DSB (Austria): Difference between revisions

From GDPRhub
Line 68: Line 68:
The DSB can run ''ex officio'' procedures out of its own motion. Cases were so far triggered by media reports or larger public debates about controllers.
The DSB can run ''ex officio'' procedures out of its own motion. Cases were so far triggered by media reports or larger public debates about controllers.


===Special Elements under the Austria Data Protection Act and Administrative Procedural Act===
===Relevant Elements under the Austria Data Protection Act and Administrative Procedural Act===
''You can help us filling this section!''
In many ways the Data Protection Act (DSG) refers to the Administrative Procedural Act (AVG). The most relevant elements are:
 
* ...


===Appeals===
===Appeals===
Line 86: Line 88:
The DSB usually uses the following procedural approaches that may be problematic in your case:
The DSB usually uses the following procedural approaches that may be problematic in your case:


* The often "close" cases when the controller complies with the law during the procedure. The law allows for such "healing" of a case. However this makes compliance before a procedure is started less attractive for a controller. The DSB could issue fines, even when a case was "healing", but usually does not do so.
*The often "close" cases when the controller complies with the law during the procedure. The law allows for such "healing" of a case. However this makes compliance before a procedure is started less attractive for a controller. The DSB could issue fines, even when a case was "healing", but usually does not do so.
* The DSB quickly "pauses" procedures once they have some international relevance to stop the 6 months deadline. The law provides for that. However cases are then often staying with other European DPAs for years without any further response.  
*The DSB quickly "pauses" procedures once they have some international relevance to stop the 6 months deadline. The law provides for that. However cases are then often staying with other European DPAs for years without any further response.
* The DSB often uses wording during the exchange of the parties (e.g. "unless you respond within 2 weeks we assume that you withdraw your complaint") that many parties understand to mean that the DSB is actually siding with the other party. In reality these clauses are used in every letter as a standard way to get more cases closed quickly.
*The DSB often uses wording during the exchange of the parties (e.g. "unless you respond within 2 weeks we assume that you withdraw your complaint") that many parties understand to mean that the DSB is actually siding with the other party. In reality these clauses are used in every letter as a standard way to get more cases closed quickly.


=== Filing an Appeal ===
===Filing an Appeal===
Any party can file an appeal against any DSB decision (or in the case of non-decision within 6 months) with the Federal Administrative Court (Bundesverwaltungsgericht, BVwG). There is no need to be represented by a lawyer an the procedure is rather informal and usually does not require an oral hearing. The filing fee is € 35. Applicants do not have to reimburse the other sides' costs.
Any party can file an appeal against any DSB decision (or in the case of non-decision within 6 months) with the Federal Administrative Court (Bundesverwaltungsgericht, BVwG). There is no need to be represented by a lawyer an the procedure is rather informal and usually does not require an oral hearing. The filing fee is € 35. Applicants do not have to reimburse the other sides' costs.



Revision as of 11:59, 26 November 2020

Datenschutzbehörde
Dsblogo.png
Name: Datenschutzbehörde
Abbreviation : DSB
Jurisdiction: Austria
Head: Mag. Dr. Andrea Jelinek
Deputy: Mag. Dr. Matthias Schmidl
Adress: Barichgasse 40-42, 1030 Wien, Austria
Webpage: www.dsb.gv.at
Email: dsb@dsb.gv.at
Phone: +43 1 52 152-0
Twitter: n/a
Procedural Law: AVG (in DE) / AVG (in EN)

DSG (in DE) / DSG (in EN)

Decision Database: RIS (only in DE)
Translated Decisions: Category:DSB (Austria)
Head Count: 37
Budget: € 2,6 Mio

The Datenschutzbehörde is the federal Data Protection Authority for Austria. It resides in Vienna and is in charge of enforcing GDPR for Austria.

Structure

The DSB is a monolithic authority. All decisions are taken on behalf of the head of the DSB. Cases are usually assigned to an employee that is named on all documents. The individual employee decided on behalf of the head of the DSB. There is no information about individual sections within the DSB.

Procedural Information

Applicable Procedural Law

The Austrian DSB operates under the Austrian Administrative Procedural Act (Allgemeines Verwaltungsverfahrensgesetz - AVG) unless the GDPR or the national Data Protection Act (Datenschutzgesetz) has more specific rules.

