Recent decisions of the Austrian Data Protection Office (DSB) and the Austrian Administrative Supreme Court (VwGH)


The article presents three interesting decisions on Austrian data protection law, in particular dealing with control measures at the work place (1.) the scope of the right to access (2.) and a company agreement concerning video surveillance (3.).

1. Evaluation of telephone data for official control measures

In the decision of 8.11.2017, DS: DSB-D122.718/0006-DSB/2017, the DPA had to deal with a question of the admissibility of control measures at the workplace. The complainant, a federal contract agent dismissed during the appeal proceedings, complained of alleged interference with his fundamental right to secrecy through investigations of the personnel office, which should have the suspicion of unlawful conduct reviewed. For this purpose, i.a. requests for individual documents for the complainant's extension line and the business cell phone were requested. With regard to the identification of (voice) telephone connections, the complaint was partially successful because the second sentence in § 79e (3) Beamtendienstgesetz 1979 (BDG = Civil Service Act), which is also applicable to contract staff, expressly excludes ‘telephony’ from the statutory control measures permitted by subsection 5a of the BDG 1979 (a provision which was only included in the legislative text in the course of the parliamentary deliberations). There was therefore a lack of a sufficient legal basis for the fundamental rights intervention. On the other hand, the DSB considered that the identification of data on other communication links, including text messages (SMS), was lawful, given that the necessary legal requirements for control measures were in place. The decision is final.

2. Information about communication processes:

In the decision of 17.12.2015, DS: DSB-D122.259/0008-DSB/2015, the DSB had to deal with the responsibility in the organizational structure of a church as well as with questions of the scope of the right to information on communication processes. The complainant wanted to know whether a pastoral worker (Deaconess of the Evangelical Church A.B.) had exchanged information with a representative of a nursing home operator about his complaints about the care of his father. Therefore, he demanded data protection information from the pastoral worker, her employer (Evangelical Church A.B.) and the regional church (Evangelical Church A. and H.B.); whereas the latter is registered in the data processing register (DVR) as sole responsible person. According to factual findings, there had been telephone calls and text messages, but the content data of the text massages had already been deleted. The DSB dismissed the complaint and stated that the data protection right of access is limited to data that is part of an at least partially automated process or a manual file. Thus, there is no need to provide information in general about communication content in human social life, such as the content of telephone conversations. Regarding this, there is no need to take any evidence. The decision is final.

3. Company agreement video surveillance

With the findings of 23.10.2017, Ro 2016/04/0051, the VwGH has annulled the decision of the BVwG (Austrian Federal Administrative Court) of 13.07.2016. Subject matter was the refusal to register a video surveillance system registered with the data processing registry (DVR), in which the company agreement to be submitted pursuant to section 50c (1) sentence DSG 2000 was not provided. In its content, the VwGH has essentially confirmed the decision of the BVwG and the DSB and in particular stated that the DSB can independently assess as a preliminary question whether or not to conclude a company agreement pursuant to § 96a ArbVG (Labor Constitution Act). However, the appellant also complained about the lack of oral proceedings before the BVwG. He did not explicitly ask for this. However, the need for oral proceedings derives from the request for testimony by several persons. Although the BVwG may, under certain conditions, refrain from oral proceedings in accordance with section 24 (4) VwGVG (Administrative Court Procedure Act), the challenged decision is lacking a sufficient justification by BVwG and thus, the appeal was successful.


Article provided by: Hon.-Prof. Dr. Clemens Thiele, LL.M.


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö


What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.