Austrian Government Passes GDPR-Compliant Law

The Austrian Parliament seized the opportunity, granted by the GDPR’s opening clauses that give European Union member states the discretion to enact their local laws, to  pass the new Data Privacy Act that fine-tunes data privacy legal structures to the impending General Data Protection Regulation (GDPR).

This move enhances the process of adapting the domestic legal framework to comply with the new EU regulations. The Act took care of the multiple proposals received from the public. The Austrian Parliament passed the new Act without amending the constitutional provisions in the old data Privacy Act. Many provisions significantly changed from the draft law.

The current safeguarding of legal persons’ data remains unchanged. This is because the fundamental right to data privacy is retained its current form.   The amendments are expected soon since the October 15, 2017 parliamentary elections have already taken place with Sebastian Kurz likely to take leadership. The terms in the right to data privacy in its current form are ambiguous and subject to interpretation. Consequently, efforts must be made in the Parliament to introduce amendments to ensure the protection of the legal persons’ data.

Minor’s Personal Data Processing

Children aged 14 years and above will be legally authorized to give consent to the processing of their personal data. The act stipulates that children aged at least 14 years old will not require the consent of legal guardians to approve processing of their personal data. This implies that legal guardians will only have a mandate to give consent or confirm processing of personal data to minors aged 13 years and below.

Criminal Convictions and Offenses

Criminal convictions and offenses data will be processed if it is essential for legitimate reasons pursued by the controller or third party. Processing is also allowed if it comes from a legal duty to exercise due diligence. These will legally justify processing of personal data for most of the internal investigations.

GDPR provides several legal grounds of justification for processing personal data by media firms, their service providers or the employees when conducting their journalistic duties. In the new Austrian Data Privacy Act, most of those grounds for justification will not apply in that country. However, the act introduced additional justifications for processing personal data for public benefits related to scientific and historical research reasons, archiving and statistical purposes.

The draft law reinforced the independence of Data Privacy Authority of the highest executive powers such as President and ministers. However, this provision failed to be enacted due to the failure to reach the two-thirds majority in the parliament. The same fate befell safeguarding of manually processed data.

Austria is now waiting for further amendments, particularly in those areas that lacked parliamentary supermajority and the constitutional changes. Parliamentary leadership is now in place following the October 15, 2017 elections. Since the Act did not deviate much from t GDPR, it creates a consistent data privacy regime that matches the European Union General Data Protection regulation.