menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Austria) language
Contact our local member in Austria mail_outline
Visit the website of Geistwert account_balance

arrow_backPrevious Article
Article 4
Next Articlearrow_forward

Definitions

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 4 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 4 keyboard_arrow_up

Articles related to article 4

Key words related to article 4

Show the recitals of the Regulation related to article 4 keyboard_arrow_down Hide the recitals of the Regulation related to article 4 keyboard_arrow_up

(27) This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

(28) The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.

(31) Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law. The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.

(34) Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.

Show the recitals of the Directive related to article 4 keyboard_arrow_down Hide the recitals of the Directive related to article 4 keyboard_arrow_up

(26) Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable; whereas codes of conduct within the meaning of Article 27 may be a useful instrument for providing guidance as to the ways in which data may be rendered anonymous and retained in a form in which identification of the data subject is no longer possible;

(27) Whereas the protection of individuals must apply as much to automatic processing of data as to manual processing; whereas the scope of this protection must not in effect depend on the techniques used, otherwise this would create a serious risk of circumvention; whereas, nonetheless, as regards manual processing, this Directive covers only filing systems, not unstructured files; whereas, in particular, the content of a filing system must be structured according to specific criteria relating to individuals allowing easy access to the personal data; whereas, in line with the definition in Article 2 (c), the different criteria for determining the constituents of a structured set of personal data, and the different criteria governing access to such a set, may be laid down by each Member State; whereas files or sets of files as well as their cover pages, which are not structured according to specific criteria, shall under no circumstances fall within the scope of this Directive;

The GDPR

Warning: the definitions of Article 4 are commented in the provision of the Regulation that appeared most clarifying to its content. Other provisions use the concepts defined in this article. They can be identified by inserting the concept as a keyword.

  1. personal data (see Article 2).

(3) processing (see Article 2).

 (3a) restriction of processing (see Article 18).

(3aa) profiling (see Article 22).

(3b) pseudonymisation (see Article 25).

(4) filing system (see Article 2).

(5) controller (see Article 3).

(6) processor (see Article 28).

(7) recipient (see Article 13).

(7a) third party (see Article 6).

(8) data subject’s consent (see Article 7).

(9) personal data breach (see Article 33).

(10) genetic data (see Article 9).

(11) biometric data (see Article 9).

(12) data concerning health (see Article 9).

(13) main establishment of the controller (see Article 56).

(14) representative (see Article 27).

(15) enterprise (see Article 47).

(16) group of undertakings (see Article 47).

(17) binding corporate rules (see Article 47).

(19) supervising authority (see Article 51).

(19a) supervising authority concerned (see Article 60).

(19b) cross-border processing (see Article 56).

(19c) relevant and reasoned objection (see Article 60).

(20) information society service (see Article 8).

(21) international organization (see Article 44).

The Directive

Definitions

Potential issues

No specific provision

Austria

 

”Only indirectly personal data” (§ 3 sub-para 1 DSG) does no longer exist:

The DSG defined data as being ”only indirectly personal” when the data relate to the subject in such a manner that the controller, processor or recipient of a transmission cannot establish the identity of the data subject by legal means. 

If ”only indirectly personal data” are processed, the legal requirments pursuant to the DSG are much lower:

  • The use of only indirectly personal data shall not constitute an infringement of interests in secrecy deserving protection (§ 8 para 2 DSG);
  • The use of sensitive data does not infringe interests in secrecy deserving protection only and exclusively if (inter alia) the data are used only in indirectly personal form (§ 9 para 1 sub-para 2 DSG);
  • The international transfer of only indirectly personal data does not require a prior authorisation by the Austrian Data Protection Authority (Link) (§ 12 para 3 DSG); 

  • Data applications are not subject to notification (intera alia), which contain only indirectly personal data (§ 17 para 2 sub-para 3 DSG);

  • The rights of the data subject cannot be exercised insofar as only indirectly personal data are used (§ 29 DSG);

  • For the purpose of scientific or statistical research projects whose goal is not to obtain results in a form relating to specific data subjects, the controller shall have the right to use all data that (inter alia) are only indirectly personal for him/her (§ 46 para 1 sub-para 3 DSG).

