Европейски комитет за защита на данните

Austrian DPA fines controller in the medical sector

Monday, 12 August, 2019

On 12 August 2019, the Austrian DPA imposed an administrative fine of € 55,000 (of which € 5,000 are procedural costs) on a controller operating in the medical sector. Over the course of more than six months, the controller had neither appointed a data protection officer nor published its contact details or reported those to the supervisory authority. In addition, the controller had obliged the data subjects to give their consent to a data processing, which did not meet the criteria set out in Art. 7 GDPR and also violated its duty to provide information pursuant to Art. 13, 14 GDPR. Moreover, despite handling sensitive data, no data protection impact assessment, pursuant to Art. 35 GDPR, was carried out. The administrative fine is not final yet, a complaint against the fine is expected.

For further information, please contact the Austrian DPA: dsb@dsb.gv.at