Zum Inhalt Zum Hauptmenü

Search form


Unnecessary excitement about company data

Publication

Unnecessary excitement about company data

publiziert: 
Die Presse
Datum: 
2018, January 29

Abstract

General Data Protection Regulation. The Red-Black coalition no longer succeeded in restricting the basic right to data protection for natural persons. Nevertheless, the new EU data protection does not apply indiscriminately to company data.

Text

Just as companies are going into the hot phase of preparing the implementation of the basic EU data protection regulation applicable from 25 May 2018, there is currently excitement about the question of what data is protected at all: While the old Austrian data protection regime contains the data of natural and legal persons indiscriminately until the DSGVO enters into force, the DSGVO only treats data of natural persons.

This would eliminate the Austrian specificity that data from companies is also subject to strict data protection. The relief was very great in Austria, as in international comparison the stricter regulations were often an obstacle without additional benefits: In view of the numerous disclosure requirements for corporate key figures, it was questionable in what data there may be any interest in secrecy for, worthy of protection at all. Where companies regularly have an interest in protection - namely know-how - there is usually no personal date within the meaning of the Data Protection Act. The justified confidentiality interest in this information will be satisfied in the future by a separate directive: the secrecy protection directive to be implemented by 9 June 2018. As a result, there is virtually no need for strict data protection for legal entities.

However, the new structure of data and secrecy protection is being torn apart by a posse surrounding the enactment of the Austrian Data Protection Act, which was intended to implement various opening clauses in the General Data Protection Regulation and to adapt the national legal framework to the new European requirements: The original draft of the DPA provided for a completely new version in which Sec 1 DPA 2000 - the basic right to data protection - was to be restricted to natural persons. Because of the abrupt end of the old coalition, this law could not be implemented due to the lack of a constitutional majority. Instead, only the provisions of the old DPA, which can be amended by simple law, were amended. The basic right to data protection was not touched and remained in its previous formulation as a right for everyone - and thus also legal persons.

Expansion not intended

In an informal assessment by the constitutional service, which is spreading like wildfire, the latter now argues that the simple data protection regime should continue to be fully applicable to the data of legal persons in the future. Of course, this is incorrect: The DPA does not reorganise the application of the DPA or the simple legal provisions of the DPA to the data of legal persons in any provision. However, this would have been necessary to extend protection. On the contrary: the legislator has expressed its intention to set purely the necessary implementing measures for the GDPR with its limited scope. Finally, the historical will of the legislature to restrict protection by the original attempt to restrict even the fundamental right to data protection to natural persons, which failed purely because of actual political circumstances, has been demonstrated.

From the purely factual maintenance of the broader fundamental right to data protection due to the real political situation, it therefore cannot be derived to a - analogous - application of the stricter provisions of the GDPR to data of legal persons also. With regard to penal provisions, such an extension would even be constitutionally impossible.

Rights of the data subjects safeguarded

Of course, the protection of fundamental rights still contained in the law has a limited effect in the form of a "data protection light" for data of legal persons: If there is an actual interest in secrecy worthy of protection, its processing is only permissible under the admissibility requirements specified in Sec 1 DPA, such as the existence of an overriding legitimate interest, a legal basis or the consent of the legal person. Legal persons are also entitled to the fundamental rights of those concerned.

However, the much more far-reaching provisions of the GDPR, such as the obligation to keep a record of processing activities, the data protection impact assessment or recording and notification obligations, do not apply to the data of legal persons. Similarly, legal persons cannot exercise the rights of data subjects that go further under the GDPR. This means that, despite the actual political breakdown, the processing of legal entities' data will still be considerably easier and will not have to be taken into account in the extensive GDPR projects. In view of the complexity of the interrelationships and the resulting uncertainty, it remains to hope, however, that the legislator will now intervene quickly and reorganize this issue in a legally clean manner.

There is now a clarification on another, equally hotly debated issue, namely the question of the admissibility of the imposition by the data protection authority of potential penalties in the millions provided for in the GDPR: the Constitutional Court has surprisingly declared a six-digit penalty imposed by the Financial Market Authority to be constitutional (G 408/2016-31). Since the underlying Sec 99d of the Banking Act (Bankwesengesetz) was the basis for the criminal provision in the DPA in terms of penal framework, jurisdiction and instance procedure, this punishment regime is also permissible on the merits.

There is now a clarification on another, equally hotly debated issue, namely the question of the admissibility of the imposition by the data protection authority of potential penalties in the millions provided for in the GDPR: the Constitutional Court has surprisingly declared a six-digit penalty imposed by the Financial Market Authority to be constitutional (G 408/2016-31). Since the underlying Sec 99d of the Banking Act (Bankwesengesetz) was the basis for the criminal provision in the DPA in terms of penal framework, jurisdiction and instance procedure, this punishment regime is also permissible on the merits.

Disclaimer

Alle Angaben auf dieser Website dienen nur der Erstinformation und können keine rechtliche oder sonstige Beratung sein oder ersetzen. Daher übernehmen wir keine Haftung für allfälligen Schadenersatz.

The material contained in this website is provided for general information purposes only and does not constitute legal or other professional advice. We accept no responsibility for loss which may arise from reliance on information contained on this site.



© 2018 · DORDA

we deliver clartity