No formal distinction between “committing of data” (sub-para 11) and "transmission of data” (sub-para 12) anymore:

The DSG makes a clear distinction between “committing of data”, namely the transfer of data from the controller to a processor in the context of a commissioned work, and "transmission of data”, namely the transfer of data to recipients other than the data subject, the controller or a processor, in particular publishing of data as well as the use of data for another application purpose of the controller.

arrow_back Previous ArticleArticle 4Next Article arrow_forward
arrow_back Previous ArticleArticle 4 Next Article arrow_forward

Summary

European Union

European Union

Retour au sommaire

Article 29 Working Party

Guidelines for identifying a controller or processor’s lead supervisory authority (5 April 2017)

(Endorsed by the EDPB)

Identifying a lead supervisory authority is only relevant where a controller or processor is carrying out the cross-border processing of personal data. Article 4(23) of the General Data Protection Regulation (GDPR) defines ‘cross-border processing’ as either the:

- processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or the

- processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

This means that where an organisation has establishments in France and Romania, for example, and the processing of personal data takes place in the context of their activities, then this will constitute cross-border processing.

Alternatively, the organisation may only carry out processing activity in the context of its establishment in France. However, if the activity substantially affects – or is likely to substantially affect - data subjects in France and Romania then this will also constitute crossborder processing.

Link

Guidelines on Personal data breach notification under Regulation 2016/679 (6 February 2018)

(Endorsed by the EDPB)

The General Data Protection Regulation (the GDPR) introduces the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority (or in the case of a cross-border breach, to the lead authority) and, in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach.

Obligations to notify in cases of breaches presently exist for certain organisations, such as providers of publicly-available electronic communications services (as specified in Directive 2009/136/EC and Regulation (EU) No 611/2013). There are also some EU Member States that already have their own national breach notification obligation. This may include the obligation to notify breaches involving categories of controllers in addition to providers of publicly available electronic communication services (for example in Germany and Italy), or an obligation to report all breaches involving personal data (such as in the Netherlands). Other Member States may have relevant Codes of Practice (for example, in Ireland). Whilst a number of EU data protection authorities currently encourage controllers to report breaches, the Data Protection Directive 95/46/EC, which the GDPR replaces, does not contain a specific breach notification obligation and therefore such a requirement will be new for many organisations. The GDPR now makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors also have an important role to play and they must notify any breach to their controller.

The Article 29 Working Party (WP29) considers that the new notification requirement has a number of benefits. When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Indeed, the supervisory authority may order the controller to inform those individuals about the breach7. Communicating a breach to individuals allows the controller to provide information on the risks presented as a result of the breach and the steps those individuals can take to protect themselves from its potential consequences. The focus of any breach response plan should be on protecting individuals and their personal data. Consequently, breach notification should be seen as a tool enhancing compliance in relation to the protection of personal data. At the same time, it should be noted that failure to report a breach to either an individual or a supervisory authority may mean that under Article 83 a possible sanction is applicable to the controller.

Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals8, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary. Notification to the supervisory authority should form a part of that incident response plan.

The GDPR contains provisions on when a breach needs to be notified, and to whom, as well as what information should be provided as part of the notification. Information required for the notification can be provided in phases, but in any event controllers should act on any breach in a timely manner.

In its Opinion 03/2014 on personal data breach notification9, WP29 provided guidance to controllers in order to help them to decide whether to notify data subjects in case of a breach. The opinion considered the obligation of providers of electronic communications regarding Directive 2002/58/EC and provided examples from multiple sectors, in the context of the then draft GDPR, and presented good practices for all controllers.

The current Guidelines explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors can take to meet these new obligations. They also give examples of various types of breaches and who would need to be notified in different scenarios.

