The new EU General Data Protection Regulation (GDPR) entered into force as of 25 May 2018. It has resulted in a comprehensive amendment of the Austrian Data Protection Act (DSG). The right to data protection is a fundamental right that has been raised to constitutional status. Essentially, the processing of personal data is forbidden, and is only permissible if provided for by law.
GDPR - General Data Protection Regulation
The first part of the GDPR contains numerous definitions, in particular on personal data. This is any information concerning an identified or identifiable natural person. A person is identified when he or she is distinguished from all other persons in a group of persons and is thus uniquely determined on the basis of individual or multiple data.
Processing of data, consent, withdrawal
The GDPR defines principles according to which the processing of personal data may take place. The processing must be carried out lawfully and for specified, explicit, and legitimate purposes. Such processing, however, must be limited to what is strictly necessary, and it must be transparent for the data subject which personal data will be processed and to what extent. In addition, the processor must ensure an adequate level of security of the data, and inaccurate data must be deleted immediately.
In this context, the question often arises as to when the processing of data is actually lawful within the meaning of these provisions. The major determinant here is consent. Effective consent, however, is subject to very high requirements: it must be given voluntarily, for the given case, in an informed manner, and with the unambiguous indication of the data subject's wishes. Moreover, such consent can be withdrawn at any time, and the data subject must be informed beforehand about their right to withdraw consent. Data processing is also lawful as part of contract initiation, contract performance, or compliance with legal obligations. In addition, data processing is possible on the basis of justified interest.
Furthermore, the statutory provisions of the GDPR and the DSG extensively address further measures such as the mandatory appointment of a data protection officer, the obligation to create a data protection impact assessment, and in particular the individual obligations toward the data subjects. Under the new GDPR, any violations of these statutory provisions carry heavy penalties. As an administrative body, the Data Protection Authority is vested with various investigative and corrective powers, such as warnings, orders, or house searches, though it also has penal powers and can impose heavy fines for violations.
Legal advice on data protection
Recently, we have received queries in particular on video surveillance at waste collection sites for the prevention of vandalism, on the installation of location-sharing devices in logistics vehicles for the flexible planning of delivery routes, and on the creation of generally required privacy statements. In addition, we will be happy to support our clients in the preparation of a data protection impact assessment, a contractual arrangement on order processing, or a corresponding legal opinion on any data protection problems they may encounter.