Page 1

Tasks &
activities

Europe &
International

Legal Sources &
decisions

Download &
Left

Teens &
Kids

DE

Download & Links Questions and Answers

Documents

questions and answers

questions and answers

Table of Contents
Newsletter

•

Complaint to the data protection authority (DPO)

•

Drones and data protection?

•

The electronic health record ("ELGA")?

•

Date of birth in addressing official letters?

•

Google Street View?

•

GIS broadcasting fees?

•

Deletion from the internet?

•

Bankruptcy protection and credit bureaus

•

Media and data protection?

•

Legal advice?

•

When do I need a data protection officer?

•

Direct mail?

•

How do I answer a request for information?

•

Video surveillance by private individuals (including public sector private sector administration)

•

Dashcams / car cameras

•

Spam and data protection

•

Access and other rights

•

When do I need a data protection impact assessment?

•

Where do political parties get my campaign data from?

•

Are camera dummies allowed?

•

Questions and answers about the coronavirus (COVID-19)

Announcements of the
Data protection authority
Left
Information from the data protection authority
on the coronavirus (Covid-19)

Complaint to the data protection authority (DPO)
Requests for information, complaints and other submissions
1. Request for information
Legal basis:

Information obligation law,

Art. 57 para. 1 lit e GDPR

,

Section 32 (1) no.3 DSG

Communication channels: letter post, e-mail (no telephone hotline)

DPO's duty to re-register: yes (within 8 weeks)

Forms: no

The data protection authority provides general information about data protection law and the possibilities for
Enforcement of data subject rights. The questions must be within the legal remit of the DPO
fall. For example, the DSB is definitely the wrong address for technical problems on the Internet (typical
Example: "How can I prevent annoying spam e-mails?").

In order to fulfill the obligation to provide information, the DPO is not obliged to carry out extensive research,
Obtaining information from other authorities or drafting legal opinions. A request to the DSB
does not replace advice from a lawyer or another (specialized) advice center.

The DPO is not allowed to answer questions that would lead to a decision in a later complaint procedure
could anticipate (typical example: "My neighbor has pointed a video camera at our property;
is he allowed to do that?").

2. Suggestion of a test procedure
Legal basis:

Art. 57 para. 1 lit a GDPR

,

Art. 58 Para. 2 GDPR

Communication channels: letter post, e-mail

DPO's duty to re-register: no

Forms: no

Often the DPO receives "advertisements" or "reports", the grievances (for example those that do not comply with the GDPR
Design of a website or a neglect of data security measures). Often is
the writer himself or herself affected by data processing and possibly in
Right (

Chapter III GDPR ), but only wants information as a so-called whistleblower of the DSB

deliver and under no circumstances act as a complainant against the person responsible, for example because it is with
the latter is about one's own employer.

Justified cases are used as an opportunity for official examination procedures. The author of the report has in
In this case, however, no party status in the proceedings and no right to information about the outcome of the
Thing.

The DSB cannot guarantee that the identity of the reporter will be kept secret from the
Submit responsible persons during the entire procedure (including the appeal procedure), as it is for this
there is no express legal basis.

3. Filing a criminal complaint
Legal basis:

Art. 57 para. 1 lit a GDPR

,

Art. 58 Para. 2 lit i GDPR

Communication channels: letter post, e-mail

DPO's duty to re-register: no

Forms: no

For the prosecution of the criminal offense of data processing with the intention of profit or damage
(

Section 63) DSG
the police and the public prosecutor's offices are responsible.

Violations of the GDPR and the DSG are made if they are administrative violations (see
Art. 83 GDPR

and

Section 62),DSG
punished as part of administrative criminal proceedings.

The author of such an advertisement has no party position in the proceedings and no right to information about
the further procedure of the DSB. There is also no right of a data subject to impose a penalty.

The DSB cannot guarantee that the identity of the reporter will be kept secret from the
Submit the accused, as there is no legal basis for this.

4. Complaint to the data protection authority
Legal basis:

Art. 77 GDPR ,

§ 24 DSG ,

Section 32 (1) no.4 DSG

Communication channels: letter post, e-mail

Duty of the DPO to re-register: yes (information about the status of the procedure within 3 months, within 6 months
Decision by notification)

Forms: yes (documents, scroll to "Complaint Forms")

The complaint, the main legal protection instrument of the GDPR (

Art. 77 GDPR ), is after her

Classification in Austrian procedural law is a formal legal protection application. She must therefore have some
meet procedural requirements (

§ 24 DSG ).

Filing a complaint means that you are litigation with the designated
Respondents begin, which the DPO has to decide. You have to be the person in charge or
Can therefore designate processors in such a way that the DPO can identify them. Complaints "against
Unknown "are not permitted. The procedure is, unlike in court, but generally free of charge (none
Fees, no obligation to pay reimbursement).

The DSB recommends using the available forms (see link above, format: fillable PDF)
use. These can also be signed electronically.

Please note that there are different forms for complaints about injury from different
Rights according to § 1 DSG and Chapter III DSGVO (general data protection complaints) and from various
Rights according to Chapter 3 DSG (data protection complaints regarding intelligence services, police and
Criminal justice).

General data protection complaints can be submitted by complainants who are referred to in
Live or work in Austria, at the DSB also against foreign respondents from the private sphere
Sector if they have their (main) establishment in another EU member state (or
of the EEA) have (

Art. 77 para. 1 GDPR ) and the offense was committed abroad. Please notice that

cooperation with other supervisory authorities may take several weeks
and the data protection authority has no influence on the functioning of the partner authority. If necessary, takes place
an assignment to the competent foreign partner authority (especially if the complaint involves a
Controller / processor who does not have a branch in Austria); in this case it will
The entire procedure was conducted before the partner authority.

