
Data Protection in General

The internet has become more involved in our lives in recent years. Education, business, and entertainment are carried out via computers, smartphones, and tablets. In doing so, we acquire many services and applications, and at the same time we share our data with companies and institutions. The main purpose of data protection is to prevent the use of this data without the consent of the data owner. Otherwise, the fundamental rights of individuals, especially privacy, will be violated. Data protection tries to ensure that data processors are kept under control by introducing legal regulations in both the European Union and Austria, and violations are deterred with sanctions. The following explanations of terms will be useful for understanding data protection.

Personal Data: Any information belonging to a specific or identifiable person, or information that has a connection with a person.

Processing of Data: All kinds of activities carried out after the personal data is obtained, until the deletion or destruction of this data or until the data is no longer identifiable (until the data becomes anonymous).

Data Controller: The person or company who determines the purpose of the data processing and the means to be used for it, and who is responsible for establishing and managing the system necessary for recording the data.

Data Protection Officer: A person who works to protect data digitally and who holds a certificate in the field, obtained through the training he/she has completed.

External Data Protection Officer

A data protection officer is required under article 37 DSGVO for companies that systematically process personal data. In addition, if 20 employees process data in a company, that company must also have a data protection officer. Data protection officers supervise the activities regarding the processing of data and conduct compliance reviews. A data protection officer can be an employee of the company, or this task can be performed externally. External data protection officers are people who are not permanent employees of the company and often serve as data protection officers for many companies. They can be hired from companies that provide services in this field, or from individuals who provide this service on their own.

The services that external data protection officers will provide to a company can be listed as follows:

  • Supervision and control of compliance with legal regulations on data protection,

  • Consulting on data protection improvements that may affect the operation and activities of the company,

  • Ensuring that measures are taken that will cause the least harm to commercial activity while providing data protection,

  • Prevention of fines for violations,

  • Calculation of possible risks before starting data processing activity,

  • Implementation and conduct of data protection impact assessment under article 35 DSGVO,

  • Assistance in the preparation of data protection documents in accordance with article 5 paragraph 2 DSGVO and ensuring the legality of the actions of the data controller,

  • Drafting or adapting contracts, statutes or other legal documents,

  • Planning how to manage operational data protection and defining the organization.

In addition to the items listed, there are many other details, but the tasks an external data protection officer performs can generally be described in this way.

Certified Data Protection Officer

The title of data protection officer has become popular in recent years. However, many people still do not know what this profession involves or how to become a data protection officer. Data protection officers are essential for a successful and sustainable corporate operation. One of the conditions that must be met in order to become a data protection officer is to obtain a certificate. Candidates who have completed a certain period of training can start working as data protection officers after proving the knowledge they have acquired in the exam. Candidates who pass the exams obtain the Datenschutzbeauftragter qualification. With the certificate, it is possible to work in a company or to serve many companies externally. However, the certificate issued has an expiry date and is valid for 3 years.

Fundamental Regulations on Data Protection

There are basically two legal regulations regarding data protection in Austria: the Data Protection Act (DSG) and the General Data Protection Regulation (DSGVO) published by the European Union. When the articles of the Data Protection Act are examined, it is seen that their provisions are complementary. This means that the rules set out in the Data Protection Act are essentially references to the General Data Protection Regulation. The General Data Protection Regulation establishes a general framework in this context and defines the rules and duties to be applied. Austria structured its legal regulation in this way as part of the harmonization process with the European Union. In other words, the law applied in Austria on data protection follows the general regulations found across the European Union.

Data Protection Impact Assessment (DPIA)

We mentioned that people share their data with a company or institution while using services and applications. The fact that these companies and organizations collect, store, or use data may lead to a violation of the rights of the person providing the data, and some risks also arise. These risks include revealing data that is meant to be kept confidential, using the data for different purposes following theft, or the data processor using the data for a purpose other than what is permitted. This is where the data protection impact assessment comes into play. A data protection impact assessment is the process created to identify the risks that may arise from the processing of data and to reduce these identified risks as quickly and effectively as possible. It is of great importance in terms of provability in the fields of risk management and compliance. The authorized institutions can even impose fines on those who do not comply with the data protection impact assessment requirements. If the data processors who are required to carry out the data protection impact assessment do not do so, make mistakes, or fail to apply to the competent authority in cases where this is required, fines are imposed of up to 10,000 € or 2% of the previous year’s turnover (both domestic and international), whichever of these two amounts is higher. Given this, the data protection impact assessment is a matter that companies must treat with importance and care.

Retention and Destruction Policy

Personal data can be stored in two ways, as seen in the table below. One of them is electronic storage. The other is in the form of physical documents, which is the more traditional method. One of the storage methods permitted by the laws on personal data should be chosen, and the storage should be carried out in accordance with the law. In this context, the maintenance of data protection comes to the fore.


The data processor must exercise the necessary care and fulfill its obligations when storing the data, and must maintain its protection. Data that no longer needs to be stored for the purpose of use must be destroyed. How data is destroyed may vary depending on the storage method used. For example, when the period stipulated by the law for the use of the data on the server expires, the data processor's access to this data should be revoked and the data should be deleted.