of image and related acoustic data processing, and concerning: 
    • data collected through networks or aiming at systematic and extensive monitoring of publicly accessible areas;
    • public places, which can be entered by unspecified groups of persons;
    • roads with public transport which can be used by everyone under the same conditions;
    • locations which due to an obligation to contract may be entered by any person;
    • locations which, in the public interest, may be entered by any person;
    • image processing using mobile cameras for the purpose of preventing or countering dangerous attacks or criminal conduct in public and private spaces;
    • image and acoustic processing to prevent and protect persons or property on private real estate used for residential purposes when such real estate is not used exclusively by the responsible person and all authorised users living in the common household;
    • churches, houses of prayer, insofar as they are not already covered above, and other institutions serving the practice of religion in the community;
  • processing of data using or applying new or novel technologies or organisational solutions which make it more difficult to assess the impact on the persons concerned and the social consequences, in particular through the use of artificial intelligence and the processing of biometric data, provided that the processing does not merely involve the reproduction of facial images in real time;
  • merging and/or cross-checking data sets from two or more processing operations carried out for different purposes and/or by different controllers, going beyond the processing operations normally expected of a data subject, provided that through the use of algorithms decisions might be taken that can significantly harm the data subject; and
  • processing operations carried out on the most personal sphere, even if the processing is based on consent.

In the case of employment, a DPIA shall not be necessary for the above situations where there is a respective works council agreement or respective agreement with the staff committee. The DSG has clarified that systematic monitoring shall mean processes which take place within a framework of a system or in advance, and which are organised and methodically carried out.

Furthermore, a DPIA has to be carried out if a processing activity meets two or more of the following criteria:

  • extensive processing of special categories of data;
  • extensive processing of personal data on criminal convictions and offences;
  • collection of location data within the meaning of the TKG which are processed in a communications network or by a communications service and which indicate the geographical location of the telecommunications terminal equipment of a user of a public communications service;
  • processing data of data subjects in need of protection, such as minors, employees, patients, mentally ill persons and asylum seekers; and 
  • merging and/or cross-checking data sets consisting of two or more processing operations carried out for different purposes and/or by different data controllers, in a data processing operation going beyond the processing operations normally expected by a data subject, provided that the processing operations are carried out for purposes for which not all the data to be processed were collected directly from the data subject.

9.2. National activities not subject to prior consultation/authorisation

The DSB has issued a list of processing activities which are exempt from DPIAs (only available in German here).

First, a DPIA is not required to be carried out for data processing activities which had not been subject to the notification requirement under the 'old' data protection regime or which had been subject to prior approval by the DSB under the 'old' data protection regime, provided that, in both cases, the relevant data processing activity had already commenced on 24 May 2018, fulfils all requirements as set out in the GDPR, and had not been materially changed after 25 May 2018.

Furthermore, a DPIA does not have to be conducted for specific data processing activities in the following fields, as long as these are conducted in the manner set out in the DSB's list (i.e. regarding purpose, data categories and/or data controllers):

  • customer administration, accounting, logistics, bookkeeping;
  • personnel administration;
  • member administration;
  • customer care and marketing for own purposes;
  • property and inventory management;
  • register, evidence, books;
  • access management for IT systems;
  • access control systems;
  • stationary image processing and the associated acoustic processing for surveillance purposes (video surveillance);
  • real-time image and acoustic data processing;
  • image and acoustic processing for documentation purposes;
  • patient/client/customer management and fee accounting of individual physicians, health service providers and pharmacies;
  • legal and advisory professions;
  • archiving, scientific research and statistics;
  • statements of support;
  • financial management of local authorities and other public bodies;
  • public tax administration;
  • grant administration by public bodies;
  • public relations and information activities by public officials and their business apparatuses;
  • file management and procedural management;
  • organisation of events; or
  • awards and honours.

10. PROCESSING FOR SCIENTIFIC OR HISTORICAL RESEARCH PURPOSES

10.1. National implementation of Article 89 of the GDPR

Pursuant to Section 7 of the DSG, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, which do not involve personal data as a result, the data controller may process any personal data which: 

  • are publicly accessible;
  • the data controller has collected for other research activities or other legitimate purposes; or
  • are pseudonymised for the data controller and the identity of the data subject cannot be determined by legally permissible means.

In relation to all other data processing activities for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, personal data may be used only:

  • as provided for in special statutory provisions;
  • with the consent of the data subject; or
  • after prior approval of the DSB.

Such approval by the DSB shall be granted at the request of the data controller if:

  • it is impossible to obtain the consent of the data subject because he/she cannot be contacted or it otherwise involves a disproportionate amount of work;
  • there is a public interest in the respective data processing activity; and
  • the professional qualification of the data controller to conduct the respective data processing activity is made plausible.

The DSB may make the approval dependent upon the fulfilment of additional conditions and obligations insofar as this is necessary to safeguard the interests of the data subject.

Special categories of data may only be processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if there is an important public interest in the data processing activity at hand.

