The GDPR entered into force on 25 May 2018. Two months have since passed without any media coverage of its consequences. Many have surely asked themselves: what is the data protection authority doing?
Deletion of personal data
- 28.5.2018 DSB-D216.471/0001-DSB/2018, deletion of personal data: in this specific case the data protection authority ruled that master data may be stored for 7 years (under § 132 Para. 1 BAO). The limitation period of 10 years (§ 207 Para. 2 BAO) is not sufficient to justify longer storage.
- 28.5.2018 DSB-D216.580/0002-DSB/2018, deletion includes contact data: after a deletion request, contact information had not been deleted, in order to keep communication easy or to prevent reconnection. Under Article 17 GDPR, continued storage is legitimate only in the public interest, to fulfil a legal obligation, or to assert, exercise or defend legal claims.
- 7.6.2018 DSB-D202.207/0001-DSB/2018, approval of image processing for research purposes
easyGDPR helps you document the legal grounds on which each category of data has to be retained. Note, however, that merely stating that 30 years are required for issuing a service certificate does not permit retaining all data for 30 years. The data protection authority interprets the storage limitation principle very restrictively.
What is the data protection authority doing? Processing times
For a number of complaints from 2017 (the DVR era) we found processing times of 4 to 7 months. Notably, the authority reacts relatively quickly and requests further information where necessary. While the facts of the case are being clarified, almost every proceeding involves several rounds of queries to the complainant and to the respondent (the company accused of misconduct). With deadlines of 2-4 weeks per request, the procedure takes several months. Proceedings that the authority initiates itself, or in which the complainant fails to provide the required supporting documents and details, are often completed within one to two months. Consequently, “only” two months after the GDPR entered into force, no results can yet be expected for complaints filed after that date.
What is the data protection authority doing? Outcome of the procedures
In the evaluated complaints, 40% were rejected completely or in part. Recommendations were made in 60% of cases; these recommendations must be implemented, otherwise they are enforced by execution. The deadlines range from immediately (at most 2 weeks) for providing information to 2-3 months where processes in the company have to be changed. Execution means that the data protection authority enforces implementation even against the will of the controller (the responsible person) and at that person's expense. The authority attaches great importance to precise compliance with the GDPR. In older decisions, great importance was attached to correct reporting in the DVR. Since 25 May, the DVR has been replaced by the record of processing activities.
easyGDPR makes it easy to create a complete record of processing activities.