NEWS
Category: LEGAL NEWS
Novelties in the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) entered into force on May 24, 2016, and will apply directly in Austria, as in all other EU Member States, from May 25, 2018. Until then, the current Data Protection Act (DPA 2000) continues to apply.
1. Application & Purpose
The GDPR aims to harmonize the data protection law of the EU Member States. At the same time, in certain respects it leaves the Member States room for manoeuvre. To this end the GDPR contains so-called opening clauses, which give the national legislators the opportunity to specify the provisions of the regulation in more detail or even to enact partially divergent special provisions.
It is therefore to be expected that national laws will accompany the implementation of the GDPR in Austria or flesh out its provisions in greater detail. Such laws are not yet available; a draft of the “Data Protection Amendment Act” is currently under review. The data protection law that will have to be observed in the future is therefore not yet known in every detail.
However, since the GDPR lays down minimum standards on the essential points and EU law in principle takes precedence over national law, no fundamental deviation from the GDPR is to be expected. The GDPR conversion process can therefore already be started now, and indeed should be.
The subject matter protected by the GDPR continues to be personal data, which the GDPR defines as any information relating to an identified or identifiable natural person.
Several important novelties of the GDPR are briefly described below:
2. Higher penalties
One reason the GDPR is currently so widely discussed is certainly its rules on sanctions. The GDPR provides for financial penalties whose amounts far exceed those that can be imposed under the current legal situation.
Certain violations can be punished with fines of up to EUR 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5) GDPR). Other violations may be sanctioned with fines of up to EUR 10 million or up to 2% of the total worldwide annual turnover, again whichever is higher (Article 83(4) GDPR).
The GDPR is therefore of far-reaching importance, in particular for corporate groups. Undertakings within the meaning of the GDPR are, in principle, all entities that carry out an economic activity in the widest sense. A parent company, for example, can form such an economic unit together with its subsidiary. The parent company could then be held liable for a data protection breach by the subsidiary, and the (worldwide) annual turnover of the group could be used as the basis for the level of the fine. For corporate groups there is therefore a significant risk of having to pay an exorbitant fine because of a data protection breach by a subsidiary.
It is argued that the principle of accumulation of Austrian administrative criminal law applies. Under this principle, penalties are imposed separately for each offence and then added together, and this also applies where several provisions are violated by a single act. In the worst case, therefore, a total penalty that clearly exceeds the maximum amounts mentioned above is possible.
The GDPR in principle makes the supervisory authority competent to impose these fines. In view of the amounts involved, however, it is questionable whether the Austrian legislature should not assign the sanctioning of data protection violations to the courts. Constitutional considerations, in any case, speak in favour of this.
3. Extended rights of data subjects
In line with the aim of the GDPR, the data subject should be informed of the existence of the processing operation and its purposes; controllers must ensure fair and transparent processing. This is to be ensured, in particular, by the following requirements:
- Information obligations: Controllers must meet information obligations towards data subjects that have been considerably expanded compared to the current legal situation. They differ depending on whether the personal data are collected directly from the data subject or obtained from other sources, and the point in time at which the information has to be provided depends on this as well. Information obligations arise in particular when data are collected, but also when data are received from third parties or disclosed to them.
- Right of access: The data subject has the right to obtain from the controller confirmation as to whether personal data concerning him or her are being processed and, if so, access to those data and related information. The request must be answered without undue delay and in any event within one month; this period may be extended by a further two months where necessary, taking into account the complexity and number of requests, provided the data subject is informed of the extension within the first month. If access is refused, the data subject may lodge a complaint with the data protection authority. Refusal is permissible only in certain circumstances.
- Right to erasure (“right to be forgotten”): Data subjects have extended rights; they are entitled to request the erasure (as well as the rectification) of their personal data, and controllers must comply with a justified erasure request without undue delay. This may involve considerable (administrative) additional effort for controllers, since in the case of erasure they may also be obliged to inform other controllers and recipients of the data about the erasure.
Violations of data subjects’ rights may be punished with the higher maximum penalty mentioned above (fines of up to EUR 20 million or up to 4% of worldwide annual turnover). Compliance with data protection law should therefore (also) have top priority in these areas!
4. Obligatory data protection officer?
The GDPR does not provide for a general obligation to appoint a data protection officer. The obligation exists only in certain cases: companies must appoint a data protection officer if their core activities consist of certain processing operations (in particular the regular and systematic monitoring of data subjects on a large scale, or the large-scale processing of special categories of data or of data relating to criminal convictions). The GDPR does not define when processing constitutes such a core activity, so difficult questions of delimitation can arise in individual cases. Clarification is nevertheless essential: violations of the GDPR’s provisions on the data protection officer can be fined with up to EUR 10 million or up to 2% of worldwide annual turnover.
