Data protection glossary
Personal Data
Personal data is any information relating to a living natural person who can be identified, directly or indirectly. Indirect identification via combinations of data (e.g. IP address + identification number, zip code + year of birth + gender, laboratory values + clinic + treatment period) is also included.
Examples: name, address, date of birth, social security number, matriculation number, email address, telephone number, IP address, online identifier, location data, physical characteristics (height, gender, eye color), biometric features (video or audio recordings, fingerprint, iris scan), income, contractual relationships, property, communication data.
In order to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, either by the controller or by another person, to identify the natural person directly or indirectly, such as singling out. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the cost of identification and the time required, considering the technology available at the time of processing and technological developments.
Sensitive (special categories) of personal data
This is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data (DNA/RNA analyses, sequence data), biometric data for the unique identification of a natural person, health data (medical history, diagnoses, medication data) and data relating to a natural person's sex life or sexual orientation.
Legal basis for research
The legal bases for the processing of personal data are:
- Consent (Article 6 (1) (a) GDPR): This must be explicit, voluntary, informed and revocable at any time (e.g. biomedical or psychological studies, surveys).
- Contractual performance (Article 6 (1)(b) GDPR): e.g. research contract
- Legal obligation (Article 6 (1) (c) GDPR): e.g. drug safety
- Public task (Article 6 (1) (e) GDPR): cf. § 3 UG
- Legitimate interest (Article 6 (1) (f) GDPR): e.g. market or behavioural research, provided that there is a balancing of interests in favour of the controller.
The processing of special categories of personal data for research purposes is only permissible if one of the general legal bases of Article 6 and an exception under Article 9 (2) GDPR applies.
- Consent (Art. 9 para. 2 lit. a GDPR): This must be explicit, voluntary, informed and revocable at any time
- Public health interest (Article 9 (2) (i) GDPR): e.g. drug safety
- Research (Art 9 para 2 lit j GDPR): e.g. biobank research, data analyses
According to § 7 para. 1 DSG, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes that do not aim at results relating to specific individuals, all personal data may be processed that
- are publicly accessible,
- the controller has lawfully collected for other investigations or other purposes, or
- are only pseudonymised for the controller and the controller cannot determine the identity of the data subject by legally permissible means.
In the case of data processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes that do not fall under § 7 (1) DSG, personal data may only be processed
- in accordance with special legal provisions,
- with the consent of the data subject, or
- with the approval of the Data Protection Authority in accordance with paragraph 3.
Research data processing in Austria is lawful if:
- there is a suitable legal basis in accordance with Art. 6 GDPR,
- in the case of sensitive data, there is an additional exception under Art. 9 (2) GDPR,
- the FOG measures in accordance with § 2d-2k are complied with,
- all protective measures in accordance with Art. 89 GDPR are documented.
Joint responsibility according to Art 26 GDPR
If two or more controllers jointly determine the purposes ("Why?") and means ("How?", e.g. data types, recipients, systems) of the processing of personal data, they are joint controllers. There must be no relationship of instruction between the actors; equality between them is not necessary. Joint controllers must enter into a transparent agreement specifying which of them fulfils which obligations and responsibilities under the GDPR, unless and to the extent that their respective responsibilities are determined by Union or Member State law to which the controllers are subject.
Any form of coordinated decision-making (e.g. on study methodology, data storage, evaluation models) is sufficient. De facto co-decision (e.g. by influencing the definition of purpose or data architecture) can also be sufficient. Mere technical support or the provision of a service without decision-making power as to the purpose or means is not joint responsibility (-> commissioned processing pursuant to Article 28 GDPR).
Joint responsibility exists in cases such as:
- Cooperation research between universities
- Common (online) platform for research participants
- Ministry/Clinic + University Research Contract
No joint responsibility, but commissioned processing (-> Article 28 GDPR), exists in cases such as:
- Laboratory analyzes samples on behalf of the university
- IT service provider hosts research database
- University provides anonymised data to Statistics Austria
Data Processing Agreement according to Article 28 GDPR
Commissioned processing within the meaning of Art. 28 GDPR occurs when a natural or legal person, public authority, agency or other body (processor) processes personal data on behalf of and on the instructions of another controller (client).
