Skip to main content

Two selected decisions on Austrian data protection law

|
Hon.-Prof. Dr. Clemens Thiele, LL.M. (AT), Partner of EuroCloud CPC Network

A case of the DSB (Austrian Data Protection Office) and one of the VwGH (Austrian Administrative Supreme Court) are presented below. The first concerns the question of the admissibility of generating a personal file number on the basis of the birth date. The Supreme Court-decision deals with the issue of identity verification in connection with a request for information.

1. DSB Case Nr. DSB-D122.454/0006-DSB/2016: In this case  the DSB had to decide whether it is admissible to use the birth date to form a personal file number (basic number for procedures for granting services of minimum allowance in the province of Salzburg). This question was answered in the negative, and a subsequent intervention by a district administrative authority in the complainant's right of secrecy was determined. Decisive for this administrative finding were the lack of an explicit statutory authorization and the lack of evidence that the use of the birth date to form a personal number of files is essential for the performance of a task legally transferred to the district administrative authority (§ 8 Abs 3 Z 1 DSG 2000 – Austrian Data Protection Act). Whether this manner of creating a file number was given in some way (e.g. by a hierarchically superodinated operator or technically by the software producer) is not decisive for questions of data protection responsibility. This use of data contradicts the principle of data economy (materiality of the data application for the purpose being pursued) stated in § 6 Z 3 DSG 2000 (in implementation of Art 6 para 1 lit c Data Protection Directive 95/46/EU) and the principle of the most sensitive means according to § 7 Abs 3 DSG 2000. Therefore, the complaint was granted (in a partial decision and to the district administrative authority only). The decision is not legally binding since the district administrative authority filed an (administrative) appeal to the Federal Administrative Court on 31st Aug 2016.

2. VwGH Case Nr. Ra 2016/04/0014: By decision of 4th July 2016, Ra 2016/04/0014, the Austrian Administrative Supreme Court granted an “extraordinary” appeal of the DSB and overturned the contested decision of the Federal Administrative Court. The judgment contains some basic statements on the right to information.The DSB appealed because – in its view – the Federal Administrative Court had wrongly assumed that certificate of registration constitutes a suitable proof of identity pursuant to § 36 para 1 DSG 2000. In addition, the DSB claimed that the case law of the Supreme Court lacked of an answer to the question of whether a request for information given by a lawyer for his client to a private principal (in terms of data protection rights) requires an attached special authority. In its judgement the Austrian Administrative Supreme Court stated that a certificate of registration pursuant to § 19 MeldeG (Austrian Registration Act) is not suitable proof of identity. A proof of identity is one that serves the purpose of proof of identity (which is not the case for a certificate of registration). Further, it stated, that it is insufficient to rely on the power of attorney towards private principals (in terms of data protection rights). In this case, the private principal may also require a documentary proof of authorisation. Since, however, the DSG 2000 also provides for a deviation from written form in case of information requests, the “appropriate form” of the proof of identity cannot always be regarded as formally strict. The decisive factor is that the principal is reliably enabled to verify the identity of the requesting party with the person whose data are to be the subject of the information. (http://www.eurolawyer.at)

 

Article provided by: Hon.-Prof. Dr. Clemens Thiele, LL.M., attorney in Austria (anwalt.thiele@eurolawyer.at)

External links:

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

VIEW STREAM

About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.

{$page.footerData}