With this year's beginning a substantial revision of the Austrian Data Protection Act (the "DPA") entered into force where the DPA was substantially revised for the first time since it became effective in the year of 2000.
1. Data breach notification duty
The revised DPA introduced a "data breach notification duty" to the Austrian data protection regime which is in by and large similar to the respective obligations under US and UK data privacy laws. With this, Austria is besides Germany one of the first Member States to implement such an information duty. In a nutshell, this obligation requires every data controller in Austria to inform data subjects properly if he becomes aware of a systematic and seriously unlawful misuse of their data. However, this duty for information does not take effect if the data misconduct only has the potential to cause minor harm to the affected data subjects or if the costs of proper information would be disproportionally high. In this context is worth mentioning that the DPA does not require any authority be notified of the breach. In particular, the DPA does not ask for the Data Protection Commission to be informed.
With the revision of the DPA also new provisions about the processing of personal data in the course of videotaping / video monitoring have been amended to the DPA. In particular, the law now defines specific scenarios where the CCTV use is generally prohibited, such as eg employee monitoring or data checks against ethnic characteristics of individuals. The law provides for the taped data to be stored not longer than 72 hours except longer storage periods can be validly argued on a case by case basis. Every CCTV use has to be registered with the Austrian Data Protection Commission in advance and must not be put into operation before it was approved by the authority. However, if the CCTV use is performed in real time, which means it operates without data storage, or if the data is stored on analogue data carriers only no registration with the authority is required.
3. Data access
The revised DPA also provides for new provisions about the data subjects' rights of data access. In short, data subjects are entitled to request comprehensive information about all their data stored with the addressed data controller. As soon as the addressed data controller receives such a request he is not allowed to alter or erase the requested data. Any such unlawful data erasure could result in administrative fines of up to EUR 25,000. However, data subjects are also entitled to ask for their incorrect or outdated data to be rectified or erased which leads to the fact that data subjects sometimes inconsiderately combine their requests by asking for information and data erasure at the same time. In such a case it was unclear whether the addressed data controller has to correspond to the information request which prevents him from erasing the requested data or whether he has to comply with the request for data erasure. The revision now put it straight that in such cases the addressed data controller primarily has to satisfy the request for data erasure, if justified. Moreover, the revised DPA now clarifies how to deal with information requests that are mistakenly addressed to a data processor. In that case the data processor immediately has to submit the request to the affected data controller whereby the statutory response period (which is eight weeks) starts nevertheless with the data processor (not the data controller) having received the request. With this it became crucial for the data controller to take care for a respective clause in the data processing agreement which obliges the data processor to immediately forward information requests to the data controller.
4. Administrative fines
With the beginning of this year also the administrative fines for breaches of the DPA were raised leading to a maximum penalty of EUR 25,000 for deliberate violation of those provisions of the DPA dealing with the protection of the data secrecy and EUR 10,000 for violation of the notification and information obligations of the DPA.
5. New registration scheme
The revised DPA also brought some substantial changes to the currently existing system of registering personal data processing with the Austrian data protection authority which, however, will not become effective before 2012. In a nutshell, these upcoming changes will lead to a new approach of self registration through the data controller combined with a massive extension of the authority's competencies.
Big Brother Award 2010
Talking about complying with data protection laws means talking about reputation. When it comes to privacy incompliance in Austria one of the most sensitive topics is certainly the annual granting of the "Big Brother Award". In essence and like in many other countries, the "Big Brother Award" is annually granted by Privacy International to Austrian companies, agencies and authorities that, in the view of Privacy International, have to take the responsibility for the most severe harms of privacy interests in the previous year. This years' "Big Brother Award" granting took place in October in Vienna where it was inter alia awarded to an Austrian telecommunications operator, to the Austrian minister of justice and to the Austrian vice chancellor. The "Big Brother Award" impressively shows that a data controller being in breach with applicable privacy laws does not only face potential legal action but also takes a high risk of more than bad media coverage.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.