The processor does not itself decide on the purpose and means of data processing, but carries out the processing exclusively in accordance with the documented instructions of the controller. Use of the data for other purposes, in particular the processor's own purposes, is not permitted.
The processor is obliged to take appropriate technical and organisational measures (TOMs) within the meaning of Art. 32 GDPR to ensure the security of the processing. The controller, in turn, has a duty of care and control when selecting the processor: it must ensure that the processor offers sufficient guarantees for compliance with the GDPR.
A contract or other legal instrument must be concluded between the controller and the processor in accordance with Art. 28 (3) GDPR.
Commissioned processing according to Art 28 GDPR exists, for example, in the following case:
- Commissioning an external service provider to manage the IT infrastructure or store data
Templates:
- Processors Model Contract 1.0
- Data protection checklist for order processing
- Appendix TOMs
Third Parties
Third party means a natural or legal person, public authority, agency or other body other than:
- the data subject,
- the controller,
- the processor, and
- the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data.
Third parties are therefore all other persons or bodies that are not directly involved in the area of responsibility for data processing (e.g. other companies, private individuals, media, funding bodies, research institutions without agreement).
Permissibility of access by third parties
Any disclosure or access (e.g. through logins, inspection of databases or transmission by e-mail) by third parties is generally prohibited, unless there is a legal basis according to Art. 6 GDPR (and in the case of sensitive data additionally Art. 9 GDPR).
Access by third parties is lawful if at least one of the following bases (Article 6 (1) GDPR) is met:
- Consent: Data subject has expressly consented to access to certain third parties (e.g. other research institution, doctor, funding body).
- Performance of contract: Access by third parties is necessary for the performance of a contract with the data subject (e.g. subcontractors for the provision of services).
- Legal obligation: Access is required by law (e.g. obligation to report to authorities, documentation obligations according to FOG or AMG).
- Vital interests: Access by medical personnel in case of emergency.
- Public task: Access by state research centres or universities within the framework of statutory tasks.
- Legitimate interest: Access by third parties if the interest of the controller or the third party prevails and is not overridden by the fundamental rights of the data subjects (e.g. IT security audit, law enforcement).
If sensitive (special categories) of personal data are affected (-> sensitive (special categories) of personal data), there must also be an exception under Article 9 (2) GDPR (-> legal basis in connection with research).
Third-party access according to FOG
Third-party access is only permitted where the FOG (§ 2f, § 2i, § 2j FOG) standardises a special exception for the research area and the material (purpose, group of recipients) and organisational-technical (clarification, seizure, technical measures, protocol, secrecy) requirements specified therein are met. For other third parties (e.g. commercial companies without scientific classification), the FOG usually does not apply – in this case, the usual GDPR legal bases (Art. 6 / Art. 9 GDPR) plus contractual/organizational guarantees apply.
International Data Transfer
An international data transfer occurs when personal data is disclosed or transferred by a controller or processor within the EU/EEA to a recipient in a country outside the EU/EEA (a so-called third country), e.g. active sending of data via email, upload or API access; hosting on servers outside the EEA; remote access from a third country; storage in a cloud.
Illustrated examples can be found in the annex to edpb_guidelines_05-2021_interplay_between_the_application_de.pdf
In accordance with Art. 44 sentence 1 GDPR, the review of a data transfer to third countries is carried out in two stages:
Stage 1: Permissibility of data processing
First of all, it must be examined whether the intended processing of personal data is based on a legal basis in accordance with Art. 6 (1) GDPR (see Legal basis in connection with research) and whether the principles of Art. 5 (1) (a) GDPR (lawfulness, good faith, transparency) are complied with. In the case of special categories of personal data, an additional exception is required under Art. 9 (2) GDPR, as their processing is generally prohibited (Art. 9 (1) GDPR).
