A Q&A guide to data protection in Austria.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
To compare answers across multiple jurisdictions, visit the Data Protection Country Q&A tool.
This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.
The applicable Act in relation to collecting and using personal data in Austria is the Data Protection Act 2000 (Datenschutzgesetz 2000) (DSG). It is based on Directive 95/46/EC on data protection (Data Protection Directive).
There are several laws regulating specific aspects of the collection and use of personal data, including:
The regional data protection laws of the Austrian federal provinces (Bundesländer), which govern specific aspects of the processing of data in matters subject to the legislation of the Bundesländer. These laws were necessary to transpose the Data Protection Directive into Austrian law in accordance with the rules on legislative competence under the Austrian Federal Constitution.
Legal provisions relating to data protection are also found in:
Austrian Labour Relations Act (Arbeitsverfassungsgesetz).
Banking Act (Bankwesengesetz).
Trade Regulations Act (Gewerbeordnung).
Penal Code (Strafgesetzbuch).
Criminal Procedure Code (Strafprozessordnung).
Police Act (Sicherheitspolizeigesetz).
The right to data protection is a constitutional civil right which applies to everyone including natural persons, (public or private) legal entities and associations (referred to as data subjects).
The DSG regulates personal data, that is, information about an identified or an identifiable person.
"Sensitive data" is subject to stricter rules. Sensitive data is information about a natural person relating to:
Racial or ethnic origin.
Political opinion.
Trade union membership.
Religious or philosophical beliefs.
Health.
Sex life.
If not otherwise stated, the following explanations refer to regular personal data. The special provisions for sensitive data are mentioned separately (see Question 11).
The DSG also contains special provisions about "indirect data". This is personal data whose data subject cannot be identified by the controller, processor or recipient using legally permissible means.
All kinds of data processing, whether by automatic or manual means, are subject to the DSG provisions. Data processing is any operation or set of operations that is performed on personal data, such as collecting, recording, saving, storing, organising, comparing, disclosing, using, erasing, and so on.
However, processing by manual means is only subject to the DSG if the data is collected in a data file, that is, a structured collection of data organised by certain criteria. The provisions for manual processing are less strict than for the processing of data by automatic means.
The provisions vary depending on the kind of processing performed. There are special provisions for data transmission (a sub-classification of processing), and there are two types of data transmission defined in the DSG:
Überlassung (mandate transmission), transmission of data from a controller to a processor.
Übermittlung (data transfer), transmission from a controller to another recipient who is not a processor (including publication of the data or use for an additional purpose by the same controller).
A processor is defined as a person who has been mandated by the controller to process the data for a specific job on behalf of the controller. The controller is a person who alone or jointly with others determines the purposes and means of the processing of personal data.
The DSG provisions apply to every kind of processing of personal data in Austria, irrespective of the nationality or origin of the person carrying out the processing. However, in two cases deviating rules apply:
If data is processed outside of Austria (but in the EU) on behalf of an Austrian establishment of the controller, the DSG applies.
If data is processed in Austria on behalf of a controller in an EU member state outside Austria, the provisions of that country apply instead of the DSG, unless the purpose of the processing can be attributed to an Austrian establishment of that controller.
The mere "transportation" of personal data through Austria is not subject to the DSG.
The DSG provides for special exemptions in relation to:
Processing by natural persons for private or family purposes.
Scientific research and statistics.
Journalism.
Processing in case of emergency.
According to these provisions, natural persons can process personal data for private or family purposes if the data was either:
Disclosed by the data subject.
Legally obtained otherwise.
The Austrian data protection authority (Datenschutzkommission) (DSK) (see box, The regulatory authority) can give special permission to process personal data for the purpose of scientific research or statistics:
If obtaining the data subject's consent is impossible or would require disproportional effort.
If the processing is justified by grounds of public interest.
If the applicant has credibly shown his expertise.
In relation to journalism, the provisions of the DSG apply only in part. The processing of personal data for journalistic purposes, as defined in the Media Act (Mediengesetz), is admissible if, and to the extent that, the processing is necessary for the reporting activities of news agencies, media services and their employees within the fundamental right to freedom of expression.
In an emergency, public sector controllers and relief organisations can process personal data to the extent necessary to:
Provide help for directly affected persons.
Find and identify missing and deceased persons.
Provide information for relatives.
In general, the DSK must be notified of every data application (Datenanwendung), that is, every set of processing operations, including any data transfers, carried out for a particular purpose, for entry in the data processing register. However, there are several exemptions. Notification is not required for a data transfer:
Of published data.
