Applicability of Data Protection Law in Austria: Filing System Criterion

The Filing System Criterion refers to the applicability of data protection laws to the manual processing of personal data that is organized in a way that allows for easy retrieval or access. In Austria, this factor is explicitly mentioned and used to set the scope of the data protection law's applicability.

Text of Relevant Provisions

Austria DSG. § 4(1):

"The provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ No L 119 of 4 May 2016, p. 1 (in the following: General Data Protection Regulation) and this federal law shall apply to the processing of personal data of natural persons wholly or partly by automated means and to the processing other than by automated means of personal data of natural persons which form part of a filing system or are intended to form part of a filing system, unless the more specific provisions of Chapter 3 of this federal law prevail."

Original (German):

"Die Bestimmungen der Verordnung (EU) 2016/679 zum Schutz natürlicher Personen bei der Verarbeitung personenbezogener Daten und zum freien Datenverkehr sowie zur Aufhebung der Richtlinie 95/46/EG (Datenschutz-Grundverordnung), ABl. Nr. L 119 vom 4. Mai 2016, S. 1 (im Folgenden: Datenschutz-Grundverordnung) und dieses Bundesgesetzes sind auf die ganz oder teilweise automatisierte Verarbeitung personenbezogener Daten natürlicher Personen und auf die nicht automatisierte Verarbeitung personenbezogener Daten natürlicher Personen anzuwenden, die Teil eines Dateisystems sind oder werden sollen, sofern die spezielleren Bestimmungen des 3. Teils dieses Bundesgesetzes nicht vorgehen."

Analysis of Provisions

The Filing System Criterion is clearly utilized in § 4(1) of the Austrian DSG (Datenschutzgesetz), which defines the scope of applicability of data protection laws. This provision ensures that the laws apply not only to automated processing of personal data but also to manual processing, provided the data is part of or intended to be part of a filing system.

1. Automated and Non-Automated Processing:
   • The provision explicitly states that data protection laws cover "the processing of personal data of natural persons wholly or partly by automated means" and extends to "the processing other than by automated means of personal data of natural persons which form part of a filing system or are intended to form part of a filing system."
2. Definition of a Filing System:
   • A filing system refers to any structured set of personal data that can be accessed according to specific criteria. This includes both digital and non-digital formats, provided they allow easy retrieval or access.
3. Scope Extension:
   • By including manual processing within the scope, lawmakers ensure comprehensive protection of personal data. This is crucial in situations where personal data might not be digitized but is still organized in a systematic manner that facilitates retrieval.

Implications

For Business

• Manual Data Processing: Companies must recognize that their obligations under data protection laws extend to manual records. If personal data is organized systematically in physical files or paper records, these are subject to the same regulatory requirements as digital data.
• Compliance Measures: Organizations must implement data protection measures for all forms of personal data processing. This includes secure storage, proper access controls, and procedures for the rectification or erasure of personal data in physical records.
• Records Management: Businesses should establish clear policies for the management of both digital and manual filing systems. Ensuring that personal data in any format is properly handled can help in mitigating risks of non-compliance and potential penalties.

By recognizing and adapting to the requirements set forth in the Austrian DSG regarding the Filing System Criterion, organizations can ensure robust data protection practices that align with regulatory standards.