Data Privacy / Data Protection

In our modern information driven society, processing data virtually is indispensable. Humanity and its machines continuously gather and process more and more data and the majority of these data relates to an identified or identifiable individual. Hence, the data protection legislation must be considered.


The partners at GEISTWERT have been active in the field of data protection for many years and they have successfully advised and represented many renowned clients in national and international data protection projects and proceedings. Furthermore, the partners at GEISTWERT were audited and certified by various organizations in the field of data protection, such as EuroPrise and CIS. They also teach data protection law at the Danube University and the University of Applied Sciences Vienna. Moreover, the partners of GEISTWERT regularly publish contributions regarding the data protection laws. GEISTWERT also takes care of the Austrian part of www.gdpr-expert.com, a website outlining the current and former regulations on European and national levels.

In light of the European General Data Protection Regulation (GDPR) and the Austrian Data Protection Amendment Act 2018 (“DSG 2018”) supplementing the GDPR, data protection law has enormously gained more and more recognition and importance, and rightfully so indeed, especially when considering the data protection laws’ substantial socio-political standing in conjunction with the perception that “data may well be the new oil/gold of the 21st Century”: the data protection law protects the so-called “Data Subjects” against the unlawful processing of their personal data. In this context, we must particularly not forget that we all are Data Subjects in one way or another as well since our personal data are processed by third parties. As a result and in terms of our “informational self-determinations”, the data protection laws shall enable us „Data Subjects“ to retain control of “our data”.

So, what news does the GDPR bring to the table? Although the GDPR and the DSG 2018 largely uphold the principles of the previous legal situation and to some extent even liberalize the former Austrian data protection practice, the new legal framework (effective as of 25 May 2018) provides for revolutionary reforms regarding the ways how personal data may be lawfully processed as well as regarding the “administrative obligations” have to be fulfilled even if the processing is legitimate: Not only for Data Controllers, but also for Data Processors in particular, the GDPR stipulates numerous new obligations, which likely may only be effectuated within a project, which subsequently is to be transposed into a “data protection management system”. In GEISTWERT’s view, any GDPR-project requires the close cooperation between organization, technology and legal, so that such project may only be tackled in an interdisciplinary manner. The new transparency-obligations, and thus the comprehensive obligations to inform about the data processing as and the corresponding accountability, are a result, respectively a core-task, of such a project, and they ultimately call for a register of all data processing activities and their corresponding frameworks.

These framework conditions in particular and also further framework conditions will set new challenges, which, in practice, may not be stood up to all too easily. Establishing GDPR-compliance therefore requires a capable team.

Whilst the Austrian Data Protection Authority (“DPA”) gained new competences as an inquisitor-like prosecution-authority under the GDPR and the DSG 2018 (with fines of up to EUR 20 million or 4% of the global group-wide turnover, whichever is higher) on the one hand, the former general notification obligations as well as the former (quite comprehensive) obligations to acquire the DPA’s prior approval, on the other hand, cease to exist on the Austrian national level. This particularly applies to the field of “sensitive data” and the “international data traffic to countries outside of the EEA”.