On May 4, 2016, the “Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)” was promulgated. The General Data Protection Regulation enters into force on May 25, 2018. As an EU regulation, the General Data Protection Regulation (GDPR) is in principle directly applicable in every EU member state; however, it contains numerous opening clauses and thus leaves national legislators a certain amount of leeway. It is therefore to be expected that the Austrian Data Protection Act 2000 (DSG) will also be amended before the regulation becomes directly applicable on May 28, 2018.
The regulation affects every company that processes personal data. The penalties have been tightened. It is advisable to familiarize yourself with the GDPR in good time.
Outlook for the General Data Protection Regulation
1. Data protection impact assessment
Notification of data applications to the data protection authority is no longer provided for in the GDPR. Instead, there is the so-called data protection impact assessment (Art. 35 GDPR).
Pursuant to Art. 35 (1), where a form of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons by virtue of its nature, scope, context and purposes, the controller must carry out, prior to the processing, an assessment of the impact of the envisaged processing operations on the protection of personal data.
Paragraph 3 lists, by way of example (non-exhaustively), cases in which a data protection impact assessment must in any event be carried out.
In accordance with Article 35(4), the national supervisory authority shall draw up a list of those data applications for which a data protection impact assessment must be carried out (positive list). Pursuant to para. 5, the supervisory authority may also draw up a list of processing operations for which no assessment is required (negative list).
The data protection impact assessment must have a certain minimum content in accordance with Art 35 (7) GDPR:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interests pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purpose;
- an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
With regard to the documentation and summary of the data protection impact assessment, the regulation does not explicitly specify any requirements. If the data protection impact assessment shows that the processing poses a high risk, the controller must consult the supervisory authority in accordance with Art. 36 (1) GDPR. If the supervisory authority is of the opinion that the planned processing does not comply with the Regulation, it can submit a written recommendation to the controller and exercise its powers in accordance with Art 58 GDPR (see Art 36 (2) GDPR).
2. Register of processing activities
According to Art. 30 GDPR, controllers will in future be obliged to keep a record of their processing activities.
The register must contain the following essential information about the data processing:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and any data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
- where applicable, transfers of personal data to a third country or to an international organization, including the identification of the third country or international organization concerned and, for the transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;
- if possible, the envisaged time limits for erasure of the various categories of data;
- if possible, a general description of the technical and organizational measures.
Apart from the storage period, this corresponds to the content of the previous notifications to the data processing register. What is new, however, is that the obligation to keep the register applies not only to the client (controller) but also to the service provider (processor).
3. Data protection officer
The main innovation is the obligation to appoint a data protection officer in accordance with Art. 37 et seq. of the GDPR in certain cases, namely if
- the processing is carried out by a public authority or body, with the exception of courts acting in their judicial capacity,
- the core activity of the controller or processor consists of carrying out processing operations which, by virtue of their nature, their scope and/or their purposes, require extensive regular and systematic monitoring of data subjects, or
- the core activity of the controller or processor is the processing on a large scale of special categories of data referred to in Article 9 or of personal data relating to criminal convictions and offenses referred to in Article 10.
The role of the data protection officer is of crucial importance. In future, they will be required to inform and advise controllers and processors who process personal data about their obligations under the GDPR and under other EU or national data protection provisions. The data protection officer also monitors compliance with these provisions and acts as the contact person for the supervisory authority.
4. Penalty levels
Art. 83 GDPR regulates the general conditions for the imposition of fines.
Fines of up to 20 million euros or, in the case of a company, up to 4% of its total worldwide annual turnover in the previous financial year can be imposed (cf. Art. 83 (4), covering violations of documentation obligations and of the data protection impact assessment, and Art. 83 (5)).
5. Other changes
- Conceptual changes: the client becomes the controller and the service provider becomes the processor
- The powers and tasks of the supervisory authorities have been extended, particularly with regard to the imposition of “fines”
- Clear consent as a cornerstone
- Information rights and transparency
- Strict rules for data transfer to third countries
- Data protection-compliant technology design: privacy by design and by default
- Uniform law enforcement
- Fixed contact persons for data processors within the EU
- Information obligations and data subject rights have been extended:
  - Information can be provided in combination with standardized icons
  - Information and data subject rights must be provided without undue delay, but at the latest within one month
  - Right of access (cf. storage period)
  - Right to rectification
  - Right to erasure and to be “forgotten”
  - Right to restriction of processing
  - Obligation to notify all recipients in the event of rectification, erasure or restriction
  - Right to data portability
  - Right to object
DISCLAIMER
This information is provided free of charge. No guarantee or liability is assumed for the completeness or accuracy of its content. It is not a substitute for individual advice.