Austrian DPA fines controller in the medical sector

12 August 2019

On 12 August 2019, the Austrian DPA imposed an administrative fine of € 55,000 (of which € 5,000 are procedural costs) on a controller operating in the medical sector. Over the course of more than six months, the controller had neither appointed a data protection officer nor published its contact details or reported those to the supervisory authority. In addition, the controller had obliged the data subjects to give their consent to data processing, which did not meet the criteria set out in Art. 7 GDPR, and had also violated its duty to provide information pursuant to Art. 13 and 14 GDPR. Moreover, despite the handling of sensitive data, no data protection impact assessment pursuant to Art. 35 GDPR was carried out. The administrative fine is not final yet; a complaint against the fine is expected.

For further information, please contact the Austrian DPA:

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.