Punishment against medical company
An Austrian company in the “medical field” has received the highest fine imposed in Austria so far, namely € 50 000.
Unfortunately, the data protection authority has released only a few details about the case. It is known that the company was fined for two offences. Firstly, the obligation to provide information was not complied with and, secondly, no data protection officer had been appointed despite the obligation to do so.
This shows once again that the information policy of the Austrian data protection authority leaves room for improvement. While the data protection authorities in other states report openly on their own work, it is difficult to obtain information in Austria. This is similar to the situation in Germany. However, it would be a fallacy to assume that the authorities are not taking any action. The public simply does not know what the local authority is focusing on.
Type of Issue:
violated duty to inform
Number of involved data records:
Special category of data involved:
Violation of GDPR Paragraph:
12. Transparent information, communication and modalities for the exercise of the rights of the data subject
13. Information to be provided where personal data are collected from the data subject
37. Designation of the data protection officer
38. Position of the data protection officer