Jusletter IT

Data Analysis vs. Data protection

  • Authors: Katharina Maimer / Jonathan Bisset
  • Category: Articles
  • Region: Austria
  • Field of law: Data Protection
  • Citation: Katharina Maimer / Jonathan Bisset, Data Analysis vs. Data protection, in: Jusletter IT 6 June 2012
Data privacy is regarded as a fundamental freedom, but where data are involved, so are the interests of the companies processing and analysing them.

Table of contents

  • 1. Introduction
  • 2. Data Privacy Law
  • 3. Protected Data
  • 4. Consent
  • 5. Statistics and indirect personal data
  • 6. Disconnecting Data
  • 7. Database implications
  • 8. The importance of expired data
  • 9. References

1. Introduction

[1]
Over its lifespan, a company collects vast amounts of data on employees, customers, competitors, business partners, stock and more. These can be used for multiple purposes, from marketing and risk analysis to crime prevention or sales performance. The more data you have, the more accurate and useful any analysis of it should be. Many companies invest strongly in data acquisition, buying in more data or having their customers sign wide-reaching data privacy clauses in their general terms of contract. Even after the data have been legally received, there are still many cases where they have to be erased again, such as on demand from the legal data subject. Whilst the data were held by the company, it had multiple possibilities of making more use of them through various types of analysis. Whether used by a single financial analyst to set budget forecasts or by a whole team of marketing analysts seeking to identify product catchment areas, the value of data should come as no surprise to anyone. Only the technical abilities and the legal framework have changed over time.
[2]
Challenges arise when the company has to get rid of data - especially personal data - whilst trying to retain as much value as possible. Removing entire customer histories is rarely desirable and can have a negative impact on the ability of the data to represent the population and thus reduce the accuracy of any analysis undertaken. Some balance must be struck between the customer's desire for anonymity and the usefulness of the database in the future.

2. Data Privacy Law

[3]
The Data Privacy Directive is the legal framework for all data processing in the EU. Data privacy is one of the fundamental rights and freedoms of natural persons in the EU. In Austrian law, data protection is a constitutional right under Article 1 of the Datenschutzgesetz (Data Protection Code, DSG). The Charter of Fundamental Rights of the European Union also states in Article 8 a right to the protection of personal data.

3. Protected Data

[4]

In the directive, as well as in national law, only personal data are protected. Personal data, as defined in the directive, are data related to an identified or identifiable natural person, no matter whether directly or indirectly. Reference numbers or descriptions of the data subject which are specific to this person are sufficient under the directive to make someone identifiable. Austrian law distinguishes between «personal data» and «indirect personal data» (where an identification cannot be achieved by legal means). Indirect personal data are therefore less protected. If the data are anonymous and it is impossible to identify the subject behind them, they are no longer considered «personal data» and are therefore irrelevant from a data protection law standpoint.

4. Consent

[5]
In many practical cases the data subject gives his consent to the processing of his personal data. This could be done for information (e.g. a newsletter), membership or loyalty cards, and much more. Especially in the case of loyalty cards, the information collected about the subject is extensive and valuable. A full shopping history of a consumer can give a company many leads to help decide stock purchases, adjust local prices or send out more focused marketing material.
[6]
For direct marketing and newsletters particularly, but also with loyalty cards, this consent can often be withdrawn by the data subject. The easiest way for the data manager to comply is to erase all the data in connection with this customer, even though it would mean losing valuable data and findings of the analysis done on the data. Were it technically possible to delete those parts of the collected data that link to the data subject, what remained could be excluded from the scope of the directive, yet still have value for the data users. Without the core information about a customer, a company would still be able to draw conclusions and analyse customer behaviour patterns, even if the direct and personalised marketing value is gone.
[7]
Consent is often given by agreeing to general terms of service and the data privacy clauses within them. Within these clauses, a company has to state specifically for which purposes the data are collected. The DSG states specifically that data can only be collected for predefined, clear and legal purposes.
[8]

This definition is not completely clear, since the standard terms «accounting», «marketing» or «statistics» can mean little to the end user, who may be unaware of what analysis is technically capable of extracting from the data they have provided. Not only do the purposes and fields often have to be registered with the Austrian Data Protection Commission (DSK), any forwarding of the data also has to be legally justifiable. This particularly includes forwarding the data to a different company or legal entity.

5. Statistics and indirect personal data

[9]

§ 46 DSG states a very explicit exemption from the restrictions on data usage for scientific and statistical purposes. This restriction only applies to data that are «indirectly personal» for the entity processing them. Data that already existed at the controller for other purposes may also fall under that exemption.

[10]
For all personal data, Abs 2 applies: to rely on the exemption for scientific use, the processor requires either the consent of the data subject, or processes on legal authority or with the approval of the DSK. Both statistics and research have to be scientific, otherwise the qualification would not be justifiable.
[11]
The freedom of science is, like data privacy, a fundamental freedom. This regulation tries to balance both fundamental rights, but there has not been a ruling by the Austrian Constitutional Court (VfGH) to specify the border between them.
[12]

Many companies now have substantial R&D departments, making use of advanced statistical methodologies and staffed by analysts with qualifications more than sufficient for scientific study, because the entity processing the data needs to be qualified in the specific field. Even if a different entity, like a university institute, conducts the research and analysis, the financing body can also be the one providing the data. Also, as defined for the specific research, the «public interest», which is required for the approval of the DSK, has to be stronger than the interest in privacy.

6. Disconnecting Data

[13]
Data held within a commercial environment in a structured database system, whether that be a simple customer management system or a large scale data warehouse, should normally be held in a format that separates customer personal data from operational data. Thus any single customer record may be associated with anywhere from one to thousands of other records in related data tables, whether they be sales transactions, invoice payments, visits to a health club or internet usage logs, all linked by a unique identifier.

7. Database implications

[14]

Depending on the structure of the data environment, the approach to removing personal data whilst maintaining a useful set of historic operational data should be considered in advance as part of the database design process. In some cases, removing a single data item could have the effect of removing all linked data items (a «cascading delete»), whilst in others it may be perfectly possible to remove an entire customer record without affecting any other data. The former option could certainly clear the system of any remaining personal data, but by removing operational data, this could negatively affect future analysis or even result in the company misreporting financial information.

8. The importance of expired data

[15]

In order to maintain data integrity whilst erasing personal customer data, a system should have the ability to fully close down a customer identifier. This may be as simple as replacing name, address, e-mail and telephone numbers within the personal data table with some form of «dummy» data, but the data manager should not miss an opportunity to capture additional data, such as the lifespan of the customer account, the reason for the erasure demand (if supplied) and the date of closure. By doing so, the company can not only continue to use the operational data, free from linkage to any personal identifier, but can start to build an analysis of «erased customers», possibly being able to identify patterns that could indicate potential future loss of customers, turning a loss of business into an opportunity to learn more about customer preferences.
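
One way to implement the «closing down» of a customer identifier described in sections 7 and 8, as an added example that is not part of the original article. The table and column names, the reason codes and the sample rows are assumptions constructed for illustration; SQLite stands in for the company database.

```python
import sqlite3
from datetime import date

SCHEMA = """
CREATE TABLE customer (
    id INTEGER PRIMARY KEY, name TEXT, address TEXT, email TEXT, phone TEXT,
    opened_on TEXT NOT NULL, closed_on TEXT, lifespan_days INTEGER, erasure_reason TEXT);
CREATE TABLE sale (
    id INTEGER PRIMARY KEY, amount_cents INTEGER NOT NULL,
    -- RESTRICT, not CASCADE: deleting a customer cannot silently remove sales
    customer_id INTEGER NOT NULL REFERENCES customer(id) ON DELETE RESTRICT);
"""
# Coded reasons rather than free text, so the reason field cannot itself hold personal data.
REASONS = {"consent_withdrawn", "account_closed", "not_supplied"}

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces foreign keys only when enabled
    db.executescript(SCHEMA)
    return db

def close_customer(db, customer_id, closed_on, reason="not_supplied"):
    """Replace personal fields with dummy data and record closure metadata."""
    if reason not in REASONS:
        raise ValueError(f"unknown reason code: {reason}")
    with db:  # single transaction: all fields change or none do
        row = db.execute("SELECT opened_on, closed_on FROM customer WHERE id = ?",
                         (customer_id,)).fetchone()
        if row is None:
            raise KeyError(customer_id)
        if row[1] is not None:
            return False  # already closed; keep the original closure data
        lifespan = (closed_on - date.fromisoformat(row[0])).days
        db.execute(
            "UPDATE customer SET name = 'ERASED', address = NULL, email = NULL, "
            "phone = NULL, closed_on = ?, lifespan_days = ?, erasure_reason = ? "
            "WHERE id = ?",
            (closed_on.isoformat(), lifespan, reason, customer_id))
    return True

def demo():
    db = open_db()
    # Constructed sample data: one customer with two sales.
    db.execute("INSERT INTO customer (id, name, address, email, phone, opened_on) VALUES "
               "(1, 'Jane Example', '1 Sample St', 'jane@example.org', '555-0100', '2010-01-01')")
    db.executemany("INSERT INTO sale (customer_id, amount_cents) VALUES (1, ?)", [(1250,), (830,)])
    close_customer(db, 1, date(2012, 6, 6), "consent_withdrawn")
    person = db.execute("SELECT name, email, lifespan_days, erasure_reason "
                        "FROM customer WHERE id = 1").fetchone()
    revenue = db.execute("SELECT SUM(amount_cents) FROM sale").fetchone()[0]
    return person, revenue
```

The customer id survives as the link between rows, so whether what remains is still personal data depends on whether the operational records alone could identify the person, as section 3 describes.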

9. References

Bauer/Reimer, Handbuch Datenschutzrecht (2009) Facultas, Wien.

Dohr/Pollierer/Weiss/Knyrim, DSG² (2010) Manz, Wien.

Jahnel, Handbuch Datenschutzrecht (2010) Jan Sramek, Wien.

Mayer-Schönberger/Brandl, Datenschutzgesetz² (2006) Linde, Wien.


K. Maimer; Legal Counsel, T-Systems Austria

J. Bisset; Credit Risk Analyst, Erste Group