The data protection report shows that the Austrian data protection authority imposed 38 fines and issued 11 warnings to companies and individuals in 2019. The fines total € 18,106,700.
Since the European General Data Protection Regulation (GDPR) came into force on May 25, 2018, the Austrian Data Protection Authority, as the national supervisory authority (according to Art. 58 Para. 2 GDPR), has the task of imposing fines for violations of the GDPR, as laid down in Article 83.
In particular, proceedings against private individuals because of video surveillance outside of private buildings or dashcams led to fines.
Time and again it has been shown that many individuals are not aware that surveillance of the outdoor area of their houses violates the GDPR if at least a part of public space (e.g. sidewalks or parts of the street) is recorded. This encroaches on the rights of uninvolved persons and thus violates the data processing principles according to Art. 5 Para. 1 GDPR.
Recording with a dashcam was also punished, as it records public traffic and thus other road users over a long period of time.
In another case, a football coach of a women’s football team was fined € 10,000 because he had secretly filmed two female players while they were in the changing room to change clothes and shower.
The highest fine, € 18,000,000, was imposed on Austrian Post because it used personal data commercially. As part of its commercial activity as an address publisher and direct marketing company, data on the political affinity of individually identified persons was created and sold to political parties. Using a statistical process, individual persons were recorded in an address database and assigned presumed political preferences. It was also established that the data which must be recorded in the context of its activity as a postal company was used for the address publishing and direct marketing branches. These findings were then also sold.
The penalty imposed for the established violations of the GDPR is not yet final, because the Post has lodged a complaint.
In a further decision on August 12, 2019, the Austrian data protection authority imposed a fine of € 50,000 on the operator of a medical center. In this case, the GDPR was violated several times. One violation was the lack of a data protection officer. This violated Art. 37 Paragraph 1 as well as the obligations to publish the contact details of the data protection officer and to notify the data protection authority (see Art. 37 Paragraph 7).
Another reason for the fine was the failure to meet the requirements for obtaining consent from patients. Consent was obtained for data processing that did not require consent, which gave the impression that consent was necessary for it. In addition, the declaration of consent was unclearly formulated, which made it impossible to see for which data processing the consent was given. Furthermore, the obligation to check whether a data protection impact assessment according to Art. 35 GDPR is necessary was violated.
The well-known saying goes: “Ignorance of the law is no excuse”. Do you need advice, or would you like to expand your knowledge in the field of GDPR and data security in a workshop? Then take a moment and learn from certified GDPR experts how to do it correctly.