Decisions of the data protection authority in Austria are documented in the RIS. Many decisions made before the introduction of the GDPR are still relevant now. Here is a selection:
Video surveillance
The data protection authority has ruled in several cases that video surveillance is not permissible for the enforcement of civil claims.
- 5.12.2017 DSB-D216.405/0006-DSB/2017: Video surveillance of vehicles taking a shortcut across private property without authorization.
This monitoring of traffic areas is not allowed. The camera may now only monitor the entrances of the building + 50 cm.
- 2.3.2017 DSB-D213.453/0003-DSB/2016: Unmarked video surveillance of a servitude path.
To find the perpetrator of property damage, a game camera was installed and not marked (private video trap). The purpose of the marking, if at all spatially conceivable, is not only to create the possibility of avoiding (bypassing) the monitored area, but also to significantly strengthen the protective effect of video surveillance through deterrence. Monitoring without labeling is also not permitted to identify a violator.
- 11/22/2017 DSB-D216.309/0007-DSB/2017: Surveillance of neighboring property to preserve evidence.
To obtain evidence of violations of the Commercial Code, the neighboring property was monitored. This monitoring is not allowed. As a rule, video surveillance is only permissible for the purposes of protecting the monitored object or person, or of fulfilling legal due diligence.
Deletion
- 5/28/2018 DSB-D216.471/0001-DSB/2018 Deletion of personal data.
The data protection authority has ruled that master data in the specific case may be kept for 7 years (pursuant to § 132 para. 1 BAO). The limitation period of 10 years (§ 207 para. 2 BAO) is not sufficient to justify a longer retention.
- 5/28/2018 DSB-D216.580/0002-DSB/2018 Deletion includes contact information.
After a deletion request, contact information was not deleted for ease of communication as well as to prevent re-contact. According to Article 17 GDPR, storage is only legitimate in the public interest, for the fulfillment of a legal obligation or for the assertion, exercise or defense of legal claims.
easyGDPR helps to document for which legal reasons the data must be retained. But beware, just stating that 30 years is required to issue a certificate of service does not allow all data to be kept for 30 years. The data protection authority takes a very restrictive view of the storage limit.
Information distribution
- 1/22/2018 DSB-D122.767/0001-DSB/2018 Providing information.
It is important to ensure the identity of those concerned, but it is not acceptable to simply ignore requests without sufficient identification. Reasons must be given in writing as to why the information will not be provided.
Pursuant to § 71 WTBG, certified public accountants are obliged to exercise their profession conscientiously, diligently and independently. Therefore, they are responsible and must also provide information about client data.