Austria

NAME OF LAW

Bundesgesetz, mit dem das Datenschutzgesetz 2000 geändert wird (Datenschutz-Anpassungsgesetz 2018) [Federal Act amending the Data Protection Act 2000 (Data Protection Amendment Act 2018)]

Status: Adopted

LAWFULNESS OF PROCESSING (ART 6)

No Deviation

CHILD'S CONSENT (ART 8)

SPECIFYING PROVISION:

For information society services offered directly to children, consent within the meaning of Art 6(1)(a) GDPR is valid if the child has reached 14 years of age (§ 4(4) DSG 2018).

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

No Deviation

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

SPECIFYING PROVISIONS:

Processing of personal data relating to acts or omissions that are punishable under criminal or administrative provisions—especially regarding the suspicion of commission of a crime—as well as data relating to criminal convictions or preventive measures is permitted if:

  1. An express statutory authorization or duty to process such data exists.
  2. The permissibility of processing such data otherwise results from statutory duties of care, or the processing is necessary to pursue the legitimate interests of the controller or of a third party under Art 6(1)(f) GDPR, and the manner in which such data are processed safeguards the interests of the data subject in accordance with the GDPR. (See § 4(3) DSG 2018).

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

No Deviation

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

RESTRICTING PROVISIONS:

  1. Right to Rectification (Art. 16 GDPR): If data processed by automated means cannot be rectified immediately because, for technical or economic reasons, rectification can only take place at a particular point in time, processing of the data must be restricted under Art 18(2) GDPR until they can be rectified (§ 4(2) DSG 2018).
  2. Right to Erasure (Art. 17 GDPR): If data processed by automated means cannot be erased immediately because, for technical or economic reasons, erasure can only take place at a particular point in time, processing of the data must be restricted under Art 18(2) GDPR until they can be erased (§ 4(2) DSG 2018).

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

ADDITIONAL PROVISIONS:

  1. Ad hoc authorization request for scientific or statistical processing – If no statutory grounds supporting scientific research or statistical processing are present, controllers must apply to the Austrian DPA for authorization. (§ 7(3) DSG 2018).
  2. Authorization request for transfers of address data – If statutory grounds supporting the “transfer of the address data of a large group of persons” are not present, the controller wishing to conduct the transfer must apply to the Austrian DPA for authorization. (§ 8(3) DSG 2018).

SECURITY OF PROCESSING (ART 32)

ADDITIONAL REQUIREMENT:

In the CCTV monitoring context:

  1. Controllers must implement “suitable information security measures” that are tailored to the risk and must ensure that no unauthorized access to CCTV recordings and unauthorized alteration of CCTV recordings occur.
  2. When not using CCTV for live real-time monitoring, controllers must log every processing performed on CCTV data.
  3. Recordings must be deleted within 72 hours, unless the controller can document and justify a longer retention period.

(See § 13 DSG 2018).

DATA BREACH (ART 33 & 34)

No Deviation

DATA PROTECTION OFFICER (ART 37(4))

ADDITIONAL PROVISIONS:

  1. Duty of Confidentiality: DPOs and all persons working for them are bound to maintain confidentiality regarding the fulfillment of their tasks. This duty exists in addition to any other duties of confidentiality they may be subject to, and survives the termination of the DPO’s service as DPO.

  2. Evidentiary Privilege: If the DPO learns of any matter that is subject to a statutory evidentiary privilege, the privilege can also be exercised by the DPO and his/her staff to the extent that the privilege holder has elected to exercise it.

(See § 5(1), (2) DSG 2018).

DATA TRANSFER DEROGATIONS (ART 49(5))

No Deviation

POWERS SUPERVISORY AUTHORITIES (ART 58)

SPECIFYING PROVISIONS:

The Austrian DPA is expressly authorized to:

(a) Request information, require production of documents, and require descriptions of data processing.

(b) Conduct on-site inspections, operate data processing systems, and make copies of data storage media.

(c) Impose interim emergency measures to protect duties or obligations of confidentiality, such as suspending processing in whole or in part.

(d) Impose monetary fines on natural and legal persons.

(See § 22 DSG 2018).

Decisions by the Austrian DPA may be appealed to the Austrian Federal Administrative Court (Bundesverwaltungsgericht) (§ 27 DSG 2018).

CLASS ACTIONS (ART 80 (2))

SPECIFYING PROVISIONS:

Nonprofit organizations active in the field of data protection may represent individual consumers in:

(a) Proceedings before the Austrian DPA.

(b) Challenges of Austrian DPA rulings before the Austrian administrative courts.

(c) Civil suits against data controllers in the Austrian civil courts, including suits for damages.

(See § 28 DSG 2018).

Suits for damages are subject to “the general provisions of civil law” (§ 29 DSG 2018).

ADMINISTRATIVE SANCTIONS (ART 83)

RESTRICTING PROVISIONS:

1.  The Austrian DPA can impose monetary sanctions against legal persons if a violation of the GDPR and either § 1 DSG 2018 or Chapter 1 DSG 2018 has occurred, and either:

(a) The violation was committed by a person who had a “leadership position” in the legal person; or

(b) The violation was made possible by negligent supervision of other employees by a person in a “leadership position.”

2. No fines are permitted against governmental entities or other public controllers.

See § 30 DSG 2018.

PENALTIES (ART 84)

No Deviation

HR PROCESSING (ART 88)

SPECIFYING PROVISION:

The Austrian GDPR implementation statute states that the Austrian Works Constitution Act (Arbeitsverfassungsgesetz) constitutes a law implementing Art 88 GDPR, to the extent that it regulates the processing of personal data (§ 11 DSG 2018).

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

SPECIFYING PROVISIONS:

1. Conditions for Scientific Research or Statistical Processing: Personal data may be processed for scientific research or statistical purposes if:

(a) It is publicly accessible;

(b) The controller obtained the data through other investigations or for other purposes via permissible means; or

(c) The data are pseudonymized for the controller and it cannot identify the data subjects via legally permitted means.

Personal data that do not fall into the above categories may only be processed for scientific research or statistical purposes:

(a) In accordance with specific statutory provisions;

(b) With the consent of the data subject(s); or

(c) With the authorization of the Austrian DPA.

2. Anonymization Requirement: Personal data must be anonymized as soon as the scientific research or statistical purposes no longer require identifiable data.

(See § 7 DSG 2018).

OBLIGATIONS OF SECRECY (ART 90)

SPECIFYING PROVISIONS:

Austria maintains the doctrine of “data secrecy”: In addition to any other obligations of secrecy or confidentiality imposed by law, controllers, processors, and their personnel must keep confidential all personal data that they obtain in the course of their professional activity, except to the extent that the law permits the disclosure or transfer of such data. (See § 6 DSG 2018).

LOCAL DPA GUIDANCE & LEGAL SOURCES