Austria: New EU data protection law: Principles on the processing of personal data

The new European General Data Protection Regulation (GDPR) will apply directly from 25 May 2018 across all EU member states, and will affect companies worldwide who do business on the European market. It ensures a higher level of protection of the personal data of EU citizens. The principles, which must be complied with whenever personal data is processed, are laid down in Subsections 1 and 2 of Article 5 of the GDPR and are as follows:

Lawfulness; fairness; transparency

The processing of personal data must be carried out on a legal basis (consent or other legitimate basis). Data must be processed in a fair and transparent way which is comprehensible for the person involved. Information on the processing shall be provided to the affected person in a clear and plain language and in a precise, transparent, easy to understand and easily accessible format.

Purpose limitation

Data may only be collected for determined, explicit and legitimate purposes. Further, processing of such data is allowed only where the processing is compatible with the purpose for which the data were initially collected. In many cases, the balancing of interests between the controller and the affected person, which relates directly to the principle of purpose limitation, may constitute a legal ground for the processing. Therefore, the specific purpose for processing must be precisely determined for each individual case.

Data minimisation

The collection and processing of personal data shall be limited to what is indeed necessary for the purposes for which they are processed.


In the future, companies must be able to demonstrate that personal data is accurate and kept up-to-date. Consequently, inaccurate data is to be deleted or rectified without delay. Businesses are responsible for maintaining regular ‘update routines’.

Storage limitation

Personal data may be stored for no longer than is necessary in light of the purposes for which the personal data were processed. In addition, time limits for storage set forth by law shall also be complied with. Businesses shall consider whether pseudonymisation or anonymisation may be applied. Personal data which have undergone pseudonymisation cannot be attributed to a natural person without the use of additional information. For this purpose, technical and organisational measures shall be implemented.

Integrity, confidentiality

In order to prevent unauthorised or unlawful processing and accidental loss, destruction or damage of personal data appropriate measures shall be introduced. Such measures are to be taken especially in the fields of IT and organisation (e.g. access and authorisation concepts, encryption). In this respect, especially Article 32 (Security of processing) and Article 35 (data protection impact assessment) need to be observed. In the case of a personal data breach which is likely to result in a risk to the rights and freedom of natural persons, the controller shall notify the competent data protection authority. Where necessary – where the risk is high – the affected persons themselves must also be notified.


In accordance with the principle of accountability (Art. 5 Abs. 2) the companies shall be responsible for and be able to demonstrate compliance with the above mentioned principles by means of documentary evidence.

Should you have any queries, please do not hesitate to contact one of our offices.

Further articles on the topic "General Data Protection Regulation 2018"

  • GDPR – Fines up to EUR 20 Million
  • GDPR – Compliance check
  • GDPR – Sanctions and liability
  • GDPR – Data protection officer
  • GDPR – Data breaches
  • GDPR – Data transfer to third countries