Of data necessary for public registers.
Of anonymous data.
By private persons for private purposes.
Required for certain media purposes.
Required for certain state security measures.
That constitutes a standard process as defined in the Standard and Sample Regulation (Standard- und Musterverordnung). Such standard processes include, for example, the data transfer of human resource data for human resources purposes, or the membership administration of private entities.
In general, the data transfer can be carried out as soon as the notification has been filed. The DSK can then advise the controller to amend the notification within two months after the day of notification. After this time has elapsed, the notification is final.
However, prior approval by the DSK is necessary if the data transfer:
Includes sensitive data (see Question 11).
Includes data about a person's criminal record.
Is carried out to get information about the data subject's credit standing.
Is carried out by means of a joint information system (Informationsverbundsystem). In a joint information system, several controllers have access to a program in which data is processed by all controllers.
Within two months, the DSK must decide whether the data transfer can be carried out.
The processing of personal data is only allowed if:
The purpose and the content of the processing are covered by the legal or contractual authority of the controller.
For a data transfer, the recipient has proved his competence for the purpose of the processing.
The legitimate interest of the data subject in the secrecy of the data is not infringed.
The data subject's constitutional rights are not impaired more than is proportionate, and certain basic principles have been observed.
The basic principles to be observed include:
Processing in good faith.
Determining the (legitimate) purpose of the processing, and not processing beyond this purpose.
Correct entry of the data.
Only saving the data until the purpose of the processing has been achieved.
In some cases the consent of the data subject is required to ensure that his interest in the secrecy of the data is not infringed (see Question 8). However, there are certain circumstances in which consent is not necessary for legal processing (see Question 10).
There are very few formal requirements for the consent. If the processing involves sensitive data, consent must be given explicitly. The DSG does not require consent to be given in writing, but it is advisable to obtain written consent declarations for evidential purposes. Certain formal standards for consent declarations have been developed on the basis of various court rulings, for example, the wording of the consent declaration must be:
Separate from the rest of the text.
However, there are strict rules in the DSG in relation to the content of the consent. Consent is defined as the valid declaration of intention by the data subject to agree to the processing of the data. The data subject must be fully aware of the circumstances, the kind and extent of the processing of the data and must be free of constraint. This consent can be withdrawn at any time. Therefore, the consent declaration must name:
Each type of data to be processed.
The name of the recipients.
The exact purpose of the processing.
There must also be an indication that the consent can be withdrawn at any time.
There are no special rules regarding minors in the DSG. However, the consent requires a valid declaration of intention, which can only be made by a person of full legal capacity. Since minors do not have full legal capacity they cannot give valid consent to process their data.
The DSG provides three grounds (beside consent (see Question 9)) on which processing can be justified:
The law explicitly states an authorisation or a duty for the processing.
The data subject has a vital interest in the processing.
The interest in the processing of the person processing the data or of a third party outweighs the data subject's interest in the secrecy of the data.
There is no definition of the circumstances in which the interest of the controller or a third party outweighs the data subject's interest in the secrecy of the data, but the DSG contains a list with exemplary descriptions of such circumstances and there is a wide spectrum of court rulings that can be used to interpret the provision.
The processing of sensitive data (see Question 3) is subject to stricter restrictions. In many cases, if sensitive data is processed, the consent of the data subject is required. Only in special cases is consent not required, such as if:
The data has been published by the data subject.
The identity of the data subject cannot be retraced by legal means (indirect data, see below).
Legal provisions require the processing.
The data is processed by a public entity within the framework of its duties.
Only data about a public function of the data subject is processed.
The processing is necessary to protect vital interests of the data subject and the consent cannot be obtained in time.
Vital interests of a third party justify the processing.
The data processing is necessary to enforce a claim.
The data processing is carried out for private, or certain scientific, emergency or medical, purposes only. Additionally, certain associations can process sensitive data for specific purposes.
Sensitive data can only be processed after a preliminary check by the DSK. Such processing can be checked by the DSK at any time even without a special cause.
Further, there are special rules for indirect data (see Question 3). The legitimate interest of the data subject in the secrecy of the data is not infringed when processing indirect data. There is also no requirement for notification of indirect data.
There are further special provisions for certain types of data in particular cases. For example, the processing of data concerning the criminal record or the credit standing of a person also requires prior approval by the DSK before initiation. There are also special provisions for data processing in the public domain.