Link

Retour au sommaire
arrow_back Previous Article Article 4 Next Article arrow_forward

Summary

European Union

European Union

CJEU caselaw

C-101/01 (6 November 2003) - Bodil Lindqvist

1.    The act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data wholly or partly by automatic means within the meaning of Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

2.    Such processing of personal data is not covered by any of the exceptions in Article 3(2) of Directive 95/46.

3.    Reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.

4.    There is no transfer [of data] to a third country within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored on an internet site on which the page can be consulted and which is hosted by a natural or legal person who is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country.

5.    The provisions of Directive 95/46 do not, in themselves, bring about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the European Union and are enshrined inter alia in Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms signed at Rome on 4 November 1950. It is for the national authorities and courts responsible for applying the national legislation implementing Directive 95/46 to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order.

6.    Measures taken by the Member States to ensure the protection of personal data must be consistent both with the provisions of Directive 95/46 and with its objective of maintaining a balance between freedom of movement of personal data and the protection of private life. However, nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included in the scope thereof provided that no other provision of Community law precludes it.

Link

C-342/12 (30 May 2013) - Worten

1.      Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is to be interpreted as meaning that a record of working time, such as that at issue in the main proceedings, which indicates, in relation to each worker, the times when working hours begin and end, as well as the corresponding breaks and intervals, is included within the concept of ‘personal data’, within the meaning of that provision.

2.      Article 6(1)(b) and (c) and Article 7(c) and (e) of Directive 95/46 do not preclude national legislation, such as that at issue in the main proceedings, which requires an employer to make the record of working time available to the national authority responsible for monitoring working conditions so as to allow its immediate consultation, provided that this obligation is necessary for the purposes of the performance by that authority of its task of monitoring the application of the legislation relating to working conditions, in particular as regards working time.

Judgment of the Court 

C-131/12 (13 May 2014) - Google Spain et Google

1.      Article 2(b) and (d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data are to be interpreted as meaning that, first, the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) when that information contains personal data and, second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d).

2.      Article 4(1)(a) of Directive 95/46 is to be interpreted as meaning that processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, within the meaning of that provision, when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State.

3.      Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.

4.      Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, when appraising the conditions for the application of those provisions, it should inter alia be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject. As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.

Opinion of Advocate general

Judgment of the Court

C-683/13 (19 June 2014) - Pharmacontinente - Saúde e Higiene e.a.

1.     Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is to be interpreted as meaning that a record of working time, such as that at issue in the main proceedings, which indicates, in relation to each worker, the times when working hours begin and end, as well as the corresponding breaks and intervals, is covered by the concept of ‘personal data’ as referred to in that provision.

2.    Article 6(1)(b) and (c) and Article 7(c) and (e) of Directive 95/46 must be interpreted as not precluding national legislation, such as that at issue in the main proceedings, which requires an employer to make the record of working time available to the national authority responsible for monitoring working conditions so as to allow its immediate consultation, provided that this obligation is necessary for the purposes of the performance by that authority of its task of monitoring the application of the legislation relating to working conditions, in particular as regards working time.

3.    It is for the referring court to determine whether the employer’s obligation to provide the national authority responsible for monitoring working conditions access to the record of working time so as to allow its immediate consultation may be considered necessary for the purposes of the performance by that authority of its monitoring task, by contributing to the more effective application of the legislation relating to working conditions, in particular as regards working time, and, if so, whether the penalties imposed with a view to ensuring the effective application of the requirements laid down by Directive 2003/88/EC of the European Parliament and of the Council of 4 November 2003, concerning certain aspects of the organisation of working time, are consistent with the principle of proportionality.

Judgment of the Court

C-434/16 ( 20 December 2017) - Nowak

Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that, in circumstances such as those of the main proceedings, the written answers submitted by a candidate at a professional examination and any comments made by an examiner with respect to those answers constitute personal data, within the meaning of that provision.

Opinion of advocate general

Judgment of the court

C-210/16 (5 June 2018) - Wirtschaftsakademie Schleswig-Holstein

Article 2(d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the concept of ‘controller’ within the meaning of that provision encompasses the administrator of a fan page hosted on a social network.

