DPIA list of the Austrian supervisory authority

In May 2018, according to Art. 35 para. 5 GDPR, the DSB issued a ‘Data protection impact assessment exception ordinance (DPIA-EO), a so-called ‘white-list’, which came into force on 25 May 2018.

The so-called ‘black-list’ was published on 9 November 2018 with the ‘Data protection authority ordinance on processing operations for which a data protection impact assessment is to be conducted (DPIA-P)’ and entered into force on 10 November 2018.

The regulations for the DPIA and corresponding explanations are available (in German) on the DSB website at the following link:

https://www.dsb.gv.at/verordnungen-in-osterreich

Particularities

A derogation from the Austrian blacklist does not stipulate the need of a DPIA for certain types of processing in connection with employment if there is a company agreement or valid approval from the personnel representatives.

Processing operations according to the 3rd main section of the DSG (§§ 36 ff; Processing of personal data for security police purposes, including state protection by the police, military self-defence, the investigation and prosecution of criminal offenses, the enforcement of sentences and of precautionary measures) are not covered by the DPIA-P.