ARTICLE
2 January 2019

Austrian Data Protection Authority's Decision On Data Protection Measures

Bezen & Partners

Contributor

Bezen & Partners is led in Istanbul by a group of lawyers with previous international experience gained through their employments in magic circle law firms and Turkish Governmental Authorities. With a high calibre team of English law and Turkish law qualified attorneys, that full service independent law firm is now indisputably one of the leading law firms in Turkey and provides legal and advisory services to domestic and international clients.
Turkey Privacy

Introduction

As data protection laws around the world continue to mature, precedent decisions concerning the understanding and application of data protection principles have started to emerge from various jurisdictions.

In a recent case, a natural person (the "Complainant") filed complaints against the Austrian Federal Ministry for Europe, Integration and Appeal and the Federal Chancellery of Austria (the "Respondents") before the Austrian data protection authority (the "Austrian DPA"), claiming that the storage of her "special category" personal data - information about her sexual life and health - is in breach of her fundamental rights. The Respondents claimed there was overriding public interest in the storage of such data.

The Austrian DPA ruled on the complaint in September (i.e. AZ: DSB-D123.070 / 0005-DSB /2018). This is one of the first decisions on the boundaries between personal rights to data privacy and public interest, and it may provide guidance to other data protection authorities which are subject to the General Data Protection Regulation numbered 2016/679 (the "GDPR") as well as other personal data protection laws, such as Turkey's Personal Data Protection Law, which was modelled on the GDPR.

Background

The Complainant first requested that the Respondents delete/destroy her personal data. However, she was informed that such data must be stored in the Respondents' archives due to public interest.

The Complainant then requested that her personal data be pseudonymised, claiming that the existing protection measures taken by the Respondents, notwithstanding how high-level these may be, would not suffice to provide an adequate level of protection against any potential cyber-attacks, data leaks and technological innovation which could potentially render any existing security measures ineffective.

The Complainant also claimed that pseudonymisation of her personal data is necessary as a protective measure against any potential breach that may be committed by individuals who have authority to access such data, such as employees of the Respondents.

The Decision of the Austrian DPA

The Austrian DPA overruled the Complainant's claims for the reasons below:

  1. There has been no breach to this date: The Complainant could not demonstrate a potential danger of breach nor any indication of a violation of privacy by the Respondents. Furthermore and perhaps more importantly, the Austrian DPA ruled that the rejection of a request for a protection measure concerning personal data would not create a violation per se.
  2. Data subjects cannot select applicable protective measures: Article 32 of the GDPR sets out different protective measures to be selected by the data controller or the data processor in accordance with the nature of the personal data being processed. The Austrian DPA noted that this provision does not allow any data subject to request the application of a protective measure of his/her selection.

Potential Actions under the Turkish Personal Data Protection Law

The Turkish Personal Data Protection Law[1] does not expressly address whether a data subject has the right to request a specific measure[2] (i.e. the deletion, destruction, anonymisation etc.) on the basis of the danger of a potential breach and the Turkish Personal Data Protection Board (the "Board") has not issued any decisions that would illuminate their position on this issue as yet.

Similar to the GDPR, Article 7/5 of the Regulation on the Deletion, Destruction and Anonymisation of Personal Data[3] specifically refers to the data controller's/data processor's discretion to select suitable and appropriate security measures and does not expressly provide data subjects with the right to request special measures on this matter. Therefore, it would not be unreasonable to expect that the Board's position on this matter would be in parallel with the decision of the Austrian DPA.

Conclusion

This decision of the Austrian DPA is expected to serve as a reference point for future complaints in the application of the GDPR and may very well serve a similar function in the application of the Turkish Personal Data Protection Law.

Footnotes

[1] Numbered 6098, published in the Official Gazette dated 7 April 2016 and numbered 29677.

[2] Note that pseudonymisation (maskeleme) is not clearly set out in any Turkish personal data protection legislation; however, it is nevertheless one of the methods referred to by the Board in its guidelines.

[3] Published in the Official Gazette dated 28 October 2017 and numbered 30224.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
