Protection of Personal Data (DSG)-Austria

Federal Act concerning the Protection of Personal Data (DSG)

Table of contents

Article 1
(constitutional provision)
§ 1. Fundamental right to data protection
(Note: § 2 and § 3 repealed by Federal Law Gazette I No 14/2019)

Article 2
Chapter 1
Implementation of the General Data Protection Regulation and supplementary provisions
Part 1
General provisions
§ 4. Scope of application and implementing provision
§ 5. Data protection officer
§ 6. Confidentiality of data
Part 2
Data processing for specific purposes
§ 7. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
§ 8. Providing addresses to inform and interview data subjects
§ 9. Freedom of expression and information
§ 10. Processing of personal data in case of emergency
§ 11. Reprimand by the Data Protection Authority
Part 3
Processing of images
§ 12. Permissibility of recording images
§ 13. Special data security measures and warning sign
Chapter 2
Bodies
Part 1
Data Protection Council
§ 14. Establishment and duties
§ 15. Composition
§ 16. Chair and management
§ 17. Meetings and resolutions
Part 2
Data Protection Authority
§ 18. Establishment
§ 19. Independent status
§ 20. The head of the Data Protection Authority
§ 21. Tasks
§ 22. Powers
§ 23. Activity reports and the publication of decisions
Part 3
Remedies, liability and penalties
§ 24. Complaints with the Data Protection Authority
§ 25. Accompanying measures in the complaint procedure
§ 26. Public-sector and private-sector controllers
§ 27. Complaints with the Federal Administrative Court
§ 28. Representation of data subjects
§ 29. Right to compensation and liability
§ 30. General conditions for imposing administrative fines
Part 4
Supervisory authority pursuant to Directive (EU) 2016/680
§ 31. Data Protection Authority
§ 32. Tasks of the Data Protection Authority
§ 33. Powers of the Data Protection Authority
§ 34. General provisions
Part 5
Special powers of the Data Protection Authority
§ 35.
Chapter 3
Processing of personal data for purposes of the security police, including the protection of public security by the police, the protection of military facilities by the armed forces, the resolution and prosecution of criminal offenses, the enforcement of sentences and the enforcement of precautionary measures involving the deprivation of liberty
Part 1
General provisions
§ 36. Scope of application, and definitions
§ 37. Principles for processing, classification and data quality
§ 38. Lawfulness of processing
§ 39. Processing of special categories of personal data
§ 40. Processing for other purposes, and transfer
§ 41. Automated individual decision-making
Part 2
Rights of the data subject
§ 42. Principles
§ 43. Information of the data subject
§ 44. Right of access by the data subject
§ 45. Right to rectification or erasure of personal data and to the restriction of processing
Part 3
Controller and processor
§ 46. Obligations of the controller
§ 47. Joint controllers
§ 48. Processor and the supervision of processing
§ 49. Records of processing activities
§ 50. Logging
§ 51. Cooperation with the Data Protection Authority
§ 52. Data protection impact assessment
§ 53. Prior consultation of the Data Protection Authority
§ 54. Data security measures
§ 55. Notification of a breach to the Data Protection Authority
§ 56. Communication of personal data breaches to data subjects
§ 57. Designation, position and tasks of the data protection officer
Part 4
Transfers of personal data to third countries or international organizations
§ 58. General principles for transfers of personal data
§ 59. Data transfers to third countries or international organizations
(Note: § 60 became ineffective as of the end of 15 January 2019 (cf. Federal Law Gazette I No 14/2019); § 61 repealed by Federal Law Gazette I No 14/2019)
Chapter 4
Special penal provisions
§ 62. Administrative penalties
§ 63. Processing with the intention to make a profit or to cause harm
Chapter 5
Final provisions
§ 64. Execution and implementation of EU legal acts
§ 65. Gender-neutral use of language
§ 66. Enactment of regulations
§ 67. References
§ 68. Execution
§ 69. Transitional provisions
§ 70. Entry into force


Federal Act concerning the Protection of Personal Data (DSG)

Article 1
(Constitutional provision)
Fundamental right to data protection

§ 1.(1) Every person shall have the right to secrecy of the personal data concerning that person, especially with regard to the respect for his or her private and family life, insofar as that person has an interest which deserves such protection. Such an interest is precluded if data cannot be subject to the right to secrecy due to the data’s general availability or because they cannot be traced back to the data subject.
(2) Insofar as personal data are not used in the vital interest of the data subject or with the data subject’s consent, restrictions of the right to secrecy are permitted only to safeguard overriding legitimate interests of another person, namely in the case of interference by a public authority only on the basis of laws which are necessary for the reasons stated in Article 8 para. 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No 210/1958. Such laws may provide for the use of data that, due to their nature, deserve special protection only in order to safeguard substantial public interests and, at the same time, shall provide for adequate safeguards for the protection of the data subjects’ interests in confidentiality. Even in the case of permitted restrictions,
(3) Insofar as personal data concerning a person are intended for automated processing or processing in files managed manually, i.e. files managed without automated processing, every person shall, as provided for by law, have
1. the right to obtain information as to who processes what data concerning the person, where the data originated from, for which purpose they are used, and in particular to whom the data are transmitted;
2. the right to rectification of incorrect data and the right to erasure of illegally processed data.
(4) Restrictions of the rights according to para. 3 are only permitted under the conditions laid out in para. 2.

Article 2

Chapter 1
Implementation of the General Data Protection Regulation and supplementary provisions
Part 1
General provisions
Scope of application and implementing provision
§ 4. (1) The provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ No L 119 of 4 May 2016, p. 1 (in the following: General Data Protection Regulation) and this federal law shall apply to the processing of personal data of natural persons wholly or partly by automated means and to the processing other than by automated means of personal data of natural persons which form part of a filing system or are intended to form part of a filing system, unless the more specific provisions of Chapter 3 of this federal law prevail.
(2) If personal data processed by automated means cannot be rectified or erased immediately because they can be rectified or erased only at certain times for economic or technical reasons, processing of the personal data concerned shall be restricted until that time, with the effect as stipulated in Article 18 para. 2 of the General Data Protection Regulation.
(3) Processing personal data on acts or omissions punishable by courts or administrative authorities, in particular concerning suspected criminal offenses, as well as data on criminal convictions and precautionary measures involving the deprivation of liberty, is permitted if the requirements of the General Data Protection Regulation are met and if
1. an explicit legal authorization or obligation to process such data exists; or
2. the legitimacy of the processing of such data is otherwise based on statutory duties of diligence, or processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party pursuant to Article 6 para. 1 (f) of the General Data Protection Regulation, and the manner in which the data are processed safeguards the interests of the data subject according to the General Data Protection Regulation and this federal law.
(4) In the case of an offer of information society services directly to a child, consent to the processing of the personal data of a child pursuant to Article 6 para. 1 (a) of the General Data Protection Regulation shall be lawful where the child is at least 14 years old.
(5) Without prejudice to other statutory restrictions, data subjects shall not have a right of access pursuant to Article 15 of the General Data Protection Regulation in relation to a controller acting with public authority and powers if granting access would put at risk the performance of a task delegated to the controller by law.
(6) Without prejudice to other statutory restrictions, data subjects shall not have a right of access pursuant to Article 15 of the General Data Protection Regulation in relation to a controller if granting access would put at risk a trade or business secret of the controller or a third party.

Data protection officer
§ 5.(1) Without prejudice to other obligations of confidentiality, the data protection officer and the persons working for the data protection officer shall be bound by confidentiality when fulfilling their duties. This shall apply in particular in relation to the identity of data subjects who applied to the data protection officer, and to circumstances that allow identification of these persons, unless the data subject has expressly granted a release from confidentiality. The data protection officer and the persons working for the data protection officer may exclusively use information made available to fulfill their duties and shall be bound by confidentiality even after the end of their activities.
(2) If, during his or her activities, a data protection officer obtains knowledge of data in respect of which a person employed with a body subject to the supervision of the data protection officer has a statutory right to refuse to give evidence, the data protection officer and the persons working for the data protection officer shall also have such a right to the extent to which the person who has the right to refuse to give evidence exercised that right. The files and other documents of the data protection officer are subject to a prohibition of seizure and confiscation to the extent of the right of the data protection officer to refuse to give evidence.
(3) Public-sector data protection officers (established in a form provided by public law, in particular also as an officer of a territorial authority) are not bound by any instructions when exercising their duties. The highest governing bodies or officers have the right to obtain information on matters to be dealt with from a public-sector data protection officer. The data protection officer shall provide information only insofar as the independence of the data protection officer as described in Article 38 para. 3 of the General Data Protection Regulation is not impaired by doing so.
(4) Considering the type and scope of data processing activities and depending on the facilities of a federal ministry, one or several data protection officers shall be appointed in the sphere of responsibilities of each federal ministry. These data protection officers shall be employed by the relevant federal ministry or the relevant subordinate office or other entity.
(5) Public-sector data protection officers pursuant to para. 4 shall regularly exchange information, in particular with regard to ensuring uniform data protection standards.

Confidentiality of data
§ 6. (1) The controller, the processor and their employees, i.e. employees and persons in a quasi-employee relationship, shall ensure the confidentiality of personal data from data processing activities that have been entrusted or have become accessible to them solely due to their employment, without prejudice to other statutory obligations of confidentiality, unless a legitimate reason for the transmission of the data that have been entrusted or have become accessible to them exists (confidentiality of data).
(2) Employees may transmit personal data only if expressly ordered to do so by their employer. Unless such an obligation of their employees already exists by law, the controller and the processor shall contractually bind their employees to transmit personal data from data processing activities only on the basis of orders and to maintain the confidentiality of data even after the end of their employment with the controller or processor.
(3) The controller and the processor shall inform the employees affected by these orders about the transmission orders applicable to them and about the consequences of a violation of data confidentiality.
(4) Without prejudice to the right to give instructions under constitutional law, an employee must not incur any disadvantage from refusing to comply with an order for a prohibited transmission of data.
(5) The statutory right of a controller to refuse to give evidence shall not be avoided by questioning a processor working for the controller, and in particular not by seizing or confiscating documents processed by automated means.

Part 2
Data processing for specific purposes
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
§ 7. (1) For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes whose goal is not to obtain results in a form relating to specific data subjects, the controller may process all personal data that
1. are publicly accessible,
2. the controller has lawfully collected for other research projects or other purposes, or
3. are pseudonymized personal data for the controller, and the controller cannot establish the identity of the data subject by legal means.
(2) In the case of processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes that do not fall under para. 1, personal data may be processed only
1. pursuant to specific legal provisions,
2. with the consent of the data subject, or
3. with a permit of the Data Protection Authority pursuant to para. 3.

(3) A permit of the Data Protection Authority for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall be granted at the request of the controller ordering the research project, if
1. the consent of the data subject is impossible to obtain because the data subject cannot be reached or the effort would otherwise be unreasonable,
2. there is a public interest in the processing for which a permit is sought, and
3. the professional aptitude of the controller has been satisfactorily demonstrated.
If special categories of personal data (Article 9 of the General Data Protection Regulation) are to be collected, an important public interest in the research project must exist; furthermore, it must be ensured that the personal data are processed at the premises of the controller ordering the research project only by persons who are subject to a statutory obligation of confidentiality regarding the subject matter of the research project or whose reliability in this respect is credible. The Data Protection Authority shall issue the permit subject to terms and conditions, insofar as this is necessary to safeguard the data subjects’ interests which deserve protection.
(4) A request according to para. 3 must, however, be accompanied by a statement signed by the person authorized to exercise rights in respect of the data files from which the personal data are to be collected, stating that this person is making the data files available for the research project. Instead of this statement, a writ of enforcement (§ 367 para. 1 of the Enforcement Code, Imperial Law Gazette No 79/1896) replacing this statement may be submitted.
(5) Even in cases where the processing of personal data for scientific research purposes or statistical purposes is permitted in a form which allows the identification of data subjects, the data shall be coded without delay so that the data subjects are no longer identifiable if specific phases of scientific or statistical work can be performed with personal data pursuant to para. 1 subpara. 3. Unless otherwise expressly provided for by law, data in a form which allows the identification of data subjects shall be rendered unidentifiable as soon as it is no longer necessary for scientific or statistical work to keep them identifiable.
(6) Legal restrictions on the right to use personal data for other reasons, in particular for copyright reasons, shall not be affected.
Providing addresses to inform and interview data subjects

§ 8. (1) Unless otherwise expressly provided for by law, providing address data of a certain group of data subjects in order to inform or interview them shall require the consent of the data subjects.
(2) If, however, an infringement of the data subject’s interests in confidentiality is unlikely, considering the selection criteria for the group of data subjects and the subject of the information or interview, no consent shall be required
1. if data from the same controller are processed, or
2. in the case of an intended transfer of address data to third parties,
a) if there is also a public interest in the information or interview, or
b) if none of the data subjects, after having received appropriate information on the reason and content of the transfer, has objected to the transfer within a reasonable period.
(3) If the requirements of para. 2 are not met and if obtaining the consent of the data subjects pursuant to para. 1 would require a disproportionate effort, the transfer of the address data shall be permissible with a permit of the Data Protection Authority pursuant to para. 4 if the data are to be transferred to third parties
1. for the purpose of information or an interview due to an important interest of the data subject,
2. due to an important public interest in the information or interview, or
3. for an interview of the data subjects for scientific or statistical purposes.

(4) At the request of a controller processing address data, the Data Protection Authority shall grant the permit for their transfer if the controller has satisfactorily demonstrated that the requirements stipulated in para. 3 have been met and no overriding interests in confidentiality which deserve protection on the part of the data subjects represent an obstacle to the transfer. The Data Protection Authority shall issue the permit subject to terms and conditions, insofar as this is necessary to safeguard interests of the data subjects which deserve protection.
(5) The transferred address data shall only be processed for the permitted purpose and shall be erased as soon as they are no longer needed for information or interviews.
(6) If it is lawful pursuant to the aforementioned provisions to transfer the names and addresses of persons belonging to a certain group of data subjects, the processing required for selecting the address data to be transferred shall also be permitted.

Freedom of expression and information
§ 9.(1) The provisions of this federal law and Chapter II (principles), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries or international organizations), Chapter VI (independent supervisory authorities), Chapter VII (cooperation and consistency) and Chapter IX (specific data processing situations) of the General Data Protection Regulation shall not apply to the processing of personal data by media owners, editors, copy editors and employees of a media undertaking or a media service as defined in the Media Act, Federal Law Gazette No 314/1981, for journalistic purposes of the media undertaking or media service. In exercising its powers in relation to the persons referred to in the first sentence,
(2) If it is necessary to reconcile the right to the protection of personal data with the freedom of expression and information, Chapter II (principles), with the exception of Article 5, Chapter III (rights of the data subject), Chapter IV (controller and processor), with the exception of Articles 28, 29 and 32, Chapter V (transfer of personal data to third countries or international organizations), Chapter VI (independent supervisory authorities), Chapter VII (cooperation and consistency) and Chapter IX (specific data processing situations) of the General Data Protection Regulation shall not apply to processing for the purposes of academic, artistic or literary expression. Of the provisions of this federal law, § 6 (confidentiality of data) shall be applied in such cases.

Processing of personal data in case of emergency

§ 10. (1) In case of emergency, public-sector controllers and relief organizations shall be authorized to jointly process data to the extent that this is necessary to assist persons directly affected by a disaster, to locate and identify missing or deceased persons and to provide information to their relatives.
(2) Anybody who lawfully possesses personal data shall be permitted to transfer these data to public-sector controllers and relief organizations if these controllers and organizations need this personal data to manage a disaster for the purposes specified in para. 1.
(3) The transfer abroad of personal data is permitted insofar as this is absolutely necessary to fulfill the purposes mentioned in para. 1. Data that by themselves would make the data subject liable to criminal prosecution shall not be transferred unless they are absolutely necessary for identification in a particular case. The Data Protection Authority shall be informed immediately about the data transfers performed and about the circumstances of the motivating incident. The Data Protection Authority shall prohibit further data transfers if the interference with the fundamental right to data protection resulting from the data transfer is not justified by the special circumstances caused by a disaster.
(4) Based on a specific inquiry of a close relative of a person who has actually or presumably been directly affected by a disaster, controllers are authorized to transfer to the inquiring person personal data regarding the whereabouts of the data subject and on the progress of the search, if the relative satisfactorily demonstrates his or her identity and close relationship to the data subject.
Special categories of personal data (Article 9 of the General Data Protection Regulation) may be transferred to close relatives only if they prove their identity and their capacity as a relative and if the transfer is necessary to safeguard their rights or the rights of the data subject . The social insurance agencies and authorities are obliged to assist the public-sector controllers and relief organizations if this is necessary to verify the information provided by the inquiring person.
(5) Close relatives pursuant to this provision means parents, children, spouses, registered partners and companions in life of the data subjects. Other relatives may receive the aforementioned information under the same conditions as close relatives if they satisfactorily demonstrate a special close relationship to the person actually or presumably directly affected by a disaster.
(6) The personal data processed for the purposes of managing a disaster shall be deleted immediately if they are no longer required to fulfill the specific purpose.

Reprimand by the Data Protection Authority

§ 11. The Data Protection Authority shall apply the catalog of Article 83 paras. 2 to 6 of the General Data Protection Regulation in a manner so as to observe proportionality. In the case of first-time infringements, in particular, the Data Protection Authority shall use its corrective powers in accordance with Article 58 of the General Data Protection Regulation, in particular by issuing reprimands.

Part 3
Processing of images
Permissibility of recording images

§ 12.(1) For the purposes of this part, recording images means observing occurrences in public or non-public space for private purposes, using technical devices for the processing of images. Recording images also includes acoustic information processed together with the images. This Part shall apply to such recording of images unless other laws provide for more specific provisions.
(2) Considering the requirements pursuant to § 13, recording images is permitted if
1. it is necessary in the vital interest of a person,
2. the data subject has consented to the processing of the data subject’s personal data,
3. it is ordered or permitted by special statutory provisions, or
4. there are overriding legitimate interests of the controller or a third party in a particular case, and proportionality is given.
(3) Recording images pursuant to para. 2 subpara. 4 is permitted, in particular, if
1. it serves the precautionary protection of persons and items on private land exclusively used by the controller and does not reach beyond the boundaries of the piece of land, except when it includes public traffic areas, which may be unavoidable to fulfill the purpose of the image recording,
2. it is required for the precautionary protection of persons or items in publicly accessible places that are subject to the controller’s right to undisturbed possession because that right has already been infringed or because the place, by its nature, has a special risk potential, or
3. it serves a private documentary interest and does not aim to record uninvolved persons to identify them or to record, in a targeted manner, items that are appropriate for indirectly identifying such persons.
(4) It is not permitted to:
1. record images in a data subject’s most private sphere without the express consent of the data subject,
2. record images to monitor employees,
3. align with other personal data, in an automated manner without express consent and for creating personal profiles, personal data obtained from image recordings, or
4. analyze personal data obtained from image recordings on the basis of special categories of personal data (Article 9 of the General Data Protection Regulation) as selection criteria.
(5) Data collected by means of permitted image recording may be transferred to the extent required, if one of the requirements of para. 2 subparas. 1 to 4 is met. Para. 4 shall apply accordingly.
Special data security measures and warning sign

§ 13. (1) The controller shall take appropriate measures corresponding to the risk posed by an interference and ensure that unauthorized persons cannot access or subsequently change the image recording.
(2) Except in the case of real-time surveillance, the controller shall keep logs of every processing operation.
(3) The controller shall erase personal data recorded if they are no longer necessary in relation to the purposes for which they were collected and if there is no other statutory obligation to maintain the data. Maintaining data for more than 72 hours must be proportionate; separate logs must be kept of these data, and reasons must be stated.
(4) Paras. 1 to 3 shall not be applied to image recordings pursuant to § 12 para. 3 subpara. 3.
(5) The controller of an image recording must appropriately mark the recording. The warning sign shall clearly specify the controller, unless the controller is already known to the data subjects based on the circumstances of the case.
(6) The obligation to provide a warning sign shall not apply in the cases referred to in § 12 para. 3 subpara. 3 and, in particular cases, to processing operations that must be strictly limited in terms of time and whose purpose can exclusively be achieved by means of covert investigation, provided that the controller ensures there are sufficient safeguards for the data subjects’ interests, in particular by subsequent notification of the data subject.
(7) If, in violation of para. 5, sufficient information is not provided, every data subject potentially affected by a processing operation can request information on the identity of the controller from the owner of, or person authorized to use, the piece of land or building or other property from which the processing operation evidently originates. Failure to provide such information without giving reasons shall be deemed a refusal to provide access pursuant to Article 15 of the General Data Protection Regulation.

