Tech & Sourcing @ Morgan Lewis


From time to time, data controllers are confronted with the question of whether data subjects can raise claims for specific security measures against the controller under Article 32 of the EU General Data Protection Regulation (GDPR). These measures can be costly and cumbersome for the controller.

The Austrian Data Protection Authority (DPA) has decided that there is no such claim. In the relevant case (AZ: DSB-D123.070 / 0005-DSB / 2018), the DPA ruled on a claim by a data subject to pseudonymize personal data. The complainant had filed two complaints with the DPA alleging a violation of the fundamental right to data protection (Section 1 of the Austrian Data Protection Act) for an alleged failure to delete data or pseudonymize personal data. The respondents were two Austrian public authorities: the Federal Ministry for Europe, Integration and Foreign Affairs and the Federal Chancellery.

The complainant argued that these authorities would store “the applicant’s sensitive personal data” in electronic form and without pseudonymization. Specifically, the data at issue related to the complainant’s sex life and contained health information. The Austrian government had allegedly obtained this data in 2007 in an “illegal covert investigation.”

The DPA ruled, inter alia, “Regarding an infringement of the fundamental right to secrecy by an ‘omission of pseudonymization’, it must be noted that the GDPR does not grant any right according to which a data subject could demand specific data security measures within the meaning of Art. 32 GDPR from a controller. Nor can a data subject . . . demand specific measures to minimize data within the meaning of Art. 5 (1) lit. c GDPR demand.”

The decision is making some waves in the EU, but it is good news for data controllers as there has been a controversial legal debate about this topic.

The interpretation of the Austrian DPA may also be significant for companies and individuals in other EU member states because the relevant provisions of the GDPR also apply directly in other countries. The DPA is likely the first authority providing legal guidance on the scope of Article 32 of the GDPR. Whether other data protection authorities will follow remains to be seen.