DSB (Austria)

From GDPRhub
Datenschutzbehörde
LogoAT.png
Name: Datenschutzbehörde
Abbreviation : DSB
Jurisdiction: Austria
Head: Mag. Dr. Andrea Jelinek
Deputy: Mag. Dr. Matthias Schmidl
Adress: Barichgasse 40-42, 1030 Wien, Austria
Webpage: www.dsb.gv.at
Email: dsb@dsb.gv.at
Phone: +43 1 52 152-0
Twitter: n/a
Procedural Law: AVG (in DE) / AVG (in EN)

DSG (in DE) / DSG (in EN)

Decision Database: RIS (only in DE)
Translated Decisions: Category:DSB (Austria)
Head Count: 36[1] (2019)
Budget: € 2,3 Mio[2] (2019)

The Datenschutzbehörde is the federal Data Protection Authority for Austria. It resides in Vienna and is in charge of enforcing GDPR for Austria.

Structure[edit | edit source]

The DSB is a monolithic authority. All decisions are taken on behalf of the head of the DSB. Cases are usually assigned to an employee that is named on all documents. The individual employee decided on behalf of the head of the DSB. There is no information about individual sections within the DSB.

The DSB followed the previous "Datenschutzkommission" (DSK) which had a commission to take formal decisions. The DSB only got the power to enforce complaints in the private sector with the GDPR - other than the right to access which it could previously enforce in the public and private sector. All other issues between data subjects and controllers had to be enforced in civil litigation before the GDPR came into force.

Procedural Information[edit | edit source]

Applicable Procedural Law[edit | edit source]

The Austrian DSB operates under the Austrian Administrative Procedural Act (Allgemeines Verwaltungsverfahrensgesetz - AVG) unless the GDPR or the national Data Protection Act (Datenschutzgesetz) has more specific rules.

The AVG defines the form of the procedure and the rights of the parties before the DSB in general. For example, § 73 AVG stipulates a duty to decide over each complaint as soon as possible, but always within 6 months or § 17 AVG ensures a right of the parties to access to all documents. Under § 13 AVG applications can be submitted in person, in writing, via email or via phone. Each party (data subject and controller) have all procedural rights under the AVG.

The national Data Protection Act (Datenschutzgesetz - DSG) regulates certain procedural elements as a lex specialis for the DSB, like the details of the complaints procedure in § 24 DSG (see below).

Complaints Procedure under Art 77 GDPR[edit | edit source]

Under § 24(2) DSG any complaint needs to name:

  1. the violated right,
  2. as far as possible the controller,
  3. the facts of the case,
  4. the reasons why the complainant feels his rights are violated,
  5. the request to find a violation of the law and
  6. any information that allows to determine if the complaint was filed on time.

In addition all relevant documents (like the correspondence with the controller) need to be attached. Under § 24(4) DSG complaints need to be filed one year from the time the complainant has learned about the violation and three years from the incident.

Ex Officio Procedures under Article 57 GDPR[edit | edit source]

The DSB can run ex officio procedures out of its own motion. Cases were so far triggered by media reports or larger public debates about controllers.

Relevant Elements under the Austria Data Protection Act and Administrative Procedural Act[edit | edit source]

In many ways the Data Protection Act (DSG) refers to the Administrative Procedural Act (AVG). The most relevant elements are:

  • Contrary to the general 6 months deadline for any decision under § 73 AVG, § 24(10) DSG exempts the time a foreign lead supervisory authority processed a complaint from the deadline. This leads to a situation, where complaints may be pending in a foreign jurisdiction for exorbitant amounts of time. The Austrian law does not foresee a legal remedy in such a situation.
  • § 24(6) DSG allows that a controller can remedy the violation until the end of the complaints procedure and thereby remedy the situation. The case then becomes moot and can be informally closed, when the data subject was previously heard on the alleged remedy.

Appeals[edit | edit source]

Appeals against decisions by the Austrian DSB can be taken by the parties concerned to the Federal Administrative Court (Bundesverwaltungsgericht - BVwG), which has three dedicated chambers for data protection cases. The decision by the BVwG can be further be appealed to the Supreme Administrative Court (Verwaltungsgerichtshof, VwGH).

Practical Information[edit | edit source]

Filing with the DSB[edit | edit source]

For most data protection claims against a controller and for complaints to the DSB standard forms (in German) are provided at dsb.gv.at. You can email them to the general email address of the DSB, or file them via mail, fax or any other form of communication the DSB provides. It is recommendable to

The complaint then gets screened and then sent to the controller (within Austria) or to the "Lead Supervisory Authority") if the controller resides outside of Austria.

When the case sent to another "Lead Supervisory Authority" you will be served with a formal, appealable decision.

For cases within Austria, there is then a ping-pong of submissions between the two parties and then a formal decision by the DSB. Both parties can apply for evidence, hearings and alike under the AVG, but in reality most cases are decided merely on the submissions by the parties. There are cases where the DSB did "on premises" inspections, when a party applied for it. The final decision will then be served with the parties - usually via email.

Known Problems[edit | edit source]

The DSB usually uses the following procedural approaches that may be problematic in your case:

  • The often "close" cases when the controller complies with the law during the procedure. The law allows for such "healing" of a case. However this makes compliance before a procedure is started less attractive for a controller. The DSB could issue fines, even when a case was "healing", but usually does not do so.
  • The DSB quickly "pauses" procedures once they have some international relevance to stop the 6 months deadline. The law provides for that. However cases are then often staying with other European DPAs for years without any further response.
  • The DSB often uses wording during the exchange of the parties (e.g. "unless you respond within 2 weeks we assume that you withdraw your complaint") that many parties understand to mean that the DSB is actually siding with the other party. In reality these clauses are used in every letter as a standard way to get more cases closed quickly.
  • The DSB often "pauses" the procedure to inquire the relevant non-Austrian Lead Supervisory Authority in a formal decision. There is then no additional formal decision about which specific Authority the DSB found to be the Lead Supervisory Authority. When the data subject disagrees with the view of the DSB and the case is sent off to the wrong Lead Supervisory Authority, there seems to be no formal decision that can be appealed.

Filing an Appeal[edit | edit source]

Any party can file an appeal against any DSB decision (or in the case of non-decision within 6 months) with the Federal Administrative Court (Bundesverwaltungsgericht, BVwG). There is no need to be represented by a lawyer an the procedure is rather informal and usually does not require an oral hearing. The filing fee is € 35. Applicants do not have to reimburse the other sides' costs.

Decision Database[edit | edit source]

The DSB (and previously the DSK) has published more than 1.600 of their decisions in the Austrian decision database RIS.bka.gv.at since 1994.

Not all decisions are published, only decisions that are novel or important usually get published.

Statistics[edit | edit source]

Funding[edit | edit source]

According to a study by Brave[3] the Austrian DSB had a budget of €2,3 Mio in 2019. It is funded by the Republic of Austria. All fines and fees go to the federal budget, not into the budget of the DSB.

Personal[edit | edit source]

In 2019 the DSB had 39 employees, some of which were part-time employees or trainees. 23 of them were lawyers, 4 persons on the lead level ("gehobener Dienst") and 9 in the specialized services ("Fachdienst").

Caseload[edit | edit source]

The following are the statistics for 2019 according to the DSB's Annual Report:

  • DSB has received 2,102 complaints and issued 828 formal decisions. Another 577 cases were closed without a decision (mainly based on § 24(6), see above).
  • It received 407 complaints that were filed in another EU Member State and sent 88 complaints to another Member State.
  • There were 103 ex officio investigations.
  • There were 967 data breach notifications reported with the DSB.
  • The DSB has issued 89 penal procedures.
  • The DSB was subject to 164 appeals procedures before the Federal Administrative Court (BVwG).
  • They have given 4,384 legal advices.

Fines[edit | edit source]

The highest know fine was a find of € 18 Mio against the Austrian Postal Service for selling statistical analysis on the likely political opinion of mail recipients, based on the location age and other general information that was available. See DSB - Austrian Postal Service.

Until the end of 2019 the DSB has started 258 penal procedures. Other fines against smaller controllers are usually in the area of a couple of thousand euros. Not each complaint or investigation leads to fines, even when violations of the laws were found by the DSB.

Annual Reports[edit | edit source]

The DSB issues an Annual Report ("Datenschutzbericht") since 1993. It highlights statistics and relevant decisions and trends and can be found on dsb.gv.at.

EU/EEA/UK Data Protection Authorities
Austria · Belgium · Bulgaria · Croatia · Cyprus · Czech Republic · Denmark · Estonia · Finland · France · Germany (Baden-Württemberg · Bavaria, private sector · Bavaria, public sector · Berlin · Brandenburg · Bremen · Hamburg · Hesse · Lower Saxony · Mecklenburg-Vorpommern · North Rhine-Westphalia · Rhineland-Palatinate · Saarland · Saxony · Saxony-Anhalt · Schleswig-Holstein · Thuringia ) · Greece · Hungary · Ireland · Italy · Latvia · Lithuania · Luxembourg · Malta · Netherlands · Poland · Portugal · Romania · Slovakia · Slovenia · Spain · Sweden
Iceland · Liechtenstein · Norway · United Kingdom EDPS · EDPB
  1. DSB - Annual Report 2019, Page 9 - https://www.dsb.gv.at/dam/jcr:c9c2daf9-9746-4088-bced-dc8e296076e0/Datenschutzbericht_2019.pdf
  2. Report: Europe’s governments are failing the GDPR by Brave, page 6 - https://brave.com/wp-content/uploads/2020/04/Brave-2020-DPA-Report.pdf
  3. Report: Europe’s governments are failing the GDPR by Brave - https://brave.com/wp-content/uploads/2020/04/Brave-2020-DPA-Report.pdf