Big changes to Austria's data protection laws
31 August 2017
There will be significant change for companies and individuals following the EU's General Data Protection Regulation (DSGVO) and subsequent changes to Austria's laws.
"The potential imposition of fines of up to Euros 20 million or, in the case of a company, up to 4% of worldwide annual turnover, is probably the biggest threat posed to companies by GDPR."
Juergen Brandstaetter, Partner, BMA
The European Union General Data Protection Regulation (referred to as 'GDPR' or 'DSGVO - Datenschutz-Grundverordnung' in Austria) came into force as of May 25th 2016 and will be directly applicable in all EU Member States after the transitional implementation period of two years (May 25th 2018). By then, all data applications must comply with the new legal terms. In this article, Juergen Brandstaetter of Austria law member BMA explains the new legal situation in Austria.
Due to changes in European law, Austria’s parliament has recently adopted the amended 2018 Data Protection Act, which will also apply as of May 25th 2018.
The specific legal position as of May 25th 2018 will then be determined by both the directly applicable GDPR and the amended Austrian Data Protection Act. Brandstaetter comments: "There will be significant changes for companies as well as for individual persons due to the GDPR."
What companies need to know
For companies, the obligation to report to the data protection authority is replaced by extensive duties. These will include the need to compile a list of data processing activities, extensive reporting obligations in the case of data breaches, and the obligation to use privacy-friendly design for automated data processing and privacy-friendly technical default settings for web pages, known as 'privacy by design' and 'privacy by default'. For some companies, a data protection impact assessment and the appointment of a data protection officer will become obligatory. There are also several other possible obligations for companies.
More rights for individual consumers
The rights of those individuals whose data is used will be strengthened. Thus, the person concerned has an extended right of information, the right to rectify the data, delete the data and restrict the use thereof, as well as the right to data portability and the right of objection to the use of the data.
Greater powers to fine businesses and individuals
Moreover, the powers and tasks of the supervisory authorities are being expanded. Above all, the potential imposition of fines of up to Euros 20 million or, in the case of a company, up to 4% of its worldwide annual turnover, is probably the greatest threat posed to companies by GDPR.
Brandstaetter adds: "Even though there is still time before the new data protection law is applicable, companies must use the time to prepare for the new data protection law."
For advice on data protection laws in Austria
In order to help you or your company to prepare for the new data protection laws in Austria, please contact Juergen Brandstaetter at BMA in Vienna.