Art. 77

1. Sans préjudice de tout autre recours administratif ou juridictionnel, toute personne concernée a le droit d'introduire une réclamation auprès d'une autorité de contrôle, en particulier dans l'État membre dans lequel se trouve sa résidence habituelle, son lieu de travail ou le lieu où la violation aurait été commise, si elle considère que le traitement de données à caractère personnel la concernant constitue une violation du présent règlement.

2. L'autorité de contrôle auprès de laquelle la réclamation a été introduite informe l'auteur de la réclamation de l'état d'avancement et de l'issue de la réclamation, y compris de la possibilité d'un recours juridictionnel en vertu de l'article 78.

Art. 28

(…)

4. Chaque autorité de contrôle peut être saisie par toute personne, ou par une association la représentant, d'une demande relative à la protection de ses droits et libertés à l'égard du traitement de données à caractère personnel. La personne concernée est informée des suites données à sa demande.

Chaque autorité de contrôle peut, en particulier, être saisie par toute personne d'une demande de vérification de la licéité d'un traitement lorsque les dispositions nationales prises en vertu de l'article 13 de la présente directive sont d'application. La personne est à tout le moins informée de ce qu'une vérification a eu lieu.

Aucune disposition spécifique

All of the following in force until May 25, 2018:

Legal Remedies

Duties of Supervision of the Data Protection Authority

§ 30 DSG 2000

(1) Anyone shall have the right to lodge an application with the Data Protection Authority because of an alleged infringement of his rights or obligations concerning him pursuant to this federal law by a controller or processor.

(2) The Data Protection Authority shall have the right to examine data applications in case of reasonable suspicion of an infringement of the rights and obligations mentioned in para. 1. It can order the controller or processor of the examined data application to give all necessary clarifications and to grant access to data applications and relevant documents.

(2a) In case an application admissible according to para 1 or a reasonable suspicion according to para 2 refers to a data application (filing system) subject to the obligation of notification, the Data Protection Authority may examine whether the notification obligation has been fulfilled and eventually proceed according to §§ 22 and 22a.

(3) Data applications subject to prior checking pursuant to § 18 para. 2 may be examined without a suspicion of illegal data use. The same applies to those fields of the government where a public sector controller claims that § 26 para. 5 and § 27 para. 5 are to be applied.

(4) For purposes of the inspection, the Data Protection Authority shall have the right, after having informed the owner of said rooms and the controller (processor), to enter rooms where data applications are carried out, operate data processing equipment, run the processing to be examined and to make copies of the storage media to the extent absolutely required for the exercise of the right to examination. The controller (processor) shall render the assistance necessary for the examination. The supervisory rights are to be exercised in a way that least interferes with the rights of the controller (processor) and third parties.

(5) Information acquired by the Data Protection Authority or its representatives during any examination shall be used only for supervisory purposes in the context of the execution of data protection regulations. This includes the use for purposes of litigation at courts by the person involved or the Data Protection Authority according to § 22. Incidentally, the obligation to confidentiality also exists before courts and administrative authorities, in particular fiscal authorities, with the reservation that, if the examination leads to probable cause to believe that a crime according to §§ 51 and 52 of this federal law or a criminal act according to §§ 118a, 119, 119a, 126a to 126c, 148a or §278a of the Criminal Code, Federal Law Gazette No. 60/1974, or any crime punishable with more than five years of imprisonment has been committed, a report shall be made and requests for assistance according to § 76 Code of Criminal Procedure, Federal Law Gazette No. 631/1974 regarding such crimes and offences shall be complied with.

(6) To establish the rightful state, the Data Protection Authority can issue recommendations, unless measures according to §§ 22 and 22a or para 6a are to be taken an appropriate period for compliance shall be set if required. If a recommendation is not obeyed within the set period, the Data Protection Authority shall, depending on the kind of transgression and ex officio,

1. press criminal charge pursuant to §§ 51 or 52, or

2. in case of severe transgressions by a private sector controller file a lawsuit before the competent court of law pursuant to § 32 para. 5, or

3. in case of a transgression by an organ of a territorial corporate body, involve the competent highest authority. This authority shall within an appropriate period, not exceeding twelve weeks, takes measures to ensure that the recommendation of the Data Protection Authority is complied with or inform the Data Protection Authority why the recommendation is not complied with. The reason may be publicised by the Data Protection Commission in an appropriate manner as far as not contrary to official secrecy.

(6a) In case the operation of a data application causes an serious and immediate danger to interests of secrecy of the data subject deserving protection (imminent danger) the Data Protection Authority may prohibit the continuation of the data application by ruling in accordance with § 57 para. 1 of the General Administrative Procedure Act 1991 – AVG, Federal Law Gazette No. 51/1991. The continuation may also be prohibited only partially if this technically possible, gives a meaningful result with regard to the purpose of the data application and is sufficient to eliminate the risk. If the ban is not complied with the offence is to be reported according to § 52 para 1 sub-para 3. If a ban under this para has become final, any running procedure for correction according to § 22a para 2 is to be discontinued informally. According to the extent of the ban the data application is to be deleted from the register.

(7) The intervening party shall be informed as to how his intervention was dealt with.

Complaint before the Data Protection Authority

§ 31 DSG 2000

(1) The Data Protection Authority shall decide on complaints of persons or group of persons who allege to have been infringed in their right for information according to § 26 or § 50 para 1 third phrase or in their right to be informed about an automatically processed individual decision according to § 49 para 3 insofar as the request for information (the application for information or disclosure) does not concern the use of data for acts in the service of legislation or jurisdiction.

