Compliance with the EU General Data Protection Regulation (GDPR, in German: DSGVO) is one of the main objectives of entrepreneurial due diligence. Fines: up to €20 million or 4% of total worldwide revenue of the previous year, whichever is higher.
Record of processing activities
The former DVR (data processing register of the data protection authority) has been history since 25 May 2018. Since then, you need to maintain your own record of processing activities. We support you in creating and maintaining your processing records.
A so-called privacy notice is a way to comply with the information requirements towards data subjects with regard to processing activities affecting data subjects outside of your company. Benefit from our experience in drafting privacy notices.
Privacy impact assessment
Based on the record of processing activities, we conduct privacy impact assessments, in cooperation with your internal or external technical service providers as required, and, if necessary, we coordinate the assessments with the Data Protection Authority.
Data subject rights
Persons whose data you are processing can claim their rights as “data subjects”. The core rights of affected data subjects are: the right of access to information, rectification, erasure, restriction, the right to object, withdrawal of consent, the right to transferability of data and the right to file complaints with the Data Protection Authority. We support companies in examining claims asserted by data subjects and, if necessary, handle such claims directly by attorneys’ correspondence.
Data Protection Authority
The Data Protection Authority may initiate preliminary investigations against companies on its own initiative or following a complaint by a person claiming to be affected by a violation of data protection law. We represent companies in proceedings before the Data Protection Authority.
Data protection proceedings
Persons who have suffered a breach of privacy or an injury through a violation of the strict new privacy laws are entitled to compensation for the damage suffered. Such compensation covers non-material damage (“emotional damage”) as well. In contrast to claims under Austrian media law, there are no upper limits for such compensation under data protection law: immaterial damage must be compensated “fully and effectively”. We represent companies in data protection proceedings.
Data Protection Officer
A data protection officer is an (internal or external) advisory body of the company in data protection matters. If personal data processing is a core activity of your company, you may be required to appoint a data protection officer.