By Birgit Vogt Majarek and Stefan Burische.Firm: Schima Mayer Starlinger
The Austrian Federal Administrative Court has recently annulled the first administrative penalty imposed by the Austrian Data Protection Authority based on the new provisions of the GDPR due to procedural irregularities.
In September 2018, the Austrian Data Protection Authority imposed one of the first penalties for unlawfully operating video surveillance based on the GDPR in Europe. In its decision, the Data Protection Authority concluded that a betting shop that used video surveillance was not only filming the direct entrance to the business premises of the shop but also the public parking and traffic areas in front of it, thus going far beyond the area where filming was necessary to achieve the video’s purpose (i.e. protection of property). In addition, the Data Protection Authority claimed that the video surveillance was not suitably disclosed, the statutory maximum storage period of 72 hours for video recordings was not observed and no protocols were kept of the processing operations, leading to a total fine of EUR 4,800 imposed by the Data Protection Authority on the company.
The company appealed against the decision and in its current ruling (dated 19 August 2019) the Austrian Federal Administrative Court annulled the administrative penalty imposed by the Austrian Data Protection Authority due to procedural irregularities.
According to Austrian jurisdiction, the Data Protection Authority can impose administrative fines on a legal entity for violations of the GDPR and the Austrian Data Privacy Act respectively, if the violations are committed by individuals who hold a leading position in the legal entity concerned or if the violations are caused by lack of supervision or control by a person in a leadership role. However, neither the decision nor any other procedural act of the Data Protection Authority indicated what behaviour by which individual had led to the infringements and was therefore attributable to the legal entity and could therefore be used as a basis for the administrative fine imposed. As the leading individual required was never named and thus never specified by the Data Protection Authority within the statutory time limits for prosecution, the Federal Administrative Court had to annul the administrative penalty imposed on the company.
Austrian Federal Administrative Court decision which was published recently is of interest since it has the effect of annulling one of the first penalties imposed for unlawfully operating a video surveillance based on the GDPR in Europe. Apart from continued understaffing of the Data Protection authorities given the additional duties created by the entry into force of the GDPR and its implementation into national law, this is probably also due to DPAs’ uncertainties in dealing with the new provisions of the GDPR in the first months after its implementation. Based on the list of decisions issued by the Austrian Data Protection Authority to date, and based on our practice, we believe the Austrian authorities have taken on board the provisions of the GDPR in the meantime.