Unlike the GDPR implementation act in Germany, the New Act is relatively reserved in adding national variations. The main points under the New Act specific to Austria are:
Application to legal persons. As is currently also the case under Austrian privacy law, the fundamental right to data privacy will still apply in Austria not only to natural persons, but also to legal persons. By contrast, the GDPR and most EU national privacy laws only apply to personal information pertaining to natural persons.
Consent of children. The New Act sets fourteen as the age at which a child can express a valid consent to processing their data, thereby using the flexibility offered by the GDPR to set a lower age. The GDPR establishes sixteen as the default age for children.
Processing of criminal convictions and offenses by private entities. Article 10 of the GDPR states that information regarding criminal convictions and offenses may only be processed if authorized by Member State law. Paragraph 4, Section 3 of the New Act provides for this possibility in Austria. Apart from a general reference to processing such information pursuant to a legal authorization or obligation, the New Act also indicates that such information may be processed if necessary for the purposes of legitimate interests (in the sense of Art. 6 (1)(f) GDPR). This is a distinct possibility that we have not yet seen in other (draft) implementation acts, and which would significantly change the restriction introduced by Article 10 of the GDPR.
Processing of photographic or video materials. The New Act contains specific regulations on the permissibility of processing personal information contained in photographic or video materials. It regulates the use of CCTV on public and private property, as well as the use of video recording for the purpose of monitoring employees.
Processing of employee information. Paragraph 11 of the New Act specifically mentions that the current privacy-related provisions of the Labor Relations Act will remain applicable to the processing of employee information. The GDPR provides for this possibility in Article 88 of the GDPR, where Member States may determine specific rules for employment-related data processing.
Fines imposed on legal entities. Paragraph 30 of the New Act provides specific rules to levy administrative fines on legal entities.
Many thanks for sharing details on implementation of GDPR in member state countries! It's so interesting to see in a real case that GDPR is not a monolithic regulation for the european zone, but that the text we all know is meant as a basis for implementation to which each country may add specific requirements.