Austria is the second EU country after Germany that has adopted a new national Data Protection Act (the “New Act”) implementing the GDPR. The New Act, which was officially published on July 31, 2017, will amend the current Data Protection Act and become applicable at the same time as the GDPR. Companies that fall within the New Act’s scope will therefore not only have to comply with the GDPR but also with the New Act.

The General Data Protection Regulation (GDPR), which overhauls data protection laws in all 28 EU Member States, will become applicable in 248 days. It will be the primary framework for processing of personal data directly applicable in all EU Member States – still, the GDPR but it is not all-encompassing. There are a number of areas in the GDPR where Member States will have to add their own rules to make it operational or add provisions to introduce local variations on the law (e.g., rules for data processing in the employment context and processing of sensitive personal information).

Highlights of the New Act

Unlike the GDPR implementation act in Germany, the New Act is relatively reserved in adding national variations. The main points under the New Act specific to Austria are:

  • Application to legal persons. As is currently also the case under Austrian privacy law, the fundamental right to data privacy will still apply in Austria not only to natural persons, but also to legal persons. By contrast, the GDPR and most EU national privacy laws only apply to personal information pertaining to natural persons.
  • Consent of children. The New Act sets fourteen as the age at which a child can express a valid consent to processing their data, thereby using the flexibility offered by the GDPR to set a lower age. The GDPR establishes sixteen as the default age for children.
  • Processing of criminal convictions and offenses by private entities. Article 10 of the GDPR states that information regarding criminal convictions and offenses may only be processed if authorized by Member State law. Paragraph 4, Section 3 of the New Act provides for this possibility in Austria. Apart from a general reference to processing such information pursuant to a legal authorization or obligation, the New Act also indicates that such information may be processed if necessary for the purposes of legitimate interests (in the sense of Art. 6 (1)(f) GDPR). This is a distinct possibility that we have not yet seen in other (draft) implementation acts, and which would significantly change the restriction introduced by Article 10 of the GDPR.
  • Processing of photographic or video materials. The New Act contains specific regulations on the permissibility of processing personal information contained in photographic or video materials. It regulates the use of CCTV on public and private property, as well as the use of video recording for the purpose of monitoring employees.
  • Processing of employee information. Paragraph 11 of the New Act specifically mentions that the current privacy-related provisions of the Labor Relations Act will remain applicable to the processing of employee information. The GDPR provides for this possibility in Article 88 of the GDPR, where Member States may determine specific rules for employment-related data processing.
  • Fines imposed on legal entities. Paragraph 30 of the New Act provides specific rules to levy administrative fines on legal entities.

The New Act is available here (in German).