Two selected decisions on Austrian data protection law
1. DSB Case Nr. DSB-D122.454/0006-DSB/2016: In this case the DSB had to decide whether it is admissible to use the birth date to form a personal file number (basic number for procedures for granting services of minimum allowance in the province of Salzburg). This question was answered in the negative, and a subsequent intervention by a district administrative authority in the complainant's right of secrecy was determined. Decisive for this administrative finding were the lack of an explicit statutory authorization and the lack of evidence that the use of the birth date to form a personal number of files is essential for the performance of a task legally transferred to the district administrative authority (§ 8 Abs 3 Z 1 DSG 2000 – Austrian Data Protection Act). Whether this manner of creating a file number was given in some way (e.g. by a hierarchically superodinated operator or technically by the software producer) is not decisive for questions of data protection responsibility. This use of data contradicts the principle of data economy (materiality of the data application for the purpose being pursued) stated in § 6 Z 3 DSG 2000 (in implementation of Art 6 para 1 lit c Data Protection Directive 95/46/EU) and the principle of the most sensitive means according to § 7 Abs 3 DSG 2000. Therefore, the complaint was granted (in a partial decision and to the district administrative authority only). The decision is not legally binding since the district administrative authority filed an (administrative) appeal to the Federal Administrative Court on 31st Aug 2016.
2. VwGH Case Nr. Ra 2016/04/0014: By decision of 4th July 2016, Ra 2016/04/0014, the Austrian Administrative Supreme Court granted an “extraordinary” appeal of the DSB and overturned the contested decision of the Federal Administrative Court. The judgment contains some basic statements on the right to information.The DSB appealed because – in its view – the Federal Administrative Court had wrongly assumed that certificate of registration constitutes a suitable proof of identity pursuant to § 36 para 1 DSG 2000. In addition, the DSB claimed that the case law of the Supreme Court lacked of an answer to the question of whether a request for information given by a lawyer for his client to a private principal (in terms of data protection rights) requires an attached special authority. In its judgement the Austrian Administrative Supreme Court stated that a certificate of registration pursuant to § 19 MeldeG (Austrian Registration Act) is not suitable proof of identity. A proof of identity is one that serves the purpose of proof of identity (which is not the case for a certificate of registration). Further, it stated, that it is insufficient to rely on the power of attorney towards private principals (in terms of data protection rights). In this case, the private principal may also require a documentary proof of authorisation. Since, however, the DSG 2000 also provides for a deviation from written form in case of information requests, the “appropriate form” of the proof of identity cannot always be regarded as formally strict. The decisive factor is that the principal is reliably enabled to verify the identity of the requesting party with the person whose data are to be the subject of the information. (http://www.eurolawyer.at)
Article provided by: Hon.-Prof. Dr. Clemens Thiele, LL.M., attorney in Austria (anwalt.thiele@eurolawyer.at)
External links:
Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project
CPC project office: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.at