Austrian "White List"

Wednesday, 13 June 2018

Exceptions from the obligation to carry out a data protection impact assessment

Immediately on 25 May, the GDPR-day, the Austrian Data Protection Authority published its White List, bringing some clarity concerning the obligation to carry out a data protection impact assessment. As expected, especially standardized data processing activities and already registered processing operations that have to be approved by the authority in advance do not require an impact assessment.

On 25 May, the Austrian Data Protection Authority issued a regulation containing a list of processing operations for which no data protection impact assessment is required ("White List"; full text available in German here). This list determines processing activities that are usually not deemed to result in a high risk for data subjects. Therefore, records of processing activities have to be maintained and other obligations of the GDPR and the Austrian Data Protection Act must be fulfilled, but no additional data protection impact assessment has to be carried out.

In summary, the White List of the Austrian Data Protection Authority is rather extensive and particularly covers standardized data processing activities. Thus, especially the following basic processing operations do not require an impact assessment:

  • Customer administration (CRM tools)
  • Accounting
  • HR administration
  • Access control management
  • CCTV (limited to own property and a maximum storage time of 72 hours)
  • Scientific research and statistics
  • Records management
  • Event management

Overall, the catalogue of exceptions covers 22 data processing activities.

Besides these precisely defined standardized data operations, all data applications that were already approved by the Austrian Data Protection Authority before 25.5.2018 as well as the former standard applications of the Austrian Standard and Model Decree do not require an impact assessment.

The Austrian White List now also has to be submitted to the European Data Protection Board. Through that coordination mechanism, a Europe-wide standardisation of the obligation to carry out data protection impact assessments shall be obtained. Thus, the catalogue of exceptions might be changed in one way or another.

However, for the time being, Austrian companies have a certain degree of legal certainty and don't have to carry out data protection impact assessments for the processing activities stated in the regulation of exceptions.

Black List upcoming?

In addition to the White List, the data protection authorities shall also establish a list of data processing operations which are definitely subject to the requirement for a data protection impact assessment ("Black List"). As of now, there is no information available on when such a list will follow for Austria, and we can only hope that it will be issued soon as well.