On Friday 12 May 2017 the first draft of the new Austrian Data Protection Act (the "Draft Act") was published. This constitutes a complete refresh of Austrian data protection laws that is limited to the necessary provisions while still being systematic and easy to understand. The Draft Act also reflects practical issues and does not provide too many local deviations. The Draft Law: (i) changes some relevant Austrian laws in order to comply with the GDPR standards (e.g. special conditions for CCTV); and (ii) uses just a few flexibility clauses to provide minor deviations. The five most relevant changes are as follows:
- Data of legal entities no longer subject to data protection provisions;
- There is no stricter obligation for private companies to appoint a data protection officer beyond the requirements of the GDPR;
- There are no additional provisions for the record of processing activities and the data privacy impact assessment;
- Data protection authorities may impose fines directly against legal entities; and
- Administrative penalties of up to EUR 50.000 for violations of the Austrian-specific provisions.
Overall, the proposed changes appear very well balanced and it is hoped that the Austrian legislator will – despite the breakup of the coalition and upcoming elections – agree on the final version as soon as possible so that companies have enough time for the implementation.
To the extent that organisations process personal data in Austria, they should familiarise itself with the provisions of the Draft Act and continue to monitor its progress.
Submitted by Felix Hörlsberger and Nino Tlapak of DORDA Rechtsanwälte GmbH – Vienna, Austria in partnership with DAC Beachcroft LLP