Recent decisions of the Austrian Data Protection Office (DSB)

19.08.2017

The article presents three interesting decisions on Austrian data protection law, in particular dealing with the scope of the right to access (1. and 2.) and the definition of video surveillance (3.).

1. Distribution of location data to the contractor - Case Nr DSB-D122.616/006-DSB/2016: In this decision the DSB is dealing with the question whether it is within the scope of the right of access / right to information of a contracting party to request location data from the mobile operator, which is processed in a communications network or by a communications service and which specifies the geographical location of the telecommunications terminal equipment of a user. Since the location data (GPS-data) is required as operational data for ""routing"" within the communications network – hence within the scope of service provision via mobile devices (eg calls, messages) –, the user cannot prevent/stop or switch off the generation of location data. Likewise this is the case with some apps, which enable the location tracking via GPS function of smartphones.

The complainant submitted an affidavit stipulating that he was the owner with sole power of disposal of the mobile device and discretion on the contract. The mobile operator refused to provide the contractor with the requested data. This justified by the fact that due to the specific provision of the TKG 2003 (Austrian Telecommunications Act) location data could only be transmitted on the basis of police investigations or judicial orders or rarely to emergency service operators.

As a result, the DSB shared the view of the mobile operator and stated that the restriction of the right of access / right to information is covered by case law of the OGH (Austrian Supreme Court), according to which the TKG 2003 only allows the data subject to obtain information on stored traffic data in regards to itemised billing. In this specific case, the restriction of the disclosure of information within the framework of the special provision of the TKG 2003 was to be preferred to the general right of access / right to information as laid down in § 26 (1) DSG 2000 (Austrian Data Protection Act).

2. Information about employees of the controller - Case Nr DSB-D122.671/0007-DSB/2017: The DSB had to assess whether or not the right to information includes the designation of specific employees of a controller.

The appellant had asked for general information on the employees of the controller who had requested their data in a certain period. Referring to the case law of the DSK (former Austrian Data Protection Commission), the DSB noted that the right of access / right to information only covers delivery operations to new clients, but not individual data processing by the controller´s employees. The names of the employees of the controller is also not ""data processed in connection with the information seeking person"" or ""available information on their origin"", which is why they are not covered by § 26 DSG 2000. In addition, the right of access / right to information should help to secure one´s rights to secrecy and to erasure. However, these rights are directed against the particular controller and not against his employees. In addition, the DSB acknowledged that the naming of particular employees of a controller is covered by the right of access / right to information if the person concerned has concrete indications that he has been infringed in his data protection rights by an employee of the controller. However, the information request must state such suspicions  clearly, so that the controller can decide whether the right of access / right to information of the data subject outweighs the right to secrecy of the employee. As the appellant did not express any concrete suspicion, the complaint was rejected.

3. Image documentation or video surveillance? - Case Nr. DSB-D122.453/0008-DSB/2016: The DSB had to decide whether occasional recording of helicopter take-offs and landings on a helicopter landing pad by a neighbour is to be considered as video surveillance  (Title 9a DSG 2000). After inspecting the image data, the DSB concluded that no video surveillance was carried out. The recordings were made on a case-by-case basis, by means of a hand-held camera and from different positions. They also did not show any image of the complainant. The image data was used for the documentation of events (flight movements and for the preservation of evidence). The data was not used systematically, in particular not by means of a permanently installed system, and not on a continuous basis. Therefore, the complainant did not have any specific right of access / right to information as provided in § 50 p. e DSG 2000.

External links: 

Article provided by: Hon.-Prof. Dr. Clemens Thiele, LL.M., Austria

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

CPC project office: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.at

VIEW PROJECT

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.