Opinion of Advocate general

Judgment of court

C-25/17 (10 July 2018) - Jehovan todistajat

 1.  Article 2(c) of Directive 95/46 must be interpreted as meaning that the concept of a ‘filing system’, referred to by that provision, covers a set of personal data collected in the course of door-to-door preaching, consisting of the names and addresses and other information concerning the persons contacted, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods.

2.  Article 2(d) of Directive 95/46, read in the light of Article 10(1) of the Charter of Fundamental Rights, must be interpreted as meaning that it supports the finding that a religious community is a controller, jointly with its members who engage in preaching, for the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community, without it being necessary that the community has access to those data, or to establish that that community has given its members written guidelines or instructions in relation to the data processing.

Opinion of Advocate general 

Judgment of the court

C-345/17 (14 février 2019) - Buivids

1.      Article 3 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the recording of a video of police officers in a police station, while a statement is being made, and the publication of that video on a video website, on which users can send, watch and share videos, are matters which come within the scope of that directive.

2.      Article 9 of Directive 95/46 must be interpreted as meaning that factual circumstances such as those of the case in the main proceedings, that is to say, the video recording of police officers in a police station, while a statement is being made, and the publication of that recorded video on a video website, on which users can send, watch and share videos, may constitute a processing of personal data solely for journalistic purposes, within the meaning of that provision, in so far as it is apparent from that video that the sole object of that recording and publication thereof is the disclosure of information, opinions or ideas to the public, this being a matter which it is for the referring court to determine.

Link

C-272/19 (9 July 2020) - VQ v. Land Hessen

Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that, in so far as a Petitions Committee of the parliament of a Federated State of a Member State determines, alone or with others, the purposes and means of the processing of personal data, that committee must be categorised as a ‘controller’, within the meaning of that provision, and consequently the processing of personal data carried out by that committee falls within the scope of that regulation and, in particular, of Article 15 thereof.

Judgment of the court

C-61/19 (11 November 2020) - Orange Romania SA

Article 2(h) and Article 7(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Article 4(11) and Article 6(1)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that it is for the data controller to demonstrate that the data subject has, by active behaviour, given his or her consent to the processing of his or her personal data and that he or she has obtained, beforehand, information relating to all the circumstances surrounding that processing, in an intelligible and easily accessible form, using clear and plain language, allowing that person easily to understand the consequences of that consent, so that it is given with full knowledge of the facts. A contract for the provision of telecommunications services which contains a clause stating that the data subject has been informed of, and has consented to, the collection and storage of a copy of his or her identity document for identification purposes is not such as to demonstrate that that person has validly given his or her consent, as provided for in those provisions, to that collection and storage, where

  • the box referring to that clause has been ticked by the data controller before the contract was signed, or where;
  • the terms of that contract are capable of misleading the data subject as to the possibility of concluding the contract in question even if he or she refuses to consent to the processing of his or her data, or where;
  • the freedom to choose to object to that collection and storage is unduly affected by that controller, in requiring that the data subject, in order to refuse consent, must complete an additional form setting out that refusal.

Judgment of the court

Retour au sommaire

Austria

Concerning § 4 No 1 DSG 2000 (!), definition of personal data:

A disease of the son (in this case Costello-Syndrom, a seldom, genetically determined deformity) can not be seen as personal datum of the father, because no inferences can be drawn.

OGH 29.11.2016, 6 Ob148/ 16g (Austrian Supreme Court)

Concerning Article 4 No 7 GDPR/ § 4 No 4 DSG 2000 (!), definition of a controller:

The author of a posting in an online platform shall be the controller according to § 4 No 4 DSG 2000 (!) instead of the operator of the platform.

OLG Linz 16.07.2009, 3 R 101/ 09g (Higher Regional Court in Linz)

Due to their professional independence it might reasonably be assumed that lawyers, when dealing with their clients'  legal business, are acting on their one's authority and therefore can be considered controllers within the meaning of § 4 No 4 DSG 2000 (!).

