Three interesting decisions on Austrian data protection law
Criminal Knowledge – fine for video surveillance system based on Art 84 GDPR – Case no. DSB-D550.038/0003-DSB/2018
In this decision the Austrian Data Protection Authority (DPA) had to deal with an unlawful video surveillance system. According to Austrian Data Protection Law (DSG 2018) a video surveillance is permissible, in particular if it serves the preventive protection of persons or property on private properties used exclusively by the data controller and does not extend beyond the property, with the exception of the inclusion of public traffic areas, which may be unavoidable for the purpose of attaining the intended purpose.
In this case the surveillance covered the public area (public parking lot and traffic area) and private individuals in front of the entrance of the data controller. The DPA decided that the video surveillance in this way is not permitted because it was in no way appropriate and not limited to what it was necessary. In addition, there was no logging of processing operations related to video surveillance. § 13 para 2 DSG 2018 stipulates that the data controller must protocol every processing operation for an image recording, unless it is a matter of real-time monitoring. The missing logging already started before 25th of May 2018, so that the data controller not only violated § 13 para 2 DSG 2018, but also § 50b para 1 DSG 2000 (for the period before 25th of May 2018). On top of that, the video surveillance was not suitably marked. There was no sign on the parking lot. In accordance with § 13 para 5 DSG 2018, the data controller must mark the video surveillance suitably. The data controller must be clearly identifiable from the label, unless this is already known to the persons concerned under the circumstances of the case. Labelling must be carried out locally in such a way that any potentially affected person approaching a monitored object has the opportunity to avoid video surveillance.
On the basis of § 62 para 1 no 4 DSG 2018, which is based on Art 84 GDPR, the DPA imposed an administrative fine of EUR 4,800 due to a not sufficiently marked video surveillance and recording a large part of the sidewalk. Compared to similar cases before the GDPR came into force, the administrative times are more than 5 times.
Voluntary consent to the setting of cookies against access to an online newspaper - Case no. DSB-D122.931/0003-DSB/2018
Breach of duty to inform in case of cold calling – Case no DSB-D123.076/0003.DSB/2018
At the end of June, the complainant was contacted via telephone by the respondent of a selling company for advertising purposes. However, the complainant, who is also an entrepreneur, had not given his consent within the meaning of § 107 para 1 TKG 2003 (Austrian Telecommunications Act) for contact via telephone for advertising purposes. When asked where the telephone number came from, the complainant did not provide any information. The complainant then addressed the DPA and asserted the infringement of the right to confidentiality and the duty to provide information pursuant to Art 14 GDPR. In the proceedings, the complainant stated that the called party's mobile phone number was published online and that it was the telephone number of a company, not of a natural person. The DPA had to deal with the question of a possible violation of the right to confidentiality through the use of the telephone number for advertising measures as well as with the question of whether the respondent would have complied with his information obligation by initially not providing the complainant with complete information on the data processing during the telephone conversation. The DPA granted the complaint. The fact that the complainant's mobile phone number was merely posted on the website of a regional association to which he belonged did not entitle the respondent under any circumstances to carry out unsolicited advertising calls. In this respect, there is a change of purpose. The complaint was therefore justified in this respect. Regardless of the provision of § 107 para 1 TKG 2003, the violation of which is sanctioned under administrative criminal law, or which the telecommunications authorities are ultimately responsible, the violation of the duty to provide information according to art 14 GDPR was acknowledged by the DPA in the same way.
Article provided by: Clemens Thiele (EUROLAWYER Rechtsanwälte)