It has taken the Austrian regulator no more than 4 months to issue their first fine for a GDPR violation. This decision by the regulator, the Austrian Data Protection Authority ("DSB"), is particularly interesting as the Austrian Data Protection Act states that the DSB will at first exercise only remedial powers (and, in particular, to issue reprimands) for first-time infringers.
Notwithstanding this rule, according to Austrian press coverage the DSB has issued a fine against an entrepreneur for violations of the GDPR. The entrepreneur had installed a CCTV camera in front of his establishment that also recorded a large part of the sidewalk. The DSB found this act to be in violation of the GDPR, as large-scale monitoring of public spaces is not permitted under the GDPR. Apparently the camera was also not sufficiently marked as conducting video surveillance, meaning that the applicable transparency obligations had not been fulfilled.
The amount of the fine, however, was quite moderate: EUR 4,800. According to the deputy director of the DSB, as cited in the article , fines should be proportionate – e.g. a controller with an annual income of, for example, EUR 40,000 is unlikely to receive a EUR 20 million fine from the DSB.
According to a short summary of the presentation given by the deputy director of the DSB 100 days after the GDPR became applicable:
- 115 fine proceedings were already pending before the DSB (79 of which were already pending prior to 25 May 2018);
- the DSB had initiated 58 "ex officio" investigations;
- 252 data breaches had been notified to the DSB (which seems to be quite on the lower end of the spectrum compared to other jurisdictions, e.g. the UK); and
- 721 data subject complaints were pending before the DSB at this date.
The first GDPR fine in Austria is now out there. It remains to be seen at which amounts the DSB sets fines in future proceedings. We will watch further developments closely.