Experience of the Austrian Data Protection Authority when enforcing Article 83 GDPR

Av: Herwig Zaczek, jurist på Österrikes motsvarighet till Datainspektionen, om hur de tillämpat GDPR.

Since the GDPR became applicable, the Austrian Data Protection Authority, as the competent Supervisory Authority of Austria pursuant to Article 58 paragraph 2 (i) GDPR,  has been tasked with the fining of violations of  the GDPR in accordance with  Article 83. In this context, the Austrian Data Protection Authority (hereinafter Austrian DPA) has imposed 38 fines and 11 reprimands within the meaning of Article 58 paragraph 2 (b) GDPR. In total, the Austrian DPA has imposed fines totaling €18,106,700.00.

Pursued Infringements

In the following paragraphs, essential case constellations are presented which, from the perspective of the Austrian DPA, have played a central role in the enforcement practice.

Image Processing

Particularly in cases of proceedings against private individuals, the (unlawful) operation of image processing systems, such as video surveillance systems in and on private buildings, and camera systems installed in vehicles (dash cams), has been in the center when imposing fines in accordance with Article 83 GDPR. It has been demonstrated time and again that many controllers are unaware that the use of video surveillance systems, such as those mounted for surveillance of the outside area of their home or apartment, could infringe the rights of data subjects. In particular, where the surveyed area includes (parts of) public areas (i.e. sidewalks and parts of streets) video surveillance systems could infringe both the data processing principles as foreseen in Article 5 para 1 GDPR as well as Article 6 para 1 GDPR. In addition, fines have been imposed on controllers who operated a dashcam in their car and recorded public street traffic, and thus other public street traffic users, over longer periods of time. In a particularly serious case, the Austrian DPA fined the coach of a women’s soccer team with € 10,000 (not final) for covertly filming two soccer players in the dressing room, while being naked and taking a shower. Regarding the data protection qualification of image processing operations, a recent judgment of the European Court of Justice, hereinafter referred to as CJEU, (Case C‑708/18 dated December 11, 2019) must be mentioned. Although the judgment was based on Directive 95/46 (Data Protection Directive, hereinafter referred to as Directive), it remains relevant for the assessment of the legality of image processing systems with regard to  the processing principles and legal grounds. The subject matter was whether a video surveillance system operated in a multi-party apartment building – which had been instigated by the co-owners to protect the security of the residents and their property as a result of multiple cases of burglary and property damage – is in line with the requirements regarding the lawfulness of data processing operations under the Directive.  According to the legal assessment of the CJEU, the operation of a video surveillance system can, in principle, be based on Article 7 (f) of the Directive (now Article 6 para 1 (f) GDPR].  Consent of the data subjects (= residents) is not necessarily required. However, the CJEU stressed that any data processing must comply with all principles of Article 6 of the Directive [now Article 5 para 1 GDPR] and with at least one of the legal grounds as regulated in Article 7 of the Directive [now Article 6 para 1 GDPR].

The objective which the controller essentially seeks to achieve when he or she installs a video surveillance system, namely protecting the property or the health and life of the co-owners of a building, is likely to be characterized as a legitimate interest, as defined in the former Article 7 (f) of the Directive [now Article 6 para 1 (f) GDPR]

In regard to the legitimate interest(s), it must be stated that this/these must have arisen before and existed at the time of processing; they must not only be hypothetical at this point in time. However, it is not imperative that the security of people’s property has previously been compromised: burglaries or property damage that occurred previously can in any case be taken as an indication of the existence of a legitimate interest.

The necessity of processing (the second prerequisite as per Article 6 para 1 (f) GDPR) requires that the objective cannot be achieved by using less interfering measures. Hence, and in line with the principle of data minimization pursuant to Article 5 para 1 (c) GDPR, it may be necessary to use a different method for providing the security of the building (e.g. security doors and improved locks).

In order to weigh the interests as per Article 6 para 1 (f) GDPR, the legitimate expectations of the data subjects must also be taken into account: residents of a multi-party residential complex in which burglaries and property damage have already occurred several times can reasonably expect that video surveillance is used in view of the incidents that have occurred. In strong contrast to this, for example, data subjects can trust that their privacy is guaranteed in places such as changing rooms or sanitary facilities and that in such places no video surveillance takes place.
The listed points, which result from the jurisprudence of the CJEU can be used as a guideline for the assessment of any form of image processing (stationary, mobile, dash cam). In any case, however, a case by case assessment is required, in which the interests of the controller and the legitimate interests of data subjects and their expectations are carefully balanced.

Direct Marketing und Data Brokering

The Austrian DPA imposed an administrative fine of 18 million Euros on Österreichische Post AG (ÖPAG – Austrian Post) following administrative fine proceedings with decision of 23 October 2019. After conducting an investigation and an oral hearing, the data protection authority considered it proven that ÖPAG had violated the GDPR by processing personal data on the alleged political affinity of data subjects. In addition, ÖPAG violated the law due to the further processing of data regarding the package frequency and the frequency of relocations for the purpose of direct marketing.

As these violations were committed unlawfully and with negligence, the Austrian DPA considers the abovementioned administrative fine as appropriate to prevent other or similar violations. The fine imposed is not yet final, as the controller filed an appeal to the Federal Administrative Court.

Other Infringements

In another decision, the Austrian DPA fined the operator of a medical center with € 50,000. In this case, the controller violated the GDPR in several respects, namely, among others:

  • by not designating a data protection officer as per Article 37 para 1 (c) GDPR and failing to meet the obligations under Article 37 para 7 to publish the contact details of the data protection officer and notify the DPA of these data;
  • by not complying with the requirements for obtaining consent from patients as per Article 7 para 2 GDPR: items not subject to consent and items subject to consent were integrated into one written consent form, without a distinguishable separation thereof, giving the appearance that consent was required for all items; the declaration of consent failed to provide sufficient clarity for what the consent should be the legal basis; and
  • by failing to meet the obligation to examine the need to carry out data processing impact assessments in accordance with Article 35 GDPR with regard to data processing processes typically taking place in a health facility, such as the administration of medical reports and other patient data.

Coherent Union-Wide Enforcement

To achieve the objective of a coherent implementation of Article 83 GDPR across the Union, the Austrian DPA, together with the representatives of the supervisory authorities of the other Member States, is a member of the European Data Protection Board. The Board is set up as a body of the Union with legal personality according to Article 68 para 1 GDPR and independently fulfills the tasks assigned to it by the GDPR. The Board devises in various working groups, amongst other things, guidelines within the meaning of Article 70 para 1 (k) GDPR, which are adopted by resolution in plenary. These (non-binding) guidelines serve to further interpret individual provisions of the GDPR and are therefore also available online (reference: https://edp

Herwig Zaczek, lawyer, has been working as a desk officer for the Austrian Data Protection Authority in the department for imposing fines according to Article 83 GDPR since mid-2018. Before joining the Austrian Data Protection Authority, he worked as a lawyer in the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection for six years.