DSB 27.10.2014, DSB-D122.215/ 0004-DSB/ 2014 (Austrian Data Protection Authority)

Retour au sommaire
arrow_back Previous Article Article 4 Next Article arrow_forward
Regulation
1e 2e

Art. 4

For the purposes of this Regulation:

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(3) ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

(5) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

(6) ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

(9) ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

(10) ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

(12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

(13) ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

(14) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

(15) ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

(16) ‘main establishment’ means:

(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

(17) ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

(18) ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

(19) ‘group of undertakings’ means a controlling undertaking and its controlled undertakings

(20) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;

(21) ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

(22) ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:

(a) the controller or processor is established on the territory of the Member State of that supervisory authority;

(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

(c) a complaint has been lodged with that supervisory authority;

(23) ‘cross-border processing’ means either:

(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

(24) ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

(25) ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19);

(26)  ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
1st proposal close

Art. 4

For the purposes of this Regulation:

(1) 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

(2) 'personal data' means any information relating to a data subject;

(3) 'processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction;

(4) 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

(5) 'controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;

(6) 'processor' means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

(7) 'recipient' means a natural or legal person, public authority, agency or any other body to which the personal data are disclosed;

(8) 'the data subject's consent' means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;

(9) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

(10) 'genetic data' means all data, of whatever type, concerning the characteristics of an individual which are inherited or acquired during early prenatal development;

(11) 'biometric data' means any data relating to the physical, physiological or behavioural characteristics of an individual which allow their unique identification, such as facial images, or dactyloscopic data;

(12) ‘data concerning health’ means any information which relates to the physical or mental health of an individual, or to the provision of health services to the individual;

(13) ‘main establishment’ means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, 'main establishment' means the place of its central administration in the Union;

(14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and may be addressed by any supervisory authority and other bodies in the Union instead of the controller, with regard to the obligations of the controller under this Regulation;

(15) ‘enterprise’ means any entity engaged in an economic activity, irrespective of its legal form, thus including, in particular, natural and legal persons, partnerships or associations regularly engaged in an economic activity;

(16) 'group of undertakings' means a controlling undertaking and its controlled undertakings;

(17) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings;

(18) 'child' means any person below the age of 18 years;

(19) 'supervisory authority' means a public authority which is established by a Member State in accordance with Article 46.

 
2nd proposal close

Art. 4

For the purposes of this Regulation:

(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly (...), in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

(2a)

(...)

(3) 'processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination (...) restriction, erasure or destruction ;

(3a) 'restriction of processing' means the marking of stored personal data with the aim of limiting their processing in the future ;

(3b) 'pseudonymisation' means the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non -attribution to an identified or identifiable person (...).

(4) 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

(5) 'controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes (...) and means of the processing of personal data; where the purposes (...) and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;

(6) 'processor' means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

(7) 'recipient' means a natural or legal person, public authority, agency or any other body (...) to which the personal data are disclosed, whether a third party or not ; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients ;

(8) 'the data subject's consent' means any freely -given, specific and informed (...) indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;

(9) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

(10) 'genetic data' means all personal data relating to the genetic characteristics of an individual that have been inherited or acquired, (...) which give unique information about the physiology or the health of that individual, resulting in particular from an analysis of a biological sample from the individual in question ;

(11) 'biometric data' means any personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual which allows or confirms the unique identification of that individual, such as facial images, or dactyloscopic data;

(12) 'data concerning health' means data related to the physical or mental health of an individual, which reveal information about his or her health status ;

(12a) 'profiling' means any form of automated processing of personal data consisting of using those data to evaluate personal aspects relating to a natural person, in particular to analyse and predict aspects concerning performance at work, economic situation, health, personal preferences, or interests, reliability or behaviour, location or movements;

(12b) (...)

(13) 'main establishment' means

- as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes (...) and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented , in this case the establishment having taken such decisions shall be considered as the main establishment.

- as regards a  processor with establishments in more than one Member State, the place of its central administration in the Union and, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

(14) 'representative' means any natural or legal person established in the Union who, (...) designated by t he controller in writing pursuant to Article 25, represents the controller with regard to the obligations of the controller under this Regulation (...);

(15) 'enterprise' means any natural or legal person engaged in an economic activity, irrespective of its legal form, (...) including (...) partnerships or associations regularly engaged in an economic activity;

 (16) 'group of undertakings' means a controlling undertaking and its controlled undertakings;

(17) 'binding corporate rules' means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor  in one or more third countries within a group of undertakings or group of enterprises engaged in a joint economic activity ;

(18) (...)

