In early November, the Austrian Data Protection Authority issued a directive that data processing operations in all cases require a data protection impact assessment (DPIA).

Under Europe’s new General Data Protection Regulation (GDPR), a DPIA is required during data collection. The Austrian rule changes give effect to the GDPR in the national regime.

Please note that failure to carry out a DPIA can result in fines of up to EUR 10m or 2% of worldwide annual turnover.

DPIA Examples

Some examples include:

(i) a credit rating database, AML or anti-fraud database, behavioural and marketing profiles, profiling for simplified and automated decision making in the finance, insurance, health and marketing sectors.

(ii) specialty operations such as those related to observation, supervision or control of natural persons (i.e., bodycams).

(iii) innovative technologies or organisational solutions related to artificial intelligence or biometric data (e.g., access controls through a combination of fingerprints and facial scan).

(iv) merging and/or cross-checking data sets from different origins.