We generally ask you for the following:
•

Provide complete information; in particular, anonymous complaints are not possible.

•

Use the German language for entries. The DPO must carry out all the procedures in this constitutional
Official language ( Art. 8 B-VG) to lead. English is not a permitted official language in Austria, but English
Translation in some forms is only intended to facilitate international cooperation.

•

Do not forget to bring copies of the necessary documents (for example proof of a request for information
or deletion).

•

If the DPO sends you an order to rectify the defect, answer it in due time, otherwise we will
the procedure ended for formal reasons (the appeal dismissed).

•

The DPO can be used in the case of excessive (therefore in cases of frequent repetition) or obviously unfounded
Submissions make use of their right to refuse treatment of the complaint or the
To impose costs on complainants as an exception (

Art. 57 Para. 4 GDPR )

Drones and data protection?
Drones
A "drone" is an unmanned aerial vehicle. Today's drones are remotely controlled and will be able to do so in the future
also be self-directed.

Drones can fall under both data protection law and aviation law. Both areas of law
are completely independent of each other.

Drones in the data protection act
Drones are only relevant under data protection law if they determine personal data. A toy
or model aircraft without cameras or other sensors does not fall under data protection law. The most common
The form of the data protection-relevant drone is an aircraft with a built-in camera that takes pictures
recorded and transmitted to the pilot by radio.

Drones are a new technology, but it can be said that existing legal rules for video cameras
are applicable to drones. After that, the video surveillance is public or other private
Persons not allowed.

Please note that civil injunctive relief may or may not exist
The data protection authority can impose a fine on you if the necessary conditions are met.

Drones in aviation law
Aviation law contains special provisions on drones, which you can find on the Austro Control website
can see.

Please note that the use of drones under aviation law is now standardized across Europe
was regulated. Corresponding information can be found on the

Drone website

the

European Aviation Safety Agency (EASA).

Additional information

•

Austrocontrol

The electronic health record ("ELGA")?
Information on ELGA

The electronic health record ("ELGA") is intended to provide electronic findings ("e-findings") and the medication data
("e-Medication") ready for healthcare providers.

I would like to deregister from ELGA
You can object to the inclusion of your data in ELGA.

According to § 3 ELGA Regulation 2015 (ELGA - VO 2015), Federal Law Gazette II No. 106/2015, is the main association of the Austrian
Social insurance agency is the place where an objection to the ELGA can be raised (the
Objection body).

Can I file an objection to ELGA with the data protection authority?
Please log off from ELGA in the manner described above.

Additional information

•

ELGA website of the Federal Ministry of Health

Date of birth in addressing official letters?
There are always inquiries and complaints to the data protection authority, whether the imprint
the date of birth is permitted next to the name in the addressing of an official letter.

With a certain regularity, these are letters in an administrative criminal case (e.g. because of a
street police violation).

According to Art. 9 Para. 1 of the General Data Protection Regulation), the date of birth is not one of the special categories
of data (formerly “sensitive data”), this may often be perceived differently personally.

The data protection authority assumes in consistent case law that the date of birth is then the
Addressing an official letter may be attached if it is to safeguard against confusion
of the addressee in the delivery procedure (e.g. due to the possible identity of a
Parent and a child living at the same address, which the authorities do not exclude from the start
can), and the thus secured legitimate interest in the confidentiality of the content before knowledge
by third parties outweighs disclosure of the non-sensitive date of birth.

This is certainly the case when it comes to the delivery of a letter that is sent directly to the
The addressee contains (administrative) criminal charges (e.g. in the case of a
Administrative penal order in accordance with Section 48 (3) of the Administrative Penal Act 1991 - VStG or a summons to
Questioning as a suspect in the criminal investigation proceedings).

There is no such overriding legitimate interest, for example according to case law, if with the
Only an information brochure has been delivered to the letter.

According to the case law of the data protection authority, the date of birth is also printed on a
Anonymous disposal (Section 49a VStG) is not permitted.

Google Street View?
The Google Street View service has also been available in Austria since July 12, 2018 (currently in Vienna, Graz and Linz).

The images are anonymized fully automatically by Google itself, but errors are possible. In every picture
there is a hyperlink "Report a problem" in the lower right corner. Inadequate anonymization of a
Facial or car license plate are reprimanded. It is also possible to have a house obscured.

A complaint due to a violation of the right to erasure is possible if the request is not granted.
Please save your application by printing it out or taking a screenshot.

GIS broadcasting fees?
Where did the GIS get my data from?
Under the license fee a bunch of regulated payment obligations is understood. Common
The feature is that you can have a radio receiver ready in your home or office
becomes liable to pay.

The broadcasting fees are not a contractual subscription fee for the reception of the programs of the public
legal Austrian Broadcasting Corporation (ORF). You can therefore not "cancel" the ORF reception.

A limited liability company is entrusted with the collection of the license fee, and its shares
the ORF and the federal government are reserved, the GIS Fee Info Service GmbH (short 'GIS').

In order to fulfill these obligations, in particular for the purpose of recording all radio participants, the GIS is a by law
granted privileged access to the data of the registration authorities. It receives data from the local
Registration registers (not from the central register). The legal basis for this is Section 4 (3)
Broadcasting Fee Act, Federal Law Gazette I No. 159/1999 as amended:

Bringing in the fees

§ 4. (1) The contribution of the fees and other related charges and fees including the
The decision on requests for exemption (Section 3 (5)) is incumbent on the "GIS Fee Info Service GmbH" (company).