(19) 'supervisory authority' means  an independent public authority which is established by a Member State pursuant to Article 46;

(19a)  'concerned supervisory authority' means 

-   a supervisory authority which is concerned by the processing because:

a) the controller or processor  is established on the territory of the Member State of  that supervisory authority; 

b) data subjects residing in this Member State are  substantially affected or likely to be substantially affected by the processing;

 or

c) the underlying complaint has been lodged to that supervisory authority. 

(19b) 'transnational processing of personal data' means either:

(a) processing which takes place in the context of the activities of establishments in more than one Member State of a controller or a processor in theUnion and the controller or processoris established in more than one Member State; or

(b) processing which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

(19c) 'relevant and reasoned objection' means: an objection as to whether there is an infringement of this Regulation or not, or, as the case may be, whether the envisaged action in relation to the controller or processor is in conformity with the Regulation. The objection shall clearly demonstrate the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and where applicable, the free flow of personal data.

(20) 'Information Society service' means any service as defined by Article 1 (2) of Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services  .

(21) 'international organisation' means an organisation and its subordinate bodies governed by public international law or any other body which is set up by, or on the basis of, an agreement between two or more countries;
Directive close

Art. 2

For the purposes of this Directive:

(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

(b) 'processing of personal data' ('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

(c) 'personal data filing system' ('filing system') shall mean any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

(d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;

(e) 'processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

(f) 'third party' shall mean any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data;

(g) 'recipient' shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients;

(h) 'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

 
Austria
compare_arrows
visibility Old law

In force since May 25, 2018:

Scope of application and implementing provision

§ 4 DSG

(1) The provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ No L 119 of 4 May 2016, p. 1 (in the following: General Data Protection Regulation) and this federal law shall apply to the processing of personal data of natural persons wholly or partly by automated means and to the processing other than by automated means of personal data of natural persons which form part of a filing system or are intended to form part of a filing system, unless the more specific provisions of Chapter 3 of this federal law prevail.

(2) If personal data processed by automated means cannot be rectified or erased immediately because they can be rectified or erased only at certain times for economic or technical reasons, processing of the personal data concerned shall be restricted until that time, with the effect as stipulated in Article 18 para. 2 of the General Data Protection Regulation.

(3) Processing personal data on acts or omissions punishable by courts or administrative authorities, in particular concerning suspected criminal offences, as well as data on criminal convictions and precautionary measures involving the deprivation of liberty, is permitted if the requirements of the General Data Protection Regulation are met and if

  1. an explicit legal authorisation or obligation to process such data exists; or

  2. the legitimacy of the processing of such data is otherwise based on statutory duties of diligence, or processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party pursuant to Article 6 para. 1 (f) of the General Data Protection Regulation, and the manner in which the data are processed safeguards the interests of the data subject according the General Data Protection Regulation and this federal law.

(4) In the case of an offer of information society services directly to a child, consent to the processing of the personal data of a child pursuant to Article 6 para. 1 (a) of the General Data Protection Regulation shall be lawful where the child is at least 14 years old.

(5) Irrespective of other legal restrictions, the right of access of the data subject pursuant to Art. 15 GDPR does not apply vis-à-vis controllers acting with public authority, if granting the information would compromise the execution of a task legally assigned to the controller.

(6) Irrespective of other legal restrictions, the right of access of the data subject pursuant to Art. 15 GDPR generally does not apply vis-à-vis controllers, if granting the information would compromise a company or business secret of the controller or a third party.