The minimum information to be provided to the data subject by the data controller at the point of collection of the personal data is the:
Purpose of the processing for which the data is collected.
Name and address of the controller.
If the data subject is already aware of this information there is no such obligation. Further information must be provided if processing in good faith requires it. It is definitely required if:
If the data is not collected by questioning the data subject but is obtained within the controller's business or from a different controller, the controller is in certain cases not obliged to inform the data subject about the data transfer. This exception applies:
If the processing is required by law.
If the data subject cannot be reached.
If the infringement of the rights of the data subject is very unlikely and the costs of the procedure to inform all data subjects are excessively high.
Finally, there is no obligation to inform the data subject if the processing is not subject to the duty of notification (see Question 7).
Data subjects have a right to:
Information about the personal data concerning them.
The correction of inaccurate data or deletion.
Object to the processing.
If the data subject asks for information about the data concerning him, the controller must provide information on:
The data processed.
The data source.
The name of all recipients of data transmissions.
The purpose of the data processing.
The legal basis for the data processing.
The request for information must be made in writing, unless the controller agrees to oral requests. The data subject requesting information must provide evidence of his identity. The information request can be declined if this is necessary for the data subject's protection, or if there are outweighing legal interests of the controller or a third party.
The controller must provide the information within eight weeks. If the controller declines the information request he must provide reasons for this within eight weeks.
In general, the information is free. If the information is requested in relation to data from a terminated data processing, or if the data subject has already asked for information within the same calendar year, the controller can ask for cost reimbursement.
Every controller must correct or delete inaccurate and illegally processed data as soon as the inaccuracy or the inadmissibility of the data processing becomes known to him, or if the data subject makes a founded request to do so. The correction or deletion must be effected within eight weeks. If the request of the data subject to correct or delete the data is dismissed, the controller must inform the data subject within eight weeks of the reasons for the dismissal.
Every data subject has the right to raise objections to the processing of data concerning him if:
The processing is not based on a legal obligation.
His interest in the secrecy of the data, which outweighs other interests because of his particular situation, is infringed.
If these conditions are met, the controller must delete the data within eight weeks and must refrain from any transfer of this data.
On a well-founded request by the data subject, every controller must correct or delete inaccurate and illegally processed data within eight weeks or, in case of dismissal of such request, inform the data subject of the reason for the dismissal (see Question 13).
Every controller and processor must take measures to ensure data protection. The type and extent of measures to be taken depend on the:
Type of data processed.
Amount and purpose of the processing.
The measures must prevent accidental or illegal destruction of the data. They must also ensure proper processing, and that the data is only accessible to authorised persons.
The following security measures should be taken to the extent necessary to ensure the above principles:
Explicit assignment of tasks to each organisational unit.
Allowing data processing only on valid instructions by authorised personnel.
Instructing all employees about their duty to provide the necessary data security.
Regulating access authorisation to the premises of the data controller or the data processor.
Regulating access authorisation to data and computer programs, and protecting data storage media from inspection or use by unauthorised persons.
Defining who is authorised to operate the data processing equipment, and securing each device (by safeguards in the machines or programs used) against unauthorised operation.
Keeping records of the actual processing operations carried out.
Documenting all the security measures taken.
If the controller learns that data from his data application is being systematically and seriously misused and the data subject may suffer damage, he must immediately inform the data subject in an appropriate manner. This obligation does not apply if informing the data subjects would require a disproportionate effort, taking into account that only minor damage to the data subject is likely and the cost of informing all persons concerned. There is no obligation to inform the DSK.
The controller can only mandate processors if they are able to ensure legal and secure processing. The controller must settle the necessary details with the processor and check on the processor's compliance by gathering the relevant information.
There are certain duties processors must observe when processing data for the controller (in addition to any contractual duties). Processors must:
Process the data only within the scope of the agreement.
Ensure that all necessary security measures are taken (see Question 15).
Only engage other (sub-)processors with the consent of the controller.
As far as reasonable, provide technical and organisational prerequisites to enable the controller to fulfil his duties in relation to the data subject's right of information, right to correction or deletion, and right of objection (see Question 13).
Return all processing results and documents containing personal data to the controller, or keep or destroy them on the controller's behalf, as soon as the processing services have been completed.
Provide the controller with the information necessary to supervise the duties above.
If data is transmitted to processors outside Austria, or if the controller and processor define the content of these duties in more detail in a contract, this contract must be concluded in writing. Otherwise, the agreement between controller and processor regarding the security measures to be taken does not have to be in writing.
