
DSGVO


Are you ready for the General Data Protection Regulation (GDPR, in German DSGVO)? Whether it is online booking of business trips, outsourcing payroll to an external service provider, ordering goods in a supplier's web shop or issuing company laptops and mobile phones to employees: business processes are increasingly moving to the Internet, not least because it makes business life more convenient and cheaper. Very few companies, however, realise that these processing operations require data protection management.

Our aim is to provide you and your company with an approach to data protection management tailored to your needs, together with the know-how required for it. GDPR-compliant data protection management is a matter of critical relevance for every company, from start-ups to the large multinationals. The GDPR provides for high penalties for infringements which, in Austria, can hit not only the company but also its managing directors and other responsible persons.

Data Law Navigator | Austria

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Data Protection

Last reviewed March 2020

Risk scale: medium

Laws and Regulations
- General Data Protection Regulation (GDPR)
- Austrian Data Protection Act 2018 (DPA 2018)
- Austrian Telecommunications Act 2003 (TCA 2003)
- Austrian Act on Health Telematics (Gesundheitstelematikgesetz 2012 – GTelG 2012)
- Regulation of the Austrian Data Protection Authority on processing operations for which a Data Protection Impact Assessment is to be carried out (Federal Law Gazette II No. 278/2018)
- Regulation of the Austrian Data Protection Authority on exemptions of the Data Protection Impact Assessment (Federal Law Gazette II No. 108/2018)
- Regulation of the Austrian Data Protection Authority on the requirements for accreditation of a monitoring body pursuant to Art 41 (1) GDPR (Federal Law Gazette II No. 264/2019)

Authority
Austrian Data Protection Authority

If applicable: stage of legislative implementation of GDPR
GDPR was fully implemented by the Austrian Data Protection Act 2018.

If applicable: local derogations as permitted by GDPR
The following derogations exist:
- publicly available data is only protected under the Data Protection Act 2018 if it is not used for historical research purposes or statistical purposes (Section 7 DPA);
- providing addresses to inform and interview data subjects requires no consent of the data subjects if an infringement of the data subject's interests in confidentiality is unlikely, considering the selection criteria for the group of data subjects and the subject of the information or interview (Section 8 DPA);
- specific provisions regarding the data protection officer according to Section 5 DPA, such as the obligation of the Austrian ministries to appoint at least one Data Protection Officer (Art 37 GDPR);
- children's age to lawfully consent is lowered to 14 years (Section 4 (4) DPA);
- specific CCTV regulations laid down in Sections 12 and 13 DPA;
- if necessary to reconcile the right to the protection of personal data with the freedom of expression and information, in particular with regard to the processing of personal data for journalistic purposes as referred to in the Austrian Media Act, GDPR does not apply (Section 9 DPA);
- Section 10 DPA allows for processing of personal data in case of emergency;
- special administrative penalty provisions laid down in Section 62 DPA;
- administrative penalty on processing data with the intention to make a profit or to cause harm laid down in Section 62 DPA;
- Regulation of the Austrian Data Protection Authority on processing operations for which a Data Protection Impact Assessment is to be carried out (Federal Law Gazette II No. 278/2018): lays down a catalogue of criteria concerning processing operations for which the controller needs to conduct a data protection impact assessment; implementation act pursuant to Art 35 (4) GDPR;
- Regulation of the Austrian Data Protection Authority on exemptions of the Data Protection Impact Assessment (Federal Law Gazette II No. 108/2018): lays down a list of processing operations for which no data protection impact assessment is required; implementation act pursuant to Art 35 (5) GDPR.

Scope
- Automated and non-automated data processing operations;
- Information relating to data subjects who are identified or identifiable (natural persons; the fundamental right to data protection established in the constitutional provision of Section 1 DPA continues to protect legal persons (this relates to political difficulties at the time of the adoption of the DPA: the constitutional provision could not be amended due to the absence of the required 2/3 majority in parliament));
- The party determining the purposes and means of processing of personal data established in Austria ("data controller");
- The party processing the data on behalf of the data controller, if the data controller is subject to the DPA ("data processor");
- Data controllers established outside Austria but within an EU member state that use personal data for an establishment of the controller in Austria;
- Data controllers not established in any EU Member State which use personal data in Austria.

Penalties/enforcement
Sanctions under the DPA: non-compliance with the DPA may result in complaints, data protection authority audits and/or orders, administrative fines, seizure of equipment or data, and civil actions and/or criminal proceedings.

The Austrian Data Protection Authority may issue administrative fines of up to EUR 50,000 for non-compliance with the DPA. The fines under the DPA will only be imposed if an offence does not constitute an offence under Art 83 GDPR ("catch-all clause").

Fines may be imposed on legal persons
- because of an executive's violation; or
- for monitoring or control failures.