Stage 2: Admissibility of the transfer under Chapter V GDPR
If the processing is permissible at Stage 1, the second step is to examine whether the planned transfer can be based on one of the transfer bases provided for in Chapter V (Art. 44 et seq. GDPR). The provisions of Chapter V are intended to ensure that the level of protection for natural persons guaranteed by the GDPR is not undermined. Before the transfer, the controller must therefore also check which transfer basis is available for it.
1. Adequacy decision pursuant to Art. 45 GDPR
A transfer can take place without further authorisation if the European Commission has adopted an adequacy decision for the third country concerned. The data exporter must verify that:
- a current adequacy decision exists,
- the planned transfer falls within its material and territorial scope, and
- the decision is still valid (e.g. has not been rescinded or suspended).
Example: For transfers to the USA, it must be checked whether the recipient is certified according to the EU-U.S. Data Privacy Framework (DPF). The list of adequacy decisions is continuously updated on the European Commission's website.
2. Appropriate safeguards in accordance with Art. 46 GDPR
In the absence of an adequacy decision, the transfer may be based on appropriate safeguards. These include, in particular:
- Standard Contractual Clauses (SCC) of the European Commission (Art. 46 para. 2 lit. c GDPR),
- Binding Corporate Rules (BCR) in accordance with Art. 47 GDPR,
- Approved codes of conduct or certification mechanisms (Art. 46 para. 2 lit. e and f GDPR),
- Individually negotiated contractual clauses (Art. 46 para. 3 lit. a GDPR),
- Administrative agreements between authorities (Art. 46 para. 3 lit. b GDPR).
In all cases, it should be noted that appropriate safeguards are only effective if they guarantee a substantively equivalent level of protection in practice. According to the ECJ Schrems II ruling, data exporters must therefore carry out a Transfer Impact Assessment (TIA), in which they examine in particular:
- whether authorities in the recipient country can access data to an unauthorised extent,
- whether data subjects have effective remedies there, and
- whether supplementary technical or organisational measures are necessary.
3. Exceptions for certain cases pursuant to Art. 49 GDPR
In the absence of both an adequacy decision and appropriate safeguards, a transfer may only take place within the narrow limits of Art. 49 GDPR. The exceptional character must be maintained (cf. EDPB Guidelines 2/2018).
Important exceptions are:
- Explicit consent (Art. 49 para. 1 lit. a GDPR): The data subject must be comprehensively informed about the level of data protection in the recipient country. A revocation requires the deletion or return of the data.
- Important reasons of public interest (Art. 49 (1) (d) GDPR): These must be recognised under EU law or national law and relate to a particularly important protected interest (e.g. public health, pandemic control). In addition, the transfer must be necessary and proportionate.
- Transfers from public registers (Art. 49 para. 1 lit. g GDPR): only to the extent provided for by law and publicly accessible.
The persons concerned must be informed about the intended transfer to third countries and the basis for the transfer in each case.
Principle of storage limitation
Personal data may only be stored for as long as is necessary for the purposes for which it was collected and processed (Article 5 (1) (e) GDPR).
Exception: The GDPR provides for specific exceptions to the principle of storage limitation in Article 89 when personal data is processed for scientific or historical research purposes, statistical purposes or archival purposes in the public interest. Data may be stored for a longer period of time if this is necessary for the purposes mentioned. There must be appropriate safeguards for the rights and freedoms of data subjects, e.g. through pseudonymisation or anonymisation, where possible (i.e. not jeopardising the purpose of research).
The exceptions only apply if:
- exercising the data subject's rights would render impossible or seriously impair the achievement of the research purposes,
- the exceptions are necessary, and
- technical and organisational measures have been taken, e.g. pseudonymisation, access restrictions, data protection concepts.
To ensure good scientific practice, research data may be stored for at least 10 years.
The GDPR allows personal data to be stored for a longer period of time if it is carried out solely for scientific research purposes – provided that:
- appropriate safeguards such as pseudonymisation or anonymisation are provided (Art. 89 GDPR),
- the storage is proportionate to the research purpose,
- and no other purposes are pursued.
