fbpx

Download free GDPR compliance checklist!

Tag Archives for " Austria "

€114 Million in Fines Imposed by EU Authorities Under GDPR

New findings from DLA Piper show that 160,000 data breach notifications reported across 28 European Union Member States and data protection authorities have imposed €114 million in monetary fines under the GDPR for a wide range of infringements. Not all fines were related to data breach infringements, however.

In terms of the total value of fines issued by geographical region, France (€51m), Germany (€24.5m) and Austria (€18m) topped the rankings, whilst the Netherlands (40,647), Germany (37,636) and the UK (22,181) had the highest number of data breaches notified to regulators.

Source: €114m in Fines Imposed by Euro Authorities Under GDPR – Infosecurity Magazine

Criminal proceedings against Österreichische Post

The Austrian data protection authority imposed an administrative fine of 18 million euros on Österreichische Post AG (Austian Postal Service) after conducting administrative fine proceedings.

Austrian DPA concluded taht Österreichische Post had violated the GDPR by processing personal data on the alleged political affinity of affected data subjects. In addition, another GDPR violation was the further processing of data on package frequency and the frequency of relocations for the purpose of direct marketing.

However, the penalty is not final, as it can be challenged before the Federal Administrative Court within four weeks after the delivery of the penalty notice.

Source: Criminal proceedings of the Austrian data protection authority against Österreichische Post AG (Austrian Postal Service) | European Data Protection Board

Austrian Supreme Court Says GDPR Lawsuits Can Be Filed Throughout EU

The Austrian Supreme Court has ruled that complaints concerning the EU General Data Protection Regulation (GDPR) can be brought anywhere in the EU.

The decision overturned a ruling by a lower Austrian court which held that a privacy lawsuit against Facebook had to be brought in Ireland, where the company is headquartered.

Source: Austrian Supreme Court: GDPR Lawsuits Can Be Filed Throughout EU

Austrian Data Protection Authority finalises investigation into Österreichische Post AG

The Austrian Data Protection Authority has finalised its investigation into the Austrian Post (Österreichische Post AG) and issued a decision stating the Austrian Post has violated several provisions of the GDPR.

Specifically, the Austrian DPA is of the opinion that the Austrian Post processes special categories of personal data (political opinions) by attributing preferences for certain political parties to data subjects by using statistical calculation methods, without explicit consent given by the data subjects. Furthermore, it found, DPIA for this kind of processing and the record of processing activities were erroneous.

The Austrian DPA imposed an immediate ban on these processing operations, ordered the erasure of the data and ordered the Austrian Post to carry out a new DPIA and to rectify its record of processing.

Source: Austrian Data Protection Authority finalises investigation into Österreichische Post AG

Austrian DPA takes “result-oriented perspective” in data erasure decision

The Austrian data protection authority (‘DSB’) published, on 30 January 2019, its decision, dated 5 December 2018, on the right to data erasure, further to an individual’s complaint.

In particular, the DSB highlighted that the complainant had alleged that an unnamed insurance company had infringed his right to data erasure by only deleting data stored for marketing purposes and anonymising the remainder.

Full article: Austria: DSB takes “result-oriented perspective” in data erasure decision

Austria’s Post Office under fire over data sharing

Austria’s national post office found itself under fire Tuesday for collecting and selling information about customers’ political allegiances in what privacy campaigners say bears similarities to the Facebook data-sharing scandal.

According to the investigative journalism website Addendum, the Austrian Post sold the names, addresses, age and gender of around three million customers to other companies for targeted marketing purposes.

Source: Austria’s Post Office under fire over data sharing

Validity of consent coupled with free online services

The Austrian Data Protection Authority, headed by the chair of the European Data Protection Board (EDPB), provided a clear way forward for advertising-based business models.

Following a complaint against an Austrian newspaper, the Austrian Data Protection Authority decided that the prohibition on making the provision of a service conditional on consent (“coupling prohibition”; Article 7(4) GDPR) can effectively be circumvented by additionally offering a consent-free equivalent service for a reasonable remuneration.

Full article: Validity of consent coupled with free online services – Chair of EDPB opens a path

Austrian DPA Issues Decision on Validity of Cookie Consent Solution

On November 30, 2018, the Austrian Data Protection Authority published a decision in response to a complaint received from an individual regarding the cookie consent options offered on an Austrian newspaper’s website.

Full article: Austrian DPA Issues Decision on Validity of Cookie Consent Solution | Privacy & Information Security Law Blog

Austria: “Cookie Walls / Paywalls” hybrids are permissible?

In a recent case, the Austrian Data Protection Authority (ADPA) decided for the first time on the permissibility of a consent for the use of cookies, as well as the concept of freely given consent under the GDPR.

The case involves the cookie consent on the website of an Austrian newspaper. In this decision, the ADPA has seen a hybrid cookie wall / paywall solution as permissible, but has failed to address several important issues potentially arising in such cases

Full article: Austria: “Cookie Walls / Paywalls” hybrids are permissible?

First GDPR fine issued by Austrian data protection regulator

Austrian Data Protection Authority (“DSB”) has issued a fine against an entrepreneur for violations of the GDPR. The entrepreneur had installed a CCTV camera in front of his establishment that also recorded a large part of the sidewalk. The DSB found this act to be in violation of the GDPR, as large-scale monitoring of public spaces is not permitted under the GDPR. Apparently the camera was also not sufficiently marked as conducting video surveillance, meaning that the applicable transparency obligations had not been fulfilled.

The amount of the fine, however, was quite moderate: EUR 4,800. According to the deputy director of the DSB, fines should be proportionate – e.g. a controller with an annual income of, for example, EUR 40,000 is unlikely to receive a EUR 20 million fine from the DSB.

Source: First GDPR fine issued by Austrian data protection regulator, Gernot Fritz

>