One year with the DSGVO

Sebastian Bartmann, on site at the Chamber of Commerce.

On 28 May 2019, the Vienna Chamber of Commerce hosted an event on the General Data Protection Regulation (DSGVO). The DSGVO has now been in force for one year. Participants exchanged experiences, and the practices of the Data Protection Authority (Datenschutzbehörde, DSB) were explained.

In the news: Data protection authorities have a lot to do. Google had to pay a fine of 50 million euros following a decision in France. In Austria, Österreichische Post AG traded illegally in its customers' data and possibly violated the DSGVO several times.

Why it is important: The aim of the DSGVO is, as Ing. Mag. Dr. Vincenz Leichtfried of LV7 explained, that companies should deal with their data. That means:

  • Cleaning up the IT system and creating an overview
  • Increasing IT security
  • Avoiding damage

The overall picture: After great uncertainty before the DSGVO came into force, the first year with the DSGVO has been quite harmless. In addition to investigating individual complaints, the DSB focused mainly on insurance companies and the health sector.

The details: The data protection authority currently still focuses on large companies. After insurance companies and health care, media companies are likely to be the focus this year.

In addition to its own activities, the DSB must also examine all complaints. There is a complaint form on the DSB website which can be used by any person concerned. One has to provide the name and proof of the violation. If a company has been reported, the DSB will investigate not only the reported breach but the company's data handling in general. Insurance policies do not cover DSGVO violations, because companies have had enough time to implement the rules.

In numbers: So far there have been about…

  • 2000 complaints
  • 160 examinations
  • 185 criminal proceedings

More facts:

  • The DSB usually publishes decisions only when it considers publication important to inform the public, e.g. about current practices.
  • In the case of data collection via cookies, the data is already considered personal when an IP address is stored.
  • Anonymisation is equivalent to deletion, following a decision by the DSB.
  • The tendency is for imposed penalties to become increasingly severe.
  • Every data protection incident must be documented. Documentation must not be started too late, so that good will can be shown in an emergency.
  • To always be on the safe side, one should try to get away from "intent". This is achieved by adhering to all guidelines to the best of one's ability and by documenting implementations well.

Go deeper:

All published decisions of the DSB can be read on the RIS website.

The DSB also writes a quarterly newsletter with exciting news.

On the WKO website there is a checklist for companies as well as a lot of further information and sample contracts.

Ing. Dr. Vincenz Leichtfried from Lv7 and Mag. Nino Tlapak from are very well informed in the DSGVO area.
