Legal Bases for Processing of Personal Data
Is an identified legal basis required in order to collect or process non-sensitive personal data?

Last reviewed: 27 December 2024

Yes.

The following are potential legal bases for processing non-sensitive personal data:

  • the data subject has provided consent to the processing for the identified purposes
  • the personal data is necessary to perform a contract with the data subject
  • the personal data is necessary to comply with a legal obligation
  • the personal data is necessary to protect the vital interests of a natural person
  • the personal data is necessary for a public interest
  • the personal data is necessary to fulfil a legitimate interest of the controller or third party (provided that the interest is not overridden by the data subject's privacy interests and the data subject has not made use of his/her right to object)
  • other.
    • The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes on the basis of a permit of the Austrian Data Protection Authority (Sec. 7 Austrian Data Protection Act).
    • The provision of addresses to inform and interview data subjects if an infringement of the data subject's interests in confidentiality is unlikely, considering the selection criteria for the group of data subjects and the subject of the information or interview (Sec. 8 Austrian Data Protection Act).
    • The joint processing of data by public-sector controllers and relief organizations to the extent that this is necessary to assist persons directly affected by a disaster, to locate and identify missing or deceased persons and to provide information to their relatives (Sec. 10 Austrian Data Protection Act).

Is an identified legal basis required in order to collect or process sensitive personal data?

Last reviewed: 27 December 2024

Yes.

The following are potential legal bases for processing special categories of personal data:

  • the data subject has given consent to the processing, where consent is held to a higher standard than for non-sensitive personal data (for example, an additional requirement for consent to be "explicit")
  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
  • processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and further conditions
  • processing relates to personal data which are manifestly made public by the data subject
  • processing is necessary for the establishment, exercise or defense of legal claims
  • processing is necessary for reasons of substantial public interest
  • processing is necessary for the purposes of medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
  • processing is necessary for reasons of public interest in the area of public health
  • processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
  • other

Special categories of personal data may be processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if (Sec. 7 para. 3 Austrian Data Protection Act):

  • permitted by the Austrian Data Protection Authority;
  • an important public interest in the research project exists; and
  • it is ensured that the personal data are processed at the premises of the controller ordering the research project only by persons who are subject to a statutory obligation of confidentiality regarding the subject matter of the research project or whose reliability in this respect is credible.

In case of emergency, special categories of personal data may be transferred to close relatives only if they prove their identity and their capacity as a relative and if the transfer is necessary to safeguard their rights or the rights of the data subject (Sec. 10 para. 4 Austrian Data Protection Act).

Are there special requirements that apply to the collection or processing of personal data from minors?

Last reviewed: 27 December 2024

Yes.

A minor within the meaning of data privacy laws is a person below the age of 14.

In what circumstances do these special requirements apply?

Last reviewed: 27 December 2024

In the context of information society services (e.g., a commercial website), only if processing is based on consent.

What are the special requirements that apply to collecting or processing personal data from minors?

Last reviewed: 27 December 2024

Consent must be given or authorized by the parent/guardian of the minor.