Austrian legislation implementing the General Data Protection Regulation
When the General Data Protection Regulation (GDPR) enters into force on 25 May 2018, legislators in member states must ensure that their national legislation complies with the GDPR’s rules. As opposed to a directive, which would first have to be implemented in Austrian law, the GDPR directly applies across the EU and its provisions prevail over national law. Yet due to 69 specific “opening clauses” provided for by the GDPR, member states retain the ability to introduce individual national rules in its implementation. The Austrian legislator has made use of this leeway through the Austrian Data Protection Amendment Act (Datenschutz-Anpassungsgesetz) 2018, which was passed by the Austrian National Council on 31 July 2017. The Act enacts the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Datenschutzgesetz – DSG) and repeals the old Federal Act concerning the Protection of Personal Data 2000. The new Data Protection Act will enter into force on 25 May 2018 along with the GDPR.
Changes arising from the new Data Protection Act
Key provisions of the new Act maintain the fundamental right to data protection and concern data processing for specific purposes (e.g. for scientific research or statistics or to make addresses available to inform or survey data subjects) and for the purpose of picture processing. The respective stipulations have been phrased in clearer language using the terminology of the GDPR.
The new Data Protection Act further extends the technical and organisational measures to be taken by controllers and processors. In § 50, the new Act for instance regulates the obligation of documenting all processing operations, enabling an assessment and review of whether processing was legitimate.
The Austrian legislator also utilised the opening clauses with regard to the processing of personal data on criminal convictions and offences to address the dilemma posed by the use of whistleblower hotlines and to create a sound legal basis for them.
Compared to older legislation, the GDPR stipulates neither notification obligations nor authorisation requirements. Instead, the new Data Protection Act extends the powers of the Austrian Data Protection Authority, which acts as the supervisory authority for data protection, to review data processing operations and establishes the Authority’s right to gain access to data applications and enter rooms in which data applications are located. The new Data Protection Act further addresses the Data Protection Authority’s right to impose administrative penalties of up to EUR 50,000 on natural and legal persons in addition to the fines pursuant to the GDPR.
Preparations for the new Data Protection Act and the GDPR are already necessary
As opposed to the German amendment act, the Austrian Data Protection Act is clear and accessible. Many parts, however, were copied from the GDPR. The most significant deviations can be found in Chapter 2 of the Data Protection Act and concern the Data Protection Authority and the Data Protection Council.
Both the GDPR and the Data Protection Act stipulate that adequate and state-of-the-art security measures must be taken to address the risks associated with personal data and to ensure their protection. In light of the far-reaching implications, companies are well advised to kick off a company-wide compliance process, which might easily take several months.
Managers should thus use the remaining time to take stock of, review and document in records of processing activities all internal practices, data applications as well as organisational and technical security measures of their company. If necessary, additional contracts must be concluded with other controllers or processors. The efforts that will be required to implement the necessary changes depend on the data protection practices currently in place. If your company has so far paid little attention to data protection, the process could turn out to be rather time-consuming.