Austria Issues First GDPR Fine
The Austrian Data Protection Authority has, according to reports, issued its first fine under GDPR against an entrepreneur with a CCTV camera in front of his establishment. The violations involved unpermitted large scale monitoring of public spaces as well as the failure to meet the applicable transparency obligations. The amount of the fine was EUR 4,800.
GDPR permits fines as high as the greater of EUR 20 million or 4% of global annual revenue at the company. However, fines are expected to be proportionate to the size of the company and the violation of the law. In particular, Austria was expected to provide an opportunity for first-time infringers to correct the violation before issuing a fine. However, it is unclear whether this actually happened from the media report.
Under Article 35, a systematic monitoring of a publicly accessible area on a large scale requires a data protection impact assessment (DPIA) prior to undertaking processing that is likely to result in a high risk to the rights and freedoms of natural persons.
The entrepreneur also reportedly failed to meet the GDPR transparency requirements by failing to clearly and conspicuously notify individuals that their personal data was being processed.
It was not long ago that the European Data Protection Supervisor told Reuters that the European Union would issue fines before the end of 2018, although it is unlikely that a fine of this size was what the EDPS was referring to in the interview. Comments from the Chair of the European Data Protection Board during the Senate Commerce Committee suggested that the most complained about issue so far by consumers has been forced consent. Facebook is among the technology companies that complaints have been made against.
The French DPA and the United Kingdom Information Commissioner’s Office have previously warned companies about noncompliance with GDPR and given them time to become compliant. If Austria has indeed issued its first fine, it may be the first under GDPR.
Other Blog Posts on GDPR Enforcment:
More DPAs Issuing GDPR Fines and Warnings
EDPB Releases Guidelines on Territorial Scope of GDPR
EDPB Releases Comments on DPIA Requirements under Article 35.4
Dutch Question Microsoft Over Office Data Telemetry Collection Violations under GDPR
Privacy Complaints Up in France after GDPR
ICO Threatens Max GDPR Fine to AggregateIQ
ULD DPA Issues Ban on Data Processing Under GDPR
Data Privacy Complaints Double in UK under GDPR
German DPA Circulates GDPR Compliance Survey