A legal person is responsible for breaches if an executive does not comply with surveillance duties or does not enact organisational matters, thus enabling an offence to be committed by a person working for the company. Moreover, fines may be imposed on a responsible person in accordance with Section 9 Administrative Penal Act 1991.

Registration/notification
The DPA does not provide for any obligation to notify data applications to the data protection authority (data processing register).

Art 37 GDPR requires the controller or processor to publish the contact details of the data protection officer and to communicate these contact details to the Austrian Data Protection Authority.

Main obligations and processing requirements

Information requirements
A data controller collecting personal data must provide data subjects with information on: the data controller's identity (name, address, contact details); the processing purposes and legal basis; the data categories; the data recipients (solely if the data is subject to a controller-to-controller transfer); if consent is needed, the possibility to revoke the consent at any time shall be indicated; and the data subject's rights.

Consent requirements
If consent is needed, electronic and paper consent is permissible and deemed effective if it is properly structured and documented. The data subject has to be provided with information on: the data controller's identity; the processed data categories; the recipients (if they are data controllers as well); the processing purposes; and the right to revoke consent at any time.

Outsourcing requirements
Where processing is carried out by a processor on behalf of a controller, the controller shall only use processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject (Art 28 GDPR).

Data subject rights
Chapter III GDPR expressly foresees the following data subject rights:
- Right of access by the data subject (Art 15 GDPR),
- Right to rectification (Art 16 GDPR),
- Right to erasure (Art 17 GDPR),
- Right to restriction of processing (Art 18 GDPR),
- Right to data portability (Art 20 GDPR),
- Right to object (Art 21 GDPR),
- Right not to be subject to a decision based solely on automated processing, including profiling.

GDPR provides for additional rights of the data subject, such as the right to be informed (Art 13 and 14 GDPR), the right to lodge a complaint with the Austrian Data Protection Authority (Art 77 GDPR in conjunction with Section 24 DPA) or the right to an effective judicial remedy (Art 78 and 79 GDPR).

Transfers out of country
Transfer to third countries is essentially forbidden. However, GDPR foresees several mechanisms in order to transfer data to third countries, such as:
- Adequacy decision of the European Commission according to Art 45 GDPR (e.g. Privacy Shield),
- Internal data protection regulations (Binding Corporate Rules) according to Art 46 GDPR,
- Standard contractual clauses (SCCs) according to Art 46 GDPR,
- Codes of conduct and certification mechanisms as transfer tools according to Art 46 GDPR,
- Data transfers on the basis of Art 28 GDPR.

For further transfer mechanisms or tools, please see Art 44 – 49 GDPR.

Data Protection Officer
Controllers and processors must appoint a Data Protection Officer in cases where
- processing is carried out by a public authority or public body,
- core data processing activities consist of extensive regular and systematic monitoring,
- core data processing activities consist of processing of special categories of data on a large scale or of processing criminal data.

Austrian ministries are obliged to appoint at least one Data Protection Officer according to Section 5 (4) DPA.

Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Breach notification
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Art 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the data breach to the data subject without undue delay.

No general additional requirements under local law apply.

To notify the Austrian Data Protection Authority, you may use the data breach notification form and send it to [email protected].

Direct marketing
The GDPR and the Austrian Data Protection Act (DPA) apply to all marketing and advertising activities involving personal data. Personal data means any information relating to an identified or identifiable natural person (Art 4 para 1 GDPR). This is the main legislation that marketers and ad tech companies will need to comply with in terms of security measures and notifying personal data breaches.

Administrative fines under GDPR and DPA are imposed by the Austrian Data Protection Authority. Actions for damages ("Schadenersatzklagen") and injunctions ("Unterlassungsklagen") as well as interim injunctions ("einstweilige Verfügungen") under GDPR and DPA are imposed by the courts.

Please find a copy of the Austrian Data Protection Act via the following link: Austrian Data Protection Act

In addition, provisions of the Austrian Telecommunications Act (TKG 2003), which implements the EU ePrivacy Directive 2002/58/EC, apply to specific marketing and advertising purposes, e.g. imposing additional requirements on the way organisations can carry out unsolicited direct electronic marketing. The Austrian Data Protection Authority enforces violations of data subject rights under TKG 2003 by issuing administrative fines, since the Telecommunications Act 2003 is a lex specialis to the GDPR.

Please find a copy of the Austrian Telecommunications Act via the following link: Austrian Telecommunications Act

Cookies
With regard to the use of cookies, the Austrian Telecommunications Act 2003 is considered the lex specialis to the GDPR. Data subjects must be informed about the use of cookies within the meaning of Section 96 Austrian Telecommunications Act 2003. Austrian website operators are obliged to inform affected users comprehensively and to obtain their consent. Violation of the regulation could result in an administrative fine of up to EUR 37,000.

The use of cookies is only permitted if:
- the user is informed in detail in advance;
- consent has been given before the use of cookies; and
- the consent was given voluntarily, without doubt and by an active act.

