Art. 49
1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
d) the transfer is necessary for important reasons of public interest;
e) the transfer is necessary for the establishment, exercise or defence of legal claims;
f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
|
Art. 44
1. In the absence of an adequacy decision pursuant to Article 41 or of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:
(a) the data subject has consented to the proposed transfer, after having been informed of the risks of such transfers due to the absence of an adequacy decision and appropriate safeguards; or
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; or
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or
(d) the transfer is necessary for important grounds of public interest; or
(e) the transfer is necessary for the establishment, exercise or defence of legal claims; or
(f) the transfer is necessary in order to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent; or
(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case; or
(h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.
2. A transfer pursuant to point (g) of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. When the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.
3. Where the processing is based on point (h) of paragraph 1, the controller or processor shall give particular consideration to the nature of the data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and adduced appropriate safeguards with respect to the protection of personal data, where necessary.
4. Points (b), (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.
5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject.
6. The controller or processor shall document the assessment as well as the appropriate safeguards adduced referred to in point (h) of paragraph 1 of this Article in the documentation referred to in Article 28 and shall inform the supervisory authority of the transfer.
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying 'important grounds of public interest' within the meaning of point (d) of paragraph 1 as well as the criteria and requirements for appropriate safeguards referred to in point (h) of paragraph 1.
|
Art. 44
1. In the absence of an adequacy decision pursuant to paragraph 3 of Article 41, or of appropriate safeguards pursuant to Article 42, including binding corporate rules (...), a transfer or a category of transfers of personal data to (...) a third country or an international organisation may take place only on condition that:
(a) the data subject has explicitly consented to the proposed transfer, after having been informed that such transfers may involve risks for the data subject due to the absence of an adequacy decision and appropriate safeguards; or
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; or
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or
(d) the transfer is necessary for important reasons of public interest; or
(e) the transfer is necessary for the establishment, exercise or defence of legal claims; or
(f) the transfer is necessary in order to protect the vital interest of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest but only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case; or
(h) the transfer, which is not large scale or frequent, is necessary for the purposes of legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject and where the controller (...) has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and (...) based on this assessment adduced suitable safeguards with respect to the protection of personal data.
2. A transfer pursuant to point (g) of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. When the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.
3. (...)
4. Points (a), (b), (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.
5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the national law of the Member State to which the controller is subject. (...)
5a. In the absence of an adequacy decision, Union law or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.
6. The controller or processor shall document the assessment as well as the suitable safeguards (...) referred to in point (h) of paragraph 1 in the records referred to in Article 28 (...).
6a. (...)
7. (...)
|
Art. 26
1. By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2) may take place on condition that:
(a) the data subject has given his consent unambiguously to the proposed transfer; or
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
(e) the transfer is necessary in order to protect the vital interests of the data subject; or
(f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.
3. The Member State shall inform the Commission and the other Member States of the authorizations it grants pursuant to paragraph 2.
If a Member State or the Commission objects on justified grounds involving the protection of the privacy and fundamental rights and freedoms of individuals, the Commission shall take appropriate measures in accordance with the procedure laid down in Article 31 (2).
Member States shall take the necessary measures to comply with the Commission's decision.
4. Where the Commission decides, in accordance with the procedure referred to in Article 31 (2), that certain standard contractual clauses offer sufficient safeguards as required by paragraph 2, Member States shall take the necessary measures to comply with the Commission's decision.
|
Processing of personal data in case of emergency
§ 10 DSG
(1) In case of emergency, public-sector controllers and relief organisations shall be authorised to jointly process data to the extent that this is necessary to assist persons directly affected by a disaster, to locate and identify missing or deceased persons and to provide information to their relatives.
(2) Anybody who lawfully possesses personal data shall be permitted to transfer these data to public-sector controllers and relief organisations if these controllers and organisations need this personal data to manage a disaster for the purposes specified in para. 1.
(3) The transfer abroad of personal data is permitted insofar as this is absolutely necessary to fulfil the purposes mentioned in para. 1. Data that by themselves would make the data subject liable to criminal prosecution shall not be transferred unless they are absolutely necessary for identification in a particular case. The Data Protection Authority shall be informed immediately about the data transfers performed and about the circumstances of the motivating incident. The Data Protection Authority shall prohibit further data transfers if the interference with the fundamental right to data protection resulting from the data transfer is not justified by the special circumstances caused by a disaster.
(4) Based on a specific inquiry of a close relative of a person who has actually or presumably been directly affected by a disaster, controllers are authorised to transfer to the inquiring person personal data regarding the whereabouts of the data subject and on the progress of the search, if the relative satisfactorily demonstrates his or her identity and close relationship to the data subject.
Special categories of personal data (Article 9 of the General Data Protection Regulation) may be transferred to close relatives only if they prove their identity and their capacity as a relative and if the transfer is necessary to safeguard their rights or the rights of the data subject. The social insurance agencies and authorities are obliged to assist the public-sector controllers and relief organisations if this is necessary to verify the information provided by the inquiring person.
(5) Close relatives pursuant to this provision means parents, children, spouses, registered partners and companions in life of the data subjects. Other relatives may receive the aforementioned information under the same conditions as close relatives if they satisfactorily demonstrate a special close relationship to the person actually or presumably directly affected by a disaster.
(6) The personal data processed for the purposes of managing a disaster shall be deleted immediately if they are no longer required to fulfil the specific purpose.
|
In force until May 25, 2018:
Abroad Transmission and Committing of Data Subject to Licensing (Prior Approval)
§ 13 DSG 2000
(1) Insofar as a case of data exchange is not exempted from authorisation according to § 12, the controller has to apply for a permit by the Data Protection Authority (§ 35) before the transmission or committing. The Data Protection Authority can issue the permit subject to conditions and obligations.
(2) The permit shall be given, taking into consideration the promulgations pursuant to § 55 sub-para. 2, if the requirements of § 12 para. 5 are met, and despite the lack of an adequate general level of data protection in the recipient state
1. an adequate level of data protection exists for the transmission or committing outlined in the application for the permit in this specific case; this is then to be judged considering all circumstances relevant to the use of data, such as the type of data used, the purpose and duration of use, the country of origin and final destination as well as the general and sectoral legal provisions, professional rules and security standards applying in the third country; or
2. the controller can satisfactorily demonstrate that the interests in secrecy deserving protection of the data subject of the planned data exchange will be respected outside of Austria. In particular, contractual guarantees by the recipient as well as unilateral declarations by the applicant (§ 19 para 2) in the application for permit about the more detailed circumstances of the use of data abroad are significant for the decision. Unilateral declarations by the applicant become legally binding for him upon registration by the Data Protection Authority.
(3) In the case of data applications subject to notification, the Data Protection Authority shall put a copy of each ruling authorising the transmission or committing of data on the notification file and enter the fact that authorisation has been granted into the Data Processing Register (§ 16).
(4) Deviating from para. 1, a domestic processor can apply for a permit if, in order to fulfil his contractual duties vis-à-vis multiple controllers, he wishes to enlist the service of a specific processor outside of Austria. The actual committing shall only be performed with the consent of the controller. The controller shall report to the Data Protection Authority from which of his data applications subject to notification the authorised committing to the processor shall take place; this is to be entered into the Data Processing Register.
(5) The transmission of data to representations of foreign governments or intergovernmental institutions in Austria shall be treated as data exchange with regard to the requirement for authorisation according to para. 1.
(6) If the Federal Chancellor has decreed by ordinance that, despite the lack of an adequate general level of data protection in the recipient state, the requirements according to para. 2 sub-para. 1 are met for specific categories of data exchange with this recipient state, the obligation to obtain a permit is replaced by an obligation to notify the Data Protection Authority. The Data Protection Authority shall prohibit the notified data exchange within six weeks after receiving the notification if it is not attributed to one of the categories regulated in the ordinance or if it does not fulfil the requirements according to § 12 para. 5; otherwise the transmission or committing is permitted.
|