III. Privacy topics
Internet and consumer privacy
The Trade and Commerce Act (Gewerbeordnung 1994 or GewO[1]) contains the prototype of direct marketing regulation in Austria. The use of sensitive data[2] by direct marketing ventures and list brokers depends, in principle, on the data subject's consent. The data subject can demand, free of charge, the erasure or blocking of data stored for marketing purposes. Persons can also enrol in a so-called "Robinson list", administered by a sub-division of the Austrian Economic Chamber (Wirtschaftskammer Österreich), which bars them from receiving advertising material and prevents their data from being used.
The Telecommunications Act[3] and the E-commerce Act (E-Commerce-Gesetz or ECG[4]) contain rules on unsolicited commercial communications. Calls and facsimile transmissions for marketing purposes are not permitted without the prior consent of the subscriber or of a person authorised to use the line. Sending electronic mail, including SMS messages, to customers for purposes of direct marketing, or to more than 50 recipients, is in principle not permitted without the recipients' prior consent. Exceptions exist where the sender obtained the contact details in the context of a sale or service to his customers, provided the customers had the opportunity to object, free of charge and in an easy manner, to the use of these contact details and are not registered on a list according to section 7 ECG.
If the identity of the sender on whose behalf the communication is transmitted is disguised or concealed, or if there is no valid address to which the recipient may send a request that such communications cease, the sending of electronic communications is prohibited.
Any person violating the rules outlined above commits an administrative offence punishable by a fine of up to €37,000.[5] The 2007 Supervision of Securities Act (Wertpapieraufsichtsgesetz or WAG[6]) extends the TKG regime to the unsolicited advertising of financial instruments and investments.
No specific information has been provided under this section.
Online behavioural marketing and search engine privacy
No specific information has been provided under this section.
Online social networks and virtual communities
No specific information has been provided under this section.
Online youth safety
No specific information has been provided under this section.
In 2006 the Supreme Court issued an injunction proscribing the use of a biometric time recording system with fingerprint scanners in a hospital. The Court held that even the use of templates (rather than the biometric raw data) created a connection with specific employees and fell within the ambit of human dignity. Since measures touching upon human dignity can only be introduced by an employer/works council agreement, the decision virtually put an end to the use of biometric time recording systems.[7]
Another issue is the private use of the Internet at work. Even though employers can prohibit private use of the Internet, introducing a permanent control system constitutes a measure interfering with human dignity and therefore requires an employer/works council (or contractual) agreement. Whether a total prohibition of private use would be enforceable (justifying a dismissal, etc.) is more than doubtful.
A far more delicate problem concerns employers' control over the content of employees' private e-mails. In principle, the employer is under no circumstances authorised to read private communications, not even if private use of the Internet is entirely forbidden. However, the employer has a right to exercise (a certain amount of) control over professional communications, so private e-mails must be clearly labelled as such in order not to be read. Given that illegally gathered evidence can still be produced in court, even such labelling does not reliably guarantee privacy.[8] E-mails with critical content should therefore not be sent via an employer's server.
The 2010 amendment to the Data Protection Act (DSG) explicitly prohibits the purposeful monitoring of employees by video surveillance at their workplace.[9] Surveillance of objects at the workplace for reasons other than efficiency control is not covered by this prohibition.
Health and genetic privacy
Like most other countries, Austria has laws requiring that carriers of certain dangerous infections be reported to the health authorities.[10] Exceptions to the general rule of medical confidentiality exist where serious injuries have obviously been caused by criminal activity, or in cases of child abuse. Another challenge results from the exchange of health data through electronic systems. The Gesundheitstelematikgesetz (GTelG[11]) regulates the use of telematics in the health service sector, including data security and information management. It deviates from the DSG insofar as only direct personal data fall within its scope. The DSG in particular requires the identity and legitimate authority of the data recipient to be sufficiently established. In contrast, the GTelG establishes minimum identity requirements as well as mechanisms aimed at preventing misuse.
