Decisions of the data protection authority in Austria are documented in the RIS. Many decisions made before the introduction of the DSGVO are still relevant today. Here is a selection:
The data protection authority has decided in several cases that video surveillance is not admissible for the enforcement of civil claims.
- 5.12.2017 DSB-D216.405/0006-DSB/2017: Video surveillance of vehicles taking a shortcut without authorisation on private propertyThis monitoring of traffic areas is not permitted. The camera may only monitor the entrances of the building + 50 cm.
- 2.3.2017 DSB-D213.453/0003-DSB/2016: unmarked video surveillance of a Servitutsweg
A wild camera was installed and not marked (private video trap) in order to find the perpetrator of property damage. The purpose of the marking, if spatially conceivable at all, is not only to create the possibility of avoiding (bypassing) the monitored area, but also to significantly strengthen the protective effect of video surveillance by deterrence. Surveillance without marking is also not permitted for the identification of an injuring party.
- 22.11.2017 DSB-D216.309/0007-DSB/2017: Surveillance of the neighbouring property to preserve evidence
In order to prove evidence of violations of the trade regulations, the neighboring property was monitored. This surveillance is not permitted. As a rule, video surveillance is only permitted for the purpose of protecting the monitored object or person or fulfilling legal duties of care.
- 28.5.2018 DSB-D216.471/0001-DSB/2018 Deletion of personal data
The data protection authority has decreed that master data may be stored for 7 years in the specific case (according to § 132 Para. 1 BAO). The limitation period of 10 years (§ 207 Abs. 2 BAO ) is not sufficient to justify a longer storage.
- 28.5.2018 DSB-D216.580/0002-DSB/2018 Deletion includes contact details
After a deletion request, contact information was not deleted for easy communication or to prevent reconnection. According to DSGVO Article 17, the storage is only legitimate in the public interest, to fulfil a legal obligation or to assert, exercise or defend legal claims.
easyGDPR helps to document for which legal reasons the data must be stored. But please note that only stating that 30 years are required for the issuance of a service certificate does not allow you to keep all data for 30 years. The data protection authority regards the storage limitation as very restrictive.
provision of information
- 22.1.2018 DSB-D122.767/0001-DSB/2018 provision of information
It is important to ensure the identity of those affected, but it is not acceptable to simply ignore inquiries without sufficient identification. It must be justified in writing, why the information is not granted. According to § 71 WTBG, economic trustees are obliged to exercise their profession conscientiously, carefully and on their own responsibility. Therefore, they are responsible and must also provide information about client data.