The Cookie Policy may state that the browser settings may be adjusted accordingly. The possibility to modify the settings, if properly informed, may be considered as sufficient consent.

Other data protection initiatives
Regulation of the Austrian Data Protection Authority on the requirements for the accreditation of certification bodies according to Art 43 (6) GDPR, to be published in 2020.

Useful links
- Guide to GDPR, provided by the Austrian Data Protection Authority (German)
- Austrian Telecommunications Act
- Austrian Data Protection Act

Cyber Security

Last reviewed March 2020

Risk scale: medium

Laws and regulations
Network and Information System Security Act ("Netzwerk- und Informationssicherheitsgesetz" – NISG) as the implementing act of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union.

Application
The NISG applies to operators of essential services (OES) in the following sectors:
- Energy (electricity, crude oil, natural gas),
- Transport (air, rail, water, road),
- Banking (credit institutions),
- Financial market infrastructures (trading venues, central counterparties),
- Healthcare (especially hospitals and private clinics),
- Drinking water supply and
- Digital infrastructure (Internet Exchange Points, DNS Service Providers, TLD Name Registries).

It further applies to
- providers of digital services (PDS) (online marketplaces, online search engines and cloud computing services); and
- public administration bodies.

Authority
According to § 26 (2) NISG the local administrative authorities are the competent supervisory authorities.

Key Obligations

Security measures
- Providing network and information security, defined by the NISG as the ability to prevent, detect, deter and eliminate security incidents.
- Technical and organisational security measures must be appropriate, proportionate, comply with the state of the art and be adequate to the risk identified with "reasonable effort".
- PDS must additionally consider factors such as the security of systems, i.e. the implementation of information security management systems.
- OES are obliged to establish a computer emergency response team (CERT) for communication with authorities and computer emergency teams.
- Security incidents must be reported immediately to the national computer emergency team, containing all relevant information on the security incident and the technical background known at the time of the initial report, in particular the suspected or actual cause, the information technology involved and the type of facility or installation involved.

Penalties/enforcement
Section 29 (1) NISG provides for financial penalties of up to EUR 100,000 in case of infringement.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
The NISG provides for a national computer emergency team to be set up to ensure the security of network and information systems. The National Computer Emergency Team and Sectoral Computer Emergency Teams shall assist OES and PDS. The Public Administration Computer Emergency Team (GovCERT) shall assist public administration bodies in managing risks, incidents and security incidents.

Is there a national incident management structure for responding to cyber security incidents?
Security incidents must be reported immediately to the national computer emergency team, containing all relevant information on the security incident and the technical background known at the time of the initial report, in particular the suspected or actual cause, the information technology involved and the type of facility or installation involved.

If a security incident occurs, it shall be reported without delay to CERT.at. The law does not provide for a specific time limit, but since a follow-up and a final report are also required and these have to be submitted "without undue further delay", a very short time limit – a few hours to a maximum of 24 hours (depending on the severity of the incident) – has to be assumed.

A security incident can be notified by using the online portal of CERT.at available under https://nis.cert.at/. Further, reporting can also be done by sending an e-mail to CERT.at at re[email protected]. When reporting via e-mail you should include the information set out in the following form: https://cert.at/media/files/about/contact/files/form_de.txt. In addition, please find further information on the recommended encryption and other measures on the following website: https://cert.at/de/ueber-uns/kontakt/

Other cyber security initiatives
The "Austrian Handbook on Information Security" provides a broad overview of recognised information security standards based on common international standards such as ISO/IEC 27000. It serves to implement comprehensive security concepts in public administration and the private sector. https://www.sicherheitshandbuch.gv.at/ (Link to Austrian Information Security Handbook – German)

Useful links
- Cert.at Website
- https://www.govcert.gv.at/nis-meldung/index/index_en.html (NIS reporting)
- https://cert.at/media/files/about/contact/files/form_de.txt (Template for incident notification)
- https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20010536 (NISG – German)
- https://www.sicherheitshandbuch.gv.at/ (Link to Austrian Information Security Handbook – German)

Feed

Published on 11.05.2018 on diepresse.com
A new mandate for data protection
22/03/2018
EU General Data Protection Regulation: tips for appointing a Data Protection...
21/03/2018
General Data Protection Regulation and employee data protection - "5 vor 12" (video)
Published on 07.03.2018 on extrajournal.net
A business risk called GDPR
Published on 10.02.2018 in: Die Presse
GDPR: everything about the record of processing activities
13/12/2017
The new Data Protection Act from 25 May 2018: scope of protection and the most important...
Published on 21.09.2017 on industriemagazin.at
Identify, document, delete: what the GDPR means for industry...
Published on 10.08.2017 in: Wiener Zeitung
The new data protection regime - a challenge for hospitals
Published on 30.06.2017 on wienerzeitung.at
Paradigm shift in data protection
Published on 30.06.2017 in: druck & medien Magazin
Are you prepared for the General Data Protection Regulation?