Austrian Data Protection Authority Finds No Claim for Specific Security Measures Under GDPR Article 32

Dr. Axel Spies
Morgan Lewis
Contact
LinkedIn
Facebook
X
Send
Embed

Morgan Lewis

From time to time, data controllers are confronted with the question of whether data subjects can raise claims for specific security measures against the controller under Article 32 of the EU General Data Protection Regulation (GDPR). These measures can be costly and cumbersome for the controller.

The Austrian Data Protection Authority (DPA) has decided that there is no such claim. In the relevant case (AZ: DSB-D123.070 / 0005-DSB / 2018), the DPA ruled on a claim by a data subject to pseudonymize personal data. The complainant had filed two complaints with the DPA alleging a violation of the fundamental right to data protection (Section 1 of the Austrian Data Protection Act) for an alleged failure to delete data or pseudonymize personal data. The respondents were two Austrian public authorities: the Federal Ministry for Europe, Integration and Foreign Affairs and the Federal Chancellery.

The complainant argued that these authorities would store “the applicant’s sensitive personal data” in electronic form and without pseudonymization. Specifically, the data at issue related to the complainant’s sex life and contained health information. The Austrian government had allegedly obtained this data in 2007 in an “illegal covert investigation.”

The DPA ruled, inter alia, “Regarding an infringement of the fundamental right to secrecy by an ‘omission of pseudonymization’, it must be noted that the GDPR does not grant any right according to which a data subject could demand specific data security measures within the meaning of Art. 32 GDPR from a controller. Nor can a data subject . . . demand specific measures to minimize data within the meaning of Art. 5 (1) lit. c GDPR demand.”

The decision is making some waves in the EU, but it is good news for data controllers as there has been a controversial legal debate about this topic.

The interpretation of the Austrian DPA may also be significant for companies and individuals in other EU member states because the relevant provisions of the GDPR also apply directly in other countries. The DPA is likely the first authority providing legal guidance on the scope of Article 32 of the GDPR. Whether other data protection authorities will follow remains to be seen.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising

Written by:

Morgan Lewis
Morgan Lewis
Contact
more
less

Morgan Lewis on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide