The Automated Means Criterion is a key factor in determining the applicability of data protection law in Austria. It extends the law's scope to personal data processing that is carried out wholly or partly by automated means.

Text of Relevant Provisions

Austria DSG. § 4(1):

"The provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ No L 119 of 4 May 2016, p. 1 (in the following: General Data Protection Regulation) and this federal law shall apply to the processing of personal data of natural persons wholly or partly by automated means and to the processing other than by automated means of personal data of natural persons which form part of a filing system or are intended to form part of a filing system, unless the more specific provisions of Chapter 3 of this federal law prevail."

Analysis of Provisions

The Austrian Data Protection Act (DSG) explicitly incorporates the Automated Means Criterion in § 4(1). This provision establishes that the law applies to the processing of personal data "wholly or partly by automated means". This criterion ensures that the law covers a wide range of data processing activities that involve any degree of automation.

The provision also extends the law's applicability to non-automated processing of personal data that forms part of a filing system or is intended to form part of a filing system. This extension ensures comprehensive coverage of personal data processing, regardless of the specific methods used.

It's important to note that the Austrian law directly references and incorporates the General Data Protection Regulation (GDPR), aligning its scope with EU-wide data protection standards. This alignment ensures consistency in the application of data protection principles across the European Union.

Implications

The inclusion of the Automated Means Criterion in Austrian data protection law has significant implications for businesses and organizations:

1. Broad applicability: Any entity processing personal data using digital or electronic systems, even partially, falls under the law's scope. This includes the use of computers, smartphones, cloud services, and other digital technologies for data processing.
2. Manual processing coverage: Even manual processing of personal data is covered if it's part of a structured filing system. This could include paper-based records that are organized in a systematic manner.
3. Technological neutrality: The law remains applicable regardless of the specific technology used, ensuring its relevance as new data processing technologies emerge.
4. Compliance requirements: Organizations must ensure compliance with Austrian data protection law for all automated processing activities, including data collection, storage, analysis, and transmission.
5. Data protection measures: Entities must implement appropriate technical and organizational measures to protect personal data processed through automated means.
6. Rights of data subjects: Individuals have the right to know about, access, and control their personal data processed through automated means, as guaranteed by the law.