Forming a New Standard for Data Protection in Austria
Austria’s Federal Act on the Protection of Individuals With Regard to the Processing of Personal Data (Data Protection Act (DSG), BGBl. I No. 165/1999), or DSG for short, is a data privacy law that was recently amended in 2019. As Austria is a member state of the European Union, the DSG was amended for the purposes of implementing the provisions of the General Data Protection Regulation, or GDPR, into Austrian law. As such, while many of the provisions of the DSG are identical to those of the EU’s GDPR law, there are some differences between the two pieces of legislation as they pertain to data controllers and processors who conduct operations within the country of Austria.
What are the variations between the DSG and the EU’s GDPR law?
One of the primary variations between the EU’s GDPR law and Austria’s DSG is the set of organizations and individuals who are exempt from the requirements and obligations both laws place on data controllers and processors. As stated in the DSG, “pursuant to Section 9 of the DSG for the processing of personal data by media owners, publishers, and employees of a media company or service, for journalistic purposes of such companies or services, Article 85(2) of the GDPR, as well as the DSG, shall not apply. When exercising its powers vis-à-vis such persons and entities, the DSB shall observe the protection of editorial secrecy.” Additionally, the provisions of the DSG “shall not apply to processing activities carried out for scientific, artistic or literary purposes.”
As for data protection impact assessments, or DPIAs, these must be conducted in instances where the collection or processing of personal data stands to pose a risk to the rights and freedoms of the data subjects involved. To this end, the DSG mandates that data controllers and processors carry out DPIAs under various circumstances. These circumstances include but are not limited to:
- Processing operations involving an assessment or a classification of natural persons, including the creation of profiles and forecasts, for purposes concerning work performance, economic situation, health, personal preferences and interests, reliability, behaviour, whereabouts or movement of the person, solely being based on automated processing and potentially having negative legal, physical or financial consequences;
- Processing of data for the purpose of evaluating the conduct and other personal aspects of natural persons and which may be used by third parties to make automated decisions having legal effects on the persons evaluated or which similarly significantly affect them;
- Processing operations aimed at the observation, supervision or control of data subjects, in particular, by means of image and related acoustic data processing, and concerning data collected through networks or aiming at systematic and extensive monitoring of publicly accessible areas, and public places, which can be entered by unspecified groups of persons, among others.
What are the rights of Austrian citizens under the DSG?
The rights of Austrian citizens are the same as the rights offered to all citizens of EU member states under the General Data Protection Regulation. Such rights include the right to be informed, the right to access, the right to erasure, and the right to rectification, among a host of others. However, the DSG does vary from the EU’s GDPR law with regard to the exceptions that can be made to these various rights. For example, as stated in the DSG, “Attorneys at law and public notaries are not required to answer data subject access requests as per Article 15 of the GDPR, to the extent required to comply with their statutory obligation to confidentiality (as per Section 9 of the Attorneys Act and Section 37 of the Public Notaries Act) to ensure the protection of the rights and freedoms of their own client or third parties, or to ensure the enforcement of civil claims.”
As it relates to penalties concerning non-compliance with the provisions of the law, the DSG is enforced nationally by the Austrian data protection authority, or DSB for short. To this point, the DSG has the authority to impose a variety of punishments against data controllers and processors within Austria who fail to comply with the DSG, including an administrative fine of up to €50,000 ($56,787) depending on the scope and severity of the particular offense. Such offenses include refusing an inspection at the request of the DSB, collecting or processing personal data in an unlawful manner, or deliberately transmitting personal data in a way that violates the provisions of the DSG, among others. Moreover, data controllers and processors who violate the DSG are subject to criminal liabilities.
As Austria is one of numerous countries within both Europe and the entire world to have ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, or the modernized Convention 108 for short, the protection of personal data is clearly a priority for the country. Through the passing of the DSG in accordance with the principles of the EU’s GDPR law, this priority was strengthened even further, as these forms of legislation work in conjunction with one another to ensure that the personal data of Austrian citizens may only be collected or processed under a strict and regulated legal framework.