Controller’s Obligation to Notify Data Breach and Consequences
=====================================================
The General Data Protection Regulation (GDPR) requires controllers to notify personal data breaches to the relevant supervisory authority without undue delay. This notification must be made within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the data subjects.

Notification Obligations
------------------------

- Controllers are obligated to inform the Data Protection Authority (DPA) of a personal data breach.
- Notifications must be made without undue delay and contain specific information about:
  - The nature of the breach
  - Potential consequences
  - Measures taken or proposed to mitigate the effects
Electronic Marketing and Unsolicited Emails
-------------------------------------------

### Austrian Law Prohibits Spam

Austrian law prohibits unsolicited electronic marketing (spam) unless prior consent is obtained from the recipient. To comply with this requirement, controllers must obtain explicit opt-in consent before sending marketing emails.

### Draft EU ePrivacy Regulation

The draft EU ePrivacy Regulation aims to introduce new rules for electronic communication and marketing, including provisions for:

- Unsolicited electronic marketing
- Potential fines of up to 4% of total worldwide annual turnover or €20 million
Cookies
-------

### Consent Requirements

Website operators must inform visitors about cookies that collect personal data, unless they are essential for website functionality. Prior consent (opt-in) is required for non-functional cookies, such as:

- Marketing cookies
- Tracking cookies
- Analytics cookies

The cookie consent must be based on clear and comprehensive disclosure of:

- Purposes
- Legal basis
- Retention period

### Draft EU ePrivacy Regulation Proposals

The draft EU ePrivacy Regulation proposes to allow users to consent to cookies through their browser settings, eliminating the need for website banners.
Data Transfer and Third Parties
-------------------------------

### International Data Transfers

International data transfers are governed by Articles 44-50 of the GDPR. No prior notification or approval is required, but controllers must:

- Maintain an internal record of processing activities
- Conduct a privacy impact assessment for sensitive processing activities

### Written Agreements with Processors and Controllers

Controllers transferring personal data to processors must sign a written agreement containing prescribed minimum content. Those transferring data to other controllers require a specific legal justification.

### Appropriate Safeguards

Appropriate safeguards, such as EU standard contractual clauses or binding corporate rules, are necessary for transfers outside the European Economic Area.
Penalties and Compensation
--------------------------

Non-compliance with Austrian data protection provisions can result in:

- Penalties arising from claims by data subjects, competitors, and the Data Protection Authority
- Administrative fines of up to €20 million or 4% of total worldwide annual turnover