Data Protection Principles
The data protection principles of Art. 5 GDPR also form the foundation of all data processing in the research sector. They are intended to ensure that research is made possible, but at the same time the protection of the fundamental rights of the persons concerned is preserved. Article 89 (1) GDPR allows deviations from the principles (e.g. purpose limitation or storage limitation), provided that suitable guarantees (pseudonymisation, technical and organisational measures) exist.
1. Lawfulness, fair processing, transparency (Art. 5 para. 1 lit. a GDPR)
Research institutions may only process personal data on a valid legal basis (e.g. Art. 6 para. 1 lit. e GDPR in conjunction with Art. 89 para. 1 GDPR for public research, or Art. 6 para. 1 lit. f GDPR for private research, see Legal bases in connection with research). The processing must be fair and comprehensible for participants. Participants in a study must be informed in understandable language about the purpose, data types, recipients and storage period (Art. 13 GDPR).
2. Purpose limitation (Art. 5 para. 1 lit. b GDPR)
Research data may only be collected for clearly defined and legitimate research purposes. Further processing for new, compatible research purposes is permissible under Art. 5 (1) (b) and (2) GDPR, provided that Art. 89 (1) GDPR is complied with (e.g. by pseudonymisation). Data from a cardiovascular study may be used for a follow-up study on high blood pressure if the new purpose is compatible with the original research goal and the rights of the data subject are respected.
3. Data minimization (Art. 5 para. 1 lit. c GDPR)
Only the data that is necessary for the respective research purpose may be processed. Research institutions must regularly review the scope of the data collected and, if necessary, reduce it. In an epidemiological study, it is permissible to collect health and demographic data, but not the names of the treating physicians if these are not relevant for the analysis.
4. Accuracy (Art. 5 para. 1 lit. d GDPR)
Research data must be factually correct and up-to-date. In the case of pseudonymised data sets, it must be ensured that errors in the source data can be corrected. If an incorrect sample code is assigned in the laboratory, it must remain possible to correct it using the assignment table (under controlled access) so that results are not falsified.
5. Storage limitation (Art. 5 para. 1 lit. e GDPR)
Personal data may only be stored for as long as it is necessary for the research purpose. However, Art. 5 (1) (e) and (2) in conjunction with Art. 89 (1) GDPR allows longer storage if suitable safeguards exist (e.g. pseudonymization, access restrictions). Biobank samples may be archived on a long-term basis if they are pseudonymised and organisational protective measures (access control, purpose limitation) are implemented. If the research purpose is abandoned or an assignment is no longer necessary, the data must be anonymized or deleted.
6. Integrity and confidentiality (Art. 5 para. 1 lit. f GDPR)
Data must be protected against unauthorized access, loss or alteration. Research institutions are obliged to implement technical and organisational measures (Art. 32 GDPR). Health data in research databases is stored in encrypted form, and access is only granted to authorized researchers via a role-based access system.
7. Accountability (Art. 5 para. 2 GDPR)
The person responsible for the research (e.g. university, institute, sponsor of a study) must be able to prove that all the aforementioned principles are adhered to. This includes in particular:
- Record of processing activities (Art. 30 GDPR),
- Data protection concept with deletion and access regulations,
- Proof of consent or ethics votes.
In the event of a data protection audit by the supervisory authority, the institution must be able to document that data minimization, purpose limitation and storage limitation are systematically implemented.
