“White list” – (Austrian) Exceptions to the Privacy Impact Assessment


The General Data Protection Regulation (GDPR) stipulates that (data) controllers must carry out what is known as a "data protection impact assessment" (DPIA) before data processing is likely to entail a high risk for the rights and freedoms of natural persons.

The Austrian Data Protection Authority (DPA) has issued a regulation in this regard (Regulation of the Data Protection Authority on the exceptions to the Data Protection Impact Assessment). The regulation lists those data processes that are exempted from the obligation to carry out data protection impact assessments (so-called "white list").

Accordingly, the following processing activities, whose purpose is specified in the Annex to the Regulation, are in principle excluded from the obligation to carry out a data protection impact assessment:

  • Customer administration, accounting, logistics, accounting
  • personnel management / human resources
  • membership management/administration
  • Customer service and marketing for own purposes
  • Property and inventory management
  • registers, evidences, books
  • Access management for computer systems
  • Access control systems
  • Stationary image processing and the associated acoustics processing for surveillance purposes (CCTV)
  • Real-time image and acoustics data processing
  • Image and acoustic processing for documentation purposes
  • Patient / client / customer administration and fee billing/accounting of individual physicians, healthcare providers and pharmacies
  • Legal and consulting professions
  • Archiving, scientific research and statistics
  • statements of support
  • Budgetary management of local and other public-law entities
  • Public Tax Administration
  • Administration of subsidies
  • Public relations and information activities by public officials and their business devices
  • File management (office automation) and management of proceedings
  • Organization of events
  • Awards and honors

Likewise, according to the white list, data applications which were subject to prior checking under the old regime (DSG 2000) and were registered in the Austrian data processing register before the end of May 24, 2018, or which were not reportable are excluded from the DPIA.

Austrian Chairwoman of the EDPB

When the GDPR came into force, the European Data Protection Board (EDPB) was established instead of the so-called Article 29 Working Party.The EDPB is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities. The head of the Austrian DPA, Andrea Jelinek, was elected Chairwoman of the Article 29 Data Protection Working Party at the beginning of the year, thus becoming Chair of the EDPB on 25.05.2018. 

Austrian DPA can also impose high administrative penalties - Decision of the Austrian Constitutional Court of 13.12.2017

With this decision, the Austrian Constitutional Court (re-)answered the question of whether administrative authorities can impose heavy fines.

The starting point of this procedure was a petition for legal review by the Austrian Federal Administrative Court (BVwG), which had to decide on the appeal against punishment by the Austrian Financial Market Authority (FMA). The FMA is currently the only authority in Austria that can impose administrative penalties in the millions. The BVwG had reservations as to whether it was constitutionally permissible for an administrative authority - such as the FMA - to impose such large fines or that this would not have to be done by a proper court. This view was based on the recent case law of the Austrian Constitutional Court, according to which very high fines are mandatory imposed by ordinary (criminal) courts, because only these provide sufficient procedural guarantees and have judicial independence.

The VfGH declined in its decision of 13.12.2017 from its previous case law. The introduction of an administrative court of first instance, whose members are judges, provides adequate legal protection against administrative penalties. Accordingly, very high fines could be imposed by administrative authorities.

This decision has implications for the DPA, which has been able to impose administrative penalties of up to EUR 20 million since 25.05.2018 or, in the case of a company, up to 4% of the total worldwide turnover of the previous financial year. The admissibility of the imposition of such high fines by the DPA (as an administrative authority) is thus clarified from a constitutional point of view.


Article provided by: RA Prof. Dr. Clemens Thiele, LL.M (EuroLawyer)


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org


What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.