Austria: New data protection legislation 2018

On 25.05.2018 new data protection regulations will come into force.

The General Data Protection Regulation (GDPR)
The aim of the new EU regulations is to create uniform data protection law throughout the European Union. However, the escape clauses it contains make it possible for the continuation of country-specific regulations within individual national legislation.

The Austrian Data Protection Amendment Act 2018
The Austrian Data Protection Amendment Act 2018 will amend the existing Data Protection Act, which has been in force since the year 2000. Among other provisions it contains detailed stipulations relating to data protection officers, the structure of Austria's data protection authority and the processing of images, together with further regulations relating to data processing security.

What action may be necessary?
In comparison to the currently applicable Data Protection Act from the year 2000, the GDPR imposes significantly more obligations on public authorities and private companies as the controller of the data processing.

In order to meet these obligations in the best possible way it is advisable for companies to implement an internal data protection management system. Such a system should cover a number of requirements:

  • Creation of a list of processing operations
  • A risk analysis for the purpose of identifying risks involved in processing operations – privacy impact assessment
  • Ensuring compliance with data protection principles
  • Implementing appropriate technical and organisational data security measures
  • Protecting the rights of data subjects
  • Introducing a process of consent
  • Complying with duties to provide information
  • Identifying processors and creating contractual framework provisions
  • Ensuring privacy by design / privacy by default
  • Introducing a data breach process
  • Appointing a data protection officer (where legally required)
  • Drawing up an internal privacy policy
  • Carrying out employee training on the subject of data protection
  • Checking on the transmission of data to non-EU countries and obtaining approvals where necessary


Penalties

A breach of the provisions of the GDPR could lead to financial penalties of up to EUR 20 million or 4% of global annual turnover for the previous business year

It remains to be seen how high the financial penalties will actually be. However, it can at all events be expected that the data protection authorities will carry out more frequent and stringent checks.

Accordingly, because of their accountability public authorities and companies will in future need to pay increased attention to personal data in order to fulfil their responsibilities towards the data protection authorities and to protect the rights of the data subjects.

As partners with great experience and extensive expertise in this field we will be glad to support you on all questions relating to the subject of data protection, as well as in establishing a data protection management system.


Authors:
Michael M. Pachinger & Julia Spitzbart