* (2) The company is also responsible for providing the public with comprehensive information on fees and charges
Obligation to report, the form of payment and the ongoing implementation of suitable measures for
Registration of all radio participants. *

(3) The company has to record all radio participants. For this purpose the registration authorities have to
Requests by the company for these names (first and last names), gender, date of birth and accommodation of the in
to persons reported to their area of ​activity in the form corresponding to the respective state of the art
to transfer. The company may only use the transmitted data for the purpose of executing this
Use federal law; it has to ensure that the data is only used to the extent permitted
and has to take precautions against abuse. The data transmitted by the registration authorities are included at the longest
To delete the expiry of the calendar year following receipt; the data of those reported are not to be deleted
Persons who, despite being requested to do so, have failed to notify pursuant to Section 2 (5).

(4) The company can use the services of third parties to carry out the collection. Debt collection can be done without
separate consent of the radio participant for a maximum of two months in advance, whereby the due date
for the first time on the first working day of the month in which the report is made and thereafter every first working day of the
occurs in the second following month.

(5) The company can make agreements with the broadcaster on the due date and the form of the
Pay the license fee if this simplifies the assessment or collection of the fee.

Attention: Anyone who, despite being requested by the GIS, does not make a declaration as to whether they are at their place of residence
Operates radio reception systems, the reporting data of which may be stored by the GIS for longer than a year
become. Anyone who gives false information can be liable to prosecution.

Deletion from the internet?
The right to erasure according to Art. 17 GDPR is fundamentally also available on pages on the Internet (actually on the World Wide
Web - WWW).

Particularities:
When applying the right from deletion, the following points must be observed in particular:

I am in a search engine!
Search engines only find existing websites, similar to a telephone book or company register. If you at
a search with Google or another search engine find personal data about yourself,
this data was not generated by the search engine, but only found and processed for search queries.
So visit the original page and first try to contact the owner of the page (who is usually
from the imprint) to assert your right to deletion. A complaint against one
Search engine operators are possible (see below), but deletion from the index of a search engine does not have any
Effects on the page on which the data is located.

Is the information still available?
Search engine results can be out of date. Search engines adopt changes to websites
often with a certain time lag. Therefore, always check whether the information is still on the
linked page.

Search engines catalog the content of the World Wide Web and often - in order to shorten the
Search process and as an aid in the event of failures - copies of publicly available content (e.g. the so-called
"Google cache"). These caches are checked and updated at regular intervals. It
It can therefore be that a website content that has already been deleted at the source still has such a copy
"can be found.

When the information has been removed from the net it is only a matter of time before all search engines do the
re-index changed page. In such a case it may be advisable to wait until the
Search engine corrects itself instead of immediately requesting deletion.

How do I find myself on the internet?
You can search for your name using a search engine to see if there are any entries about you
gives. Please note the following:

•

The internet includes

Billions of websites

and also other data. It is therefore always possible that

You have a "name twin" on the network. This also applies to people who always thought their name was
unique! Therefore, whenever you come across a page with your name on it, you should be critical of its content, however
do not relate everything on the net to itself. The data protection act protects your personal data,
but does not give you the right to have the data of another person with the same name deleted.
•

Search engines can provide search results that match the search terms, but
are completely irrelevant. The results of Internet searches must therefore always be read and interpreted
become.

•

Modern search engines also provide pages with terms and names in different spellings. This is
A valuable help in searching if you have typed a word incorrectly, but it can also lead to incorrect or
lead to nonsensical results.

Secure the page!
Web pages can be changed quickly or change automatically. You should therefore keep your details on the side
and always document the state of the page when considering legal action. Print out the page
or take screenshots before contacting an authority.

Is the data protection authority responsible?
The Austrian data protection authority can currently only help to a limited extent for websites abroad.

Basically, a website must have an imprint, with the help of which you can determine in which country
the owner of the page can be found.

For deletion
Before you contact an authority, you must ask the operator of the site to delete it yourself (as well as
in the event of deletion from other databases!). Contact the operator and describe yours
Concern and request deletion in accordance with Art. 17 GDPR.

Many pages have their own procedures for deletion or complaints against abuse:

•

Google Inc. offers one

Request for removal from search results according to European

Data protection law
•

Facebook Inc. maintains a page on which you

•

Youtube.com (owned by Google Inc.) offers one

Report abuses of all kinds

.

Privacy Complaint Page

.

Cancellation lawsuit against search engine operators
The European Court of Justice (ECJ) ruled on May 13, 2014 that the operator of the search engine Google
has to delete references (hyperlinks) to personal data from its index under certain circumstances
(

Case C 131/12)

.

•

The court ruled that Google Inc. is subject to the European data protection directive 95/46 / EC. The
Directive has been superseded by the General Data Protection Regulation (GDPR), but changes this assessment
little.

•

Furthermore, the court ruled that the processing of personal data in a country of
EU exists if the search engine operator is in a member state for the promotion of the sale of the
Search engine advertising space and this sale itself a branch or subsidiary
operates, even if this subsidiary does not maintain the search index itself. This is a lawsuit against
allowed by the search engine operator.

•

A search engine operator must delete data, even if it is published on a website
was lawful.

•

The court has also ruled that the right to erasure can be restricted if the
affected person plays a role in public life and the public has an overriding interest
has to have access to the relevant information.