Information obligations
The information obligations under Art. 13 and 14 GDPR regulate what information controllers must provide to data subjects about the processing of their personal data. Both articles serve transparency and fair processing (Art. 5 para. 1 lit. a GDPR). The difference lies in the time and source of the data collection:
Art. 13 GDPR – Obligation to provide information when data is collected from the data subject
1. Information pursuant to Art. 13 (1) GDPR:
In particular, the controller must inform the data subject at the time of collection:
- Name and contact details of the controller and, if applicable, its representative
- Contact details of the data protection officer
- Purposes of the processing and the legal basis
- If applicable, the legitimate interest (in the case of Art. 6 para. 1 lit. f GDPR)
- Recipients or categories of recipients of the personal data
- If applicable, intention to transfer data to a third country or to an international organisation, including reference to appropriate safeguards (Art. 46 et seq. GDPR)
2. Additional information pursuant to Art. 13 (2) GDPR:
Additional information is provided here to ensure the transparency and fairness of processing:
- Duration of storage or criteria for determining it
- Existence of the data subject's rights (access, rectification, deletion, restriction, objection, data portability)
- Existence of a right of revocation in the event of consent
- Right to lodge a complaint with a supervisory authority
- Whether the provision of the data is required by law or contract, or is necessary to enter into a contract, whether the data subject is obliged to provide the data, and the consequences of not providing it
- Existence of automated decision-making, including profiling, with meaningful information on the logic involved and the implications
3. Supplementary obligations:
- A change of purpose (Art. 13 para. 3 GDPR) obliges the controller to inform the data subjects again.
- According to Art. 13 (4) GDPR, an exception to the obligation to provide information only exists if the data subject already has all the information – which rarely happens in practice.
Art. 14 GDPR – Obligation to provide information when data is collected from third parties
If the data is not collected directly from the data subject (e.g. by third parties or public sources), Art. 14 GDPR applies.
1. In terms of content, Article 14(1) and (2) of the GDPR contains the same information as Article 13, supplemented by:
- Origin of the data and, if applicable, whether it comes from publicly available sources.
2. Timelines (Art. 14 para. 3 GDPR):
- information within one month of receipt of the data,
- at the latest at the first contact,
- or prior to initial disclosure to third parties.
3. Exceptions (Art. 14 para. 5 GDPR):
The obligation to provide information does not apply if, for example:
- the data subject already has the information,
- the provision of the information is impossible or requires a disproportionate effort,
- the provision of information would seriously impair the achievement of the purpose of processing (e.g. for official purposes or whistleblower protection),
- or the obtaining or disclosure of the data is expressly laid down by law.
The wealth of information can be limited in practice, e.g. by a "link solution", in which essential points are communicated directly and further details are made available via a website. The obligations also apply to further processing for other purposes (Art. 13 para. 3; Art. 14 para. 4 GDPR).
Rights of data subjects
The rights of data subjects ensure that natural persons have control over their personal data.
Right of access (Art. 15 GDPR)
The data subject can request information about the personal data that is processed about him or her.
Those affected can demand to know:
- whether and which personal data is processed,
- for what purposes,
- who is the recipient,
- how long the data will be stored,
- as well as the right to a copy of the data processed.
Right to rectification (Art. 16 GDPR)
Right to correction of incorrect data or completion of incomplete data.
Right to erasure / "right to be forgotten" (Art. 17 GDPR)
Data must be deleted if:
- they are no longer necessary for the purposes for which they were collected,
- the consent has been revoked,
- they have been unlawfully processed, or
- the person concerned has lodged an objection.
This only applies if there are no legal obligations to the contrary, such as the legal retention of contract data of 7 years or health data of 30 years.
Right to restriction of processing (Art. 18 GDPR)
Processing may be temporarily suspended, for example during a check of the accuracy of the data.
Right to data portability (Art. 20 GDPR)
Data subjects can request to receive their data in a structured, commonly used and machine-readable format or to have it transmitted to another controller.
Right to object (Art. 21 GDPR)
The data subject has the right, under certain circumstances, to object to the processing of personal data concerning him or her.
Data protection incidents
Data protection incidents = Data Breach = Data protection violation
A data protection incident occurs when personal data has been lost, destroyed, altered or disclosed without authorisation.
Examples:
- Loss or theft of a USB stick/notebook/mobile phone with personal data
- Hacker attack on a database
- Incorrect sending of e-mails with personal data to the wrong recipients
- Deletion of data as a result of a server error without backup
- Unauthorised publication of personal data on the Internet
Information on how to deal with data protection incidents at the university can be found here.