Electronic communications are regulated by:
Directive 2002/58/EC on the protection of privacy in the electronic communications sector (Privacy and Electronic Communications Directive).
The Austrian Telecommunications Act (Telekommunikationsgesetz) (TKG).
Under the TKG, the provider must inform the subscriber or user about the personal data concerned, including:
The legal basis of the collection, processing or transmission of the personal data.
The purposes of the data collection, processing or transmission.
How long the data will be stored.
This information must also explain the right to refuse processing.
These rules do not prevent technical storage or access (for example, through cookies) whose sole purpose is to carry out or facilitate the transmission of a communication over a communications network or, to the extent strictly necessary, to provide a service explicitly requested by the subscriber or user.
The subscriber must also be informed of the usage possibilities based on search functions embedded in electronic versions of the directories. This information must be given:
In an appropriate form (in particular within the framework of general terms and conditions).
No later than the commencement of the legal relations.
The right to information under the DSG is unaffected. Usually, privacy policies or standard terms and conditions contain the information required under the TKG.
Log files and web logs qualify as "traffic data" under the Privacy and Electronic Communications Directive and the TKG, respectively. Traffic data must not be stored beyond the duration of the connection and must be erased or anonymised after the connection is terminated, except in the specific cases regulated by law (TKG). If required for subscriber billing (including payments for preparatory services), the operator may store traffic data until the bill has been paid and can no longer be challenged (the period for challenging a bill is three months). The data must not be deleted if:
The bill has been challenged, until the expiry of the time period during which such challenge can lawfully be made.
The bill has not been paid, until the expiry of the time period during which the payment can lawfully be pursued.
Proceedings regarding the bill have been initiated, until the final decision.
In case of a dispute concerning the bill, the competent authorities have to be provided with the respective traffic data.
Processing of traffic data must be restricted to persons who:
Handle billing or traffic management, fault recovery, customer enquiries, fraud detection or marketing communications services.
Provide value-added services.
Have been commissioned by the above.
The amount of stored or processed traffic data must be restricted to what is absolutely necessary.
Under Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks (Data Retention Directive), the TKG provides for the mandatory retention of specific traffic and location data by providers for a period of six months in the interest of the investigation, detection and prosecution of crime. In general, access to the data can only be granted to prosecutors on the basis of a judge's warrant, in accordance with the detailed requirements of the TKG and the applicable criminal law provisions.
The sending of electronic mail (including SMS) to consumers (as defined in the Austrian Consumer Protection Act) without the recipient's prior consent (opt-in) is not permitted if the sending either:
Takes place for purposes of direct marketing.
Is addressed to more than 50 recipients.
Prior consent to electronic mail is not required if all of the following apply:
The sender has received the contact details for the communication in the context of a sale or a service to customers.
The communication is transmitted for the purpose of direct marketing of similar products or services.
The customer has been clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to this use of their electronic contact details when they are collected, and on the occasion of each message.
The customer does not appear in a list (kept by the Rundfunk und Telekom Regulierungs-GmbH) in which persons and companies who do not wish to receive commercial communications by electronic mail can be entered free of charge.
The sending of electronic communications for purposes of direct marketing is prohibited even where these conditions are met if either:
The identity of the sender on whose behalf the communication is transmitted is disguised or concealed.
There is no valid address to which the recipient can send a request that the communications stop.
The electronic communication does not comply with the requirements set forth in Section 6 of the Austrian Electronic Commerce Act (E-Commerce-Gesetz) (ECG) regarding minimum requirements of commercial information (in particular clear indication that the information provided is commercial communication and identification of the person or legal entity which is the principal behind the communication).
The electronic communication refers to a website with a content that is not in compliance with the minimum requirements for commercial information as set out in Section 6 ECG.
Data transmissions to recipients outside Austria are admissible if the data processing is admissible within Austria (for requirements, see Question 8). In addition, in the case of mandate transmissions (see Question 4) to recipients outside Austria, the recipient (processor) must agree in writing to observe the general duties of a processor (see Question 16) unless the processing is based on certain legal obligations.
Data transfers as well as mandate transmissions to a recipient outside Austria are, in general, subject to the DSK's permission. There is a general exception for transmissions to:
An EU member state.
Switzerland, Argentina, Canada, Guernsey, Isle of Man and Jersey.
Recipients in the US who have certified to the US Department of Commerce that they will adhere to the Safe Harbour requirements.
