Authors: Birgit Vogt Majarek and Karoline Saak 

Firm: Schima Mayer Starlinger

The GDPR has now been in force for a year. This article looks back at legislative developments, fines and investigations by the Data Protection Authority and trends in the treatment of data protection issues by the courts in Austria.

In Austria, first breaches of the GDPR can basically only be sanctioned by a warning; the Austrian Data Protection Authority (DPA) imposes fines from the second breach onwards.

So far three fines have been imposed by the Austrian DPA, all of which involved illegal video surveillance. The fines ranged from EUR 300 to 4800.

The Austrian Data Protection Act (Datenschutzgesetz 2000, ‘DSG’) has made use of the scope for making separate rules in Article 88 of the GDPR. Section 11 DSG (based on which the penalty provisions of Article 83 (2) to (6) GDPR are applied) was amended in such a way to ensure proportionality is maintained. Hence, particularly in the case of first-time infringements, the DPA will make use of its remedial powers in accordance with Article 58 of the GDPR, that is, by issuing a warning.

During the past year Austria has imposed very few fines. The DPA judgments issued since the new GDPR legislation came into effect have mainly concerned first findings of infringements and associated warnings. As far as can be anticipated, the DPA seems to stick to the approach described above, issuing a warning for first-time infringements. So far, the DPA seems not to have judged a breach of data protection to be severe enough to oblige it to impose fines right away.

One of the most recent DPA decisions from December 2018 shows an interesting trend regarding the definition of ‘the data subject’s right to deletion of data’ and whether anonymising by removing individual personal references to a person already satisfies the data subject’s righto deletion of data.

The Austrian DPA ruled that the data controllers (and not data subjects) have the right to choose the appropriate technical and/or organisational security measures for the retention of data and that the removal of individual references is, in principle, a legitimate way to comply with a request for deletion, since the GDPR does not apply to data without personal references (i.e. to anonymised information).