A data protection officer is not a responsible representative within the meaning of administrative criminal law. Despite the appointment of a data protection officer, data breaches can therefore still result in (personal) liability of the persons authorized to represent the company (for example, the managing director or a board member).
5. Data protection by technology design (“Privacy by design”) / Data security
Appropriate technical and organizational measures must ensure that only as much personal data is processed as the specific purpose of the processing requires. Examples are the pseudonymisation or encryption of personal data, privacy-friendly default settings, ongoing security updates and, above all, the minimization of data processing in general: data use must be limited to what is necessary! An appropriate level of data security must also be ensured. These requirements will have to be taken into account, also from an (IT) perspective, when planning any data processing or product development.
Violations of these provisions can be fined with up to EUR 10 million or up to 2% of the total worldwide annual turnover. If technical and organizational measures in the sense described above have been implemented, this is taken into account in determining the amount of the fine, so that the implementation of privacy by design and data security measures is of crucial importance.
6. Obligations in the event of a data breach
If a personal data breach occurs, it must be notified to the data protection authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification must meet certain content requirements. It may also be necessary to inform the data subjects concerned.
Failures to comply with these notification obligations may be penalized with fines of up to EUR 10 million or up to 2% of the total worldwide annual turnover. For this reason, and especially because of the tight timeframe, preparing for a data breach emergency appears necessary; preparing a template for the notification may be helpful.
7. Data protection impact assessment
The obligation to carry out a data protection impact assessment is completely new. It is required where a processing operation is likely to result in a high risk to the rights and freedoms of natural persons. Such a risk is assumed, in particular, for the large-scale processing of sensitive data or data relating to criminal convictions and for profiling. The use of new technologies is also classified as risky.
The impact assessment must be carried out before the processing starts and may require prior consultation of the data protection authority. It serves to assess the risks and the possible consequences for the rights and freedoms of the data subjects.
Here, too, fines of up to EUR 10 million or up to 2% of the total worldwide annual turnover are possible.
8. Record-keeping obligation
Also new is the obligation of the controller (and of processors) to keep a record of all processing activities. Until now, data processing had to be notified to the data processing register (DPR). This obligation to notify an external body is dropped; instead, the GDPR requires an internal record to be kept (the “record of processing activities”). In terms of content, however, the record-keeping obligation is largely modelled on the DPR notification.
DPR notifications submitted to the data protection authority before the GDPR becomes applicable do not release controllers from the obligation to maintain an internal record of their data processing.
Breaches of the record-keeping obligation can be fined with up to EUR 10 million or 2% of worldwide annual turnover.
9. Contracts with data processors
If a processor (under current law: a service provider) is engaged to carry out data processing, a contract in writing, which includes electronic form, will be required in the future. Currently, this is necessary only when engaging service providers outside Austria.
The contract must have a certain minimum content and must, among other things, stipulate that the processor processes the data only on documented instructions from the controller. Beyond that, the content of the contract can in principle be negotiated individually.
Violations can be fined with up to EUR 10 million or 2% of worldwide annual turnover.
It is therefore advisable to ensure that written contracts also exist with Austrian processors and that they have the required minimum content. Existing service contracts should be reviewed and, if necessary, adapted to the requirements of the GDPR.
10. Admissibility of data processing / extended liability
The starting point of the GDPR is that, as before, the processing of personal data is prohibited unless permitted. Processing is lawful only if the data subject has consented or one of the other legal bases listed in the regulation applies. Processing not covered by the GDPR can lead not only to a fine but also to civil liability of the controller and the processor, and here, too, the GDPR tightens the rules: in the event of a violation of the regulation, both material and non-material damage must be compensated. The previous data protection law provided for liability for non-material damage only under certain very narrow conditions. The possible level of compensation is also being raised: the current maximum amount of EUR 20,000 will not be retained, and under the GDPR courts can award (substantial) compensation for non-material damage as well.
11. Outlook
The provisions of the GDPR are extensive, and the GDPR brings numerous fundamental changes compared to the current legal situation. The need for action is therefore considerable. In many respects, a fundamental adaptation or reorganization of internal company processes will probably be required. It is not advisable to wait until May 25, 2018, not least in view of the level of the fines provided for in the GDPR. In addition, in the event of data breaches, civil claims by the injured parties and massive reputational damage from media coverage of the data protection violation are also threats.
BLS Attorneys at Law will be happy to advise you on all matters of data protection law and to assist you in preparing for the challenges of the GDPR.
Contact person: