With the adoption of the EU General Data Protection Regulation, the EU legislature intended to strengthen the rights of individuals (ie, data subjects or applicants) by giving them greater control over how their personal data is used. Applicants must be informed of the processing of their personal data and be able to verify whether such processing is lawful. Accessing documents is not necessary to achieve that goal. This view is supported by two recent Austrian decisions.
'Influencer marketing' means taking advantage of bloggers and other persons who have their own social media channels to promote goods and services. While the concept of transmitting arguably hidden advertising is problematic, there are many variations of this and the lines between hidden advertising and personal opinion are often blurred. As such, the Advertising Council recently issued guidelines for dealing with influencer marketing as a specific means of marketing communication.
The EU General Data Protection Regulation (GDPR) has created a new understanding and awareness of data protection. Despite being a directly applicable legal act, the GDPR has created significant work for the Austrian federal legislature, which has chosen to impose it by implementing the narrow but general Data Protection Act and introducing amendments to ordinary legal acts individually. However, these amendments are essentially limited to wording adjustments and restrictions on data subjects' rights.
The Austrian Data Protection Authority (DPA) recently published its first decision on retention periods following the enactment of the General Data Protection Regulation. The decision is final. The DPA had to decide how long a telecoms service provider must retain so-called 'master data' – that is, data required for the controller's legal relationship with the users of its services.
Companies regularly store information about their customers, clients, employees, investors, partners and vendors. Privacy and data security are therefore important aspects of most M&A transactions. Although the risk of non-compliance with privacy laws may result in severe negative consequences, many M&A agreements still lack adequate privacy-related representations and warranties.