Please note that despite this judgment, a general statement about a right to erasure against
Search engine operator is not possible. A complaint to the data protection authority is possible if the
Deletion is denied. Also consider that each search engine operator would have to be prosecuted individually,
to remove a page from its search index. Given the market share of the search engines one would have to
always ask two to four search engine operators for deletion, so that one page is difficult or impossible
can be found. A complaint against the owner of the original page is therefore the optimal solution.

Google Inc. offers a special page for such deletion requests:

Request for removal from search results in accordance with European data protection law

Microsoft Inc. also has a page for deletion requests:

Request to block Bing search results in accordance with the case law of the European Union

Bankruptcy protection and credit bureaus
Credit bureaus and data processing for the protection of creditors are generally permitted. The
Trade regulations regulate the credit agencies in § 152 Trade Regulations 1994, Federal Law Gazette No.
194/1994 as amended. The banks are permitted to provide general banking information about the economic
A company's position if it does not expressly object to the provision of information (Section 38 Para.
2 no.6 Banking Act - BWG, Federal Law Gazette No. 532/1993 as amended).

There are several databases in which the banks hold data on the payment history and creditworthiness of the customer
collect. Before May 25, 2018, these databases were known as "Small credit evidence (consumer credit evidence)"
and "Warning list of banks" reported to the data processing register.

Correction and deletion
In principle, it is possible to have entries corrected and deleted by credit agencies and banks.
When applying the right from deletion, the following points must be observed in particular:

It is advisable to obtain information first so that precise information can be given as to what is being removed
shall be. The right to information (Art. 15 GDPR) is available for this purpose. Some credit bureaus offer one
own, faster information service.

Companies that inquire with a credit reporting agency expect at least one basic record of the
available to future customers. If all data has been deleted after a request for deletion, this can be
easily lead to the fact that the company cannot even get this minimal information and therefore the
Considers customers questionable and rejects them.

It can therefore make sense to assert the right to rectification instead of the right to erasure.

Media and data protection?
Due to a statutory exception clause (Section 9 DSG), media companies (in particular newspapers,
Magazines as well as television and radio stations, all including their online reporting), media services
(News agencies) or their employees (editors, freelance journalists) in connection with their
Reporting from Chapter II (principles), with the exception of Art. 5, Chapter III (rights of the data subject),
Chapter IV (controller and processor), with the exception of Articles 28, 29 and 32, Chapter V (transfer
personal data to third countries or to international organizations), Chapter VI (Independent
Regulatory Authorities), Chapter VII (Cooperation and Consistency) and Chapter IX (Regulations for Special
Processing situations) to processing that is carried out for journalistic purposes or for scientific,
artistic or literary purposes, except. From the provisions of the
According to the Data Protection Act, Section 6 (data secrecy) must be applied in such cases.

Media companies, media services and media employees are also not obliged to provide information, deletion
or to answer requests for corrections that relate to the content of the report. You are in
The data protection authority is not accountable for the same connection. Corresponding entries at
the data protection authority are not processed in terms of content and are therefore useless.

These exceptions are intended to protect, among other things, the legally guaranteed editorial secrecy and freedom of the media.

If you feel that your privacy has been violated by media coverage, you should go against it
Appeal to the relevant provisions of the Media Act (judicially).

Outside the media privilege

The exceptions mentioned only apply to the use of data in connection with reporting.
Other activities carried out by media representatives or other employees of media companies
do not fall under the privilege of § 9 DSG, e.g. advertising and distribution of media products.

Page 2

Legal advice?
The data protection authority provides the parties with substantive information on your pending proceedings before the
Data protection authority.

It is possible to ask the data protection authority for general legal information. Please direct your question
in writing to the authority.

The data protection authority is obliged in accordance with Article 57 (1) (e) GDPR, upon request of every person concerned
Provide information about the exercise of their rights under this Regulation. These
However, support is not suitable to replace a lawyer and must also not be the result of proceedings
anticipate.

We therefore ask for your understanding that no legal assessments are made in the context of a written request
content-related advisory services are provided for the application and interpretation of legal provisions
can. Binding decisions can only ever be made at the end of a specific procedure.

Consult the information on our website before formulating an inquiry.

When do I need a data protection officer?
Under certain circumstances, a controller and also a processor must have a
Appoint a data protection officer whose task is to identify the person responsible or the
To advise processors, to monitor compliance with data protection regulations and to communicate with the
To cooperate with the supervisory authority (Art. 37-39 GDPR).

The controller and the processor must appoint a data protection officer if

1.

the processing is carried out by an authority or public body, with the exception of courts,
who act in the context of their judicial activity,

2.

the core activity of the person responsible or the processor in the implementation of
There are processing operations which, due to their type, scope and / or purposes, involve a
require extensive regular and systematic monitoring of data subjects,
or

3.

the core activity of the controller or the processor in extensive processing
special categories of data in accordance with Art. 9 GDPR or of personal data relating to criminal law
There are convictions and criminal offenses in accordance with Art. 10 GDPR.

The Article 29 Data Protection Working Party has issued a guideline on this: Guidelines on data protection officers.
The guideline is not binding, but suitable as an aid.

Direct mail?
Who is responsible?
There are two cases of directly addressed advertising mail:

1.

Self-promotion with the help of the customer database: Art. 21 Para. 3 GDPR offers a right to object to a
Processing for direct marketing purposes.

2.

Advertising by a direct marketing company: Such companies operate a business ( "Adressverlage
and direct marketing companies " according to § 151 of the trade regulations 1994 - GewO 1994). They offer
regularly not only services in the design, printing and dispatch of advertising letters
( "Mailings" ), but also run their own data applications in which the data is more possible
Advertising addressees are processed and convey the exchange of customer data for advertising purposes
between companies ( "list broking" ).

