The data protection authority has now also commented on the current wave of warning letters:
- It is recommended to have the website technically checked
- There is a right to information (within 4 weeks). It must therefore either provide information about the data collected (e.g. IP address in the log files) or provide negative information. It is pointed out that a power of attorney of the representative is necessary, that personal data may be transmitted to a third person (lawyer). Please note that this data must be sent encrypted by mail. Password must not be sent by mail.
- On the subject of claims for damages, the DPO states that it does not fall within its remit.
- There is no statement with regard to injunctive relief
- The DPA is currently assessing whether the GDPR applies to Google Fonts and whether IP addresses fall under personal data
Our recommendation, do not pay, but respond to the warning in a timely manner or request an extension of time. Website check if they will use Google Fonts at all, how their website is built, remove anything that is not currently used and services that do not meet the GDPR guidelines.
On the page of the WKO you will find sample letters for your reply.