Austrian DPA Approves SOX Whistleblowing Hotline but with Limitations
Time 1 Minute Read
Categories: European Union, International

On December 5, 2008, the Austrian data protection authority ("DPA") issued its first decision on the implementation of a whistleblowing hotline as required by the Sarbanes-Oxley Act ("SOX"), to be administered by the Austrian subsidiary of a U.S.-based company. The DPA partly approved the data transfers from the Austrian entity to the U.S. entity for the purpose of enabling it to prosecute "serious incidents" caused by the behavior of executive managers. The DPA ordered the Austrian subsidiary to implement a contract guarantying data subjects the ability to exercise their rights through the service provider managing the hotline. The DPA did not consider SOX to provide a legal basis for the transfer, but rather found that the legal basis was provided by the legitimate interests of the Austrian subsidiary, as conveyed by instructions of the employer, admissible in the context of an employment relationship, including a Code of Conduct. The conditions placed on the hotline are based on the recommendations issued by the Article 29 Working Party in its Working Paper 117. Full text of the decision is available in German here.

Tags: Article 29 Working Party, Austria, Whistleblowing
Print Email Twitter/X Linkedin Facebook

You May Also Be Interested In

Time 3 Minute Read
CJEU Rules on Excessive Requests

On January 9, 2025, the Court of Justice of the European Union issued its judgment in the case Österreichische Datenschutzbehörde.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
CJEU Rules that Principle of Minimization Limits the Personal Data that Can Be Used for Targeted Advertising

On October 4, 2024, the Court of Justice of the European Union issued its judgment in case C‑446/21 to assess whether the GDPR imposes limits to Meta Platforms Ireland’s use of personal data collected outside of the Facebook social network for advertising purposes.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
CJEU Determines that a Mere Infringement of the GDPR is not Sufficient to Require Compensation

On May 4, 2023, the Court of Justice of the European Union (“CJEU”) issued a judgment in the Österreichische Post case (C-300/21). In the decision, the CJEU clarified that a mere infringement of the EU General Data Protection Regulation (“GDPR”) is not sufficient to give data subjects the right to receive compensation under Article 82 of the GDPR. Article 82 provides that any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 1 Minute Read
Danish DPA Declares Use of Google Analytics Unlawful Without Supplementary Measures

On September 21, 2022, Denmark’s data protection authority Datatilsynet (“Danish DPA”) announced its guidance that Google Analytics, Google’s audience measurement tool, is not compliant with the EU General Data Protection Regulation (“GDPR”), as the tool transfers personal data to the United States which, following Schrems II, does not offer an adequate level of data protection.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page