Austria is the second EU country after Germany that has adopted a new national Data Protection Act (the “New Act”) implementing the GDPR. The New Act, which was officially published on July 31, 2017, will amend the current Data Protection Act and become applicable at the same time as the GDPR. Companies that fall within the New Act’s scope will therefore not only have to comply with the GDPR but also with the New Act.
The General Data Protection Regulation (GDPR), which overhauls data protection laws in all 28 EU Member States, will become applicable in 248 days. It will be the primary framework for processing of personal data directly applicable in all EU Member States – still, the GDPR but it is not all-encompassing. There are a number of areas in the GDPR where Member States will have to add their own rules to make it operational or add provisions to introduce local variations on the law (e.g., rules for data processing in the employment context and processing of sensitive personal information).
Highlights of the New Act
Unlike the GDPR implementation act in Germany, the New Act is relatively reserved in adding national variations. The main points under the New Act specific to Austria are:
The New Act is available here (in German).