No simple legal protection for data of legal persons

30 January 2018

ÖJZ 2018/3


In contrast to the current data protection regime, the EU General Data Protection Regulation ("GDPR") applicable from 25 May 2018 protects only natural persons against the unauthorised processing of their personal data. However, the Austrian Data Protection Act ("DPA") still provides in Sec 1 for a basic right to data protection for "everyone". Nevertheless, the simple legal provisions of the amended DPA and the GDPR are not applicable to data of legal persons, not even by analogy.


A. Background

The currently still applicable Austrian Data Protection Act ("DPA 2000") protects personal data of natural and legal persons as well as of partnerships (Sec 4 No. 3 DPA 2000). This regulation, already included in the DPA 1978, was legitimately maintained in the course of the implementation of the not fully harmonising EU Data Protection Directive, which only covers data of natural persons. The current protection of data of legal persons therefore goes beyond the minimum requirements under European law. In practice, this Austrian peculiarity leads to difficulties because different, i.e. generally stricter, regulations apply to data processing activities that are uniform throughout Europe, e.g. in groups of companies. However, due to the extensive publication obligations for corporations, the protection of personal data of legal persons hardly plays a role in practice.

The EU General Data Protection Regulation (GDPR) applicable from 25 May 2018 also applies - like the EU Data Protection Directive - only to the processing of personal data of natural persons in accordance with Art 4 para 1. Since the GDPR is directly applicable but at the same time provides for about 70 opening clauses for possible national deviations, the Austrian data protection regime also had to be comprehensively amended with an accompanying law. The government bill of the new Austrian Data Protection Act stipulated that in future only natural persons should be covered by data protection in Austria.

Nevertheless, there has recently been increasing irritation about the scope of the Data Protection Act (DPA) which was actually passed at that time. The main reason for this is the hasty legislative process, in which, in the absence of a constitutional majority, the national accompanying law was put into the shell of the old DPA 2000 instead of the (originally intended) completely revised version. The new passages were connected with the unchanged ones - the constitutional Sec 1 to 3 DPA 2000. The broad Sec 1 DPA therefore continues to provide the fundamental right to data protection for everyone.

B. Basic right to data protection

The - unchanged - basic right to data protection in Sec 1 DPA, which in the absence of a contradiction to the GDPR is not superseded by its primacy of application, continues to apply and cover "everyone" and thus not only natural persons but also legal entities. Therefore, they also have a right to confidentiality of personal data "insofar as there is an interest worthy of protection". Furthermore, due to the direct third-party effect of the fundamental right advocated by the prevailing opinion - even after the repeal of Sec 1 para 5 DPA 2000 with the Administrative Jurisdiction Amendment 2012 - the processing of data of identifiable legal persons by other natural or legal persons (not only by the state) is only permissible with overriding legitimate interests, on the basis of a legal foundation or with consent. In addition, legal persons also have a (constitutionally guaranteed) right to access, rectification and erasure. This protection of fundamental rights essentially stems from Art 8 of the EU Charter of Fundamental Rights (GRC), which is uniformly applicable in all EU member states and also covers "every person". The GRC must, however, only be observed domestically if national legislation falls within the scope of Union law. Art 8 GRC therefore does not automatically grant domestic (basic) legal protection to (natural and) legal persons.

Sec 1 DPA thus provides - in accordance with Art 8 GRC - for a kind of minimum data protection for legal persons and basically regulates the admissibility requirements for the processing of data as well as the most important rights of data subjects.

C. Simple legal provisions and GDPR not applicable

Despite this protection of fundamental rights in principle (also for legal persons), the simple legal provisions of the DPA and also the GDPR - contrary to an informal assessment by the Constitutional Service, which has become widespread in the meantime - cannot be applied to data of legal persons, not even by analogy. Although the Austrian legislator could have legitimately provided for such an extension of the simple legal provisions or the GDPR when the DPA was introduced, it did not do so. Rather, the DPA does not provide for such an explicit extension, nor is it recognizable that the legislator wanted to aim for a wider area of protection.