How do they know that?
Very often the question is asked how it is possible for direct marketing companies to target advertising
send, for example, advertising letters that appeal to a certain age group (young people, seniors) or at least apparently - based on the income of the addressee.

Direct marketing companies provide personal data manually and through automatic systems
"Marketing Classifications" . Corresponding programs can use statistical empirical values ​to provide certain
Calculate probabilities, for example from the first name the probability of a certain age group
to belong, or from the address the probability of belonging to a certain income bracket. Out
the age group can in turn calculate the probability of the target group for certain
To include health products or medical services.

Precise data, such as the date of birth, often come from a company's customer database,
with whom you have a permanent business relationship.

With list broking it can also be that the advertiser is targeting the customer files of certain luxury and
Branded goods retailers and directs its marketing message to a specific group of buyers.

What can you do about it?
You can rely on a blacklist (Robinson list) against mailings from domestic direct marketing companies.
let sit. (§ 151 Abs. 9 GewO, see below)

Entering this blacklist does not help

•

against mailings sent by foreign direct marketing companies;

•

against self-promotion by companies that you run as customers,

•

against official information and

•

against political advertising.

•

The Robinson List is only effective against personally addressed advertising, not against direct mail or
Advertising slips on the front door. On the other hand, the sticker "Please no unaddressed advertising", which you can use with the
Austrian Chamber of Commerce.

•

The Robinson List does not work against email or fax advertising. This type of advertising is in accordance with Section 107
Telecommunications Act 2003 prohibited.

A complete deletion from the data applications of a direct marketing company (or a
Objection to the use of data) is also possible. However, it cannot be ruled out
that the company will later collect and use your data again (from legal sources). One
Permanent exclusion from this cycle of data transfers is only guaranteed by inclusion in the blacklist.

Your other rights
Direct marketing companies are obliged to provide information under data protection law.

A direct marketing company must be within three months of a mailing, even if it is the data
not (no longer) processed (e.g. with list broking), provide information about the origin of the data.

Before the transmission ( "sale" ) to or the release of a customer file for list broking by a
For direct marketing companies, a company must obtain the consent of those concerned. Most of the time this is done
already on the occasion of the initial collection of your customer data. You then have the option of giving your consent
refuse or revoke them later.

How do I answer a request for information?
The right to information according to Article 15 GDPR is a value-free right to information. It does not involve an allegation
against you, your organization or your employees. You need to answer a
As a rule, requests for information do not require a lawyer.

If a request for information is received, you must respond within one month. You need either the
provide the requested information or state the reasons why no information is provided, as well as the possibility of
lodge a complaint with a supervisory authority (Art. 12 Para. 3 and 4 GDPR). This period can be extended by another two
Months can be extended if this takes into account the complexity and number of applications
is required.

You must always react, even if you think that you have no data about this person
to process. The only exception is if requests for information are manifestly unfounded or excessive
(especially in the case of frequent repetition). Then you can refuse the information or a
Demand appropriate remuneration (Art. 12 Para. 5 GDPR). It is (still) unclear under which a request for information will be made
can be regarded as manifestly unfounded, and it is therefore recommended to also apply in unclear cases
reply.

Who has to provide information?
The duty to provide information rests with the person responsible, i.e. the natural or legal person, authority,
Institution or other body that alone or jointly with others decides on the purposes and means of the processing
of personal data.

The proof of identity
If you, as the person responsible, have reasonable doubts about the identity of the natural person who made the request
Provides information, so you can request additional information to confirm the identity of the
data subject are required.

In contrast to the previous legal situation, proof of identity is no longer mandatory.

What if I can't identify those affected?
Art. 11 GDPR contains provisions in the event that the purposes for which personal data are processed
identification of the data subject is not required (this can affect pseudonymised data). The
The person responsible is not obliged to merely comply with the General Data Protection Regulation
Retain, obtain or process information in order to identify the data subject.

If you can make credible that this is the reason why you are unable to contact the person concerned
identify, the information can be refused (Art. 12 Para. 2 GDPR).

Can I refuse to provide information?
When requests for information are manifestly unfounded or excessive (especially in the case of more frequent
Repetition) you can refuse the information or demand a fee (Art. 12 Para. 5 GDPR). It is still)
unclear under what conditions a request for information can be assessed as manifestly unfounded,
and it is therefore recommended to answer even in unclear cases.

In addition, I can refuse to provide information in the following cases:

By legal provisions of the European Union or of the member states to which the controller or the
The duty to provide information can be restricted in a law, provided that such
Restriction respects the essence of fundamental rights and freedoms and in a democratic
Society is a necessary and proportionate measure. Restrictions include. in areas
such as public safety, to protect the data subject or the rights and freedoms of others
or to enforce civil law claims (the full list can be found in Art. 23 GDPR).

The right to information from the data subject in accordance with Art. 15 GDPR exists vis-à-vis a public authority
Responsible party not if by providing this information the fulfillment of one of the responsible parties
legally assigned task is endangered.

The right to information from the data subject in accordance with Art. 15 GDPR exists vis-à-vis a person responsible
without prejudice to other legal restrictions, as a rule not if by issuing these
Information would endanger a business or trade secret of the person responsible or third parties.

What is the content of the information?
The content of the information is the data itself and the following information:

a) the purposes of the processing;

b) the categories of personal data that are processed;

c) the recipients or categories of recipients to whom the personal data has been disclosed
have been or are still being disclosed, especially for recipients in third countries or international
Organizations;

d) if possible, the planned duration for which the personal data will be stored, or if this is not the case
is possible the criteria for determining this duration;

e) the existence of a right to correction or deletion of the personal data concerning you or
to restriction of processing by the person responsible or a right to object to this
Processing;

f) the right to lodge a complaint with a supervisory authority;

g) if the personal data are not collected from the data subject, all available
Information about the origin of the data;

h) the existence of automated decision-making including profiling in accordance with Art. 22 Paragraphs 1 and 4
GDPR and - at least in these cases - meaningful information about the logic involved and the
Scope and the intended effects of such processing for the data subject.

If personal data is transmitted to a third country or to an international organization, the
data subject has the right to be informed about the appropriate guarantees in accordance with Art. 46 GDPR in connection with the
Transmission to be informed.

The right to receive a copy must not affect the rights and freedoms of any other person.

In what form is the information to be given?
The information is in a precise, transparent, understandable and easily accessible form in a clear and
convey plain language; this applies in particular to information that is specifically aimed at children. The
The information is transmitted in writing or in another form, possibly also electronically. The
The person responsible provides a copy of the personal data that is the subject of the processing
Available. For all further copies that the person concerned requests, the person responsible can request a
demand reasonable remuneration based on administrative costs. The person concerned makes the application
electronically, the information must be made available in a common electronic format, if
she does not state otherwise.

Can I delete the data immediately?
No. The right to information serves to inform the person concerned and in principle does not contain any reproach. There are
a right to deletion (Art. 17 GDPR), but a request for information is not a request for deletion.

What happens if I don't provide any information or if I exceed the deadline?
The person concerned can complain to the data protection authority if within the period of one month
(extendable for a further two months) no or insufficient information is provided.

Therefore, please provide the information even if the deadline has already expired. A late response is
a deficiency that can also be remedied during the ongoing process in accordance with Section 24 (6) DSG.

Violation of the right to information can result in a fine.

What should I do if the request for information is sent to the wrong place?
It can happen that a request for information is mistakenly sent to the wrong place. If you think so,
that you cannot be meant at all, you should react anyway and inform the consignor that they
have no data about him. If the deadline for providing information expires without feedback, the person concerned can
Make a complaint to the data protection authority.

If requests for information are obviously unfounded, you can refuse to provide information or pay a fee
request (Art. 12 Para. 5 GDPR). It is (still) unclear under which a request for information is considered obvious
can be considered unfounded, and it is therefore recommended to answer even in unclear cases.

Authorities must also pay attention to Section 6 AVG.

Video surveillance by private individuals (including the private sector administration of the
public authority)
The GDPR permits the use of image processing systems (video surveillance) in the private sector
within certain limits.

It must be assessed on a case-by-case basis whether video surveillance is lawful.

The following reasons can justify the use of video surveillance:

•

Protection of people's lives

•

Protection of the health and physical integrity of people

•

Protection of property (e.g. home)

In all cases, the following parameters should be used:

•

the video surveillance takes place temporally and locally only to the extent absolutely necessary. An involvement
public traffic areas (e.g. pavement or street) is only permitted if the protective purpose
the video surveillance could otherwise not be fulfilled (for example surveillance of a pavement
bordering facade to protect against property damage up to a maximum of 50 centimeters).
In any case, neighboring properties may not be filmed

•

the video surveillance is appropriately marked (by signs, stickers and the like)

•

the recordings are overwritten / deleted at regular intervals . A storage period of up to 72
The data protection authority considers hours to be permissible in any case

•

The recordings are only evaluated if necessary (for example to determine who has a
Damaged)

•

other, more lenient means would prove to be inadequate (e.g. blocking systems,
Security systems and the like)

As a rule, the legal basis for video surveillance in the private sector is Article 6 (1) (f) GDPR
(legitimate interests of the person responsible), as stated in the case law of the ECJ - see judgment C708/18 - is considered. In certain cases, video surveillance can also be based on Article 6 Paragraph 1 lit.
GDPR (consent of the data subjects ).

Vacation photos or films that do not amount to identifying uninvolved persons
permissible, including, for example, recordings of ski runs with a helmet camera. Operation of cameras
Cars to collect evidence of wrongdoing by other road users (for example after an accident)
("Dashcams") are covered below.

Note: In certain cases, prior to commissioning video surveillance, no data protection
Impact assessment necessary (see DSFA-AV ); in certain cases, however, in any case , a data protection
Carry out an impact assessment (see DSFA-V ).

Please note:

•

The judgment as to whether video surveillance can be regarded as permissible is up to that
Responsible person. This test must be carried out before the system is commissioned . The same applies to the question
whether or not a data protection impact assessment has to be carried out in a specific case. The
In any case, the data protection authority does not carry out any preliminary assessments in this regard

•

There is no obligation to report such systems to the data protection authority

Dashcams / car cameras
A "Dashcam" (an abbreviation for "Dashboard Camera") is a video camera,
which is installed in the car and takes pictures of the road in front of the car through the windshield and
records. In addition, car cameras can also be attached to the rear window and side windows,
to record everything that happens around a car. Such cameras are mostly used too
Evidence in order to be able to understand what happened in the event of an accident.

Based on the previous case law of the Austrian and European supreme courts (cf.
the

Decision of the Administrative Court of 09/12/2016, Ro 2015/04/0011

European Court of Justice of December 11, 2014, C-212/13

, as well as that Judgment of the

) the data protection authority temporarily represents the

following legal opinion:

As a rule, dashcams will not be permitted because most of the common products are based on their configurations
(Recording area, storage period) other road users in an inadmissible manner in their fundamental rights
Affect data protection. Dashcams cannot be classified as completely inadmissible.

The possible admissibility of dashcams is a decision on a case-by-case basis. The following parameters can be used in
Indicate an admissibility in individual cases:

•

The data processing is carried out for the sole purpose of documenting the course of the accident (a
Publication of accident videos on the Internet would no longer be covered by this purpose).

•

The inclusion of the public space (= street) is limited to the required amount (the
The reception area around the vehicle is limited to the bare essentials. There is no large-scale
Surveillance, the camera angle is tilted "downwards". The camera resolution is as low as possible
chosen so that only a small area around the vehicle can be clearly seen, further away
People or vehicles can no longer be identified)

•

In the case of storage, data will only be stored for the time that is absolutely necessary (on
Example 1 minute before the accident happened to a few seconds after an accident). Data will be
continuously overwritten as long as no accident has occurred. Accident data cannot be endless either
are saved, but only until the purpose has been achieved.

•

If the permanent storage of image data (= stop of the overwrite process) from a
deliberate action on the part of the person responsible (for example, by manually operating a
Memory button or by removing an SD card), in case of doubt the inadmissibility of the
Dashcam to be turned off. "Abusing" the dashcam for purposes other than documenting a
In such cases, the course of the accident can no longer be monitored. Only that is permitted
automatic storage of image data (= stop of the overwrite process) by means of predefined impulses
(Impact sensors, abrupt steering / driving / braking / acceleration maneuvers), without the possibility of a manual one
Storage by the driver.

•

Ensuring integrity and confidentiality through the use of encryption techniques and
Access restrictions.

It is expressly pointed out that no court decision has yet been made in relation to Dashcams
and their admissibility according to the GDPR!

Spam and data protection
"Spam" is unsolicited commercial email. Some unsolicited advertising emails come from European countries
Company, but the majority is international. There are estimates that 50% of the world's email traffic
consists of spam.

Spamming is generally prohibited in most countries. In Austria there is a ban on unwanted eMail advertising in

Section 107 Telecommunications Act 2003 . The competent authorities are the

Telecommunications offices.

It is theoretically possible to complain to the data protection authority about spam, but the chances are
Success are minimal. For a complaint, the name of the respondent must be known, which is the case with spam
rarely applies. Furthermore, most spammers have no data other than their email address and therefore cannot
say where the data came from. It must also be assumed that spammers are dubious, difficult
identify and uncooperative.

Complaints about violation of the right to deletion due to unsolicited advertising e-mails are therefore only available at
Established, reputable organizations make sense if, for example, unsubscribing from a newsletter does not work.

Access and other rights
The right to information helps you to obtain important information so that you can exercise further rights
can. The General Data Protection Regulation gives you a number of rights that you are well aware of how to exercise
need to know what data are available about you, such as the right to rectification (Art. 16 GDPR), the right to
Restriction of processing (Art. 18 GDPR) and the right to object (Art. 21 GDPR).

Please do not request information and deletion at the same time! The person responsible could be an inadequate
Provide information and then delete the data. A subsequent control by the data protection authority is then
only difficult to do.

When do I need a data protection impact assessment?
If a form of processing, especially when using new technologies, due to the nature of the
The scope, circumstances and purposes of the processing are likely to pose a high risk to the rights and
Freedoms of natural persons, then the person responsible has a data protection impact assessment in advance
by.

A data protection impact assessment is particularly necessary in the following cases:

a) systematic and comprehensive assessment of personal aspects of natural persons that relate to
automated processing including profiling and which in turn serves as the basis for decisions
serves, the legal effect against natural persons unfold or this in a similarly significant way
affect;

b) extensive processing of special categories of personal data (data on racial and
ethnic origin, political opinions, religious or ideological beliefs,
Union membership, genetic data, biometric data, health data or data on the
Sex life or sexual orientation) or personal data about criminal
Convictions and offenses or

c) systematic extensive monitoring of publicly accessible areas.

The impact assessment shall contain at least the following:

a) a systematic description of the planned processing operations and the purposes of the processing,
if applicable, including the legitimate interests pursued by the person responsible;

b) an assessment of the necessity and proportionality of the processing operations in relation to the purpose;

c) an assessment of the risks to the rights and freedoms of data subjects and

d) the corrective actions planned to address the risks, including guarantees;
Security measures and procedures by which the protection of personal data is ensured and the
Evidence is provided that this regulation is complied with, with the rights and legitimate
The interests of the data subjects and other data subjects are taken into account.

A single
Estimation can be made.

If a data protection impact assessment shows that the processing would result in a high risk,
if the person responsible does not take any measures to contain the risk, the data protection authority is applicable
consult. The data protection authority can make written recommendations.

If the processing is necessary to fulfill a task in the public interest,
including processing for social security and public health purposes, the
Persons responsible under Austrian law are obliged to consult the data protection authority and
obtain their prior approval.

For already existing processing operations (data applications) there is basically no data protection
Carry out an impact assessment if these processing operations by the data protection authority are already to be carried out
an earlier point in time in the course of a DVR registration as part of a prior checking procedure according to § 18
Data Protection Act 2000 (DSG 2000) have been approved. With automatic registration via DVR-Online or
in cases in which the data protection authority has registered a data application, but not in the case of
Prior checking has been carried out - this applies to notifications not subject to prior checking before September 1, 2012 however, this is not an option. The details can be found in the data protection impact assessment
Exceptions Ordinance (DSFA-AV)

,

However, if there is a change in existing processing operations, a data protection
Carry out an impact assessment if the requirements of Art. 35 (1) GDPR apply.

The Data Protection Impact Assessment Exemption Regulation also contains other areas for which none
Data protection impact assessment is required.

The Article 29 Data Protection Working Party has drawn up a guideline on this: Guidelines on data protection impact assessments
(DPIA) and answering the question of whether processing within the meaning of Regulation 2016/679 "is likely a
entails high risk ". The guideline is not binding, but suitable as an aid.

Where do political parties get my campaign data from?
Various regulations at all levels of democratic suffrage give parties the right to
View lists of eligible voters, copy data from them and use them for political purposes
Process advertising.

This can be a permanently created file system (in particular that as shared processing
Central voter register managed by the Federal Ministry of the Interior and the municipalities - ZeWaeR according to
4 Voter Registration Act 2018

§

) as well as processing carried out on the occasion and for the purposes of a specific

Election or voting are carried out (for example, before a National Council election per electoral district,
Municipality or state electoral roll).

The European electoral record, which serves as the basis for the elections to the European Parliament, and therefore all of them
Union citizens with their main residence in Austria are also recorded with the help of ZeWaeR
guided (

§ 1 European Voter Registration Act ).

The basis for the registration of voter data are the population registers (

Section 2 (1) of the Voters' Registration Act 2018, Section 2

Paragraph 1 of the European Voter Registration
)
Act

In no case is it allowed to use data on the political convictions of the persons concerned
(Voters) to process.

The transmission of data from ZeWaeR to political parties is in

Section 4 (2) of the Voters Registration Acthow
2018

follows regulated:

"On February 10th and August 10th, the in

Section 1, Paragraph
cited data of
3 the electoral records of all

Municipalities, with the exception of area-specific personal identifiers, for the purposes of

Section 1 (2) of the

Political Parties Act 2012, Federal Law Gazette I No. 2012/56, as well as for statistical purposes on request free of charge to the zur
Representation of externally appointed bodies of the parties represented in the National Council by means of machine-readable
To transmit data carriers or by means of remote data processing. [...] "

The parties represented in the National Council therefore receive the latest data twice a year ( family names,
First names, academic degrees, gender, date of birth , for eligible voters with main residence in Germany
also the home address (possibly the e-mail address for Austrians abroad ) of everyone in the ZeWaeR
registered voters.

The political parties represented in general representative bodies (National Council, regional parliaments, municipal councils)
can also according to

Section 5 (2) of the Voters' Registration Acttransmission
2018
at any time at community level

request a printout of the electoral register (or a copy in PDF format).

Page 3

Other campaigning parties or candidates are entitled to nationwide elections in the run-up to the election
Data transmission by the municipalities in the form of copies or printouts of the
electoral rolls prepared for the relevant election (
Federal Presidential Election Act 1971

§ 27 National Council election regulations
,
§5

).

In each case, it is a matter of legally expressly regulated access to voter data (legal
Obligation of the person responsible to transmit). The corresponding data processing in accordance with

Art. 6

Paragraph 1 lit c GDPR
therefore does not require the consent of the data subjects. A contradiction (

Art. 21

GDPR ) against the processing of data for purposes of the electoral record or the assertion of the right to
Restriction of processing (
Voter Registration Act 2018

Art. 18 GDPR ) is excluded by law (

Section 4 (6)

)

The recipients of the data may use them for legitimate political advertising (e.g. advertising letters, invitations
for events) and statistical purposes. As political advertising, what the purpose of a
political party (" comprehensive influencing of state decision-making, in particular through participation in
Elections to general representative bodies and the European Parliament " ,

Section 1 (2) of the Political Parties) Act 2012

is conducive.

Any data processing based on data from ZeWaeR is required accordingly

Section 4 (3) of the Voters' Registration Act

2018 an express legal basis. A violation of this provision is punishable.

The recipients of the data are obliged to inform the groups of people concerned about the processing of their data
to inform. In principle, the same rules of the GDPR apply to political advertising as to any other
the processing of personal data person responsible.

The data of the electoral records kept at community level (as well as that of the European electoral records) are
to the extent that it is publicly available, as in accordance
Section
with5 (1) of the Voters Registration Acteveryone
2018
in it for the purpose
Control of the completeness and correctness of the data.

The election regulations for states, municipalities, chambers and student unions contain similar ones
Provisions.

Are camera dummies allowed?
A dummy video camera, i.e. a device that only looks like a camera but no data at all
records, does not fall under data protection law.

In the event of a complaint, the owner of the device must prove that it is really only a dummy.
The DPA recommends that all dummies put up a document showing that it
If it is a dummy, keep it (e.g. the invoice). This is in the case of complaints with the
Data protection authority against the alleged implementation of video surveillance a quick rebuttal of the
Accusation possible.

Dummy cameras may be inadmissible for other reasons. Dummies to deter burglars
or vandals are only allowed to protect their own property or property. Even the creation of the
Impression of surveillance vis-à-vis the neighbors is not permitted. For an injunction are
only the civil courts have jurisdiction (see, inter alia, the judgment of the Supreme Court
Ob 6 / 06k from March 28, 2007 or file number

File number 6

8Ob125 / 11g; 5Ob69 / 13b; 8Ob47 / 14s; 10Ob57 / 14a;

6Ob231 / 16p ).

The data protection authority cannot lodge a complaint because of impairment of privacy respectively
Investigate "harassment" by setting up dummy cameras. For such cases only the
Civil courts (injunctive relief) have jurisdiction.

Questions and answers about the coronavirus (COVID-19)
FAQ on data protection and coronavirus (COVID-19) (PDF, 518 KB)

Imprint & Copyright / Data Protection / Contact / Sitemap / Help & Accessibility / Newsletter