Chapter 2
Bodies
Part 1
Data Protection Council
Establishment and duties

§ 14.(1) A Data Protection Council has been established at the Federal Ministry of Constitutional Affairs, Reforms, Deregulation and Justice. The Data Protection Council shall comment on questions of fundamental importance for data protection, promote the uniform further development of data protection, and advise the Federal Government on legal policy in the case of projects relevant to data protection.
(2) To fulfill its duties pursuant to para. 1,
1. the Data Protection Council can make recommendations relating to data protection to the Federal Government and the federal ministers;
2. the Data Protection Council can prepare opinions or commission such opinions;
3. the Data Protection Council shall be given the opportunity to comment on draft bills of federal ministries, insofar as these are significant for data protection law, and on regulations to be implemented by the Federal Government concerning essential issues of data protection;
4. the Data Protection Council shall have the right to request information and reports from public-sector controllers insofar as this is necessary to evaluate, from the viewpoint of data protection law, projects of significant impact on data protection in Austria;
5. the Data Protection Council can publish its observations, concerns and suggestions and submit them to the public-sector controllers.
(3) Para. 2 subparas. 3 and 4 shall not apply insofar as internal affairs of recognized churches and religious communities are concerned.
Composition

§ 15. (1) The Data Protection Council shall have the following members:
1. representatives of the political parties: The political parties shall delegate twelve members according to the d’Hondt method in proportion to the seats they have in the Main Committee of the National Council. Every political party represented in the Main Committee of the National Council has the right to be represented in the Data Protection Council. A party represented in the Main Committee of the National Council that cannot delegate a member according to the above calculation method can name a member;
2. one representative each of the Federal Chamber of Labor and the Austrian Federal Economic Chamber;
3. two representatives of the provinces;
4. one representative each of the Association of Austrian Municipalities and the Association of Austrian Cities and Towns;
5. one representative of the Federal Government to be delegated by the Federal Minister of Constitutional Affairs, Reforms, Deregulation and Justice;
6. one representative to be delegated by the Federal Government from among the data protection officers of the federal ministries;
7. two national or international experts in data protection to be named by the Data Protection Council after its constitution.
(2) The representatives mentioned in para. 1 should have knowledge of and experience in data protection law, Union law, and fundamental rights.
(3) For each member pursuant to para. 1 subparas. 1 to 6, a substitute member shall be delegated who shall replace the member if the member is incapacitated or unavailable. The Federal Ministry of Constitutional Affairs, Reforms, Deregulation and Justice shall be notified in writing of the delegation of the members and substitute members.
(4) Members of the Federal Government or of a provincial government and state secretaries as well as persons who may not be elected to the National Council cannot be members of the Data Protection Council.
(5) The term of office of the members and substitute members pursuant to para. 1 subparas. 1 to 6 starts when they are delegated to the Data Protection Council and ends
1. when they are dismissed by the entity or body delegating them (para. 1) by means of a written notification to the Federal Ministry of Constitutional Affairs, Reforms, Deregulation and Justice, with a new member or substitute member being named at the same time,
2. when the member or substitute member announces his or her resignation by means of a written notification to the Federal Ministry of Constitutional Affairs, Reforms, Deregulation and Justice, or
3. no later than when a new Main Committee of the National Council is elected pursuant to Section 29 and Section 30 of the Rules of Procedure Law of 1975, Federal Law Gazette No 410/1975.
Subpara. 3 shall not apply to members of the Data Protection Council named pursuant to para. 1 subpara. 7.
(6) After the election of the new Main Committee of the National Council (para. 5 subpara. 3), the previous Executive Board pursuant to Section 17 para. 4 shall continue to manage the business of the Council until the constitutive meeting of the newly appointed members and substitute members. The entities or bodies delegating the members and substitute members shall notify the Federal Ministry of Constitutional Affairs, Reforms, Deregulation and Justice in writing, within a period of two weeks of the election of the new Main Committee of the National Council, of the members and substitute members, the number of whom must correspond to para. 1. Reappointment of the members and substitute members is permitted.
(7) The constitutive meeting of the Data Protection Council shall take place no later than six weeks after the election of the Main Committee of the National Council and shall be convened by the Federal Ministry of Constitutional Affairs, Reforms, Deregulation and Justice.
(8) The members and substitute members of the Data Protection Council shall serve in an honorary capacity. Members and substitute members of the Data Protection Council living outside of Vienna shall be entitled to receive compensation for reasonable travel expenses according to the federal regulations on traveling fees if they attend meetings of the Data Protection Council. The Federal Ministry of Constitutional Affairs, Reforms, Deregulation and Justice shall order reimbursements and refunds of the travel expenses to be paid every quarter in arrears.

Chair and management
§ 16. (1) The Data Protection Council shall adopt its rules of procedure by a resolution.
(2) In the constitutive meeting, the Data Protection Council shall elect, by a simple majority, one chair and two deputy chairs from among its members on the basis of the list of candidates proposed for election. Run-off elections are permitted. The list of candidates proposed for election shall be made known to the members and substitute members together with the invitation to the constitutive meeting. Re-election is permitted.
(3) The term of office of the chair and the deputy chairs ends
1. when the requirements of § 15 para. 5 subparas. 1 to 3 are met,
2. when the chair or one of the deputy chairs announces his or her resignation from his or her function by means of a declaration in the meeting of the Data Protection Council or a written notification to the Federal Ministry of Constitutional Affairs, Reforms, Deregulation and Justice, or
3. after the chair or one of the deputy chairs has been voted out of office by the Data Protection Council by a simple majority of the votes cast, with more than two thirds of its members or substitute members having to be present at the vote.
After the end of the term of the office of the chair or one of the deputy chairs, a new chair or a new deputy chair shall be elected without delay.
(4) The chair elected pursuant to para. 2 shall represent the Data Protection Council vis-à-vis third parties.
(5) The Federal Ministry of Constitutional Affairs, Reforms, Deregulation and Justice shall be responsible for the management of the Data Protection Council. The Federal Minister of Constitutional Affairs, Reforms, Deregulation and Justice shall supply the necessary personnel for that purpose. While working for the Data Protection Council, the employees of the Federal Ministry of Constitutional Affairs, Reforms, Deregulation and Justice shall be bound by the instructions of the chair of the Data Protection Council with regard to their work.

Meetings and resolutions
§ 17. (1) The meetings of the Data Protection Council shall be convened by the chair whenever the need arises. Every member of the Data Protection Council can request in writing that the Data Protection Council be convened, stating the requested topic of discussion. If such a request has been made, the chair shall schedule a meeting that must take place no later than four weeks after receipt of the request.
(2) Every member of the Data Protection Council must attend the meetings of the Data Protection Council unless the member is incapacitated or unavailable for justifiable reasons. A substitute member shall attend a meeting only if a member is incapacitated or unavailable.
(3) Deliberations and resolutions of the Data Protection Council shall require the presence of more than half of its members or substitute members. Resolutions shall be passed by a simple majority of votes cast. In the case of a parity of votes, the chair shall have a casting vote. An abstention from the vote is not permitted. Dissenting opinions are permitted.
(4) In urgent matters, the chair can invite the deputy chairs and one representative of each political party (§ 15 para. 1 subpara. 1) to attend an extraordinary meeting (Executive Board).
(5) The Data Protection Council may establish permanent or non-permanent working groups from among its members which it may entrust with the preparation, appraisal and handling of specific issues. The Data Protection Council may also delegate the management, pre-appraisal and handling of specific issues to an individual member (rapporteur).
(6) The head of the Data Protection Authority shall have the right to attend the meetings of the Data Protection Council or its working groups. The head of the Data Protection Authority shall not have a voting right.
(7) If required, the chair can ask experts to attend the meetings of the Data Protection Council or the working groups. The chair of the Data Protection Council can also ask experts in the relevant field to assist in preparing meetings of the Data Protection Council or of working groups if this is required to clarify issues of special significance for data protection.
(8) The deliberations of the Data Protection Council shall not be public unless the Data Protection Council itself decides otherwise. The members and substitute members of the Data Protection Council, the head and deputy head of the Data Protection Authority, and the experts asked to attend meetings are obliged to keep confidential all facts that have become known to them exclusively on the basis of their activities in the Data Protection Council.

Part 2
Data Protection Authority
Establishment

§ 18. (1) The Data Protection Authority is established as a national supervisory authority pursuant to Article 51 of the General Data Protection Regulation.
(2) The Data Protection Authority is managed by its head. If the head is absent, his or her deputy shall manage the Data Protection Authority. The rules regarding the head of the Data Protection Authority shall also apply to the deputy.

Independent status
§ 19. (1) The Data Protection Authority acts as an authority supervising staff and as a human resource department.
(2) During his or her term of office, the head must not exercise any function that
1. could cast doubt on the independent exercise of his or her office or on his or her impartiality,
2. prevents him or her from performing his or her professional duties, or
3. puts essential official interests at risk.
The head is required to report functions that he or she exercises alongside his or her office as the head of the Data Protection Authority to the Federal Minister of Constitutional Affairs, Reforms, Deregulation and Justice without delay.
(3) The Federal Minister of Constitutional Affairs, Reforms, Deregulation and Justice can request information from the head of the Data Protection Authority on matters to be dealt with by the Authority. The head of the Data Protection Authority has to meet this request only insofar as it does not impair the complete independence of the supervisory authority as described in Article 52 of the General Data Protection Regulation.

The head of the Data Protection Authority
§ 20. (1) The head of the Data Protection Authority is appointed for a term of five years by the Federal President on the basis of a proposal by the Federal Government; re-appointment is permitted. The proposal is to be preceded by an advertisement for the position permitting general applications.
(2) The head of the Data Protection Authority must
1. have completed a law degree,
2. have the necessary personal and professional aptitude through prior education and appropriate professional experience in the matters to be handled by the Data Protection Authority,
3. possess an excellent knowledge of Austrian data protection law, Union law and fundamental rights, and
4. have at least five years of professional experience in the legal field.
(3) The following persons may not be appointed head of the Data Protection Authority:
1. members of the Federal Government, state secretaries, members of a provincial government, members of the National Council, the Federal Council or any other general representative body or of the European Parliament, as well as members of the Ombudsman Board, and the president of the Court of Audit;
2. persons who have held one of the positions listed in subpara. 1 in the last two years;
3. persons who may not be elected to the National Council.
(4) The head of the Data Protection Authority shall be dismissed by the Federal President on the basis of a proposal by the Federal Government.
(5) The deputy head of the Data Protection Authority is appointed for a term of five years by the Federal President on the basis of a proposal by the Federal Government in accordance with paras. 1 to 3. Para. 4 applies to the dismissal of the deputy.

Tasks
§ 21. (1) At their request, the Data Protection Authority advises the committees of the National Council and the Federal Council, the Federal Government and the provincial governments on legislative and administrative measures. Before federal laws as well as regulations to be implemented by the Federal Government that directly concern issues of data protection law are adopted, the Federal Data Protection Authority shall be consulted.
(2) The Data Protection Authority shall make public, by way of a regulation in the Federal Law Gazette, the lists pursuant to Article 35 paras. 4 and 5 of the General Data Protection Regulation.
(3) The Data Protection Authority shall make public, by way of a regulation, the criteria to be specified pursuant to Article 57 para. 1 (p) of the General Data Protection Regulation. At the same time, the Data Protection Authority shall serve as the only national accreditation body pursuant to Article 43 para. 1 (a) of the General Data Protection Regulation.

Powers
§ 22. (1) The Data Protection Authority can request from the controller or the processor of the examined processing all necessary clarifications and inspect data processing activities and relevant documents. The controller or processor shall render the necessary assistance. Supervisory activities are to be exercised in a way that least interferes with the rights of the controller or processor and third parties.
(2) For purposes of the inspection, the Data Protection Authority shall have the right, after having informed the owner of the premises and the controller or processor, to enter rooms where data processing operations are carried out, put data processing equipment into operation, carry out the processing operations to be examined and make copies of the storage media to the extent strictly necessary to exercise its supervisory powers.
(3) Information acquired by the Data Protection Authority or persons authorized by it during any examination shall be used only for supervisory purposes in the context of the execution of data protection regulations. In all other respects, the obligation of confidentiality also applies before courts and administrative authorities, in particular fiscal authorities, with the reservation that, if the inspection leads to the suspicion that a crime pursuant to § 63 of this federal law or pursuant to § 118a, § 119, § 119a, § 126a to § 126c, § 148a or § 278a of the Criminal Code, Federal Law Gazette No 60/1974, or any crime punishable with more than five years of imprisonment has been committed, this shall be reported to the police, and requests pursuant to Section 76 of the Code of Criminal Procedure, Federal Law Gazette No 631/1975,
(4) In case a data processing operation causes serious immediate danger to the interests of confidentiality of the data subject which deserve protection (imminent danger), the Data Protection Authority may prohibit the continuation of the data processing operation by an administrative decision pursuant to § 57 para. 1 of the General Administrative Procedure Act 1991, Federal Law Gazette No 51/1991. The continuation may also be prohibited only partially if this seems technically possible, meaningful with regard to the purpose of the data processing operation and sufficient to eliminate the danger. At the request of a data subject, the Data Protection Authority can also order, by an administrative decision pursuant to § 57 para. 1 of the General Administrative Procedure Act, the restriction of processing pursuant to Article 18 of the General Data Protection Regulation if the controller does not comply with an obligation to that effect within the period specified. If prohibition is not complied with immediately, the Data Protection Authority shall proceed pursuant to Article 83 para. 5 of the General Data Protection Regulation.
(5) As part of its responsibilities, the Data Protection Authority is responsible for imposing administrative fines on natural and legal persons.
(6) If, with regard to a claim based on § 29 by a data subject represented by a body, organization or association as referred to in Article 80 para. 1 of the General Data Protection Regulation, there are doubts whether the relevant criteria have been met, the Data Protection Authority shall, at the request of the court where the claim is filed, make appropriate findings in an administrative decision. Such body, organization or association shall have the position of a party in the proceedings. It has the right to lodge a complaint against a negative declaratory decision with the Federal Administrative Court.

Activity reports and the publication of decisions
§ 23. (1) The Data Protection Authority shall prepare an activity report complying with Article 59 of the General Data Protection Regulation by 31 March of every year and submit it to the Federal Minister of Constitutional Affairs, Reforms, Deregulation and Justice. The Federal Minister of Constitutional Affairs, Reforms, Deregulation and Justice shall submit the report to the Federal Government, the National Council and the Federal Council. The Data Protection Authority shall make the report accessible to the public, the European Commission, the European Data Protection Board (Article 68 of the General Data Protection Regulation) and the Data Protection Council.
(2) Decisions made by the Data Protection Authority which are of fundamental importance to the general public shall be published by the Data Protection Authority in an appropriate manner while respecting official secrecy rules.

Part 3
Remedies, liability and penalties
Complaints with the Data Protection Authority

§ 24. (1) Every data subject has the right to lodge a complaint with the Data Protection Authority if the data subject is of the opinion that the processing of the personal data concerning the data subject infringes the General Data Protection Regulation or § 1 or Chapter 1, Article 2.
(2) The complaint must contain:
1. the description of the right considered to have been infringed,
2. to the extent reasonable, the description of the legal entity or the executive body or officer that is deemed to be responsible for the alleged infringement (respondent to the complaint),
3. the facts from which the infringement is derived,
4. the reasons for which the unlawfulness is alleged,
5. the request to find that the alleged infringement has been committed, and
6. the details which are necessary in order to decide whether the complaint has been lodged in due time.
(3) A complaint must be accompanied by the request on which it is based and the answer of the respondent to the complaint, if any. In the case of a complaint, the Data Protection Authority shall provide further assistance on request of the data subject.
(4) The right to have a complaint dealt with expires if the intervening party does not lodge the complaint within a year after having gained knowledge of the incident that gave rise to the complaint, but no later than within three years after the incident allegedly occurred. Late complaints shall be rejected.
(5) To the extent that the complaint is shown to be justified, it is to be granted. If an infringement can be attributed to a private-sector controller, the controller shall be instructed to comply with the complainant’s requests for information, rectification, erasure, restriction or data communication to the extent required to eliminate the infringement that has been found to exist. To the extent that the complaint is not found to be justified, it shall be rejected.
(6) A respondent to the complaint can subsequently eliminate the alleged infringement until the end of the proceedings before the Data Protection Authority by complying with the complainant’s requests. If the Data Protection Authority deems the complaint to be settled thereby, it shall hear the complainant on this. Simultaneously, the complainant is to be informed that the Data Protection Authority will informally end the proceedings unless the complainant states reasons, within a reasonable period, why the complainant still considers the originally alleged infringement or at least parts of it as not having been eliminated. If such a statement by the complainant modifies the merits of the case (§ 13 para. 8 of the General Administrative Procedure Act), the original complaint is to be deemed withdrawn and simultaneously a new complaint to be deemed lodged. In this case the original complaint procedure is also to be ended informally and the complainant is to be informed thereof. Late statements are to be ignored.
(7) The data subject shall be informed by the Data Protection Authority of the progress and the outcome of the investigation within three months of filing the complaint.
(8) Each data subject can apply to the Federal Administrative Court if the Data Protection Authority does not handle a complaint or does not inform the data subject within three months of the progress or outcome of the complaint lodged.
(9) To the extent required, the Data Protection Authority can engage official experts to assist in the proceedings.
(10) The term allowed for the decision pursuant to Section 73 of the General Administrative Procedure Act shall not include:
1.the time during which proceedings are suspended until a final decision on a preliminary issue has been made;
2.the duration of proceedings pursuant to Articles 56, 60 and 63 of the General Data Protection Regulation.

Accompanying measures in the complaint procedure
§ 25. (1) If, in the context of a complaint, the complainant satisfactorily demonstrates a serious infringement of his or her interests in confidentiality which deserve protection due to the processing of the complainant’s personal data, the Data Protection Authority may proceed according to § 22 para. 4.
(2) If the correctness of personal data is disputed in proceedings, the respondent to the complaint shall submit, by the end of the proceedings, a note stating that the correctness is disputed. If required, the Data Protection Authority shall order, by an administrative decision pursuant to § 57 para. 1 of the General Administrative Procedure Act, such note to be submitted at the request of the complainant.
(3) If a controller invokes a restriction pursuant to Article 23 of the General Data Protection Regulation in relation to the Data Protection Authority, the Data Protection Authority shall examine the lawfulness of the application of the restrictions. If the Data Protection Authority comes to the conclusion that keeping the processed personal data secret from the data subject was not justified, the disclosure of the data shall be ordered by an administrative decision. If the administrative decision by the Data Protection Authority is not complied with within eight weeks, the Data Protection Authority shall disclose the personal data to the data subject and shall communicate to the data subject the desired information or inform the data subject of the personal data that have already been rectified or erased.
(4) Administrative decisions that permit the transfer of data abroad shall be revoked once the legal or factual prerequisites for the issue of the permit no longer apply.

Public-sector and private-sector controllers
§ 26. (1) Without prejudice to § 5 para. 3, public-sector controllers are all controllers
1. that are established in legal structures of public law, in particular also as an executive officer of a territorial authority, or
2. as far as they execute laws despite having been incorporated according to private law.
(2) Public-sector controllers have the status of a party in proceedings before the Data Protection Authority.
(3) Public-sector controllers can lodge complaints with the Federal Administrative Court and final complaints with the Supreme Administrative Court.
(4) Controllers which are not within the scope of para. 1 are considered to be private-sector controllers according to this federal law.

Complaints with the Federal Administrative Court
§ 27. (1) The Federal Administrative Court shall decide through a panel of judges on complaints against administrative decisions on the ground of a breach of the duty to provide information pursuant to § 24 para. 7 and the duty to reach a decision of the Data Protection Authority.
(2) The panel of judges shall consist of a chair and one expert lay judge each from among employers and from among employees. The expert lay judges shall be appointed on the basis of a proposal by the Austrian Federal Economic Chamber and the Federal Chamber of Labor. Appropriate arrangements shall be made so that a sufficient number of expert lay judges is available in due time.
(3) The expert lay judges must have at least five years of relevant professional experience and special knowledge of data protection law.
(4) The chair shall provide all documents relevant to the decision to the expert lay judges without delay, or, if this is impractical or if it is strictly necessary to safeguard the confidentiality of the documents, make them available in some other way.
(5) Where proceedings are brought against an administrative decision of the Data Protection Authority which was preceded by an opinion or a decision of the European Data Protection Board in the consistency mechanism, the Data Protection Authority shall forward that opinion or decision to the Federal Administrative Court.

Representation of data subjects
§ 28. The data subject shall have the right to mandate a not-for-profit body, organization or association which has been properly constituted, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf and to exercise the rights referred to in § 24 to § 27 on his or her behalf.

Right to compensation and liability
§ 29. (1) Pursuant to Article 82 of the General Data Protection Regulation, any person who has suffered material or non-material damage as a result of an infringement of the General Data Protection Regulation or § 1 or Chapter 1 Article 2 shall have the right to receive compensation from the controller or processor for the damage suffered. In detail, the general provisions of civil law shall apply to this right to compensation.
(2) The regional court entrusted with exercising jurisdiction in civil matters in whose judicial district the plaintiff (applicant) has his usual place of residence or registered office shall have first-instance jurisdiction over actions for compensation. Actions (requests) may, however, also be brought before the regional court in whose judicial district the defendant has his usual place of residence or registered office or a branch office.

General conditions for imposing administrative fines
§ 30. (1) The Data Protection Authority can impose administrative fines on a legal person if infringements of provisions of the General Data Protection Regulation and of § 1 or Chapter 1 Article 2 were committed by persons who acted either individually or as part of an executive body of the legal person and have a leading position within the legal person on the basis of:
1. a power of representation of the legal person,
2. the authority to take decisions on behalf of the legal person, or
3. the authority to exercise control within the legal person.

(2) Legal persons may also be held responsible for infringements of provisions of the General Data Protection Regulation and of § 1 or Chapter 1 Article 2 if such infringements by a person acting for the legal person were made possible by a lack of supervision or control by one of the persons referred to in para. 1 unless the act constitutes a criminal offense within the jurisdiction of the courts.
(3) The Data Protection Authority shall refrain from imposing a fine on a responsible party pursuant to Section 9 of the Administrative Penal Act 1991, Federal Law Gazette 52/1991, if an administrative penalty has already been imposed on the legal person for the same infringement.
(4) Administrative fines imposed pursuant to § 22 para. 5 shall be received by the Federal Government and shall be collected pursuant to the provisions on the collection of judicial fines. Final administrative decisions by the Data Protection Authority are writs of enforcement. Approval and implementation of enforcement is to be requested on the basis of the writ of enforcement by the Data Protection Authority from the district court in whose judicial district the obligated party has his or her general place of jurisdiction (§ 66 and § 75 of the Court Jurisdiction Act, Imperial Law Gazette No 111/1895) or from the enforcing court referred to in § 18 and § 19 of the Enforcement Code.
(5) Administrative fines cannot be imposed on authorities and public entities, such as, in particular, entities established in a form provided by public law as well as private law, which act on the basis of a statutory mandate, and on corporations under public law.

Part 4
Supervisory authority pursuant to Directive (EU) 2016/680
Data Protection Authority

§ 31. (1) The Data Protection Authority is established as a national supervisory authority for the scope referred to in § 36 para. 1. The Data Protection Authority shall not be competent to supervise processing operations of courts acting in their judicial capacity.
(2) In respect of independence, general provisions and the establishment of the supervisory authority, Articles 52, 53 and 54 of the General Data Protection Regulation and § 18 para. 2, § 19 and § 20 shall apply accordingly.
Tasks of the Data Protection Authority

§ 32. (1) In the scope of § 36 para. 1, the Data Protection Authority shall
1. monitor and enforce the application of § 1 and of the provisions adopted pursuant to Chapter 3 and the implementing measures regarding Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ No L 119 of 4 May 2016, p. 89;
2. promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing;
3. perform the tasks specified in Article 57 para. 1 (c) to (e), (g), (h) and (t) of the General Data Protection Regulation with regard to Chapter 3;
4. deal with complaints lodged by a data subject, or by a body, organization or association in accordance with § 28, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a period of three months, in particular if further investigation or coordination with another supervisory authority is necessary;
5. check the lawfulness of processing pursuant to § 42 para. 8, and inform the data subject within a reasonable period of the outcome of the check pursuant to § 42 para. 9 or of the reasons why the check has not been carried out;
6. monitor relevant developments insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies;
7. provide advice on the processing operations referred to in § 53; and
8. exercise the rights of data subjects in the cases referred to in § 43 para. 4, § 44 para. 3 and § 45 para. 4.
(2) The Data Protection Authority shall facilitate the submission of complaints referred to in para. 1 subpara. 4 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.
(3) Article 57 paras. 3 and 4 of the General Data Protection Regulation shall apply accordingly.
Powers of the Data Protection Authority
§ 33. (1) In the scope of § 36 para. 1, the Data Protection Authority shall have the effective investigative powers required to perform its tasks. Such powers include, in particular, the powers referred to in § 22 para. 2.
(2) In the scope of § 36 para. 1, the Data Protection Authority shall have the effective corrective powers required to perform its tasks. These include the powers to enable the Data Protection Authority
1. to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions adopted in the scope of Directive (EU) 2016/680;
2. to order the controller or processor to bring processing operations into compliance with the provisions adopted in the scope of Directive (EU) 2016/680 in a specified manner and within a specified period, in particular by ordering the rectification or erasure of personal data or the restriction of processing pursuant to § 45;
3. to impose a temporary or definitive limitation including a ban on processing.
(3) In the scope of § 36 para. 1, the Data Protection Authority has effective advisory powers required for implementation which allow it to advise the controller in accordance with the prior consultation procedure referred to in § 53 and to issue, on its own initiative or on request, opinions to the National Council or the Federal Council, the Federal Government or a provincial government or to other institutions and bodies as well as to the public on any issue related to the protection of personal data.
(4) In the scope of § 36 para. 1, the exercise of the powers conferred on the supervisory authority is based on Article 58 para. 4 of the General Data Protection Regulation.
(5) § 22 para. 3 sentence 2 shall apply accordingly to infringements in the scope of § 36 para. 1.

General provisions
§ 34.(1) In the scope of § 36 para. 1, controllers shall put in place effective mechanisms to encourage confidential reporting of infringements. For this purpose, controllers shall, in particular, establish adequate procedures that enable reports of infringements of the provisions of Chapter 3 to an appropriate entity.
(2) The mechanisms referred to in para. 1 shall at least include
1.specific procedures for the receipt of reports on infringements and their follow-up;
2.protection of personal data concerning both the person who reports the infringements and the natural person who is presumably responsible for an infringement;
3.clear rules to guarantee that the identity of the person who reported the infringement is not disclosed, unless such disclosure of identity is obligatory in relation to public prosecution, court or administrative proceedings.
(3) In its activity report pursuant to Section 23, the Data Protection Authority shall report on its activities pursuant to Parts 4 and 5. The requirements of Article 59 of the General Data Protection Regulation and Section 23 for the activity report and the publication of decisions shall apply accordingly.
(4) Article 61 paras. 1 to 7 of the General Data Protection Regulation shall apply accordingly to mutual assistance in the scope of § 36 para. 1.
(5) In the scope of § 36 para. 1, the provisions of Chapter 2 Part 3, with the exception of Section 30, shall apply accordingly.

Part 5
Special powers of the Data Protection Authority

§ 35. (1) The Data Protection Authority shall safeguard data protection in accordance with the detailed provisions of the General Data Protection Regulation and this federal law.
(2) (Constitutional provision) The Data Protection Authority shall exercise its powers also in relation to the highest governing bodies or officers referred to in Article 19 of the Federal Constitutional Law entrusted with implementing the laws as well as in relation to the highest governing bodies or officers referred to in Article 30 paras. 3 to 6, Article 125, Article 134 para. 8 and Article 148h paras. 1 and 2 of the Federal Constitutional Act in the administrative matters for which they are responsible.

Chapter 3
Processing of personal data for purposes of the security police, including the protection of public security by the police, the protection of military facilities by the armed forces, the resolution and prosecution of criminal offenses, the enforcement of sentences and the enforcement of precautionary measures involving the deprivation of liberty

Part 1
General provisions
Scope of application, and definitions

§ 36. (1) The provisions of this chapter apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, and for the purposes of national security, intelligence, and the protection of military facilities by the armed forces.
(2) For the purposes of this Chapter:
1.“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2.“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3.“Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;
4.“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
5.“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
6.“Filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
7.“Competent authority” means
a)any public authority competent for the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, national security, intelligence, or the protection of military facilities by the armed forces; or
b)any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, national security, intelligence, or the protection of military facilities by the armed forces;
8.“Controller” means the competent authority which, alone or jointly with others, determines the purposes and means of the processing of personal data;
9.“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
10.“Recipient” means a natural or legal person, public authority, agency or other body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with laws shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
11.“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
12.“Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
13.“Biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
14.“Data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
15.“Supervisory authority” means the data protection authority;
16.“International organization” means an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
Principles for processing, classification and data quality
§ 37. (1) Personal data shall be:
1.processed lawfully and fairly;
2.collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes;
3.adequate, relevant and not excessive in relation to the purposes for which they are processed;
4.accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
5.kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;
6.processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
(2) Section 38 shall apply to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in the scope of Section 36 para. 1.
(3) The controller shall be responsible for, and be able to demonstrate compliance with, paras. 1 and 2.
(4) As far as possible and reasonable, a clear distinction between personal data of different categories of data subjects, such as the following, shall be made:
1.Persons who, on the basis of certain facts, are specifically suspected of having committed a criminal offense,
2.persons with regard to whom, on the basis of certain facts, there are serious grounds for believing that they are about to commit a criminal offense,
3.persons convicted of a criminal offense;
4.victims of a criminal offense or persons with regard to whom certain facts give rise to reasons for believing that they are the victims of a criminal offense, and
5.other persons connected to a criminal offense, such as persons who might be called on to testify, persons who can provide information on criminal offenses, or contacts or associates of one of the persons referred to in subparas. 1 to 3.
(5) Personal data based on facts are to be distinguished, as far as possible, from personal data based on personal assessments. Personal data based on personal assessments must be marked accordingly, and reasons can be added to facilitate the understanding of an assessment.
(6) Incorrect or incomplete personal data, personal data that are no longer current or are to be erased must neither be transferred nor made available for automated retrieval from filing systems. For that purpose, the authority shall check the data quality accordingly as far as possible before a transmission. Personal data kept ready for automated retrieval must be kept complete and up to date at all times.
(7) As far as possible, the information required for the recipient to assess the up-to-dateness, correctness, completeness and reliability of the personal data shall be added in any transmission of personal data.
(8) If it is found ex officio or following notification by a data subject that personal data that do not comply with the requirements of para. 6 have been transmitted, the transmitting administrative office and authority, or the administrative office and authority keeping the filing system shall notify the receiving office or authority thereof without delay. The receiving office or authority shall immediately erase data which have been unlawfully transmitted, rectify incorrect data, complete incomplete data or restrict processing without delay.
(9) If the receiving administrative office or authority has reason to believe that the personal data transmitted are incorrect or not up to date or would have to be erased, or that their processing would have to be restricted, the receiving administrative office or authority shall notify the transmitting administrative office or authority thereof without delay. The latter shall take the required measures without delay.
Lawfulness of processing
§ 38.Unless it is required to protect the vital interests of a person, processing is lawful only to the extent it is provided for by laws or by directly applicable legal provisions that have the status of laws in Austria and is required and proportionate to fulfill a task performed by the competent authority for the purposes referred to in § 36 para. 1.
Processing of special categories of personal data
§ 39.Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation for the purposes referred to in § 36 para. 1 shall be allowed only where strictly necessary and if effective measures to protect the rights and freedoms of the data subjects are taken and
1.where authorized pursuant to § 38, or
2.where such processing relates to data which are manifestly made public by the data subject.
Processing for other purposes, and transfer
§ 40.(1) Processing of personal data pursuant to the provisions of this Chapter by the same or another controller for a purpose other than the one for which the data were collected shall be allowed only if this other purpose is covered by the scope of § 36 para. 1 and the requirements of Section 38 and Section 39 are met.
(2) Transferring personal data processed pursuant to the provisions of this Chapter for a purpose not referred to in § 36 para. 1 shall be allowed only if this is expressly provided for by laws or by directly applicable legal provisions that have the status of laws in Austria, and the recipient is authorized to process these personal data for such other purposes.
(3) If the processing of personal data is subject to special conditions, the transmitting competent authority shall inform the recipient of the personal data that such conditions apply and must be complied with. Transfers to recipients in other Member States or to bodies, offices and agencies established pursuant to Title V Chapters 4 and 5 of the TFEU must not be subject to conditions that do not apply to domestic data transmissions as well.
Automated individual decision-making
§ 41. (1) Decisions based solely on automated processing, including profiling, which have negative legal consequences for the data subject or can significantly affect the data subject, shall be allowed only to the extent they are expressly provided for by laws or by directly applicable legal provisions that have the status of laws in Austria.
(2) Decisions referred to in para. 1 shall not be based on special categories of personal data referred to in § 39 unless effective measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
(3) Decisions pursuant to para. 1 that have the consequence that natural persons are discriminated against on the basis of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

Part 2
Rights of the data subject
Principles

§ 42.(1) The controller shall provide any information and make any communication with regard to § 43 to § 45 relating to processing to the data subject in as concise, intelligible and easily accessible a form as possible, using clear and plain language. The information shall be transmitted in an appropriate manner, in the case of a request in the same form as the request, if possible.
(2) The controller shall facilitate the exercise of the rights of the data subject pursuant to § 43 to 45.
(3) The controller shall inform the data subject in writing about the follow-up to his or her request without undue delay.
(4) The controller shall provide the data subject with information on measures taken because of a request pursuant to § 44 to § 45 without delay, but in any event within one month after receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
(5) If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
(6) Information provided under Section 43 and any communication and any action taken under Section 44 and 45 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
1.Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or
2.refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
(7) The controller may request the provision of additional information necessary to confirm the identity of the person who submitted a request pursuant to Section 44 or Section 45.
(8) In the cases referred to in § 43 para. 4, § 44 para. 3 and § 45 para. 4, the data subject is entitled to request verification of the lawfulness of the relevant restriction of the data subject’s rights by the Data Protection Authority. The controller shall inform the data subject of this right.
(9) Where the right referred to in para. 8 is exercised, the Data Protection Authority shall inform the data subject at least that all necessary verifications or a review by the Data Protection Authority have taken place. In addition, the Data Protection Authority shall inform the data subject of the data subject’s right to lodge complaints with the Federal Administrative Court.

Information of the data subject
§ 43. (1) The controller shall make available to the data subject at least the following information:
1.the identity and the contact details of the controller;
2.the contact details of the data protection officer, where applicable;
3.the purposes of the processing for which the personal data are intended;
4.the right to lodge a complaint with a supervisory authority and the contact details of the supervisory authority;
5.the existence of the right to request from the controller access to and rectification or erasure of personal data and restriction of processing of the personal data concerning the data subject.
(2) In addition to the information referred to in para. 1, the controller shall give to the data subject, in specific cases, the following further information to enable the exercise of his or her rights:
1.the legal basis for the processing;
2.the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
3.where applicable, the categories of recipients of the personal data, including in third countries or international organizations;
4.where necessary, further information, in particular where the personal data are collected without the knowledge of the data subject.
(3) Where personal data are collected from the data subject, the data subject must be in possession of the information pursuant to the requirements of paras. 1 and 2 at the time of the collection of the personal data. In all other cases, Article 14 para. 3 of the General Data Protection Regulation shall apply. The information according to paras. 1 and 2 may be omitted where data have not been collected by asking the data subject, but through transmission from another application purpose of the same controller or from a data application of another controller, and where the processing is provided for by law.
(4) The provision of the information to the data subject pursuant to para. 2 can be delayed, restricted or omitted to the extent this is strictly necessary and proportionate in a particular case to
1.avoid prejudicing the prevention, detection, investigation or prosecution of criminal offenses or the execution of criminal penalties, in particular by obstructing inquiries, investigations or proceedings of authorities or courts,
2.protect public security,
3.protect national security,
4.protect the constitutional institutions of the Republic of Austria,
5.enable the protection of military facilities by the armed forces, or
6.protect the rights and freedoms of others.

Right of access to the data subject
§ 44. (1) Every data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
1.the purposes of and legal basis for the processing,
2.the categories of personal data concerned,
3.the recipients or categories of recipients to whom the personal data have been disclosed, in particular recipients in third countries or international organizations,
4.if possible, the period for which the personal data are planned to be stored, or if that is not possible, the criteria used to determine that period,
5.the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject,
6.the right to lodge a complaint with the Data Protection Authority and the contact details of the Data Protection Authority, and
7.communication of the personal data undergoing processing and of any available information as to their origin.
(2) Restrictions of the right of access are permitted only on the conditions referred to in § 43 para. 4.
(3) In case access is not granted pursuant to para. 2, the controller shall inform the data subject, without undue delay, in writing of any refusal or restriction of access and of the reasons for the refusal or the restriction. Such information may be omitted where the provision thereof would undermine a purpose under § 43 para. 4. The controller shall inform the data subject of the possibility to lodge a complaint with the Data Protection Authority.
(4) The controller shall document the reasons for the decision not to grant access pursuant to para. 2. That information shall be made available to the Data Protection Authority.
(5) To the extent that a data processing operation is, by law, open to inspection by a data subject with regard to data processed on the data subject, the data subject shall have a right of access in accordance with the provisions granting the right of inspection. The detailed provisions of the law granting the right of inspection shall apply to the procedure of inspection (and its refusal). Parts of information according to para. 1 that are not covered by the right of inspection may, however, be asserted according to this federal law.

Right to rectification or erasure of personal data and to the restriction of processing
§ 45.(1) Every data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and the completion of incomplete personal data. Where necessary, the personal data can be rectified or completed by means of a supplementary statement if later changes are incompatible with the documentation purpose. It shall be the obligation of the controller to prove that the data are correct unless the personal data have been collected exclusively based on statements made by the data subject.
(2) The controller shall erase the personal data on the controller’s own initiative or at the request of the data subject if
1.the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
2.the personal data have been unlawfully processed,
3.erasure is necessary for compliance with a legal obligation to which the controller is subject.
(3) Instead of erasure, the controller shall restrict processing where:
1.the accuracy of the personal data is contested by the data subject and their accuracy or inaccuracy cannot be ascertained, or
2.the personal data must be maintained for the purposes of evidence to perform a task delegated to the controller by law.
In the case of a restriction pursuant to subpara. 1, the controller shall inform the data subject before the restriction is lifted.
(4) The controller shall inform the data subject in writing of any refusal of rectification or erasure of personal data or restriction of processing and of the reasons for the refusal. The controller shall inform the data subject of the possibility to lodge a complaint with the Data Protection Authority.
(5) The controller shall communicate the rectification of inaccurate personal data to the competent authority from which the inaccurate personal data originate.
(6) Where personal data has been rectified or erased or processing has been restricted pursuant to paras. 1 to 3, the controller shall notify all recipients of the personal data concerned. The recipients shall rectify or erase the personal data or restrict processing of the personal data under their responsibility without undue delay.

Part 3
Controller and processor
Obligations of the controller

Section 46.The controller shall comply with the obligations referred to in Article 24 paras. 1 and 2 and Article 25 paras. 1 and 2 of the General Data Protection Regulation with regard to the compliance of processing with the provisions of this chapter.
Joint controllers
Section 47.Two or more controllers who jointly determine the purposes and means of processing shall be joint controllers. They shall, in a transparent manner, determine their respective responsibilities under this federal law, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in § 43, by means of an arrangement between them if, and insofar as, the respective responsibilities of the controllers are not determined by law. The arrangement shall designate a contact point for data subjects.
Processor and the supervision of processing

§ 48. (1) Where processing is carried out on behalf of a controller, the controller shall only use processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this federal law and ensure the protection of the rights of the data subject.
(2) The processor shall not engage another processor without prior specific written authorization of the controller.
(3) Processing by a processor shall be governed by a contract or other legal act under Union law or on the grounds of an explicit legal authorization that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. This contract or other legal act shall stipulate, in particular, that the processor:
1.processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union law or by laws to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
2.ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.takes all measures necessary pursuant to § 54;
4.respects the conditions referred to in paras. 2 and 4 for engaging another processor;
5.taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in this Chapter;
6.assists the controller in ensuring compliance with the obligations pursuant to § 52 to § 56, taking into account the nature of processing and the information available to the processor;
7.at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union law or laws require(s) storage of the personal data;
8.makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in paras. 1 to 6 and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
With regard to subpara. 8, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Chapter or other data protection provisions of Union law or statutory data protection provisions.
(4) Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in para. 3 shall be imposed on that other processor by way of a contract or other legal act under Union law or in accordance with laws, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of this Chapter. Where that other processor fails to fulfill its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.
(5) The contract or the other legal act referred to in paras. 3 and 4 shall be in writing, including in electronic form.
(6) The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union law or in accordance with laws.
(7) If a processor determines, in infringement of this chapter, the purposes and means of processing, that processor shall be considered to be a controller in respect of that processing.
Records of processing activities
Section 49.(1) Each controller shall maintain a record of processing activities, applying Article 30 paras. 1 to 4 of the General Data Protection Regulation accordingly; the references in Article 30 para. 1 (g) and para. 2 (d) of the General Data Protection Regulation refer to Section 54, and the reference to the representative of the controller or the processor shall not apply.
(2) The record referred to in para. 1 shall also contain information on
1. the use of profiling, if profiling is used, and
2. the legal basis for the processing operation, including transfers, for which the personal data are intended.
(3) Each processor shall maintain a record for all categories of processing activities performed on behalf of a controller, containing the following:
1. name and contact details of the processor or processors, each controller on whose behalf the processor is acting, as well as any data protection officer,
2. the categories of processing activities performed on behalf of each controller,
3. where applicable, transfers of personal data to a third country or an international organization, if ordered accordingly by the controller, including the identification of the third country or the international organization,
4. if possible, a general description of the technical and organizational measures pursuant to § 54 para. 1.
Logging
Section 50. (1) Every processing operation shall be logged in an appropriate manner so that the legitimacy of processing can be traced and verified.
(2) In automated processing systems, all processing operations shall be logged in an automated manner. These log data shall at least reveal the purpose, the processed data, the date and time of processing, the identification of the person who processed the personal data, and the identity of any recipient of such personal data.
(3) In non-automated processing systems, at least consultations and disclosures, including transmissions, changes and erasures, shall be logged. Para. 2 sentence 2 shall apply to these log data.
(4) The logs shall exclusively be used to verify the lawfulness of the data processing, including self-monitoring and ensuring the integrity and security of the personal data, and in criminal proceedings in court.
(5) The controller and the processor shall provide the logs to the Data Protection Authority at its request.

