General Data Protection Regulation (‘GDPR’) – new rights and obligations for all actors

08/23/2017 - Reading time: 3 minutes

As from 25 May 2018, the GDPR will apply directly and replace current data protection legislation, viz. Directive 95/46/EC and the Austrian Data Protection Act of 2000 (Datenschutzgesetz 2000, DSG 2000) by which the Directive had been transposed into national law. In spite of the GDPR’s direct applicability, national implementation rules are necessary; the Austrian legislator has provided most of those rules in the Data Protection Amendment Act (Datenschutz-Anpassungsgesetz, Federal Law Gazette (BGBl) I 120/2017).

In terms of substantive law, the GDPR sets out the conditions relating to the processing of personal data by public organisations and enterprises. Apart from causing a change in terminology in Austrian data protection law (‘Verantwortlicher’ instead of ‘Auftraggeber’ for controllers and ‘Auftragsverarbeiter’ instead of ‘Dienstleister’ for processors), the GDPR introduces numerous new elements:

Regarding its territorial scope, the GDPR will in future also cover the processing of personal data in the context of the activities of an establishment of a controller or processor (referred to collectively below as ‘data processors’) in the Union, regardless of whether the processing itself takes place in the Union (Article 3(1) GDPR). Furthermore, the GDPR applies to data processors that are not established in the Union but nevertheless offer goods or services to data subjects in the Union or monitor their behaviour within the Union (the marketplace principle laid down in Article 3(2) GDPR). This means that in future major US providers, such as Google, must adhere to European data protection law.

Sections 16 et seq DSG 2000 established a general duty to notify the data protection authority but numerous provisions permitting exceptions (especially for standard applications) made it cumbersome to administer and ineffective. In its place, the GDPR has provided the duty to maintain a record of processing activities (Article 30 GDPR), the data protection impact assessment (Article 35 GDPR) and the appointment of a data protection officer (Article 37 GDPR).

(i) In the record of processing activities, data processors must maintain an internal overview of their data applications. The content to be recorded is largely the same as that which must currently be reported to the data processing register (e.g. the categories of data subjects and of personal data). Enterprises employing fewer than 250 persons must maintain a processing record only if specific risk elements are present (Article 30(5) GDPR): if the processing is likely to result in a risk to the rights and freedoms of data subjects, if it is not merely occasional, or if sensitive data (special categories of personal data) are processed.

(ii) A data protection impact assessment, which serves to assess the potential consequences of data processing operations, must be carried out if the planned type of processing ‘[is] likely to result in a high risk to the rights and freedoms of natural persons’. Under Article 35(3) GDPR this applies in particular to systematic and extensive profiling (using personal data to evaluate or create profiles of persons) on which decisions with legal or similarly significant effects are based, to the large-scale processing of sensitive data and to the systematic large-scale monitoring of publicly accessible areas.

(iii) The data protection officer, created as an interlocutor for the supervisory authorities, has the responsibilities of advising the data processors and verifying compliance with the provisions of data protection law. Appointing a data protection officer is mandatory if the core activities consist of the regular and systematic monitoring of persons on a large scale or of the large-scale processing of sensitive data (to be determined on a case-by-case basis using the risk-based approach). This applies in particular to healthcare organisations, inquiry agencies and recruitment agencies.

Technical and organisational measures designed to ensure compliance become more and more important under the GDPR (data protection by design and by default, Article 25 GDPR). In line with the principle of data minimisation, such measures are intended to ensure that only data which are necessary in relation to the purpose of the processing operation are processed. This principle must be borne in mind in particular when designing databases.

In addition, the GDPR extends obligations that already exist (e.g. the duty to proactively notify the data protection authority of personal data breaches and the duty to provide information to data subjects). In view of the drastic increase in penalties, it is advisable to establish a catalogue of measures for the implementation of these duties of care and diligence because, depending on the type and seriousness of the respective infringement, administrative fines of up to EUR 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be imposed (Article 83 GDPR).

Increased obligations on the part of the data processors go hand in hand with strengthened rights of the data subjects. The ‘right to be forgotten’ is widened to the effect that data processors that have made data public must take reasonable steps to inform other data processors handling those data of any request to erase them, including any links to, copies or replications of the data (Article 17 GDPR). The right to restriction of processing and the right to data portability (Articles 18 and 20 GDPR) are new features. The latter is intended to make changing providers easier (e.g. in the context of social networks, credit card agreements or energy supply agreements).

Businesses now have less than one year left to implement the stipulations of the GDPR.