Imposing administrative fines

In accordance with § 30 DSG, the Data Protection Authority is the body that can impose fines.

The fines may be imposed on:

  • the company for a breach by an executive,
  • the company for surveillance and inspection failures,
  • controllers (i.e. a director or manager may be personally punished pursuant to § 9 Administrative Penal Act, but the DSB may refrain from punishing the natural person if a penalty has already been imposed on the legal person).

No fine may be imposed on public authorities or public entities.

Administrative penal provision

Administrative penal provisions are included in § 62 DSG.

Unless the offense does not constitute an offense pursuant to Article 83 GDPR or is subject to more severe punishment according to other administrative penal provisions, an administrative offense punishable by a fine of up to €50,000 is committed by anyone who:

  • intentionally and illegally gains access to data processing or maintains an obviously illegal means of access,
  • transmits data intentionally in violation of the rules on confidentiality (§6), in particular intentionally uses data entrusted to him or her according to §7or §8 for other prohibited purposes
  • by giving incorrect information intentionally obtains personal data according to §10
  • processes images contrary to the provisions of Chapter 1, Part 3, or
  • refuses inspection pursuant to §22 para. 2.

The data protection authority is responsible for the decision.

Tasks and powers of the Austrian supervisory authority

Tasks

Duties of the DPA in addition to those stipulated in the GDPR are regulated in § 21 DSG.

This includes advising the committees of the National Council and the Federal Council, the Federal Government and state governments at their request on legislative and administrative measures. The DSB is also to be consulted on the enactment of federal laws and regulations concerning matters of data protection.

The DSB must make public the list of processing operations for which a data protection impact assessment has to be conducted pursuant to § 35 by way of a provision in the Federal Law Gazette.

Powers

According to the DSG, the supervisory authority has three types of powers:

  • investigative powers,
  • corrective powers (to stop unlawful conduct, e.g. by imposing fines) as well as
  • authorisation and advisory powers.

The DSB is entitled, after agreement between the owner and the controller or processor, to enter the premises in which the data processing takes place, put data processing equipment into operation, carry out the processing operations that are to be examined as well as make copies of the data carriers.

If there is a significant, immediate threat to legitimate secrecy interests in data processing, the DPA may, in the event of danger during the implementation, decide to prohibit the continuation of data processing immediately.

Legal action

All notices from the Data Protection Authority can be appealed by issuing a complaint to the Federal Administrative Court, which will decide on the case via a three-judge panel (one professional judge and two lay judges).

Rulings of the Federal Administrative Court can be challenged by appeal to the Administrative Court or appeal to the Constitutional Court.