The law also expands upon Article 6 of the GDPR by allowing for personal data to be processed for additional purposes that are incompatible with the original purpose, if it “is necessary to assert, pursue, or defend civil law claims” of the controller, so long as it is not overridden by the interests of data subjects.
The law goes further in restricting data subject rights as well. For example, data controllers will not be required to fulfill a right of access request if the personal data is stored only for compliance with statutory or contractual retention obligations, or solely for the purpose of data security and data protection control. The right of erasure (“right to be forgotten”) is also restricted if erasure of the personal data would require an unreasonably high effort due to the specific type of storage.
The law also takes advantage of the flexibility found in Article 37(4) of the GDPR given to Member States to specify instances in which controllers and/or processors must designate a data protection officer (DPO). Specifically, the GDPR derogations require controllers to designate a DPO in the following circumstances:
- When at least ten employees of a controller or processor regularly conduct automated processing of personal data;
- When engaged in high-risk activities mandating a data protection impact assessment (DPIA) under Article 35 of the GDPR; or
- When engaged in the processing of personal data on a commercial basis for the purposes of market or opinion research.
The law also includes criminal sanctions and increased prison sentences (up to three years) for violations of certain provisions. For example, for intentionally transferring or making available a large number of personal data, without authorization, to third parties with intent to make a profit.
Austria is the second country to enact a national law to supplement the GDPR. However, unlike Germany, Austria’s law takes a more limited approach to GDPR derogations.
The new law lowers the age at which a minor can consent to the processing of their personal data in relation to information society services without parental consent to 14 years old. The default set by the GDPR is age 16, but leeway is given to Member States to lower this to as low as 13.
It is yet to be seen how this will affect data controllers, but it is likely to present a challenge for the providers of these information society services in multiple Member States if they have different age limits to comply with. For instance, Germany opted not to change the age of consent; therefore, the default age of 16 set by the GDPR will apply. However, many other countries have proposed GDPR derogations to lower the age, including Finland, who proposed lowering the age to either 13 or 15; Ireland, to 13; and the UK to 13.
Another interesting area to note about the Austrian law is that it applies not only to natural persons (like the GDPR and other privacy laws), but to legal persons as well — a wording found in Austria’s constitutional right to data protection. This provision of the law is in direct contradiction with the GDPR, which applies only to the processing of personal data of natural persons. Therefore, this could potentially make for an interesting conflict of laws.
The law also provides that personal data relating to criminal convictions and offences may be processed on the legal basis of legitimate interests of the controller. This is significant given that Article 10 of the GDPR limits the processing of this category of data to instances where “under the control of official authority,” unless authorized by Member State law such as this. Controllers who use CCTV systems to monitor their facilities or who operate whistleblowing hotlines will thus be able to process this data in the legitimate interests of security. It will be interesting to see whether other Member States follow suit in exercising this GDPR derogation, as lobbying efforts to fill gaps like this are expected.
How to prepare for GDPR derogations
Organizations should take the following steps to prepare for applicable GDPR derogations implemented by Member States:
1. Identify Requirements
The first step is to determine which EU Member State jurisdictions are applicable to your organization’s processing activities. Therefore, it will be critical to have a solid understanding of your data — what types of personal data is collected (e.g., special categories), where the data is located, and where data subjects reside. Work already done on Article 30 data mapping initiatives will be incredibly useful here, as the information detailed in those records can be leveraged for these purposes.
2. Fill Gaps
After identifying what EU Member State laws apply, you can then begin a gap analysis to understand what work you need to do to update your various policies, procedures and business processes to ensure compliance with those applicable laws. In some areas, such as age of consent for processing related to information society services, standardization will not be possible due to the GDPR derogations, and thus flexibility in how personal data is processed will be needed, i.e., how you process a German data subject’s personal data may need to be different from how you process the personal data of an Austrian data subject.
3. Keep Things Current
So far, only two Member States have enacted laws to supplement the GDPR, but the others are close behind with their own GDPR derogations. It is also inevitable that amendments to these laws will take place. Therefore, it will be imperative to keep track of these changes, and ensure that your policies, procedures and business processes are flexible to change.