DSB (Austria)
Datenschutzbehörde | |
---|---|
Name: | Datenschutzbehörde |
Abbreviation : | DSB |
Jurisdiction: | Austria |
Head: | Mag. Dr. Andrea Jelinek |
Deputy: | Mag. Dr. Matthias Schmidl |
Adress: | Barichgasse 40-42, 1030 Wien, Austria |
Webpage: | www.dsb.gv.at |
Email: | dsb@dsb.gv.at |
Phone: | +43 1 52 152-0 |
Twitter: | n/a |
Procedural Law: | AVG (in DE) / AVG (in EN) |
Decision Database: | RIS (only in DE) |
Translated Decisions: | Category:DSB (Austria) |
Head Count: | 34[1] (2019) |
Budget: | € 2,3 Mio[2] (2019) |
The Datenschutzbehörde is the federal Data Protection Authority for Austria. It resides in Vienna and is in charge of enforcing GDPR for Austria.
Structure
The DSB is a monolithic authority. All decisions are taken on behalf of the head of the DSB. Cases are usually assigned to an employee that is named on all documents. The individual employee decided on behalf of the head of the DSB. There is no information about individual sections within the DSB.
Procedural Information
Applicable Procedural Law
The Austrian DSB operates under the Austrian Administrative Procedural Act (Allgemeines Verwaltungsverfahrensgesetz - AVG) unless the GDPR or the national Data Protection Act (Datenschutzgesetz) has more specific rules.
The AVG defines the form of the procedure and the rights of the parties before the DSB in general. For example, § 73 AVG stipulates a duty to decide over each complaint as soon as possible, but always within 6 months or § 17 AVG ensures a right of the parties to access to all documents. Under § 13 AVG applications can be submitted in person, in writing, via email or via phone. Each party (data subject and controller) have all procedural rights under the AVG.
The national Data Protection Act (Datenschutzgesetz - DSG) regulates certain procedural elements as a lex specialis for the DSB, like the details of the complaints procedure in § 24 DSG (see below).
Complaints Procedure under Art 77 GDPR
Under § 24(2) DSG any complaint needs to name:
- the violated right,
- as far as possible the controller,
- the facts of the case,
- the reasons why the complainant feels his rights are violated,
- the request to find a violation of the law and
- any information that allows to determine if the complaint was filed on time.
In addition all relevant documents (like the correspondence with the controller) need to be attached. Under § 24(4) DSG complaints need to be filed one year from the time the complainant has learned about the violation and three years from the incident.
Ex Officio Procedures under Article 57 GDPR
The DSB can run ex officio procedures out of its own motion. Cases were so far triggered by media reports or larger public debates about controllers.
Relevant Elements under the Austria Data Protection Act and Administrative Procedural Act
In many ways the Data Protection Act (DSG) refers to the Administrative Procedural Act (AVG). The most relevant elements are:
- Contrary to the general 6 months deadline for any decision under § 73 AVG, § 24(10) DSG exempts the time a foreign lead supervisory authority processed a complaint from the deadline. This leads to a situation, where complaints may be pending in a foreign jurisdiction for exorbitant amounts of time. The Austrian law does not foresee a legal remedy in such a situation.
- § 24(6) DSG allows that a controller can remedy the violation until the end of the complaints procedure and thereby remedy the situation. The case then becomes moot and can be informally closed, when the data subject was previously heard on the alleged remedy.
Appeals
Appeals against decisions by the Austrian DSB can be taken by the parties concerned to the Federal Administrative Court (Bundesverwaltungsgericht - BVwG), which has three dedicated chambers for data protection cases. The decision by the BVwG can be further be appealed to the Supreme Administrative Court (Verwaltungsgerichtshof, VwGH).
Practical Information
Filing with the DSB
For most data protection claims against a controller and for complaints to the DSB standard forms (in German) are provided at dsb.gv.at. You can email them to the general email address of the DSB, or file them via mail, fax or any other form of communication the DSB provides. It is recommendable to
The complaint then gets screened and then sent to the controller (within Austria) or to the "Lead Supervisory Authority") if the controller resides outside of Austria.
When the case sent to another "Lead Supervisory Authority" you will be served with a formal, appealable decision.
For cases within Austria, there is then a ping-pong of submissions between the two parties and then a formal decision by the DSB. Both parties can apply for evidence, hearings and alike under the AVG, but in reality most cases are decided merely on the submissions by the parties. There are cases where the DSB did "on premises" inspections, when a party applied for it. The final decision will then be served with the parties - usually via email.
Known Problems
The DSB usually uses the following procedural approaches that may be problematic in your case:
- The often "close" cases when the controller complies with the law during the procedure. The law allows for such "healing" of a case. However this makes compliance before a procedure is started less attractive for a controller. The DSB could issue fines, even when a case was "healing", but usually does not do so.
- The DSB quickly "pauses" procedures once they have some international relevance to stop the 6 months deadline. The law provides for that. However cases are then often staying with other European DPAs for years without any further response.
- The DSB often uses wording during the exchange of the parties (e.g. "unless you respond within 2 weeks we assume that you withdraw your complaint") that many parties understand to mean that the DSB is actually siding with the other party. In reality these clauses are used in every letter as a standard way to get more cases closed quickly.
- The DSB often "pauses" the procedure to inquire the relevant non-Austrian Lead Supervisory Authority in a formal decision. There is then no additional formal decision about which specific Authority the DSB found to be the Lead Supervisory Authority. When the data subject disagrees with the view of the DSB and the case is sent off to the wrong Lead Supervisory Authority, there seems to be no formal decision that can be appealed.
Filing an Appeal
Any party can file an appeal against any DSB decision (or in the case of non-decision within 6 months) with the Federal Administrative Court (Bundesverwaltungsgericht, BVwG). There is no need to be represented by a lawyer an the procedure is rather informal and usually does not require an oral hearing. The filing fee is € 35. Applicants do not have to reimburse the other sides' costs.
Decision Database
The DSB (and previously the DSK) has published more than 1.600 of their decisions in the Austrian decision database RIS.bka.gv.at since 1994. Not all decisions are published, only decisions that are novel or important usually get published.
Statistics
Funding
You can help us filling this section!
Personal
You can help us filling this section!
Complaints
You can help us filling this section!
Fines
You can help us filling this section!
EU/EEA/UK Data Protection Authorities | |
---|---|
Austria · Belgium · Bulgaria · Croatia · Cyprus · Czech Republic · Denmark · Estonia · Finland (Åland) · France · Germany (Baden-Württemberg · Bavaria, private sector · Bavaria, public sector · Berlin · Brandenburg · Bremen · Hamburg · Hesse · Lower Saxony · Mecklenburg-Vorpommern · North Rhine-Westphalia · Rhineland-Palatinate · Saarland · Saxony · Saxony-Anhalt · Schleswig-Holstein · Thuringia ) · Greece · Hungary · Ireland · Italy · Latvia · Lithuania · Luxembourg · Malta · Netherlands · Poland · Portugal · Romania · Slovakia · Slovenia · Spain (Basque Country · Catalonia · Andalusia)· Sweden | |
Iceland · Liechtenstein · Norway · United Kingdom | EDPS · EDPB |
- ↑ Report: Europe’s governments are failing the GDPR by Brave, page 4 - https://brave.com/wp-content/uploads/2020/04/Brave-2020-DPA-Report.pdf
- ↑ Report: Europe’s governments are failing the GDPR by Brave, page 6 - https://brave.com/wp-content/uploads/2020/04/Brave-2020-DPA-Report.pdf