Changes in the Austrian Data Protection Act
On April 20, 2018, the Austrian federal government amended the DSG. Among other things, §11 instructs the data protection authority to issue warnings only to , especially in the case of first-time violations. In general, the authority should consider the proportionality of the incidents. GDPR penalties are now no longer provided for in Austria for the first offense.
In recent days, this has been hyped in the media (“Austria pulls the teeth out of data protection“, …). The news was particularly surprising because Andrea Jelinek, the head of the data protection authority, still said in an interview in February: “Fines must be effective.”
What does this mean in practice?
Has Austria abolished penalties?
Even without the new Austrian Data Protection Act, the GDPR requires in Article 83 that penalties must be proportionate (but effective). The effect of the new Austrian regulations is that initial contact with the authority does not end in punishment. But it is expected that the authority will get back to us soon after and look into rectifying the complaints.
The new regulations did not prohibit penalties. But also the GDPR requires in Article 83 adequacy of any penalties (not only in Austria). Consideration must be given to actual harm, actions taken, and cooperation with the authority when assessing penalties. However, it is also emphasized that the penalties should be effective.
It follows that doing nothing and hoping for impunity is a bad strategy.
A good procedure directory enables you to set appropriate measures. This allows you to effectively minimize potential damages and penalties.
What does the change really bring to Austria?
The change in Austria gives companies the legal certainty that the GDPR will not be interpreted with extreme severity. The rule that warnings must be given on the first offense is a wild card that takes away a lot of the stress of what could happen. But it’s not a free pass to ignore the law.
Without preparation, the likelihood that the agency will find multiple violations and feel compelled to impose effective penalties is very high.