Since the first steps to implement the Health Reform Act 2005 (Gesundheitsreformgesetz 2005[12]) were taken in 2006, the Electronic Health File (Elektronische Gesundheitsakte or ELGA) has been a highly controversial issue. Proponents describe ELGA as a key instrument of Austrian e-health ambitions that electronically administers all relevant health data while sufficiently protecting patients' rights, especially with regard to data protection.[13] It enables authorised persons to access all available health data regardless of the time or location of treatment. Opponents fear the abolition of medical confidentiality and criticise the imprecise definition of the health care service providers who are granted access to ELGA. Patients have no access to the health care service provider index.[14] Finally, the term "health data" is defined extremely broadly, comprising personal data on physical and psychological well-being as well as data gathered in the course of determining that status, including the accounting of health services and patients' health-related habits and environmental influences.[15] ELGA is about to be introduced and implemented by "ELGA limited" (ELGA GmbH), which was founded in 2009 and took over the agenda of "Arge ELGA" as of 1 January 2010.[16]
The Genetic Engineering Act (Gentechnikgesetz or GTG[17]) requires confidentiality of personal data gathered through genetic analysis and gives the person examined a right of access as well as a right to information. The use of non-anonymous data for any purpose other than the original one requires the written consent of the data subject. The GTG also contains an explicit prohibition on the use of genetic data by employers and insurance companies.[18] The DSG includes specific provisions on scientific research.[19] Apart from that, it deals with medical data in a very general way, classifying it as "sensitive data", which consequently benefits from more rigid protection.
The Banking Act (Bankwesengesetz or BWG[20]) deals with special requirements and restrictions concerning the use of client data. The central privacy provision, Section 38, which has quasi-constitutional status, guarantees bank client confidentiality. Section 38 contains a set of exceptions, covering court orders in criminal proceedings or in administrative proceedings for certain fiscal offences. Austria has adopted a new anti-money-laundering law in line with the standards of the Organisation for Economic Co-operation and Development (OECD). Banks now have to establish the identity of customers wishing to open an account, and of non-customers wishing to conduct financial transactions exceeding the limit of €15,000.[21] In response to critics' claims that Austria was creating a tax haven, a 2009 law loosened the requirements for cooperation with other states.[22] Banking institutions are now obliged to transmit all foreseeably relevant data (via the Austrian Ministry of Finance) upon a foreign public authority's request demonstrating at least a reasonable suspicion of tax evasion.[23] Banking institutions must also comply with the DSG. They are not allowed to use personal data obtained through client accounts for other purposes. Section 18 DSG requires the prior registration of data applications whose purpose is to give information on the data subject's creditworthiness.[24]
As a rule, creditworthiness ratings by private agencies are data applications open to inspection by the public.[25] The service provider (i.e. the controller) has a duty to inform the data subject about the purposes for which the data is collected and about the name and address of the controller. This duty is often ignored, however, in violation of the principle of fair and lawful use[26]; this makes the entry unlawful[27] and is in itself sufficient grounds to have the data erased.[28] Once a year a data subject has the right, free of charge, to request information about the processed data, its origin, recipients, transmissions, purpose, and legal basis. If the law does not mandate the inclusion of data in a data application open to public inspection, such as a creditworthiness database, the data subject can object at any time and without giving reasons. As a consequence the data must be erased within eight weeks.[29] According to the Supreme Court (OGH), data subjects also have the option to object partially and demand corresponding erasure.[30] Erasure means physical, not merely logical, deletion; reorganising the data is not sufficient for controllers to comply with their duty.[31]
The Consumer Credit Act 2010 (Verbraucherkreditgesetz or VKrG[32]) introduces an exception to the right of objection for joint information systems of credit institutions registered with the Data Protection Commission (DSK), such as the "Consumer Credit Evidence" or the banking institutions' "Warning List". In these cases the erasure of data is subject to considerably stricter requirements.[33]
- 1. BGBl. Nr. 194/1994 as amended. See Section 151 GewO.
- 2. Section 4 item 2 DSG.
- 3. Section 107 TKG, setting rules for calls and facsimile transmissions on the one hand and electronic mail, including SMS messages on the other hand.
