Checking In: Data Protection Compliance in CEE
For our Checking In feature, we reach out to partners and heads of practice across CEE to learn how specific practice areas are faring in their jurisdictions. This time around we asked Data Protection experts: Overall, how compliant would you say economic agents are with relevant local regulations on data protection, and what are the main gaps that have yet to be addressed?
Austrian case law is evolving rapidly. Many individuals, consumer protection associations, and other stakeholders are testing what can be challenged under the GDPR. Claims and challenges have been put forth, such as whether the right to data access under Art 15 of the GDPR supports the right to receive documentation containing personal data or whether predictions based on probability calculations will be deemed personal data if they refer to individuals. Sometimes lower courts do not decide these questions homogeneously and the Data Protection regulator and Austrian courts make conflicting decisions. In response, the Austrian Supreme Court has recently shown an increased tendency to refer GDPR-related questions to the ECJ.
As to whether economic agents comply with local data protection regulations, it can be said that they are struggling to keep pace with these developments, no matter which industry they belong to. For instance, the question of whether Art 15 of the GDPR requires a controller to demonstrate the recipients or only the categories of recipients of its data (as this question has most recently been referred by the Austrian Supreme Court to the ECJ) impacts nearly every economic agent. So, while most agents have completed their GDPR entry lessons, such as establishing processing registers or data processing agreements, they must now comply with dynamic case law. Last year, the Austrian Data Protection regulator confirmed the protection of personal data of legal entities essentially by referring to Austrian constitutional law and to the GDPR by analogy. While this decision has not been supported by higher instance courts so far, it might advance the lingering discussion about whether Austria's constitution supports the protection of personal data of legal entities. If in similar cases the regulator's decision (which is currently final) leads to upper courts, they might, and quite likely will, take a different view. Economic agents who have so far focused their data protection ambitions on the data of individuals might have to broaden their mindset by considering the data of legal entities as well.
Gunther Leissler, Partner, Schoenherr Austria