It has been quite an active first six months for the Austrian Data Protection Authority ("DSB"). Fortunately, a number of decisions of the DSB have also been made public. In these decisions the DSB has taken a stand on a number of subjects relevant for GDPR practitioners, as the following examples show:
"Pay or okay" is okay. An Austrian newspaper structured its online presence as follows: To be able to access all articles online, users must consent to so-called "marketing cookies". If users do not wish to consent to such cookies, they cannot access all of the newspaper's articles. Alternatively, users can opt for full access via an online subscription (which costs EUR 6 per month). The DSB did not see a violation of the requirement that consent must be "freely given", as refusing to give consent does not have "adverse consequences", inter alia because users are offered an alternative "equivalent service". The DSB found that a price of EUR 6 per month was not a disproportionately expensive alternative (Decision of 30.11.2018, DSB-D122.931/0003-DSB/2018).
Employee consent is (generally) not given voluntarily. The DSB did not deem consent given by employees to the installation of a GPS tracking system in company cars to be "freely given". In the case at hand, GPS data had been stored for 93 days and, thus, could have been used to establish performance profiles of employees. As the substantive design and application of the GPS tracking system did not have any clearly identifiable advantages for the employee, the DSB found that the employee's consent was not freely given. This decision makes it hard for companies to rely on employee consent in cases where there is no clear advantage for the employee. Nevertheless, the DSB did not rule out that a GPS tracking system can be justified on another legal basis, for example overriding legitimate interests (Decision of 08.08.2018, DSB-D213.658/0002-DSB/2018, not published and only mentioned in the DSB newsletter).
Drafting valid consent declarations is hard. The DSB had to assess a consent declaration for certain marketing activities contained in a membership application form. According to the DSB, this consent declaration did not fulfil the requirements set out in the GDPR: First, the way the consent declaration was phrased suggested that the member could only choose which marketing method (postal, email, telephone) should be used, but not whether the member should receive marketing at all. Second, the consent declaration had been placed immediately before the signature line (for the membership application); the DSB found that this created the impression that consent to marketing was a requirement for the membership application (Decision of 31.07.2018, DSB-D213.642/0002-DSB/2018, not published and only mentioned in the DSB newsletter).
There is no (enforceable) data subject right to request pseudonymisation. The data subject requested that a government department delete her personal data, which the department refused to do. The data subject then requested, based on Art 5 para 1 lit c GDPR (data minimisation), that her personal data at least be pseudonymised, and filed a complaint with the DSB to that effect. The DSB dismissed this complaint and stated that data subjects have no right to require a data controller to implement specific data security measures (including pseudonymisation) or specific technical or organisational measures to comply with the duty of data minimisation under Art 5 para 1 lit c GDPR (Decision of 13.09.2018, DSB-D123.070/0005-DSB/2018).
Images and pictures showing natural persons are not "special categories of data" per se. In Austrian legal commentary, there is controversy over whether images and pictures of natural persons are always to be categorised as "special categories of data" (since they may reveal the racial or ethnic origin or health status of a person) or only if the purpose of the processing is to identify such "special categories of data". The stronger arguments favour the latter; yet this is not a purely academic question. If the former became the prevailing opinion, companies would only be entitled to use pictures of employees or events if everybody (!) in the image or picture had consented to the processing at hand (e.g. publication on the company website). Further, children's sports clubs would not be able to use pictures of children in their marketing activities, mainly because children under a certain age cannot validly give their consent (and consent would be the only possible justification in this instance). Fortunately, the DSB has taken the view that images and pictures showing natural persons are not "special categories of data" per se, and thus their processing may also be justified by overriding legitimate interests (Decision of 07.06.2018, DSB-D202.207/0001-DSB/2018).
Rejection of a request for deletion because of potential claims in the future. A rejected applicant requested that the company he had applied to for a job delete his data. The company did not fulfil this request and argued that it needed to store the data relating to the applicant to be prepared for a potential claim of unequal treatment, which, according to the Austrian General Equal Treatment Act, can be filed by rejected applicants within six months of the date of rejection. The company therefore argued that it should be exempt from the obligation to delete the applicant's data, as such data is "necessary for the defence of legal claims". The applicant filed a complaint with the DSB. The DSB stated, as a general principle, that the mere possibility of a potential lawsuit in the future is not sufficient for this exemption to apply. In the case at hand, however, the DSB considered the exemption applicable, as the company had identified the precise possible claims and their legal basis (i.e. claims by rejected applicants under the Austrian General Equal Treatment Act) and stored the data only for the duration of the statutory limitation period (i.e. six months) plus a "subsequent delivery period" of one month (as it normally takes some additional time for a claim filed on the last day of the period to be served). Interestingly, the DSB did not rule out longer "subsequent delivery periods" (Decision of 27.08.2018, DSB-D123.085/0003-DSB/2018). This decision is definitely an improvement compared to a previous decision of the DSB (Decision of 28.05.2018, DSB-D216.471/0001-DSB/2018), in which the DSB ruled against a telecommunications company that wanted to store traffic data for longer than the 3-month period permitted by the Austrian Telecommunications Act (citing internal processes and delivery time).
An information right in the Payment Services Directive is not a lex specialis to the GDPR right of access. An individual who requested a copy of their bank statements for the period 2013 to 2018 was only provided with a bank statement for the final year of this period. In addition, the financial institution demanded a fee of EUR 30 for each further bank statement for a prior year. The financial institution argued that the information request had to be fulfilled under the national implementation of the Payment Services Directive, which, in contrast to the GDPR, permits financial institutions to demand such fees, and that this permission was, supposedly, a lex specialis to the GDPR. The DSB ruled that the general right of access set out in the GDPR is not limited by the specific information right in the Payment Services Directive; thus, the individual's bank statements should have been provided without a fee. However, the right of access is not unlimited: the financial institution must ensure that personal data of third parties is redacted, as per Art 15 para 4 GDPR (Decision of 21.06.2018, DSB-D122.844/0006-DSB/2018). Accordingly, obtaining complete, unredacted bank statements will most probably only be possible via an information request under the respective national implementation of the Payment Services Directive.
Exemptions for journalistic purposes are to be interpreted very widely. For processing activities carried out for journalistic purposes, EU member states shall, according to Art 85 of the GDPR, provide for exemptions and derogations from the GDPR where they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information. The Austrian legislator has implemented such exemptions at the national level; however, the Austrian exemptions and derogations apply only to media companies. In the case at hand, a blogger wanted his blog posts deleted from an online platform (which was not a media company) and filed a complaint with the DSB to that effect. The DSB ruled that the term "journalistic purposes" has to be interpreted widely and that the Austrian implementation (in applying only to media companies) is too narrow. Applying the exemption also to blog posts by a private individual on an online platform (which are intended to be read by an indefinite number of people and thus serve journalistic purposes), the DSB found that it lacked jurisdiction over the complaint and consequently dismissed it (Decision of 13.08.2018, DSB-D123.077/0003-DSB/2018, available in the RIS).
Data subject complaints submitted to the DSB have to be in German. In the case at hand, a UK-based data subject filed a complaint (in English) regarding a violation of their right to erasure under the GDPR by an Austrian company. With a request to remedy deficiencies ("Mangelbehebungsauftrag"), the DSB gave the data subject a chance to file a translated complaint and pointed out that a data subject not based in Austria can also file a complaint with the data protection authority in their home state. As the amended complaint was still mainly in English, the DSB dismissed the complaint (Decision of 21.09.2018, DSB-D130.092/0002-DSB/2018, available in the RIS).