With thanks to friends at DORDA. Contact: [email protected]
|Stage of legislative progress
|Eg. pre-consultation, in consultation
The Austrian Data Protection Act ("ADPA") implementing the GDPR was adopted on 29 June 2017 and has been applicable since 25 May 2018.
In addition, there are several special provisions in certain laws and business areas currently being amended or in (pre-)consultation (eg health sector, finance industry etc). These legislative procedures are mainly still ongoing, but are finalised in some areas. This leads to a fragmentation of data protection to a certain degree.
|Approach to implementation
|Eg. amendments to existing law, total repeal of old laws|
Overall, the Austrian legislator used just a few opening clauses of the GDPR in a very moderate way, highlighting a minimalistic approach to safeguard full harmonization. However, the ADPA nevertheless provides for some specific local provisions.
Further, special data protection provisions will follow in other Austrian laws since the ADPA is limited to the general provisions. Thus, we will learn in the future whether the Austrian legislator maintains its restraint or whether stricter local rules will come in through the backdoor of specific laws.
|Timescale for implementation
|Eg. pre-consultation, in consultation|
The ADPA was adopted on 29 June 2017 and has been applicable since 25 May 2018.
There is no timescale for sector-specific data protection laws. Those provisions will follow step by step.
Areas where Member States must have local laws:
|Personal data and freedom of expression
Sec 9 ADPA provides special provisions concerning the processing of personal data in the context of freedom of expression and information. According to these provisions, several regulations of the GDPR (especially its principles and rights of data subjects) do not apply to the processing of personal data for journalistic purposes as well as for scientific, artistic or literary purposes.
Sec 30 ADPA governs the mechanism of imposing the GDPR penalties: The fines shall primarily be imposed directly against the responsible legal entity. Besides, the Austrian Data Protection Authority is still entitled to punish natural persons in charge (especially managing directors or representatives appointed under administrative law; not the Data Protection Officer). However, as long as it is not required due to special circumstances of the individual incident, only the responsible legal entity shall be fined.
Besides, Sec 62 ADPA provides for an administrative penalty of up to EUR 50.000 for any breach of the ADPA that is not subject to the GDPR fines (thus breaches of Austrian-specific provisions like CCTV-requirements).
Further, Sec 63 ADPA contains a criminal offence and provides for imprisonment or a fine for any unlawful data processing with the intention to gain profit or with the intention to damage another person (personal offences based on responsibility).
Areas where Member States may have local laws:
The ADPA does not provide for specific regulations in this regard. However, the ADPA contains the following principles:
Sec 6 ADPA provides for a general principle of data secrecy and obliges all data controllers, processors and their employees to keep all personal data strictly confidential.
Further, Sec 5 ADPA provides for a specific obligation for Data Protection Officers to keep all received information strictly confidential.
Data subjects have no right of access when this would jeopardize a trade or company secret of the controller or a third party (Sec 4 (6) ADPA).
|Scientific, historical or statistical purposes
Sec 7 ADPA governs special provisions for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes:
Provided that the processing is not intended to result in a personalized outcome, it is admissible if the data used is (i) publicly accessible, (ii) lawfully collected for other legitimate purposes or (iii) pseudonymised.
All other data processing activities for scientific, historical or statistical purposes require (i) a specific statutory authorization, (ii) the consent of the data subject or (iii) approval by the Austrian Data Protection Authority.
Since these provisions are quite restrictive, special regulations for certain areas (especially the health-care and pharma sector) are currently in the legislative process.
No, the ADPA does not provide for special provisions on the processing of personal data in the context of employment. However, the Austrian Data Protection Authority has always had a very strict and reluctant approach as regards the processing of employees' data, which is expected to be upheld.
|Personal data of deceased persons
No, the ADPA does not provide for special provisions on the processing of personal data of deceased persons.
As regards a child's consent in relation to information society services, Sec 4 (4) ADPA lowers the minimum age to 14 years.
|Special rules for special categories of data
|Genetic, biometric or health data
No, the ADPA does not provide conditions for the processing of genetic, biometric or health data. Such special regulations are expected to follow in specific laws for the health-care sector.
|Designation of a Data Protection Officer
The ADPA does not provide for specific preconditions to appoint a Data Protection Officer. Thus, the general provisions of the GDPR apply.
Sec 5 ADPA merely provides for a specific obligation for Data Protection Officers to keep all received information strictly confidential.
|National identification numbers/any other identifier of general application
No, the ADPA does not contain provisions as regards national identification numbers or any other identifier of general application.
|Any other areas under discussion