Furthermore, it must be ensured by the data controller that personal data are processed only by persons who are subject to a legal duty of confidentiality with regard to the subject matter of the activity or whose reliability in this respect is otherwise made plausible.

11. SANCTIONS

Administrative sanctions

Subject to the provisions of Article 83 of the GDPR, the DSB may impose administrative fines.

Pursuant to Section 11 of the DSG, however, in the case of primary infringements, the DSB shall make use of its remedial powers (in particular, by issuing warnings) instead of imposing fines.

Section 30 of the DSG contains a specific rule on fines to be imposed on legal persons and in particular states that legal persons may also be held liable for infringements of the provisions of the GDPR if a lack of supervision or control by the management of the legal person enabled such infringements to be committed by a person acting for the legal person.

Unless the offence constitutes an offence under Article 83 of the GDPR or is punishable by a more severe penalty under other administrative penal provisions, an administrative offence punishable by a fine of up to €50,000 is committed by anyone who:

  • intentionally obtains unlawful access to data processing or intentionally maintains a recognisably unlawful access;
  • deliberately transmits data in violation of the obligation to data secrecy;
  • deliberately obtains personal data in the event of a disaster under false pretences;
  • operates an image processing system not in line with the specific requirements set out in the DSG; or
  • refuses an inspection by the DSB.

Administrative fines may not be imposed on public authorities, bodies governed by public law, other public bodies or private bodies insofar as they exercise public authority.

Criminal sanctions

Pursuant to Section 63 of the DSG, anyone who, with the intention to unlawfully enrich themselves or a third party, or with the intention to thereby harm another person in his or her own interests in the fundamental right to data protection, uses, makes accessible to another person or publishes personal data which have been entrusted with or made accessible to them exclusively on the basis of their professional activity or which they have illegally obtained for themselves, although the data subject has a legitimate interest in keeping such data confidential, shall be punished by the court with imprisonment for up to one year, or with a monetary fine calculated up to 720 daily rates (depending on actual income), unless the offence is punishable by a more severe penalty under another provision.

12. OTHER SPECIFIC JURISDICTIONAL ISSUES

12.1. Obligation to data secrecy

Pursuant to Section 6 of the DSG, data controllers, data processors and their respective employees (including persons in a service relationship) shall, without prejudice to other statutory duties of confidentiality, keep personal data which have been entrusted to them or have become accessible to them exclusively on the basis of their professional employment confidential, as long as there is no legally permissible reason for a transfer of the personal data.

Employees may only transmit personal data on the basis of an explicit order of their respective employer. Data controllers and data processors shall, insofar as such an obligation of their employees does not already exist by law, contractually obligate them to transmit personal data from data processing activities only on the basis of such explicit orders and to be bound to data secrecy even after termination of the employment relationship with the respective data controller or data processor.

Data controllers and data processors shall instruct their employees about the respective orders applicable to them and about the consequences of an infringement of data secrecy.

12.2. Image processing

Sections 12 and 13 of the DSG contain special rules on image processing. For the purposes of these sections, image processing means the identification (for private purposes) of events in public or non-public locations by the use of technical equipment for image processing. Acoustic information is also part of the image processing process. 

Image processing is admissible only if:

  • it is necessary for the vital interests of a person;
  • the data subject has consented to the processing of his or her personal data;
  • it is ordered or permitted by special statutory provisions; or
  • there are overriding legitimate interests of the data controller or a third party in the individual case and the image processing is proportionate.

Such overriding legitimate interests exist in particular if:

  • the image processing serves to preventively protect persons or private property (used exclusively by the data controller) and does not extend beyond the property, with the exception of the unavoidable inclusion of public traffic areas;
  • the image processing is necessary to preventively protect persons or property in publicly accessible places, which are subject to the domestic authority of the data controller, where required as a result of already occurred infringements or of a special potential danger as per the nature of the location; or
  • the image processing pursues a private interest in documentation which is not directed towards the identifying recording of uninvolved persons or objects potentially enabling the indirect identification of such persons.

The following, however, are inadmissible in any case:

  • to make an image recording in the highly personal sphere of a data subject without his/her express consent;
  • image processing for the purpose of monitoring employees;
  • the automated comparison of personal data obtained by means of image processing with other personal data for the creation of personality profiles without express consent of the data subject; and
  • the evaluation of personal data obtained by means of image processing on the basis of special categories of data as a selection criterion.

The data controller shall take appropriate data security measures, taking into account the risk of the image processing activity, and shall ensure that access to the image recordings, and any subsequent modification thereof, by unauthorised persons is prevented. Except in the case of real-time monitoring, the data controller shall keep detailed records of each access, inspection or deletion operation. Personal data collected shall be deleted by the data controller once they are no longer needed for the purpose for which they were collected and there is no other legal obligation to retain them. Storing such image data for more than 72 hours is permissible only if proportionate, and must be recorded and justified separately. The data controller shall inform data subjects about the image processing activity and label the respective image recording systems appropriately. The data controller shall in any case be clearly identifiable from the labelling, unless the data subject is already aware of the specific data controller.

12.3. Address data

Section 8 of the DSG contains a specific provision on the use of address data for notifying and questioning data subjects. In general, transmitting address data of data subjects for notification or questioning purposes is only legitimate upon prior consent of all relevant data subjects, unless otherwise expressly provided by law. 

Consent is not required only where, in light of the selection criteria and the subject matter of the notification or survey, the data subjects' interests in secrecy are unlikely to be compromised, and additionally:

  • the data controller conducting the notification or survey already has all relevant address data; or 
  • when address data is to be transferred to third parties, there is a public interest in the notification or questioning; or
  • none of the relevant data subjects objected to the transfer within a reasonable time after having been informed of the details of such transfer of address data.

If the above requirements are not fulfilled in a specific case, a transfer of address data for notification or questioning purposes is only legitimate upon prior approval of the DSB. 

Such approval may be granted only if the transfer to third parties is made:

  • for the purpose of notification or questioning out of an important interest of the data subjects themselves;
  • resulting from an important public interest in such notification or questioning; or 
  • for questioning data subjects for scientific or statistical purposes, provided that, in all cases, no overriding interests in secrecy of the data subjects conflict with the transfer. 

The DSB may make the approval dependent on the fulfilment of conditions and requirements as deemed necessary to safeguard the interests of the data subjects.

12.4. Data processing and freedom of expression and information

Pursuant to Section 9 of the DSG, the provisions of the GDPR referred to in Article 85(2) of the GDPR (i.e. Chapters II to VII and IX), as well as the corresponding provisions of the DSG, do not apply to the processing of personal data by media owners, publishers, and employees of a media company or media service for the journalistic purposes of such companies or services. When exercising its powers vis-à-vis such persons and entities, the DSB shall observe the protection of editorial secrecy.

Furthermore, to the extent necessary to reconcile the right to protection of personal data with the freedom of expression and information, the provisions of the GDPR referred to in Article 85(2) of the GDPR (with the exception of Articles 5, 28, 29 and 32 of the GDPR) do not apply to processing activities carried out for scientific, artistic or literary purposes. The obligation to data secrecy stipulated in Section 6 of the DSG, however, continues to apply.

12.5. Data processing in the event of a disaster

Pursuant to Section 10 of the DSG, in the event of a disaster, public sector bodies and aid organisations may jointly process personal data to the extent necessary to provide assistance to the persons directly affected by the disaster, to locate and identify missing persons and deceased persons, and to inform relatives. Third parties may transfer such data to public sector bodies and aid organisations insofar as this is needed by them to deal with the disaster and for the aforementioned purposes.

Personal data may also be transmitted to third countries insofar as this is absolutely necessary for the fulfilment of the aforementioned purposes. Information indicating that the data subject has committed a criminal offence may not be transmitted, unless this is absolutely necessary for identifying the data subject. The DSB must be informed, without delay, of such transmissions to third countries and of the detailed circumstances and the facts of such transmission. The DSB has the right to prohibit further data transfers to third countries, if necessary to protect the rights of data subjects, in particular, if the specific disaster situation does not demand such data transfer.

Upon request from a close relative of a person actually or presumably directly affected by the disaster, data controllers are entitled to transmit to that close relative personal data on the whereabouts of the person concerned and on the state of the search, provided that the close relative can prove his or her identity and relationship to the data subject. 

Regarding the processing of personal data in the event of a disaster, special categories of data may only be transferred to close relatives if they can prove their identity and their status as relatives and the transfer is necessary to safeguard their rights or those of the data subject.

Personal data processed for disaster management purposes (as highlighted above) shall be deleted immediately after they are no longer needed for such purposes.

12.6. Right to compensation and liability

Pursuant to Section 29 of the DSG, the general provisions of civil law apply to claims for compensation as per Article 82 of the GDPR. For such claims, the competent court of first instance shall be the regional court in the district where the claimant (i.e. the data subject) has his/her regular residence or domicile, or at the claimant's option, in the district where the defendant (i.e. the data controller or data processor) has his/her regular residence or principal place of business or establishment.

If, in the course of a claim for compensation as per Article 82 of the GDPR, a data subject is represented by an institution, organisation or association within the meaning of Article 80(1) of the GDPR, and it is unclear whether the relevant criteria are fulfilled, the DSB shall, at the request of the respective court, issue a binding decision on this issue. The respective institution, organisation or association is a party to the proceedings before the DSB and, thus, has the right to appeal such a decision of the DSB.

12.7. Variations of GDPR on right to object

Attorneys at law and public notaries are not required to respond to data subject objection requests as per Article 21 of the GDPR to the extent necessary to comply with their statutory obligation of confidentiality (as per Section 9 of the Attorneys Act and Section 37 of the Public Notaries Act), in order to protect the rights and freedoms of their own client or of third parties, or to ensure the enforcement of civil claims.

A number of sector-specific laws restrict the obligation to respond to data subject objection requests, mainly vis-à-vis public authorities, in the context of public registers and in the health sector.