The AVG defines the form of the procedure and the rights of the parties before the DSB in general. For example, § 73 AVG stipulates a duty to decide over each complaint as soon as possible, but always within 6 months or § 17 AVG ensures a right of the parties to access to all documents. Under § 13 AVG applications can be submitted in person, in writing, via email or via phone. Each party (data subject and controller) have all procedural rights under the AVG.

The national Data Protection Act (Datenschutzgesetz - DSG) regulates certain procedural elements as a lex specialis for the DSB, like the details of the complaints procedure in § 24 DSG (see below).

Complaints Procedure under Art 77 GDPR

Under § 24(2) DSG any complaint needs to name:

  1. the violated right,
  2. as far as possible the controller,
  3. the facts of the case,
  4. the reasons why the complainant feels his rights are violated,
  5. the request to find a violation of the law and
  6. any information that allows to determine if the complaint was filed on time.

In addition all relevant documents (like the correspondence with the controller) need to be attached. Under § 24(4) DSG complaints need to be filed one year from the time the complainant has learned about the violation and three years from the incident.

Ex Officio Procedures under Article 57 GDPR

The DSB can run ex officio procedures out of its own motion. Cases were so far triggered by media reports or larger public debates about controllers.

Relevant Elements under the Austria Data Protection Act and Administrative Procedural Act

In many ways the Data Protection Act (DSG) refers to the Administrative Procedural Act (AVG). The most relevant elements are:

  • ...

Appeals

Appeals against decisions by the Austrian DSB can be taken by the parties concerned to the Federal Administrative Court (Bundesverwaltungsgericht - BVwG), which has three dedicated chambers for data protection cases. The decision by the BVwG can be further be appealed to the Supreme Administrative Court (Verwaltungsgerichtshof, VwGH).

Practical Information

Filing with the DSB

For most data protection claims against a controller and for complaints to the DSB standard forms (in German) are provided at dsb.gv.at.

The complaint then gets sent to the controller (within Austria) or to the "Lead Supervisory Authority") if the controller resides outside of Austria.

For cases within Austria, there is then a ping-pong of submissions between the two parties and then a formal decision by the DSB.

Known Problems

The DSB usually uses the following procedural approaches that may be problematic in your case:

  • The often "close" cases when the controller complies with the law during the procedure. The law allows for such "healing" of a case. However this makes compliance before a procedure is started less attractive for a controller. The DSB could issue fines, even when a case was "healing", but usually does not do so.
  • The DSB quickly "pauses" procedures once they have some international relevance to stop the 6 months deadline. The law provides for that. However cases are then often staying with other European DPAs for years without any further response.
  • The DSB often uses wording during the exchange of the parties (e.g. "unless you respond within 2 weeks we assume that you withdraw your complaint") that many parties understand to mean that the DSB is actually siding with the other party. In reality these clauses are used in every letter as a standard way to get more cases closed quickly.

Filing an Appeal

Any party can file an appeal against any DSB decision (or in the case of non-decision within 6 months) with the Federal Administrative Court (Bundesverwaltungsgericht, BVwG). There is no need to be represented by a lawyer an the procedure is rather informal and usually does not require an oral hearing. The filing fee is € 35. Applicants do not have to reimburse the other sides' costs.

Decision Database

The DSB (and previously the DSK) has published more than 1.600 of their decisions in the Austrian decision database RIS.bka.gv.at since 1994. Not all decisions are published, only decisions that are novel or important usually get published.

Statistics

Funding

You can help us filling this section!

Personal

You can help us filling this section!

Complaints

You can help us filling this section!

Fines

You can help us filling this section!

EU/EEA/UK Data Protection Authorities
Austria · Belgium · Bulgaria · Croatia · Cyprus · Czech Republic · Denmark · Estonia · Finland (Åland) · France · Germany (Baden-Württemberg · Bavaria, private sector · Bavaria, public sector · Berlin · Brandenburg · Bremen · Hamburg · Hesse · Lower Saxony · Mecklenburg-Vorpommern · North Rhine-Westphalia · Rhineland-Palatinate · Saarland · Saxony · Saxony-Anhalt · Schleswig-Holstein · Thuringia ) · Greece · Hungary · Ireland · Italy · Latvia · Lithuania · Luxembourg · Malta · Netherlands · Poland · Portugal · Romania · Slovakia · Slovenia · Spain (Basque Country · Catalonia · AndalusiaSweden
Iceland · Liechtenstein · Norway · United Kingdom EDPS · EDPB