- 4. BGBl. I Nr. 152/2001. Sections 6–8 ECG, covering electronic mail.
- 5. Section 109 (3) items 19–21 TKG.
- 6. BGBl. I Nr. 60/2007. See Section 62.
- 7. OGH, 20 December 2006, 9 ObA 109/06 d. See Arbeitsverfassungsgesetz or ArbVG (Labour Constitution Act) Section 96 (1) item 3. See also ARGE DATEN, "OGH hat entschieden – AUS für biometrische Stempeluhr" (Supreme Court Decides: No Biometric Time Recording Systems) 12 February 2007, at http://www2.argedaten.at/php/cms_monitor.php?q=PUB-TEXT-ARGEDATEN&s=0939....
- 8. Christine Kary, "'Big Brother' am Arbeitsplatz" ("'Big Brother' at the Workplace"), Die Presse, 28 March 2007, at http://diepresse.com/home/wirtschaft/economist/293711/index.do ; see also Thomas Angermaier, "Surfen und private E-mails am Arbeitsplatz" ("Surfing and Personal E-mails at Work"), PRVAnews, October 2008, at http://www.dbj.co.at/phps/start.php?noie=1&lang=de&content=publikationen....
- 9. Section 50a (5) DSG.
- 10. Epidemiegesetz (Law on Epidemics) 1950, Tuberkulosegesetz (Law on Tuberculosis) 1968, AIDS-Gesetz (Law on HIV) 1993, Geschlechtskrankheitengesetz (Law on Venereal Diseases) 1945. A complete list of all relevant infections can be obtained at http://www.infektionsnetz.at/.
- 11. See supra.
- 12. BGBl. I Nr. 179/2004, available at http://www.ris.bka.gv.at/Dokumente/BgblAuth/BGBLA_2004_I_179/BGBLA_2004_....
- 13. See http://www.elga.gv.at/ (in German).
- 14. ARGE DATEN, "AMS, ELGA und das verlorene Ärztegeheimnis" ("ELGA and the Lost Secret of Doctors"), 16 February 2007, at http://www2.argedaten.at/php/cms_monitor.php?q=PUB-TEXT-ARGEDATEN&s=0859....
- 15. Section 2 item 1 GTelG, regulating the use of telematics in the health sector.
- 16. See http://www.elga.gv.at/index.php?id=3.
- 17. BGBl. Nr. 510/1994 as amended; see Section 71 GTG.
- 18. Section 67 GTG.
- 19. Sections 46, 47 DSG.
- 20. See supra.
- 21. Section 40 BWG.
- 22. Amtshilfe-Durchführungsgesetz (Assistance Implementation Law) BGBl. I Nr. 102/2009.
- 23. Explanatory Report, German version available at http://www.parlament.gv.at/PAKT/VHG/XXIV/A/A_00681/imfname_161425.pdf.
- 24. A large part of complaints with the Data Protection Commission concerns databases on creditworthiness. See Datenschutzbericht 2009, supra at 35.
- 25. Section 4 item 7 DSG. Openness to public inspection is not excluded if the service requires pay for use. Supreme Court (OGH), 1 October 2008, 6 Ob 195/08 g.
- 26. Section 6 (1) item 1 DSG.
- 27. OGH, 15 December 2005, 6 Ob 275/05 t.
- 28. ARGE DATEN, "Löschungsanspruch gegenüber Wirtschaftsauskunftsdiensten & Banken" ("Right to Erasure vis-à-vis Creditor Protection Agencies and Banks"), available at http://www.argedaten.at/php/cms_monitor.php?q=PUB-TEXT-ARGEDATEN&s=30575bvj.
- 29. Section 28 (2) DSG.
- 30. OGH, 1 October 2008, 6 Ob 195/08 g.
- 31. OGH, 15 April 2010, 6 Ob 41/10 p.
- 32. BGBl. I Nr. 28/2010, which entered into force in June 2010. See Section 7 (5) VKrG.
- 33. Sections 24, 27 and 28 (1) DSG. ARGE DATEN, "Löschungsanspruch gegenüber Wirtschaftsauskunftsdiensten & Banken," supra.