Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

Two selected decisions on Austrian data protection law

17.02.2017

A case of the DSB (Austrian Data Protection Office) and one of the VwGH (Austrian Administrative Supreme Court) are presented below. The first concerns the question of the admissibility of generating a personal file number on the basis of the birth date. The Supreme Court-decision deals with the issue of identity verification in connection with a request for information.

1. DSB Case Nr. DSB-D122.454/0006-DSB/2016: In this case  the DSB had to decide whether it is admissible to use the birth date to form a personal file number (basic number for procedures for granting services of minimum allowance in the province of Salzburg). This question was answered in the negative, and a subsequent intervention by a district administrative authority in the complainant's right of secrecy was determined. Decisive for this administrative finding were the lack of an explicit statutory authorization and the lack of evidence that the use of the birth date to form a personal number of files is essential for the performance of a task legally transferred to the district administrative authority (§ 8 Abs 3 Z 1 DSG 2000 – Austrian Data Protection Act). Whether this manner of creating a file number was given in some way (e.g. by a hierarchically superodinated operator or technically by the software producer) is not decisive for questions of data protection responsibility. This use of data contradicts the principle of data economy (materiality of the data application for the purpose being pursued) stated in § 6 Z 3 DSG 2000 (in implementation of Art 6 para 1 lit c Data Protection Directive 95/46/EU) and the principle of the most sensitive means according to § 7 Abs 3 DSG 2000. Therefore, the complaint was granted (in a partial decision and to the district administrative authority only). The decision is not legally binding since the district administrative authority filed an (administrative) appeal to the Federal Administrative Court on 31st Aug 2016.

2. VwGH Case Nr. Ra 2016/04/0014: By decision of 4th July 2016, Ra 2016/04/0014, the Austrian Administrative Supreme Court granted an “extraordinary” appeal of the DSB and overturned the contested decision of the Federal Administrative Court. The judgment contains some basic statements on the right to information.The DSB appealed because – in its view – the Federal Administrative Court had wrongly assumed that certificate of registration constitutes a suitable proof of identity pursuant to § 36 para 1 DSG 2000. In addition, the DSB claimed that the case law of the Supreme Court lacked of an answer to the question of whether a request for information given by a lawyer for his client to a private principal (in terms of data protection rights) requires an attached special authority. In its judgement the Austrian Administrative Supreme Court stated that a certificate of registration pursuant to § 19 MeldeG (Austrian Registration Act) is not suitable proof of identity. A proof of identity is one that serves the purpose of proof of identity (which is not the case for a certificate of registration). Further, it stated, that it is insufficient to rely on the power of attorney towards private principals (in terms of data protection rights). In this case, the private principal may also require a documentary proof of authorisation. Since, however, the DSG 2000 also provides for a deviation from written form in case of information requests, the “appropriate form” of the proof of identity cannot always be regarded as formally strict. The decisive factor is that the principal is reliably enabled to verify the identity of the requesting party with the person whose data are to be the subject of the information. (http://www.eurolawyer.at)

 

Article provided by: Hon.-Prof. Dr. Clemens Thiele, LL.M., attorney in Austria (anwalt.thiele@eurolawyer.at)

External links:

 

 

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

CPC project office: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.at

VIEW PROJECT

WHAT IS THE DPC/CPC PROJECT?

53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More

 

CPC MISSION & VISION STATEMENT

The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.