(7) Insofar as manual filing systems, i.e., filing systems managed without automatic processing, exist for the purposes of matters in which the Federal Government has the power to pass laws, these files are deemed to be data processing operations as referred to in the General Data Protection Regulation and in this federal law.
Old law close

All of the following in force until May 25, 2018:

Definitions

§ 4 DSG 2000

For the subsequent provisions of this federal law the terms listed below shall mean:

1. “data” (”personal data”): information relating to data subjects (sub-para. 3) who are identified or identifiable; data are ”only indirectly personal” for a controller (sub-para. 4), a processor (sub-para. 5) or recipient of a transmission (sub-para. 12) when the data relate to the subject in such a manner that the controller, processor or recipient of a transmission cannot establish the identity of the data subject by legal means;

2. “sensitive data” (”data deserving special protection”): data relating to natural persons concerning their racial or ethnic origin, political opinion, trade-union membership, religious or philosophical beliefs, and data concerning health or sex life;

3. “data subject”: any natural or legal person or group of natural persons not identical with the controller, whose data are processed (sub-para. 8);

4. “controller”: natural or legal person, group of persons or organ of a territorial corporate body or the offices of these organs, if they decide alone or jointly with others to use data (sub-para.8), without regard whether they use the data themselves (sub-para. 8) or have it done by a service provider (sub-para. 5). They are also deemed to be controllers when the service provider instructed to carry out an order (sub-para. 5) decides to use data for this purpose (sub-para. 8) except if this was expressly prohibited or if the contractor has to decide under his own responsibility, on the basis of rules of law or codes of conduct.

5. “processor”: natural or legal person, group of persons or organ of a federal, state and local authority or the offices of these organs, if they use data only for a commissioned work (sub-para. 8);

6. “filing system ”: structured set of personal data which are accessible according to at least one specific criterion;

7. “data application”: the sum of logically linked stages of data use (sub-para. 8) which are organized in order to reach a defined result (the purpose of the data application) and which are as a whole or partially performed automatically, that is, performed by machines and controlled through programs (automated data processing);

8. “use of data”: all kinds of operations with data, meaning both processing of data (sub-para. 9) and transmission of data (sub-para. 12);

9. “processing of data”: the collection, recording, storing, sorting, comparing, modification, connection, reproduction, consultation, output, utilisation, committing (No. 11), blocking, erasure or destruction or any other kind of operation with data except the transmission of data (sub-para. 12);

10. [...]

11. “committing of data”: the transfer of data from the controller to a processor in the context of a commissioned work (sub-para. 5);

12. “transmission of data”: the transfer of data to recipients other than the data subject, the controller or a processor, in particular publishing of data as well as the use of data for another application purpose of the controller;

13. “joint information system”: joint processing of data in a data application by several controllers and the joint utilisation of the data so that every controller has access even to those data in the system that have been made available to the system by other controllers;

14. “consent”: the valid declaration of intention of the data subject, given without constraint, that he agrees to the use of data relating to him in a given case, after having been informed about the prevalent circumstances;

15. “establishment”: any organisational unit set apart in terms of layout and function by fixed facilities at a specific place, with or without the status of a legal person, which carries out activities at the place where it is set up.

Concerning Art 4 para 7 GDPR - public authority:

§ 5 DSG 2000

(1) Data applications shall be imputed to the public sector according to this federal law if they are undertaken for purposes of a controller of the public sector (para. 2).

(2) Public sector controllers are all those controllers who

1. are established according to public law legal structures, in particular also as an organ of a territorial corporate body, or

2. as far as they execute laws despite having been incorporated according to private law.

(3) Controllers not within the scope of para. 2 are considered controllers of the private sector according to this federal law.

(4) The fundamental right to data protection, except the right to information, shall be asserted before the civil courts against organisations that are established according to private law, as long as they do not act in execution of laws. In all other cases the Data Protection Authority shall be competent to render the decision, unless an act of legislation or a judicial decision is concerned.

Concerning Art 4 para 17 GDPR - representative:

§ 6 DSG 2000

[...]

(3) A controller responsible for a use of data subject to this federal law who does not reside in the European Union has to name a representative residing in Austria who can be held responsible in place of the controller, without prejudice to the possibility of legal measures against the controller himself.
arrow_back Previous ArticleArticle 4 Next Article arrow_forward
close

2016 - www.itiplaw.eu.