EU basic data protection regulation – lessons learned

1. What reports does the European Data Protection Committee[1] have on the implementation of the GDPRin the EU[2]?

The national data protection authorities in the EU have initiated 206,326 proceedings since the GDPR came into effect on 25 May 2018. Of which 94,622 cases based on complaints, 64,684 based on notifications of data protection breaches.

Previous decisions have focused on rights of data subjects such as the right to deletion, the appropriate legal basis for data processing and Data Breach notifications.

52% of national cases have already been decided. Only 1% of decisions were challenged before the courts.

Cross-border procedure: A coordination procedure between the data protection authorities and the EDSA will ensure consistency of case law across the EU. In 642 cross-border procedures, the lead supervisory authority must first be determined. So far, 45 so-called one-stop shop decisions have been made by leading data protection authorities.

The EDSA is currently working on more detailed rules for binding corporate rules, for the interaction between the DSGVO and a future ePrivacy Regulation (regulating digital media and electronic communications services) and on new EU standard data protection clauses.

2. What has (not) happened in data protection in Austria since 25 May 2018?

The Data Protection Act was amended again on 15.01.2019 (BGBl. I No. 14/2019). At federal and state level, several hundred laws and ordinances have been adapted in all sectors.

Especially important for the implementation of the DSGVO are the ordinances on exceptions to the data protection impact assessment, Federal Law Gazette II No. 108/2018, and on processing operations for which a data protection impact assessment must be carried out, Federal Law Gazette II No. 278/2018.

Again and again fake news such as “No penalties in Austria” or “99.9% of the companies have already sufficiently implemented the DSGVO” are disseminated.[3]

The data protection authority had 28 employees in March 2018. A further 16 employees are to be required.[4]

Data protection authorities and courts will still have many controversial legal issues to resolve in the coming years, such as deletion.

3. Example: Deletion of data – decisions of data protection authorities since 25 May 2018

The data protection authority has already decided some questions – some of which are not yet legally binding:

  • Applicant data, i.e. data of rejected applicants, may be stored for 7 months – provided that a risk of contestation due to unequal treatment is sufficiently demonstrated.
  • Appropriate deletion periods must also be implemented for log data.
  • An otherwise generally permissible data processing had to be deleted because the data controller had not adequately informed the data subjects about this processing (see Art. 13 + 14 GDPR)! More information at

4. Previous fines imposed by the data protection authority

The French CNIL has imposed a €50 million fine on Google. Google has announced appeal.

The Austrian Data Protection Authority has initiated a total of 59 new administrative criminal proceedings since 25 May 2018. These procedures concern illegal video surveillance (§ 12f DSG), insufficient security of processing (Art 32 GDPR), insufficient information to data subjects (Art 13f GDPR) and late reporting of data protection violations (Art 33 GDPR). The small number of 5 fine notices to date in Austria is not surprising. The GDPR has only been effective for 9 months and a possible punishable fact is usually clarified only in advance, e.g. in a complaint procedure which can itself take many months. The fines imposed were – in comparison to the high level of penalties – negligible, the highest being € 4,800. These low penalties were, however, imposed on small organisations as far as can be seen. According to the GDPR, the fines should not only be dissuasive, they must also be appropriate.

5. Is the economically justifiable implementation of the GDPR possible for SMEs and EPUs?

Data protection requires legal, organisational and technical data protection know-how. This combination is rarely present internally in SMEs and would therefore often have to be purchased (costly) in order to achieve appropriate implementation of the GDPR obligations.

In addition, the GDPR has imposed very extensive documentation obligations on persons responsible and contract processors (Art 5 (2) GDPR) – far more than “only” the compilation of a list of processing activities. These documentations cause very high expenditure of work and cannot be done properly without above special know-how. This increases the costs and work involved in implementing the GDPR to such an extent that it is often perceived as unreasonable.

On the other hand, processing activities in SMEs operating in the same sector are very often at least very similar. Therefore, a finished GDPR documentation for a model company from one sector can be used by many SMEs from that sector and adapted to their specific data processing circumstances. Thus, the GDPR has not yet been finally implemented, as the GDPR requires a continuous improvement process. But the often dramatically high initial expenditure for an adequate GDPR implementation in the SME is reduced by such a finished industry solutions by a multiple and represents a good starting point for future data protection and Compliance in the SME.

DatDOK provides such industry solutions – see

RA Dr Markus Frank

1] EDSA consists of representatives of the national data protection authorities and the European Data Protection Supervisor (EDPS).