The protection of your personal data is of great importance to us. This document describes why and how we process personal data we collect in connection with our role as an institution administering arbitrations and other alternative dispute resolution proceedings (in the following „proceedings“).
The present privacy statement is designed to be complimentary to the general privacy statement of the Austrian Federal Economic Chamber (AFEC), which is VIAC’s bearer organization. You can find it under the following link: https://www.wko.at/service/datenschutzerklaerung.html (see in particular 1.4 and 1.5).
Information regarding data protection in proceedings administered by VIAC
The data processing of VIAC is subject in particular to the provisions of the General Data Protection Regulation (EU) 2016/679 (in the following “GDPR”), which is as a regulation directly applicable in all Member States of the Union.
The scope and applicability of the GDPR are not determined by the seat of VIAC or the seat of the proceedings, but by whether the person responsible (e.g. party, arbitrator, other neutral third party, party representatives, translators, experts, etc.) is subject to the scope of application of the GDPR. Hence everyone participating in proceedings is obliged to verify if the GDPR is applicable to its data-processing and is to be qualified as a controller according to the rules of the GDPR. Please note that throughout proceedings it may occur that different data protection regimes are applicable. Each party involved no matter if they process data with or without the aid of automated processing, proceedings has to check which data protection regime applies to its data processing. Please note that where you provide any personal data relating to third parties with whom we have no direct relationship in the context of a VIAC proceeding, it is your duty to provide them with adequate notice that their data is being processed by VIAC and other data controllers.
Under the provisions of the GDPR, each individual is responsible for the lawful processing and transmission of data ("data controller“ as defined in the GDPR). Please note that according to the GDPR any data processing must be based on a lawful basis ("prohibition-exception principle"). It is a central element of the GDPR that each party involved (in particular each arbitrator) is responsible for compliance with the applicable data protection regulations.
In any case participants in a proceeding have to comply with the following data protection principles:
- lawfulness, fairness and transparency;
- purpose limitation (processing of data that has been collected for specified, explicit and legitimate purposes and are not processed in a manner that is incompatible with those purposes);
- data minimisation;
- accuracy (data needs to be accurate and where necessary kept up to date);
- storage limitation (data needs to be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed);
- integrity and confidentiality (data needs to be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures);
- accountability (the controller shall be responsible for and be able to demonstrate compliance.
Following the applicable data protection regulations, the parties to arbitration proceedings must ensure that the IT-systems and means of communication used comply with customary market security standards.
Administering proceedings / data processing of VIAC
The conduct of proceedings requires the processing of personal data relating to actual or potential arbitrators, mediators, expert determiners and individuals with similar functions, as well as the parties, their legal representatives, witnesses, and all other individuals that may be identified or identifiable in any data that is processed by VIAC in the context of actual or potential VIAC proceedings. VIAC processes data for the purpose of administering proceedings on the basis of Art 6 para. 1 lit e and/or f GDPR. We process all data necessary for the administration of the proceedings; without this data VIAC cannot administer proceedings.
Depending on the nature of the proceedings, the participants may send letters and documents, such as pleadings, witness statements, arbitral awards and other evidence or annexes, to VIAC. Insofar as the processing of the data contained therein is based on Art 6 para 1 lit f GDPR, it is done in order to pursue the legitimate interests of VIAC and the parties to the proceedings in the course of the proper conduct of proceedings.
VIAC is entitled to destroy the entire file of a case, with the exception of the award, at the end of proceedings (Art 12(9) in conjunction with Art 34 and 35 Vienna Rules). VIAC will retain your personal data for the period necessary to fulfill the purposes outlined in any applicable rules. Arbitral awards will be kept for 10 years after the case has ended, - unless longer retention seems appropriate. After that period, arbitral awards are retained only for research and statistical purposes.
Data-transmission in VIAC proceedings
Data will be transferred to other persons as far as it is necessary to perform administration of the proceedings. This includes that data may also be transferred outside the EU or EEA. The legal basis for the transmission is contained in Art 49 GDPR: the transfer is necessary for the establishment, exercise or defence of legal claims (lit e).
We recommend that parties take into account before announcing the arbitrator or other experts that they can be subject to different data protection regulations. If parties want to make specific arrangements about data transfers with the chosen arbitrator, we advise to do so prior to nomination.
Administering proceedings via the VIAC Portal / Information regarding joint controllership
Users of the VIAC Portal have agreed that VIAC and the user may make use of certain collaboration tools throughout the usage of the VIAC Portal. Insofar as VIAC and the user jointly determine the purpose and means of the processing of personal data they qualify as joint controllers. The rights and obligations of VIAC and the users for the joint processing of personal data contained in user content via the collaboration tools provided on the VIAC Portal are defined in the Joint Controllership Agreement (found here). The scope of the Joint Controllership Agreement is limited to data processing on the VIAC Portal. Any data processing outside the VIAC Portal lies within the sole responsibility of the respective joint controller.
Limited to the context of the joint controllership and to the relationship among the joint controllers, VIAC is solely responsible for providing and operating (however, not for the use of) the technical infrastructure of the VIAC Portal. Regarding personal data stored or otherwise processed on the VIAC Portal, VIAC is solely responsible for complying with requests for rectification and erasure, restriction of data processing and data portability as well as objections by data subjects.
Suggestions for arbitrators and other neutral third parties to clarify data protection conditions in proceedings
Arbitrators and other neutrals are required to point out to the parties involved in the proceedings that
- the data processing must be carried out in proceedings in accordance with the applicable data protection regulations (it is useful to specify which party of the proceedings is subject to which data protection regime);
- in principle, anyone who processes and transmits data is responsible for ensuring that the data is collected, processed and transmitted in accordance with the applicable legal provisions and that each party involved is responsible for complying with the obligations imposed on it by the applicable legal provisions (in particular information obligations).
It is recommended that arbitrators and other neutrals clarify the applicability of data protection regulations and the effects on the conduct of the proceedings at the beginning of the proceedings (e.g. in a "data protection protocol").
Events and publications
In connection with events and publications, please see the privacy statement of the AFEC (point 1.1 for members or point 1.4 for non-members). VIAC processes data for the purpose of such events or publications in accordance with the legal provisions mentioned therein as well as in accordance with Art 6 para 1 lit b GDPR to the extent necessary for the performance of a contract. VIAC may store your data for such duration as necessary for the fulfilment of the purpose or for the compliance with statutory retention obligations. Insofar as this is necessary to fulfil a contract in connection with events or publications, your data may also be transferred outside the EU or EEA. This is an exceptional case according to Art 49 para 1 lit b or c GDPR (fulfilment of a contract).