1. Introduction
2.
Data Privacy Law ^
3.
Protected Data ^
In the directive, as well as in national law, only personal data is protected. As defined in the directive, this is data that relates to an identified or identifiable natural person, whether directly or indirectly. Reference numbers or descriptions of the data subject that are specific to this person are sufficient under the directive to make someone identifiable. Austrian law distinguishes between «personal data» and «indirect personal data» (where an identification can't be achieved by legal means). Indirect personal data is therefore less protected. If the data is anonymous and it is impossible to identify the subject behind it, it is no longer considered «personal data» and is therefore irrelevant from a data protection law standpoint.
4. Consent
This definition is not completely clear when standard terms such as «accounting», «marketing» or «statistics» can mean little to the end user, who may be unaware of what analysis is technically capable of extracting from the data they have provided. Not only do the purposes and fields often have to be registered with the Austrian Data Protection Commission (DSK); any forwarding of the data has to be legally justifiable as well. This particularly includes forwarding the data to a different company or legal entity.
5. Statistics and indirect personal data
§ 46 DSG states a very explicit exemption to the restrictions of data usage for scientific and statistical purposes. This restriction only applies for data that is «indirectly personal» for the entity processing it. Data that already existed at the controller for other purposes may also fall under that exemption.
Many companies now have substantial R&D departments, making use of advanced statistical methodologies and staffed by analysts with qualifications more than sufficient for scientific study. This matters because the entity processing the data needs to be qualified in the specific field. Even if a different entity, like a university institute, conducts the research and analysis, the financing body can also be the one providing the data. In addition, the «public interest» in the specific research, a definition of which is required for the approval of the DSK, has to be stronger than the interest in privacy.
6. Disconnecting Data
7. Database implications
Depending on the structure of the data environment, the approach to removing personal data whilst maintaining a useful set of historic operational data should be considered in advance as part of the database design process. In some cases, removing a single data item could have the effect of removing all linked data items (a «cascading delete»), whilst in others it may be perfectly possible to remove an entire customer record without affecting any other data. The former option could certainly clear the system of any remaining personal data, but by removing operational data, this could negatively affect future analysis or even result in the company misreporting financial information.
8. The importance of expired data
In order to maintain data integrity whilst erasing personal customer data, a system should have the ability to fully close down a customer identifier. This may be as simple as replacing name, address, e-mail and telephone numbers within the personal data table with some form of «dummy» data, but the data manager should not miss an opportunity to capture additional data, such as the lifespan of the customer account, the reason for the erasure demand (if supplied) and the date of closure. By doing so, the company can not only continue to use the operational data, free from linkage to any personal identifier, but can start to build an analysis of «erased customers», possibly being able to identify patterns that could indicate potential future loss of customers, turning a loss of business into an opportunity to learn more about customer preferences.
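The following sketch shows one way to close down a customer identifier as described above while keeping the linked operational data. It is an added example, not part of the original article; the table and column names, the 'ERASED' dummy value and the sample rows are constructed assumptions.

```python
import sqlite3
from datetime import date

SCHEMA = """
CREATE TABLE customer (
    id INTEGER PRIMARY KEY, name TEXT, address TEXT, email TEXT, phone TEXT,
    opened_on TEXT NOT NULL,
    closed_on TEXT, lifespan_days INTEGER, closure_reason TEXT);
-- No ON DELETE CASCADE: operational rows must outlive the personal data.
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(id),
    amount_cents INTEGER NOT NULL);
"""

def make_db():
    """Build an in-memory database with one constructed customer and two orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO customer (id, name, address, email, phone, opened_on) "
        "VALUES (1, 'Erika Muster', 'Beispielgasse 1, Wien', "
        "'erika@example.org', '+43 1 0000000', '2009-03-01')")
    conn.executemany("INSERT INTO orders (customer_id, amount_cents) VALUES (1, ?)",
                     [(4990,), (12000,)])
    conn.commit()
    return conn

def close_customer(conn, customer_id, closed_on, reason=None):
    """Replace identifying fields with dummy data and record closure metadata."""
    with conn:  # single transaction: commits on success, rolls back on error
        row = conn.execute("SELECT opened_on, closed_on FROM customer WHERE id = ?",
                           (customer_id,)).fetchone()
        if row is None:
            raise KeyError(customer_id)
        if row[1] is not None:
            return False  # already closed; keep the original closure record
        lifespan = (closed_on - date.fromisoformat(row[0])).days
        conn.execute(
            "UPDATE customer SET name = 'ERASED', address = 'ERASED', email = NULL, "
            "phone = NULL, closed_on = ?, lifespan_days = ?, closure_reason = ? "
            "WHERE id = ?",
            (closed_on.isoformat(), lifespan, reason, customer_id))
    return True
```

Because the foreign key has no cascade rule, a plain `DELETE` of a customer that still has orders is rejected by the database, so the operational data cannot be removed by accident.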
K. Maimer; Legal Counsel, T-Systems Austria
J. Bisset; Credit Risk Analyst, Erste Group