No protection for data of legal persons according to the GDPR


No protection for data of legal persons according to the GDPR

2018, January 30

Just as companies are in the hot phase of preparing the implementation of the GDPR applicable from 25.5.2018, there is currently excitement about the question of what data is actually protected: While the old Austrian data protection regime records the data of natural and legal persons indiscriminately until the GDPR enters into force, the GDPR purely treats data of natural persons as reported. This would eliminate the Austrian specificity that data from companies is also subject to strict data protection. The relief over this circumstance was very great in Austria, since in international comparison the stricter regulations were often an obstacle without additional benefits: In view of the numerous publication obligations of corporate key figures, it was entirely questionable regarding what data there may be an interest in secrecy worthy of protection. Where companies regularly have an interest in protection - namely know-how - there is usually no personal date within the meaning of the Data Protection Act. A separate directive tailored to this purpose, i.e. the secrecy protection directive to be implemented by 9 June 2018, will in future meet the justified confidentiality interest in this information. As a result, there is virtually no need for strict data protection for legal entities.

However, the new structure of data and secrecy protection is being torn apart by a posse surrounding the enactment of the Austrian Data Protection Act 2018, which was intended to implement various opening clauses of the GDPR and to adapt the national legal framework to the new European requirements: The original draft of the new DPA provided for a complete revision of the law in which Sec 1 DPA 2000 - the basic right to data protection - was to be restricted to natural persons. Because of the abrupt end of the old coalition, this law could not be implemented due to the lack of a constitutional majority (see here). Instead, the amendment only changed the provisions of the old DPA 2000, which can be changed by simple law. The basic right to data protection was not touched and remained in its previous formulation as a right for everyone - and thus also legal persons. In an informal assessment by the Constitutional Service, which spread like wildfire, the latter now derives from the fact that the data protection regime under the simple law should continue to be fully applicable to the data of legal persons in the future. That is, of course, incorrect:

The DPA does not reorder the application of the GDPR or the simple legal provisions of the DPA 2018 to the data of legal persons in any provision. However, this would have been necessary for the extension of protection. On the contrary, the legislator has expressed its intention to purely set the necessary implementing measures for the GDPR with its limited scope. Finally, the historical will of the legislature to restrict protection by the original attempt to restrict even the fundamental right to data protection to natural persons, which only failed because of actual political circumstances, has been demonstrated. From the purely factual maintenance of the further fundamental right to data protection due to the actual political situation therefore cannot be derived to a - analogous - application of the stricter provisions of the GDPR to the data of legal persons. With regard to penal provisions, such an extension would even be constitutionally impossible.

Of course, the protection of fundamental rights still contained in the law has a limited effect in the form of data protection "light" for data of legal persons: If there is actually an interest in secrecy worthy of protection, its processing is only permissible under the admissibility requirements specified in Sec 1 DPA, such as the existence of an overriding legitimate interest, a legal basis or the consent of the legal person. Legal persons are also entitled to the fundamental rights of data subjects. The substantially more far-reaching provisions of the GDPR, such as the obligation to keep a record of processing activities, the data protection impact assessment or recording and information obligations, are not applicable to the data of legal persons, on the other hand, just as legal persons cannot exercise further-reaching rights of data subjects under the GDPR. This means that, despite the real political glitch, the processing of legal entities' data will remain considerably easier and will not even have to be taken into account in the extensive GDPR projects. In view of the complexity of the interrelationships and the resulting uncertainty, it remains to hope, however, that the legislator will now intervene quickly and reorganize this issue in a legally clean manner. 


Alle Angaben auf dieser Website dienen nur der Erstinformation und können keine rechtliche oder sonstige Beratung sein oder ersetzen. Daher übernehmen wir keine Haftung für allfälligen Schadenersatz.

The material contained in this website is provided for general information purposes only and does not constitute legal or other professional advice. We accept no responsibility for loss which may arise from reliance on information contained on this site.