The Austrian regulator has issued its first fine for a GDPR violation. In this case, it was for a CCTV breach. This decision by the regulator, namely the Austrian Data Protection Authority (“DSB“), is particularly interesting. The Austrian Data Protection Act states that the DSB will at first exercise only remedial powers. For example, they would only issue reprimands for first-time infringers. Therefore, a fine was somewhat unexpected.
Notwithstanding this rule, according to Austrian press coverage, the DSB has issued a fine against an entrepreneur for violations of the GDPR. The entrepreneur had installed a CCTV camera in front of his establishment.
This camera recorded a large part of the pavement. Therefore, the DSB found this act to be in violation of the GDPR. The GDPR does not permit large-scale monitoring of public spaces.
Cameras must be correctly marked as conducting video surveillance. In this case, that didn’t happen. This means that the applicable transparency obligations have not been fulfilled.
However, the amount of the fine was quite moderate at just EUR 4,800.00. According to the deputy director of the DSB, fines should be proportionate. For example, a controller with an annual income of EUR 40,000 is unlikely to receive a EUR 20 million fine from the DSB.
In a short summary of the presentation given by the deputy director of the DSB 100 days after the GDPR became applicable:
- 115 fine proceedings were already pending before the DSB (79 of which were already pending prior to 25 May 2018);
- the DSB had initiated 58 “ex officio” investigations;
- 252 data breaches have been notified to the DSB. Compared to other jurisdictions, such as the UK, this is quite low; and
- 721 data subject complaints were pending with the DSB currently.
The first GDPR fine in Austria is now out there. Fine levels set by the DSB in the future will be difficult to predict. We will watch further developments very closely.