1st Austrian Trade Congress – Mousetraps, Jägermeister and GDPR

The worldwide data volume is growing, and at an ever faster rate. It is currently doubling every two years. This unbelievably large volume of data holds not only opportunities but also great dangers. On the one hand, more data offers a greater target for cybercrime; on the other hand, more and more personal data is becoming digital and, when combined, lets companies paint a comprehensive picture of us as customers or employees, and lets organizations or governments spy on citizens. Reason enough for FTAPI Software GmbH to organize the 1st Austrian congress for data protection in practice on February 11th and 12th in Vienna, with prominent speakers such as Max Schrems, Katharina Nocun and Michael Mrak reporting on current developments.

Max Schrems, who talked “out of the sewing box of a data protection activist”, knows that proceedings against data-collecting US corporations are lengthy. On April 9, 2015, his trial Max Schrems vs. Facebook started at the State Court for Civil Matters. The trial was initially delayed by questions of jurisdiction: whether a class action lawsuit is possible, whether the data protection lawyer can even sue as a private individual in Austria… Years passed before these questions were clarified. Schrems knows that he is up against “opponents with very deep pockets”. It is no problem for these companies to invest ten million euros in such a procedure and to drag it through all instances.

Who decides on the use of data
Schrems accuses Facebook of data protection violations. The trial is about the delicate question of who on Facebook is allowed to decide how the data is used – in other words, who is responsible for what is posted. Facebook has so far taken the position that if there are problems with data, for example if a photo infringes copyright, the user is responsible. However, Facebook alone has the say in the evaluation and use of the data. The court is now trying to clarify this “dilemma”.

In general, the question of liability is only semi-transparent, especially for SMEs, for whom Facebook is an important marketing platform. The idea was to “be able to use Facebook services as a business without having to consult three lawyers at once,” Schrems noted.

The importance of the right to information
“The Data I Called” was not only the title of Katharina Nocun’s lecture, but also the title of the civil rights activist’s book. The net activist and graduate economist led nationwide campaigns on data protection, whistleblowing and civil rights, among others for the citizens’ movement Campact e.V., Mehr Demokratie e.V., and the Federation of German Consumer Organisations (vzbv).

“Everyone should have the opinion that they have something to hide,” is Nocun's conclusion. Why? You can find out by exercising your right to information under Article 15 of the General Data Protection Regulation (GDPR) and requesting the data that companies or authorities have stored about you.

Psychological profile when collecting points
Data is also diligently collected during non-digital shopping. “If you collect points in a bonus program, your data is naturally also recorded,” Nocun continues. While nothing can yet be deduced from an individual transaction, a psychological profile of the individual is created over a longer period of time. For example, a low share of fruit and vegetables in the purchases is just as indicative of an unhealthy change in life as the purchase of a mousetrap is of an unkempt apartment and the purchase of Jägermeister is of loneliness.

Rainer Neumann also insisted on the use of Article 15 GDPR in his presentation “Data must also go again”. The long-standing board member of Postbank and SCHUFA had done this himself at Deutsche Bahn and had only received incomplete information after repeated requests. “For a company that itself had a data scandal ten years ago and where a board member is only responsible for data protection, I had expected more,” said Neumann, who now works as a data protection officer.

The right to be forgotten
He also pointed out that companies often neglect the “right to be forgotten” when implementing GDPR. This also became the fate of Deutsche Wohnen, which was sentenced to a record 14.5 million at the end of last year.

Michael Mrak clarified the connection of the GDPR with comparable international laws and the challenges of Big Data under the title “Data Protection – Looking beyond the horizon”. Mrak heads the Compliance department at Casinos Austria and the Austrian Lotteries. He is the data protection officer and also the money laundering officer for the group and is responsible for the development and operation of the group-wide compliance management system. According to Mrak, the GDPR has been a success in comparison with other countries because it has managed to establish a uniform understanding of personal data in the EU.

Weak points are often unknown
As a cyber expert, Christine Deger advises and accompanies companies in all aspects of cyber security. She gave a lecture on “the current cyber security threat situation and how companies can protect themselves”. According to Deger, one of the problems is that CIOs often don’t know where their weaknesses lie. The current statistics prove this: Three-quarters of the economy has been affected by cybercrime in the last two years, with damage amounting to more than 100 billion euros.

In the meantime, the speed at which malware spreads is particularly impressive. “Malware becomes so intelligent that I get scared,” says Deger. “By the time you shut down one affected system, it has already jumped over to the next one.”

Attacks simply configured on the net
Malware as a service has also become a problem. It is currently very easy to configure a cyber attack on the Internet and earn money with it or “to get the competition off the ground within three days”.

However, due to the existing obligation to report incidents under GDPR, incidents are at least now becoming public and it is possible to deal with them better.

GDPR – one of the simplest laws
GDPR was also the topic of the two concluding lectures. While Andreas Zavadil from the Austrian supervisory authority for data protection talked about “Challenges with GDPR and previous ruling practice”, Leo Deser from TÜV SÜD Sec-IT GmbH explained the requirements for data protection on websites. “GDPR is one of the simplest laws I know”, summarized Leo Deser. “It does not demand perfection from you, but a risk-oriented approach.”

The 1st Austrian Congress on Data Protection in Practice was organized by FTAPI Software GmbH in cooperation with audatis Services GmbH, impetus Unternehmensberatung GmbH and xalevi Solutions GmbH. On the second day, the partners presented strategies, solutions and practical examples to the attendees, showing how the way into the digital future can be realized securely.


FTAPI is a German software provider based in Munich. The core product FTAPI SecuTransfer is based on the specially developed SecuPass security technology and stands for simple and secure data exchange, supplemented by data rooms, secure forms and processes.

As a secure content platform, FTAPI enables customers, partners and employees to collaborate on highly sensitive data and access it worldwide. Used in the right places, FTAPI helps to push digitalization in companies with simple means and to increase the efficiency of work processes significantly. Enormous potential can be realized without much effort, especially in input management, invoice receipt and sending payslips.

Under the vision of “Securing Digital Freedom”, FTAPI is thus committed to the preservation of the identity of individuals and companies. FTAPI is the market leader in the German-speaking world and is now used by thousands of companies in over 120 countries.
More information is available at www.ftapi.com