(2) Furthermore, the Data Protection Authority shall decide on complaints of persons or groups of persons who allege to have been infringed in their right to secrecy (§ 1 para 1) or in their right to correction or deletion (§§ 27 and 28), to the extent the right is not to be asserted under § 32 para 1 before a court or is not directed against an organ in the service of legislation or jurisdiction.

(3) The complaint must contain:

1. the description of the right considered to be infringed,

2. to the extent reasonable, the description of the legal entity or the organ, which is deemed to be responsible for the alleged infringement (opponent of the complaint),

3. the facts from which the infringement is derived,

4. the reasons for which the unlawfulness is alleged,

5. the request to determine the alleged infringement and

6. the details which are necessary in order to decide whether the complaint has been filed in due time.

(4) A complaint according to para 1 must be accompanied by the pertinent request for information (the application for information or presentation) and a reply by the opponent to the complaint, if any. A complaint according to para 2 must be accompanied by the pertinent request for correction or deletion and an answer of the opponent to the complaint, if any.

(5) The control rights granted to the Data Protection Authority according to § 30 paras 2 to 4 also apply to the complaint procedure according to para 1 and 2 vis-a-vis the opponent to the complaint. Also, the duty of confidentiality according to § 30 para 5 applies to this procedure.

(6) In case of filing of an admissible complaint according to paras 1 or 2 a control procedure instituted on an application based on § 30 para 1 on the same issue is to be discontinued merely by giving information (§ 30 para 7). Nevertheless, the Data Protection Authority may proceed even when the complaint procedure is pending ex officio according to § 30 para 2, if reasonable suspicion exists on an infringement of obligations under the data protection provisions beyond the case of complaint. § 30 para 3 remains unaffected.

(7) To the extent a complaint according to paras 1 or 2 is shown to be justified, it is to be granted and the infringement to be stated. If a stated infringement of the right of information (para 1) falls under the responsibility of a controller in the private sector, he/she, upon request, in addition, is to be instructed to give – again – an answer to the request for information according to § 26 para 4, 5 or 10, in the extent required, to eliminate the infringement having been stated. To the extent the complaint is not found to be justified, it is to be rejected.

(8) An opponent against whom a complaint has been filed for infringement of rights according to §§ 26 to 28, may, till the end of the proceedings before the data protection commission, by communicating with the complaining person according to § 26 para 4 or § 27 para 5, subsequently eliminate the alleged infringement. If the data protection commission deems the complaint to be settled by such reactions of the opponent to the complaint, it shall hear the person complaining on this. Simultaneously he/she is to be informed, that the Data Protection Authority will informally end the procedure, if he/she does not establish within an adequate period, for which reason he/she still does not consider the originally alleged infringement to be eliminated at least partially. If such answer of the person complaining modifies the merits of the case (§ 13 para 8 of the General Administrative Procedure Act 1991 – AVG) the original complaint is to be deemed withdrawn and simultaneously a new complaint to be deemed filed. In this case the original complaint procedure is also to be ended informally and the person complaining to be informed correspondingly. Related answers are to be ignored.

Accompanying measures in the complaint procedure

§ 31a DSG 2000

(1) In so far an admissible complaint according to § 31 para 2 refers to a data application subject to the obligation of notification, the Data Protection Authority may examine whether the obligation for notification has been fulfilled and eventually proceed according to §§ 22 and 22a.

(2) If the person complaining establishes a prima facie case of serious infringement to his/her interests for confidentiality deserving protection within the frame of a complaint according to § 31 para 2 by use of his/her data, the Data Protection Authority may proceed according to § 30 para 6a.

(3) If in a proceeding according to § 31 para 2 the correctness of data is controversial, the opponent to the complaint shall place a note of the dispute till the proceedings are terminated. If necessary, upon request of the person complaining, the Data Protection Authority shall order this done by provisional rulings.

(4) If a public sector controller invokes § 26 para. 5 or § 27 para. 5 before the Data Protection Authority concerning a complaint because of an infringement of the rights to information, rectification and erasure, the Data Protection Authority shall, after having examined the necessity of confidentiality, safeguard the protected public interests during the proceedings. If the Data Protection Authority comes to the conclusion that it was not justified to keep the processed data secret from the data subject, the disclosure of the data shall be ordered by a ruling. If no appeal is made and the ruling of the Data Protection Authority is not complied within eight weeks, the Data Protection Authority itself shall carry out the disclosure to the data subject and shall communicate to him the desired information or inform him which data have been rectified or erased. In proceedings according to § 30 the first two sentences are to be applied accordingly.

Common Rules

§ 34 DSG 2000

(1) The right to lodge an application according to § 30, a complaint according to § 31 or legal action according to § 32 and claims for damages according to § 33 shall apply only if the charge is filed by the intervening party within a year after having gained knowledge of the incident that gave rise to the complaint and no later than three years after the alleged incident. This is to be communicated to the intervening party in the case of a late application according to § 30; late complaints according to § 31 or legal actions according to § 32 shall be rejected.

(2) Applications according to § 30, complaints according to § 31 or legal action according to § 32 and claims for damages according to § 33 can be filed not only because of an alleged infringement of this federal law, but also based on an infringement of data protection provisions of another member state of the European Union, insofar as these provisions are applicable in Austria according to § 3.

(3) If a case to be adjudicated by the Data Protection Authority by applying the national provisions of another member state of the European economic area pursuant to § 3, the Data Protection Authority shall ask the competent foreign supervisory authority for assistance.

(4) The Data Protection Authority shall render inter-authority assistance to the independent supervisory authorities of the signatory states of the European economic area upon request.