The most important parts of the AVG for you at a glance.
- Taking appropriate measures
Each company ("controller") should take appropriate technical and organisational measures to protect personal data of employees or customers, at a level applicable to that company. In the event of an incident, the company should restore the availability of and access to personal data. There should also be a procedure in place to test, assess and evaluate the said measures. - Obtaining data subject's consent
The data subject must clearly and actively indicate that their personal data may be used. The AVG refers to this as free, specific, informed and unambiguous consent. The data subject can also withdraw this consent. Furthermore, he has the right to comprehensive information about the processing of his personal data, the right to inspect and correct his personal data, the right to object and the right to have his personal data erased. - Mandatory data breach notification
A data breach occurs when personal data falls into the hands of someone who should not have it. Think of a lost, stolen or hacked laptop. A serious data breach should be reported to the Personal Data Authority within 72 hours. - Appointing Data Protection Officer (FG)
Governments and companies that process specific personal data on a large scale should appoint an independent (internal or external) FG. The FG supervises the processing of personal data. - Beware of cross-border data processing
When a company has multiple branches in, for example, the European Union, this is a cross-border situation. In that case, a lead regulator should be appointed, with primary responsibility for supervising cross-border data processing operations. - Register of processing operations
Every company and processor with 250 employees or more must keep a register of processing activities. - Consequences of non-compliance with AVG
The Personal Data Authority can impose very substantial fines of up to €20 million (depending on the offence) for non-compliance with the AVG.
