On 25 May 2018, Regulation (EU) No 2016/679 (hereinafter, the “EU Regulation”) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data entered into force in the EU.
The EU Regulation is directly applicable in Austria. Additionally, with regard to the few aspects left for regulation by the EU Member States, Austria adopted supplementary provisions in the Austrian Data Protection Act. Although the EU Regulation aims to protect the data of natural persons only, some Austrian legal commentaries suggest extending the protection to the data of legal entities as well. The Austrian Data Protection Act, however, no longer refers explicitly to data of legal entities.
Transfer of personal data to a third country (USA) is regulated in Art 44 et seq of the EU Regulation. In brief, a transfer of data first of all requires that the personal data was collected lawfully (see e.g. Art 6 of the EU Regulation). If this condition is fulfilled, the transfer is permissible if the EU Commission has established that the level of protection of personal data in the third country (USA) is equivalent to EU standards. Formerly, compliance with the EU-USA Privacy Shield was considered equivalent, but this is no longer applicable. On 10 July 2023, the EU Commission announced the adoption of a new decision on the EU-USA Data Privacy Framework, which introduced new binding safeguards to address concerns raised by the European Court of Justice and introduced a Data Protection Review Court (DPRC), to which EU individuals will have access.
If personal data is transferred to the USA for disclosure in an arbitration (i.e. not in the course of a commercial activity), Article 49 lit (e) of the EU Regulation will permit such transfer if “the transfer is necessary for the establishment, exercise or defence of legal claims”.