National Room for Manoeuvre Despite the GDPR
About a year before the General Data Protection Regulation (GDPR) becomes fully applicable, the Austrian legislator has officially opened a six-week consultation on the national Data Protection Amendment Act 2018 (Datenschutz-Anpassungsgesetz 2018). The GDPR harmonises the EU's data protection laws, but numerous so-called "opening clauses" leave room for national rules. In addition, Directive (EU) 2016/680, which lays down specific rules on the processing of personal data by security authorities for law enforcement purposes, has to be transposed into national law. The published draft implements the Directive's provisions in a separate chapter (Hauptstück).
Whether and how the legislator would make use of the leeway granted by the opening clauses is of central importance for companies. With the release of the draft Data Protection Amendment Act 2018 for consultation, that question has now been answered. Apart from transposing the Directive and making the necessary adjustments to the structure of the Data Protection Authority, the draft contains the following provisions of particular interest:
Liability of "associations" instead of management
It is well known that the possible sanctions under the GDPR rise significantly, to up to EUR 20 million or 4 % of total worldwide annual turnover, whichever is higher. Under the established concept of Austrian administrative penal law (Verwaltungsstrafrecht), such fines would be imposed on the management of a company unless a responsible representative (verantwortlicher Beauftragter) has been appointed. Direct liability of an association (ie the legal entity itself) is rather uncommon under Austrian administrative law; it exists, for example, in Section 99d of the Banking Act (Bankwesengesetz). The published draft provides that GDPR fines can be imposed on legal entities if the underlying offence was committed by their management or by a responsible representative.
Under the GDPR, fines are imposed by the competent national supervisory authority. The draft Data Protection Amendment Act 2018 preserves this concept and confirms the competence of the Austrian Data Protection Authority. However, a case pending before the Austrian Constitutional Court challenges, on constitutional grounds, the competence of the Financial Market Authority to impose fines of comparable magnitude. Depending on the outcome, an adjustment may be needed even before the draft enters into force.
Video surveillance and images
The GDPR is silent on video surveillance. The legislator intends to retain, and at the same time modernise, the specific Austrian provisions introduced by the 2010 amendment of the Data Protection Act. The new draft goes further, however: section six of the draft will apply to "images" in general, meaning that in future still pictures will also be subject to the relevant provisions of the Data Protection Amendment Act 2018. As a counterweight to this far-reaching scope, a rather broad private-use exception will apply. Images will be permitted if they are made for private documentation purposes and are not intended to identify "uninvolved" persons. In other words, the holiday snapshot will still be allowed.
Complaints and compensation for damages
In addition to the administrative fines under the GDPR, the GDPR gives data subjects several options to take action against data protection violations. On the one hand, any affected data subject may lodge a complaint with the Data Protection Authority. This option obviously has to be embedded in the national administrative structure, and the current draft contains the necessary provisions. Appeals against decisions of the Data Protection Authority can be brought before the Federal Administrative Court (Bundesverwaltungsgericht). The Federal Administrative Court can also be approached if the Data Protection Authority fails to handle a complaint within the prescribed time. The legislator will adhere to the existing rules on the composition of the Federal Administrative Court's panels (senates): lay judges drawn from both employers' and employees' representatives will sit on them.
On the other hand, an affected data subject may bring an action before the civil courts to obtain compensation for any material or non-material damage suffered as a result of an infringement of the GDPR. Under Austrian civil law, non-material damage is compensated only in exceptional cases; the GDPR adds a further one. The draft also lets the data subject choose the forum: either the court at the data subject's domicile or the court at the seat of the defendant (ie the controller or the processor).
Record of processing activities instead of notification
A core principle of the GDPR is the "accountability" of the controller. Among the strengthened obligations a controller must fulfil is the duty to maintain an internal record of processing activities. Consequently, the current obligation to notify all data processing activities to the Austrian Data Processing Register (Datenverarbeitungsregister) will be dropped. For archiving purposes, the Data Processing Register will remain in existence until the end of 2019. Any notification procedures still pending when the GDPR becomes fully applicable in May 2018 will be terminated.
The Standard- und Musterverordnung 2004 will also cease to apply. However, the Austrian Data Protection Authority will have to issue ordinances listing the processing operations that require a data protection impact assessment (DPIA, Article 35 GDPR) and those that do not.
Legally binding acts of the Data Protection Authority, such as approvals granted for international data transfers, will generally remain valid. It will nevertheless be necessary to check whether they comply with the provisions of the GDPR.
Fundamental right to data protection
The fundamental right to data protection remains constitutionally enshrined and retains its third-party effect (ie it also applies between private parties). However, the current extension of Austrian data protection law to legal entities will be dropped: in future, the GDPR and the Data Protection Amendment Act 2018 will protect natural persons only.