Skip to main content

Recent decisions of the Austrian Data Protection Office (DSB)

Dr. Clemens Thiele, Partner of EuroCloud CPC Network

The article presents three interesting decisions on Austrian data protection law, in particular dealing with the scope of the right to access (1. and 2.) and the definition of video surveillance (3.).

1. Distribution of location data to the contractor - Case Nr DSB-D122.616/006-DSB/2016: In this decision the DSB is dealing with the question whether it is within the scope of the right of access / right to information of a contracting party to request location data from the mobile operator, which is processed in a communications network or by a communications service and which specifies the geographical location of the telecommunications terminal equipment of a user. Since the location data (GPS-data) is required as operational data for ""routing"" within the communications network – hence within the scope of service provision via mobile devices (eg calls, messages) –, the user cannot prevent/stop or switch off the generation of location data. Likewise this is the case with some apps, which enable the location tracking via GPS function of smartphones.

The complainant submitted an affidavit stipulating that he was the owner with sole power of disposal of the mobile device and discretion on the contract. The mobile operator refused to provide the contractor with the requested data. This justified by the fact that due to the specific provision of the TKG 2003 (Austrian Telecommunications Act) location data could only be transmitted on the basis of police investigations or judicial orders or rarely to emergency service operators.

As a result, the DSB shared the view of the mobile operator and stated that the restriction of the right of access / right to information is covered by case law of the OGH (Austrian Supreme Court), according to which the TKG 2003 only allows the data subject to obtain information on stored traffic data in regards to itemised billing. In this specific case, the restriction of the disclosure of information within the framework of the special provision of the TKG 2003 was to be preferred to the general right of access / right to information as laid down in § 26 (1) DSG 2000 (Austrian Data Protection Act).

2. Information about employees of the controller - Case Nr DSB-D122.671/0007-DSB/2017: The DSB had to assess whether or not the right to information includes the designation of specific employees of a controller.

The appellant had asked for general information on the employees of the controller who had requested their data in a certain period. Referring to the case law of the DSK (former Austrian Data Protection Commission), the DSB noted that the right of access / right to information only covers delivery operations to new clients, but not individual data processing by the controller´s employees. The names of the employees of the controller is also not ""data processed in connection with the information seeking person"" or ""available information on their origin"", which is why they are not covered by § 26 DSG 2000. In addition, the right of access / right to information should help to secure one´s rights to secrecy and to erasure. However, these rights are directed against the particular controller and not against his employees. In addition, the DSB acknowledged that the naming of particular employees of a controller is covered by the right of access / right to information if the person concerned has concrete indications that he has been infringed in his data protection rights by an employee of the controller. However, the information request must state such suspicions  clearly, so that the controller can decide whether the right of access / right to information of the data subject outweighs the right to secrecy of the employee. As the appellant did not express any concrete suspicion, the complaint was rejected.

3. Image documentation or video surveillance? - Case Nr. DSB-D122.453/0008-DSB/2016: The DSB had to decide whether occasional recording of helicopter take-offs and landings on a helicopter landing pad by a neighbour is to be considered as video surveillance  (Title 9a DSG 2000). After inspecting the image data, the DSB concluded that no video surveillance was carried out. The recordings were made on a case-by-case basis, by means of a hand-held camera and from different positions. They also did not show any image of the complainant. The image data was used for the documentation of events (flight movements and for the preservation of evidence). The data was not used systematically, in particular not by means of a permanently installed system, and not on a continuous basis. Therefore, the complainant did not have any specific right of access / right to information as provided in § 50 p. e DSG 2000.

External links: 

Article provided by: Hon.-Prof. Dr. Clemens Thiele, LL.M., Austria

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.