On the contrary, the legislature wanted to limit the scope of the fundamental right to data protection in the legislative procedure to natural persons: By amending Sec 1 DPA 2000 according to the government bill for the DPA, its restriction to natural persons was intended to exclude legal persons from the scope of application of the fundamental right to data protection. This amendment to the constitutional provision could not be implemented solely due to the short-term legislative procedure and the "real-political situation". The protection of fundamental rights for legal persons has therefore not ceased with the DPA's government bill, which was surprisingly circulated during the open evaluation period for the ministerial draft and was finally accepted. In view of these facts, however, it is clearly proven that the historical legislator did not intend to extend the applicability of the GDPR or the DPA to data of legal persons. Rather, the maintenance of the constitutional provision is a "legal accident" - albeit deliberately accepted due to the factual circumstances. This is also evident from Sec 64 DPA: Accordingly, the new law is to explicitly implement the GDPR - where necessary - and does not in fact extend the scope of application of the GDPR and the DPA.

Nor is this changed by the fact that Sec 1 DPA - see Sec 1 para 3 leg cit - is subject to a design reservation. Sec 1 para 3 DPA expressly instructs the simple legislator to design the rights to access, rectification and erasure in simple laws. This makes it apparent that certain guarantees of Sec 1 DPA only apply under simple law if explicitly ordered by the legislature. This does not appear to have happened in the present case, which is also why analogous application or extension of the scope of the new data protection regime to legal persons is out of the question. There is also no unintended gap, because the legislator apparently wanted to restrict the basic right to natural persons and this basic right (also for legal persons), as explained above, is not an Austrian peculiarity and also results from the GRC and the ECHR.

Due to the required uniform interpretation of the GDPR and the intended harmonisation of European data protection, the almost identical (historically grown) fundamental right provision of Sec 1 DPA therefore cannot lead to an (Austrian) extension of the scope of the new data protection regime on its own, without action by the Austrian legislator if the EU legislator intends the contrary in the GDPR.

In fact, an analogous application of the Data Protection Act or the GDPR - without a legal basis and thus unconstitutionally - would also fail at the latest with the penal provisions of the new data protection regime: Due to the prohibition of analogy in (administrative) criminal law, these provisions are in any case not applicable to violations concerning data of legal persons. In fact, Sec 1 DPA was deliberately withdrawn from its simple legal form, which is why the provision was largely reduced to a "shell of fundamental rights" whose enforcement is unclear and in any case cannot be made with the help of the simple legal provisions of the DPA or the GDPR. Sec 1 DPA therefore remains a "memorial" against delayed and then hasty legislative initiatives.

In fact, the additional protection for data of legal persons is also not necessary in view of the confidentiality directive to be implemented into Austrian law by 9 June 2018, as this offers a more suitable protection for this type of data.

D. Practical consequences

The GDPR and the Austrian DPA are fully applicable to natural persons as of 25 May 2018. Only Sec 1, 2 and 3 DPA apply to legal persons, i.e. in particular the basic right to data protection, which according to the prevailing opinion also applies between private individuals (direct third-party effect). An analogous application of the simple legal provisions of the DPA (Sec 4 et seq) to legal persons is out of the question.

Legal entities concerned could therefore "only" directly rely on the fundamental right to data protection but not also on the other provisions of the DPA or the GDPR. Thus, the processing of data of legal persons is only permitted under the admissibility requirements specified in Sec 1 DPA and legal persons are entitled to some central rights of data subjects. However, these rights of the data subjects and obligations of the controller (processor) are not determined by simple law for legal persons.

Thus, data of legal entities, in particular, need not be taken into account in the extensive documentation obligations under the GDPR, the comprehensive information obligations, in the data protection impact assessment as well as in the reporting and notification obligations. The rights of the data subjects must also only be safeguarded as provided for in Sec 1 DPA - i.e. without the express reply deadline, without the intended legal protection, etc. On the basis of historical interpretation, it could only be considered that the simple legal determination in the introduction of Sec 1 DPA (i.e. DPA 2000 as amended by BGBl I 1999/165, last amended by BGBl I 2012/51) is used as an aid to interpretation, but not the more far-reaching, current provisions of GDPR or Sec 4 et seq DPA.

In a nutshell

Due to the history of the DPA it is clear that the Austrian implementation act does not extend the scope of the GDPR to data of legal persons. There is also no room for an analogous extension of the far-reaching obligations under the Regulation. Only the basic right to data protection itself (Sec 1, 2 and 3 DPA) is also applicable to data of legal persons. Nevertheless, it remains to be hoped that the new National Council will quickly resolve this issue and repeal the constitutional provisions in the DPA before the law enters into force as planned or restrict them to natural persons.