When introducing the concept of indirectly personal data, the Austrian legislators referred on the face of the bill before Parliament to Article 2 (a) of the Directive and, in particular, to the phrase ‘…an identifiable person is one who can be identified, directly or indirectly…’. This suggests that a deliberate decision was made to distinguish between persons who can be identified directly (and for which the full force of the Austrian Law applies) and those persons who can only be identified indirectly – hence the concept of indirectly personal data. In the eyes of the legislators, indirectly personal data did not require the full range of protection that directly personal data required. There may additionally have been commercial and practical reasons considered by the legislators why to require organisations to treat indirectly personal data in the same way as directly personal data made no sense.
This is how I've been told Austrian Law treats indirectly personal data below:
Use of only indirectly personal data shall not constitute an infringement of the fundamental interest in secrecy that deserves protection under s. 1 (1).
9 (1) (2)
Use of sensitive data does not infringe interests in secrecy deserving protection only and exclusively if data are used only in indirectly personal form.
Transborder data exchange shall not require authorisation if data are transferred or committed that are only indirectly personal to the recipient
There is no requirement to notify the Data Protection Commission where the data application only contains indirectly personal data.
There is no duty to provide information to data subjects when collecting data where such data is not subject to notification under s. 17 i.e. this would include the use of indirectly personal data.
The rights granted under s. 26 – 28 cannot be exercised insofar as only indirectly personal data are used.
Section 26: right of access
Section 27: right of rectification/ erasure
Section 28: right to object
For the purpose of scientific or statistical research projects where the goal is not to obtain results in a form relating to specific data subjects, the controller shall have the right to use all data that are only indirectly personal for the controller.
Where the use of data in a form which permits identification of data subjects is legal for purposes of scientific research or statistics, the data shall be coded without delay so that the data subjects are no longer identifiable if specific phases of scientific or statistic work can be performed with indirectly personal data only