Cooperation with the Data Protection Authority
§ 51. The controller and the processor shall cooperate, on request, with the Data Protection Authority in the performance of its tasks.
Data protection impact assessment
Section 52. To protect the rights and legitimate interests of data subjects affected by data processing activities and other persons concerned, the controller shall carry out a data protection impact assessment pursuant to Article 35 paras. 1, 2, 3, 7 and 11 of the General Data Protection Regulation, where the demonstration pursuant to Article 35 para. 7 (d) of the General Data Protection Regulation refers to compliance with the requirements of this chapter.
Prior consultation of the Data Protection Authority
Section 53. In accordance with Article 36 of the General Data Protection Regulation, the controller shall consult the Data Protection Authority prior to processing which will form part of a new filing system to be created; references in Article 36 paras. 1 and 3 (e) of the General Data Protection Regulation refer to § 52, and the reference to the provisions regarding the powers of the Data Protection Authority in Article 36 para. 2 of the General Data Protection Regulation refers to § 33, and the measures referred to in Article 36 para. 2 of the General Data Protection Regulation shall be taken within six weeks, with the possibility to extend that period by an additional month.

Data security measures
Section 54. (1) The controller and the processor, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures, taking into account the different categories pursuant to § 37, to ensure a level of security appropriate to the risk, in particular as regards the processing of special categories of personal data referred to in § 39.
(2) In respect of automated processing, the controller or processor, following an evaluation of the risks, shall implement measures designed to:
1. deny unauthorized persons access to processing equipment used for processing (‘equipment access control’);
2. prevent the unauthorized reading, copying, modification or removal of data media (‘data media control’);
3. prevent the unauthorized input of personal data and the unauthorized inspection, modification or deletion of stored personal data (‘storage control’);
4. prevent the use of automated processing systems by unauthorized persons using data communication equipment (‘user control’);
5. ensure that persons authorized to use an automated processing system have access only to the personal data covered by their access authorization (‘data access control’);
6. ensure that it is possible to verify and establish the bodies to which personal data have been or may be transmitted or made available using data communication equipment (‘communication control’);
7. ensure that it is subsequently possible to verify and establish which personal data have been input into automated processing systems and when and by whom the personal data were input (‘input control’);
8. prevent the unauthorized reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media (‘transport control’);
9. ensure that installed systems may, in the case of interruption, be restored (‘recovery’);
10. ensure that the functions of the system perform, that the appearance of faults in the functions is reported (‘reliability’) and that stored personal data cannot be corrupted by means of a malfunctioning of the system (‘integrity’).
Notification of a breach to the Data Protection Authority

§ 55. (1) In accordance with Article 33 of the General Data Protection Regulation, the controller shall notify personal data breaches to the Data Protection Authority.
(2) Where the personal data breach involves personal data that have been transmitted by or to the controller of another Member State of the European Union, the information referred to in Article 33 para. 3 of the General Data Protection Regulation shall be communicated to the controller of that Member State of the European Union without undue delay.
Communication of personal data breaches to data subjects
Section 56. (1) In accordance with Article 34 of the General Data Protection Regulation, the controller shall communicate breaches concerning their personal data to data subjects.
(2) Communication pursuant to para. 1 can be delayed, restricted or omitted under the conditions laid out in § 43 para. 4.
Designation, position and tasks of the data protection officer
Section 57. (1) Every controller shall designate a data protection officer in accordance with Article 37 paras. 5 and 7 of the General Data Protection Regulation. Courts are exempted from the obligation to designate a data protection officer in the context of their judicial activities. § 5 shall apply accordingly with regard to the provisions of this Chapter.
(2) Article 38 of the General Data Protection Regulation shall apply to the position of the data protection officer.
(3) The data protection officer shall have the tasks referred to in Article 39 of the General Data Protection Regulation with regard to compliance with the provisions of this Chapter.
(4) The controller shall publish the contact details of the data protection officer and communicate them to the Data Protection Authority.

Part 4
Transfers of personal data to third countries or international organizations
General principles for transfers of personal data

§ 58. (1) Any transfer by competent authorities of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization shall take place only if the conditions laid down in this chapter are complied with and
1. the transfer is necessary for the purposes set out in § 36 para. 1,
2. the personal data are transferred to a controller in a third country or international organization that is an authority competent for the purposes referred to in § 36 para. 1,
3. where personal data are transmitted or made available from another EU Member State, that Member State has given its prior authorization to the transfer,
4. the European Commission has adopted an adequacy decision pursuant to § 59 paras. 1 and 2 or, in the absence of such a decision, appropriate safeguards as referred to in § 59 paras. 3 to 5 have been provided or exist, or, in the absence of an adequacy decision pursuant to § 59 paras. 1 and 2 and of appropriate safeguards in accordance with § 59 paras. 3 to 5, derogations for specific situations apply pursuant to § 59 paras. 6 and 7; and
5. it is ensured that an onward transfer to another third country or international organization is permitted only subject to prior authorization by the competent authority that carried out the original transfer and after taking into due account all relevant factors, including the seriousness of the criminal offense, the purpose for which the personal data were originally transferred and the level of personal data protection in the third country or international organization to which the personal data are onward transferred.
(2) Transfers without prior authorization pursuant to para. 1 subpara. 3 shall be permitted only if the transfer is necessary for the prevention of an immediate and serious threat to public security of a Member State or a third country or to essential interests of a Member State and the prior authorization cannot be obtained in good time. The authority responsible for giving prior authorization shall be informed without delay.
(3) If a competent authority of another EU Member State requests authorization to transfer to a third country or an international organization pursuant to para. 1 subpara. 3 personal data that have originally been transferred from Austria, the authority that originally transferred the personal data shall be the authority competent for giving the authorization, unless otherwise provided for by law.

Data transfers to third countries or international organizations
§ 59. (1) The transfer of personal data to a third country or an international organization shall be permitted where the European Commission has decided pursuant to Article 36 para. 3 of Directive (EU) 2016/680 by way of an implementing act that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization. The authorization obligation pursuant to § 58 para. 1 subpara. 3 shall remain unaffected thereby.
(2) A decision by the European Commission taken pursuant to Article 36 para. 5 of Directive (EU) 2016/680 to revoke, amend or suspend a decision pursuant to Article 36 para. 3 of Directive (EU) 2016/680 shall be without prejudice to transfers of personal data to the third country, the territory or one or more specified sectors within that third country, or the international organization in question pursuant to paras. 3 to 8.
(3) In the absence of a decision pursuant to para. 1, a transfer of personal data to a third country or an international organization may take place where
1. appropriate safeguards with regard to the protection of personal data are provided for in a legally binding instrument; or
2. the controller, following an assessment of the circumstances relevant to the transfer of personal data, concludes that appropriate safeguards exist with regard to the protection of personal data.
(4) If appropriate safeguards pursuant to para. 3 subpara. 2 exist for categories of transfers, the controller shall inform the Data Protection Authority of these categories.
(5) Transfers pursuant to para. 3 subpara. 2 shall be documented, and the documentation shall be made available to the Data Protection Authority on request, including the date and time of the transfer, information about the receiving competent authority, the justification for the transfer and the personal data transferred.
(6) In the absence of an adequacy decision pursuant to paras. 1 to 2 or of appropriate safeguards pursuant to paras. 3 to 5, a transfer of personal data to a third country or an international organization may take place in accordance with para. 5 only on the condition that the transfer is necessary:
1. to protect the vital interests of a person,
2. to safeguard legitimate interests of the data subject, where the law so provides,
3. for the prevention of an immediate and serious threat to the public security of an EU Member State or a third country,
4. in individual cases for the purposes set out in § 36 para. 1, or
5. in an individual case for the establishment, exercise or defense of legal claims relating to the purposes set out in § 36 para. 1.
(7) In the cases referred to in para. 6 subparas. 4 and 5, a transfer is permitted only if no fundamental rights and freedoms of the data subject overriding the public interests in the transfer are an obstacle to the transfer.

Chapter 4
Special penal provisions
Administrative penalties

§ 62. (1) Unless the offense meets the elements of Article 83 of the General Data Protection Regulation or is subject to a more severe punishment according to other administrative penal provisions, an administrative offense punishable by a fine of up to € 50,000 is committed by anyone who
1. intentionally and illegally gains access to data processing or maintains an obviously illegal means of access,
2. transmits data intentionally in violation of the rules on confidentiality (§ 6), in particular intentionally uses data entrusted to him or her according to § 7 or § 8 for other prohibited purposes,
3. by giving incorrect information intentionally obtains personal data according to § 10,
4. processes images contrary to the provisions of Chapter 1, Part 3, or
5. refuses inspection pursuant to § 22 para. 2.
(2) Attempts shall be punishable.
(3) In the case of an administrative offense pursuant to paras. 1 and 2, administrative fines can be imposed on legal persons in accordance with § 30.
(4) Data media and programs as well as apparatus for the transmission and recording of images can be forfeited (§ 10, § 17 and § 18 of the Administrative Penal Act) if they are linked to an administrative offense according to para. 1.
(5) The Data Protection Authority shall be the competent authority for decisions pursuant to paras. 1 to 4.
Processing with the intention to make a profit or to cause harm
Section 63. Whoever, with the intention to enrich himself or a third person unlawfully or to harm someone regarding that person’s entitlement guaranteed according to § 1 para. 1, deliberately uses personal data that have been entrusted to or have become accessible to him solely because of his professional occupation, or that he has acquired illegally, for himself or makes such data available to another person or publishes such data despite the data subject’s interest in confidentiality which deserves protection, shall be punished by a court with imprisonment of up to one year or with a fine of up to € 720, unless the offense is subject to a more severe punishment pursuant to another provision.

Chapter 5
Final provisions
Execution and implementation of EU legal acts

Section 64. (1) This federal law serves to implement Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ No L 119 of 4 May 2016, p. 1.
(2) Furthermore, this federal law serves to implement Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ No L 119 of 4 May 2016, p. 89.
Gender-neutral use of language
Section 65. In so far as expressions relating to natural persons in this federal law are given only in the male form, they shall apply to males and females equally. When the expressions are applied to specific natural persons, the form specific to the gender shall be used.
Enactment of regulations
Section 66. Regulations based on this federal law as amended may already be enacted as of the day following the promulgation of the legal provision to be implemented; they shall, however, not enter into force before the statutory provisions which are to be implemented.

References
Section 67. In so far as provisions of this federal law refer to provisions of other federal laws, these shall be applied as amended from time to time.

