One Year of the GDPR – Lessons Learned

Lawyers Melanie Gassler-Tischlinger and Georg Huber focus on “One year of the GDPR – Lessons Learned” in an article for “Aspekte”, the magazine published by the German Chamber of Commerce in Austria.

One Year of the General Data Protection Regulation – Lessons Learned

On 25 May 2018, the EU General Data Protection Regulation (GDPR) came into force. It contains provisions for the protection of individuals with regard to the processing of their personal data. Although EU data protection regulations have existed since 1995, the GDPR brought about a change in the existing rules: data protection became the responsibility of companies.

Most companies had already prepared for the implementation of the GDPR on May 25, 2018. What data is stored, why and where? Who has access to it? What has to be deleted and when? What is the justification for the data processing?

The relatively complex and sometimes time-consuming implementation required considerable preparation resources in some companies. “The countdown is on,” they said. There was talk of “fines in the millions”.

A little over a year has passed since then. Were the forecasts and warnings accurate? And above all: how high were the fines imposed so far?

The GDPR in the media

One of the first GDPR curiosities occurred in Vienna. A tenant complained to “Wiener Wohnen” that his name was on the doorbell panel. Although it was probably neither a case of automated processing nor storage in a file system, Wiener Wohnen decided to replace all the bell signs of 220,000 apartments with apartment numbers. Tenants were then at liberty to add their own name. A simple and inexpensive method to avoid conflict.

At the beginning of 2019 it was revealed that the Austrian mail service “Österreichische Post” had traded customer data on a large scale. Names, addresses, gender, etc. were linked to parameters such as party affinity and resold. The Österreichische Post argued that data traders do the same thing and that the data were statistical projections. However, the Austrian data protection authority (Datenschutzbehörde – DSB) decided that the data on party affinity should not have been processed.

Proceedings relating to data subjects’ rights

One of the DSB’s first decisions concerned a job candidate who requested the deletion of his data following an online job application. The DSB decided that retention of the data for 6+1 months was permissible because the candidate could possibly file claims under the Equal Treatment Act within the six-month period.

A former employee demanded that his sick days be deleted. The DSB decided that there are legal retention periods that would prevent deletion in this case.

An individual requested information about transfers that were no longer available via e-banking. The bank charged EUR 20,-. The DSB decided that the GDPR provides for the right to free information and that the bank therefore had no right to reimbursement of costs. This decision is highly controversial.

The Regional Labour Court of Baden-Württemberg ruled that an employee is entitled to receive a copy of his personal performance and conduct data that is not stored in his personnel file.

A physician demanded that his profile and patient evaluations be deleted from an online platform. However, the DSB decided that in comparing the interests of the physician with those of the platform and its users, the latter should take precedence, because the platform was designed factually and objectively.

The consent of employees to GPS tracking of company vehicles was considered by the DSB to be involuntary and ineffective because no advantage was discernible for the employees. If the employer had not relied on the consent of the employees but on his legitimate legal interests (Art 6 para 1 lit f GDPR), e.g. protection of property, logbook, settlement with leasing company, etc., the tracking would have been deemed permissible under certain circumstances.

A patient’s consent was obtained to send medical results by unencrypted e-mail. Despite this, the DSB decided that encrypting affects data security (Art 32 GDPR) and that the data must be transmitted in encrypted form even if the patient agrees to unencrypted transmission.

The DSB assessed the “pay-or-track” system on as permissible. The GDPR’s prohibition on linking is not unconditional. Whoever chooses “track” has the advantage of being able to consume journalistic content.

Facebook and the operator of a “Facebook Fan Page” are “jointly responsible” and therefore have to conclude a contract pursuant to Art 26 GDPR, the European Court of Justice (ECJ) ruled last year. However, the German Data Protection Commission recently stated that the contract provided by Facebook was not adequate. The use of a GDPR-compliant fan page is therefore probably not possible at present.

In the “FashionID” case, the European Court of Justice recently ruled that website operators who include plug-ins on their pages (e.g. Facebook’s like button or Google Maps) must inform their users which data is passed on to whom and when on the basis of a plug-in. In addition, prior consent may also be required.


Between 25 May 2018 and 31 December 2018, 59 administrative criminal proceedings were initiated in Austria. The highest fine was EUR 6,700.00 for prohibited video surveillance. Germany’s data protection commissioners reported that the highest fine imposed was EUR 80,000.

France’s data protection authority (CNIL) imposed a fine of EUR 50 million on the global Internet group Google. When Google Accounts are created, no sufficiently clear and understandable information is provided regarding the processing purposes and the storage period. In addition, users are not sufficiently informed of how many Google services are covered by their consent. However, with a worldwide turnover (2018) of USD 136 billion, the fine is not particularly high.

First findings after one year

– The GDPR has made its way into companies and the minds of those responsible there.

– It is important for companies to be structured in such a way that they can react promptly in the event of requests for information, complaints or official proceedings.

– Obligations such as the compilation of a processing directory and a data protection declaration should be carried out, but they also have to be reviewed on an ongoing basis. Detailed questions are increasingly being raised.

– According to the Austrian data protection report 2018, there was a (nearly) tenfold increase in complaints in 2018. Between mid-2018 and the end of 2018, 134 administrative criminal proceedings were initiated, 501 data breach notifications were made and 1000 private complaints were submitted. The DSB conducted 129 official review proceedings. Sector inquiries are planned for 2019.

– Consents should be clearly formulated and relate only to the lawfulness of the processing.

– It may be more advantageous to rely on legitimate legal interests as a justification for data processing than on a – revocable – consent.

– The DSB and the Federal States’ data protection officers are very active. Fines are (still) relatively moderate, however – see: