Data Protection in Austria

Data Protection - Key Changes and Important Obligations Under the GDPR

Starting in May 2018, the EU General Data Protection Regulation (GDPR) will apply to all entities established in the EU and, because of its extended territorial scope, to many entities outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Companies will face a considerable rise in data protection compliance duties and, in cases of noncompliance, significantly increased fines of up to 4% of the total worldwide annual turnover of the whole company group or EUR 20 million, whichever is higher.

The GDPR is directly applicable law and will amend or replace material parts of the Austrian Data Protection Act as follows: 

Implications of the Accountability Principle for Business

The GDPR focuses on the concept of accountability, and it requires businesses to demonstrate compliance with the principles relating to personal data (set out in Article 5 of the GDPR) through a proactive approach. Companies must be prepared to respond to requests from individuals who want to exercise their rights with respect to the processing of their personal data, as well as to requests and investigations from Supervisory Authorities (SAs). Failure to do so may expose businesses to high fines, damage to their reputation, and/or loss of business opportunities.

Key Changes for Business Under the GDPR

Data Breach Reporting to the Supervisory Authority

Data controllers are required to report a personal data breach to the competent SA without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. Where the breach is likely to result in a high risk to those rights and freedoms, the affected data subjects must also be informed without undue delay.

Data Protection Impact Assessment

Where a data processing activity is likely to result in a high risk to the rights and freedoms of natural persons, the company shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations. Where the assessment indicates that the processing would still result in a high risk in the absence of measures taken by the controller to mitigate that risk, the SA shall be consulted before the processing starts.

Transfer of Personal Data to Countries Outside the EU

Similar to the existing rules, the Regulation prohibits the transfer of personal data to third countries unless: (a) the Commission has adopted an adequacy decision regarding the target country; (b) the parties provide appropriate safeguards (e.g., through standard contractual clauses); or (c) there are Binding Corporate Rules in place.

An approved code of conduct or an approved certification mechanism (data protection seals and marks), combined with binding and enforceable commitments of the recipient to apply the appropriate safeguards, may also serve as a basis for transfers. The framework for such codes of conduct and certification mechanisms is to be established and approved by the SAs, the European Data Protection Board, and the Commission.

New One Stop Shop Mechanism

One crucial element of the GDPR is the new "one stop shop" mechanism. It is intended to give organizations that operate in more than one Member State a single lead SA, namely the one in the jurisdiction of their "main establishment", which takes responsibility for supervising their cross-border processing, and to facilitate cooperation between the competent SAs in cases involving more than one regulator.

Exemption for Employee Data Protection

Through various opening clauses concerning employee data protection, the Austrian legislature is authorized to enact more specific provisions regarding the processing of HR data (e.g., the requirement of works council approval). However, such employee data protection laws must respect the fundamental rights and freedoms of data subjects as provided for under the Regulation.

Impact of GDPR on Companies

Preparation for the GDPR requires the reorganization of various internal procedures, as well as a review of existing agreements with data controllers, data processors, sub-contractors, and data security service providers.

Businesses should compare their existing data privacy practices against the GDPR's requirements in order to identify the actions they need to implement to satisfy those requirements by May 2018.

Senior management must make data protection a high priority. It should set out the tasks, responsibilities, and reporting lines of the individuals involved, to ensure continuous compliance with the GDPR. Businesses with an existing Data Protection Officer (DPO) may build a governance structure around that role that is accountable for the overall data privacy program. Those that do not have a DPO should carefully consider designating one, internally or externally, whether or not they are required to do so.

Looking Forward

In Austria, the next few months will reveal how the national legislature will implement the GDPR. A draft bill implementing the GDPR is currently in preparation and is expected to be introduced in the first half of 2017. In the meantime, the Austrian Data Protection Authority, in its quarterly newsletter, only refers to various aspects of the GDPR, such as the various opening clauses, several missing procedural provisions, and the abolition of the Data Processing Register.

By Andreas Schutz, Partner, and Karin Tien, Associate, Taylor Wessing Austria

This Article was originally published in Issue 4.2 of the CEE Legal Matters Magazine.