Execution
Section 68. The Federal Minister of Constitutional Affairs, Reforms, Deregulation and Justice and the other federal ministers, within their sphere of responsibilities, shall execute this federal law insofar as the execution has not been entrusted to the Federal Government.

Transitional provisions
Section 69. (1) The current term of office of the head of the Data Protection Authority at the time of the entry into force of this federal law shall continue until the end of the term of office. This shall also apply to the deputy.
(2) The Data Protection Authority shall continue to keep the Data Processing Register for archiving purposes until 31 December 2019. No entries and changes to the contents of the Data Processing Register may be made. Registrations in the Data Processing Register shall become void. Any person may inspect the register. Inspection of the registration file including any authorizations contained therein shall be granted if the person applying for inspection can satisfactorily demonstrate that he or she is a data subject, and as far as no overriding interests in confidentiality which deserve protection on the part of the controller or another person are an obstacle to access.
(3) Any registration procedures pursuant to § 17 and § 18 para. 2 of the Data Protection Act 2000 pending at the time of entry into force of this federal law shall be deemed discontinued. Any registration procedures pursuant to § 13, § 46 and § 47 of the Data Protection Act 2000 pending at the time of entry into force of this federal law shall be continued if authorization is required pursuant to this federal law or the General Data Protection Regulation. If no authorization is required, they shall be deemed discontinued.
(4) Proceedings regarding the Data Protection Act 2000 pending before the Data Protection Authority or before courts of law at the time of entry into force of this federal law shall be continued in accordance with the provisions of this federal law and the General Data Protection Regulation with the reservation that courts of law continue to have jurisdiction.
(5) Infringements of the Data Protection Act 2000 that are not yet pending at the time of entry into force of this federal law shall be judged in accordance with the legal situation after entry into force of this federal law. A punishable offense committed before this federal law enters into force shall be judged in accordance with the legal situation that is more favorable for the offender with regard to its overall effects; this shall also apply to appellate proceedings.
(6) Submissions by a data subject pursuant to Section 24 shall be exempt from federal administrative fees.
(7) The entities or bodies delegating the members and substitute members shall notify the Federal Ministry of Constitutional Affairs, Reforms, Deregulation and Justice in writing within a period of two weeks from 25 May 2018 of the members and substitute members of the Data Protection Council, the number of whom must correspond to § 15 para. 1 subparas. 1 to 6. The constitutive meeting of the Data Protection Council shall take place within six weeks after 25 May 2018. The previous head and the two previous deputy heads shall continue to exercise their functions until the election of the new head and the two deputy heads.
(8) Special provisions on the processing of personal data in other federal or provincial laws shall remain unaffected.
(9) Authorizations pursuant to Section 13, Section 46 and Section 47 of the Data Protection Act 2000 granted by the Data Protection Authority in a final manner shall remain unaffected. Consent given pursuant to the Data Protection Act 2000 shall continue to be valid if it meets the requirements of the General Data Protection Regulation.

Entry into force

Section 70. (1) The other provisions of this federal law shall also enter into force on 1 January 2000.
(2) Section 26 para. 6 and § 52 paras. 1 and 2 as amended by the federal law promulgated in Federal Law Gazette I No 136/2001 shall enter into force on 1 January 2002.
(3) Section 48a para. 5 as amended by the federal law promulgated in Federal Law Gazette I No 135/2009 shall enter into force on 1 January 2010.
(4) The table of contents, § 4 para. 1 subparas. 4, 5, 7 to 9, 11 and 12, § 8 paras. 1, 2 and 4, § 12 para. 1, the re-numbering of the paragraphs in § 13, § 16 paras. 1 and 3, § 17 paras. 1, 1a and 4, § 19 para. 1 subpara. 3a and para. 2, the re-numbering of the paragraphs in § 19, § 20 to § 22a including captions, § 24 para. 2a, § 24 para. 4, § 26 paras. 1 to 8 and 10, § 28 para. 3, § 30 para. 2a, 5 to 6a, § 31 and § 31a including captions, § 32 paras. 1, 4, 6 and 7, § 34 paras. 1, 3 and 4, § 36 paras. 3, 3a and 9, § 39 para. 5, § 40 paras. 1 and 2, § 41 para. 2 subpara. 4a, § 42 para. 1 subpara. 1, § 42 para. 5, § 46 para. 1 subparas. 2 and 3, paras. 2 to 3a, § 47 para. 4, § 49 para. 3, § 50 paras. 1 to 2a, Part 9a, § 51, § 52 paras. 2 and 4, § 55, § 61 paras. 6 to 9 as well as § 64 as amended by the federal law promulgated in Federal Law Gazette I No 133/2009 shall enter into force on 1 January 2010. Simultaneously, § 4 para. 1 subpara. 10, § 13 para. 3 as well as § 51 para. 2 shall become ineffective.
(5) Section 36 para. 6 as amended by the federal law promulgated in Federal Law Gazette I No 133/2009 shall enter into force on 1 July 2010.
(6) Section 37 para. 2, § 38 para. 2 and § 61 para. 9 as amended by the federal law promulgated in Federal Law Gazette I No 57/2013 shall enter into force on 1 May 2013.
(7) The table of contents, § 5 para. 4, § 10 para. 2, § 12 para. 4, § 13 paras. 1 and 2 subpara. 2, paras. 3, 4 and 6, § 16 para. 1, § 17 para. 1, § 18 para. 2, § 19 para. 1 subpara. 6 and para. 2, § 20 paras. 2 and 5 subpara. 2, § 21 para. 1 subpara. 3, § 22 paras. 2 to 4, § 22a paras. 1, 3 to 5, § 23 para. 2, § 26 paras. 2, 5 and 7, § 27 paras. 5 and 7, the caption of § 30, § 30 paras. 1, 2, 2a, 4 to 6a, the caption of § 31, § 31 paras. 1, 2, 5, 6 and 8, § 31a, § 32 paras. 5 to 7, § 34 para. 3 and 4, the caption of § 35, § 35 para. 1, § 36 to § 40 including the captions, § 41 para. 2 subpara. 1, § 44 paras. 6 and 8, § 46 para. 2 subpara. 3 and para. 3, § 47 paras. 3 and 4, § 48a para. 2, § 50 paras. 1 and 2, § 50b para. 2, § 50c para. 1, § 52 para. 2 subparas. 2 and 3 as well as para. 5, § 54 para. 2 and § 61 paras. 8 to 10 as amended by the federal law promulgated in Federal Law Gazette I No 83/2013 shall enter into force on 1 January 2014. Simultaneously, § 41 para. 2 subpara. 4a and the Data Protection Commission Remuneration Regulation, Federal Law Gazette II No 145/2006, shall become ineffective. All organizational and human resource measures needed to appoint the head of the Data Protection Authority and the deputy may be implemented before the federal law promulgated in Federal Law Gazette I No 83/2013 enters into force.
(8) (Constitutional provision) § 2 para. 2 and § 35 para. 2 as amended by the federal law promulgated in Federal Law Gazette I No 83/2013 shall enter into force on 1 January 2014.
(9) The title, the table of contents, Chapter 1, the name and caption of Chapter 2, Parts 1, 2, 3, and 4, the caption and name of Part 5, § 35 para. 1, the name and caption of Chapter 3, Parts 1, 2, and 3, the caption and name of Part 4, § 58 and § 59, including the captions, as well as Chapters 4 and 5 as amended by the federal law promulgated in Federal Law Gazette I No 120/2017 shall enter into force on 25 May 2018. In Article 2, Parts 1, 2, 3, 4, 5 and 6, the name and caption of Part 7, the caption of § 35, § 36 to § 44 including the captions, Parts 8, 9, 9a and 10, the name and the caption of Part 11, § 53 to § 59 including the captions, § 61 paras. 1 to 3 and 5 to 10 as well as § 62 to § 64 including the captions in the version before the amendment by Federal Law Gazette I No 120/2017 shall become ineffective as of the end of 24 May 2018.
(10) The Standards and Models Regulation 2004, Federal Law Gazette II No 312/2004, the Data Processing Register Regulation 2012, Federal Law Gazette II No 257/2012, and the Data Protection Adequacy Regulation, Federal Law Gazette II No 521/1999, shall become ineffective as of the end of 24 May 2018.
(11) (Constitutional provision) § 35 para. 2 as amended by the federal law promulgated in Federal Law Gazette I No 23/2018 shall enter into force on 25 May 2018.
(12) The table of contents, § 4 paras. 1, 5 to 7, § 5 para. 3 sentence 1 and para. 5, § 9 including the caption, § 11 including the caption, § 12 para. 3 subpara. 2 and para. 4 subpara. 3, § 14 para. 1, § 15 para. 1 subpara. 5, para. 3, para. 5 subparas. 1 and 2, paras. 6, 7 and 8, § 16 para. 3 subpara. 2 and para. 5, § 19 paras. 2 and 3, § 23 para. 1, § 26 para. 1, § 28, § 30 paras. 3 and 5, § 32 para. 1 subpara. 1, § 36 para. 1 and para. 2 subpara. 7, § 44 para. 2, § 49 paras. 1 and 3, § 56 para. 1, § 64 para. 2, § 68 as well as § 69 para. 5 and 7 as amended by the federal law promulgated in Federal Law Gazette I No 24/2018 shall enter into force on 25 May 2018. Simultaneously, § 45 para. 7 in the version before the amendment by Federal Law Gazette I No 24/2018 shall become ineffective. Section 70 paras. 1 to 8 as amended by the federal law promulgated in Federal Law Gazette I No 24/2018 shall enter into force on the day following promulgation. To the extent that the instructions given in the federal law promulgated in Federal Law Gazette I No 24/2018 refer to provisions created by the Data Protection Amendment Act 2018, Federal Law Gazette I No 120/2017, the provisions of the federal law promulgated in Federal Law Gazette I No 24/2018 shall prevail over the provisions of the Data Protection Amendment Act 2018, Federal Law Gazette I No 120/2017.
(13) § 16 para. 5 and § 70 paras. 6, 7, 9, 10 and 12 as amended by the federal law promulgated in Federal Law Gazette I No 14/2019 shall enter into force as of the end of the day of promulgation of this federal law; simultaneously, the entries made with regard to § 60 and § 61 in the table of contents shall become ineffective. The entries regarding § 2 and § 3 in the table of contents and § 4 para. 7 shall become ineffective on 1 January 2020.
(14) (Constitutional provision) § 2 and § 3 including the captions shall become ineffective as of the end of 31 December 2019. § 70 paras. 8 and 11 as amended by the federal law promulgated in Federal Law Gazette I No 14/2019 shall enter into force as of the end of the day of promulgation of this federal law; simultaneously, § 61 including the caption shall become ineffective.