On September 12th 2018, the Austrian DPA made its very first administrative penal decision for infringements of the GDPR and Austrian Data Protection Act.
The Austrian DPA imposed a fine on a Limited Liability Company which is running a sports betting café as the controller within the meaning of Article 4. 7 GDPR of an image processing system (video surveillance). The subject cameras have been in use at least since March 22nd 2018.
The controller has violated Art. 5 para. 1 lit. a and c as well as Art. 6 para. 1 of the General Data Protection Regulation (GDPR) and several provisions of the Austrian Data Protection Act (DSG).
Due to these administrative offences, the Limited Liability Company as a controller is imposed administrative fines to the total amount of € 5.280,00.
The infringements refer to the following: the video surveillance system covers public streets as well as parking lots, both part of the public area in front of the entrance of the sports betting café. This is not adequate for the purposes of the processing and is not limited to a necessary extent. There are no logs of video surveillance processing operations. There is no deletion of the personal image data recorded by the video surveillance within 72 hours and no separate logs for processing in this regard and a justification for an extended storage period is missing (as determined in the Austrian Data Protection Act). In Addition to that, the filmed area does not have adequate signage about CCTV.
The controller lodged a complaint with the Federal Administration Court against this decision.
For more information, please contact the Austrian supervisory authority at firstname.lastname@example.org