Skip to main content

“White list” – (Austrian) Exceptions to the Privacy Impact Assessment


The General Data Protection Regulation (GDPR) stipulates that (data) controllers must carry out what is known as a "data protection impact assessment" (DPIA) before data processing is likely to entail a high risk for the rights and freedoms of natural persons.

The Austrian Data Protection Authority (DPA) has issued a regulation in this regard (Regulation of the Data Protection Authority on the exceptions to the Data Protection Impact Assessment). The regulation lists those data processes that are exempted from the obligation to carry out data protection impact assessments (so-called "white list").

Accordingly, the following processing activities, whose purpose is specified in the Annex to the Regulation, are in principle excluded from the obligation to carry out a data protection impact assessment:

  • Customer administration, accounting, logistics, accounting
  • personnel management / human resources
  • membership management/administration
  • Customer service and marketing for own purposes
  • Property and inventory management
  • registers, evidences, books
  • Access management for computer systems
  • Access control systems
  • Stationary image processing and the associated acoustics processing for surveillance purposes (CCTV)
  • Real-time image and acoustics data processing
  • Image and acoustic processing for documentation purposes
  • Patient / client / customer administration and fee billing/accounting of individual physicians, healthcare providers and pharmacies
  • Legal and consulting professions
  • Archiving, scientific research and statistics
  • statements of support
  • Budgetary management of local and other public-law entities
  • Public Tax Administration
  • Administration of subsidies
  • Public relations and information activities by public officials and their business devices
  • File management (office automation) and management of proceedings
  • Organization of events
  • Awards and honors

Likewise, according to the white list, data applications which were subject to prior checking under the old regime (DSG 2000) and were registered in the Austrian data processing register before the end of May 24, 2018, or which were not reportable are excluded from the DPIA.

Austrian Chairwoman of the EDPB

When the GDPR came into force, the European Data Protection Board (EDPB) was established instead of the so-called Article 29 Working Party.The EDPB is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities. The head of the Austrian DPA, Andrea Jelinek, was elected Chairwoman of the Article 29 Data Protection Working Party at the beginning of the year, thus becoming Chair of the EDPB on 25.05.2018. 

Austrian DPA can also impose high administrative penalties - Decision of the Austrian Constitutional Court of 13.12.2017

With this decision, the Austrian Constitutional Court (re-)answered the question of whether administrative authorities can impose heavy fines.

The starting point of this procedure was a petition for legal review by the Austrian Federal Administrative Court (BVwG), which had to decide on the appeal against punishment by the Austrian Financial Market Authority (FMA). The FMA is currently the only authority in Austria that can impose administrative penalties in the millions. The BVwG had reservations as to whether it was constitutionally permissible for an administrative authority - such as the FMA - to impose such large fines or that this would not have to be done by a proper court. This view was based on the recent case law of the Austrian Constitutional Court, according to which very high fines are mandatory imposed by ordinary (criminal) courts, because only these provide sufficient procedural guarantees and have judicial independence.

The VfGH declined in its decision of 13.12.2017 from its previous case law. The introduction of an administrative court of first instance, whose members are judges, provides adequate legal protection against administrative penalties. Accordingly, very high fines could be imposed by administrative authorities.

This decision has implications for the DPA, which has been able to impose administrative penalties of up to EUR 20 million since 25.05.2018 or, in the case of a company, up to 4% of the total worldwide turnover of the previous financial year. The admissibility of the imposition of such high fines by the DPA (as an administrative authority) is thus clarified from a constitutional point of view.


Article provided by: RA Prof. Dr. Clemens Thiele, LL.M (EuroLawyer)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.