Further exceptions exist for certain cases, for example, published or indirect data (see Question 11) and for data processing that constitutes a standard process as defined in the Standard and Sample Regulation (see Question 7).
Permission must be granted if an adequate level of data protection is provided, or if the controller certifies that the legitimate interest of the data subjects in the secrecy of their data will be protected outside Austria. This certification can be based on contractual warranties.
The Austrian legislator has not released or officially approved any standard contractual clauses. However, the standard contractual clauses as defined by the EU (Commission Decision 2001/497/EC, Commission Decision 2004/915/EC and 2010/87/EU) are generally accepted by the DSK as sufficient evidence that the standard level of data protection is safeguarded.
Data transfer agreements are sufficient to ensure that the standard level of data protection is safeguarded. However, this is merely one aspect of the legitimacy of data processing. The other conditions (see Question 8) must be fulfilled as well, and one requirement might be the consent of the data subject (see Question 9). The DSK only gives its permission to transfer data to recipients outside Austria if all conditions for the legitimate processing of personal data are met.
If data is transmitted to a recipient outside the EU the data processing, including the data transfer agreement, needs to be approved by the DSK (see Question 19). If the EU standard contractual clauses are used, the DSK is compelled to accept them.
The proceedings to receive permission for the data transmission (permission proceedings) are initiated by an application to the DSK. There are no formal requirements for the application. To enable the DSK to evaluate the application, the applicant must specify:
The type of data to be transmitted.
The purpose of the processing.
The names of the recipients.
The countries of the recipients.
The application for permission is independent of the notification process.
Anyone can file a complaint with the DSK about an alleged infringement of data protection rights. There is no charge to file a complaint, and there are no formal requirements.
If there is substantial evidence of an infringement of data protection rights, the DSK can check the data processing complained about. The DSK can ask the controller or processor for information and examine the relevant documents. Data processing subject to prior approval (see Question 7) can be checked by the DSK even without substantial evidence. The DSK can do all of the following:
Enter the premises of the data controller or processor.
Use the data processing equipment.
Carry out the processing procedure.
Make copies of all relevant documents.
The controller/processor is obligated to co-operate with and support the DSK in its investigations.
In addition, the DSK can make recommendations to the controller/processor and set a time limit for the controller/processor to comply with these recommendations. If the controller/processor does not comply within the time limit, the DSK can:
Initiate proceedings to check the registration, which can result in the cancellation of the registration.
File a criminal complaint, if criminal provisions are applicable.
If the data subject is a private (natural or legal) person, file an action for a declaratory judgment against the controller/processor before civil courts.
If the data subject is a public entity, inform the competent supervisory authority.
The DSK is competent to rule on a complaint regarding an infringement of the right of information (see Question 13). For complaints regarding an infringement of the right to correction or deletion, the DSK is only competent if the controller/processor is a public entity (except legislative or judicial bodies). For all other cases, the DSK is not competent: the claims must be filed with the civil courts instead.
In cases of infringement of the right of data protection or the right to correction or deletion, the data subject can claim for an injunction and cessation of the infringement. The court can grant an interim injunction in this regard. These claims must be brought before the civil courts.
In addition, the data subject can file an action for damages with the civil courts. The prerequisites for compensation are a financial loss caused by the infringement of data protection regulations and at least negligent conduct.
The controller and processor are liable for the actions of their personnel. They can be discharged from liability if they can prove that neither they nor any of their personnel are liable for the infringement.
The Penal Code (Strafgesetzbuch) contains several provisions which might apply in cases of data protection infringement. For example, unlawful access to a computer system, the unlawful interception of data, and the fraudulent misuse of data processing with the intention of unjustified enrichment are prohibited. The penalty is a fine or up to six months' imprisonment.
The DSG also contains criminal sanctions. The wilful infringement of data protection with the intention of unjustified enrichment or to harm another person is prohibited under penalty of up to one year's imprisonment.
Further, the DSG contains administrative penalties of up to EUR25,000 (as at 1 March 2011, US$1 was about EUR0.7) for:
Wilful illegal data access.
Wilful illegal data transfer.
Illegal processing, despite a binding court ruling.
Wilful deletion of data, despite a request for information.
A penalty of up to EUR10,000 applies for cases in which:
The duty of notification is violated.
Data is transmitted to a recipient outside Austria without the permission of the DSK.
A data controller does not comply with its duties to inform the data subjects or the DSK.
The necessary security measures have not been taken.
A penalty of up to EUR500 applies for cases in which the data subject's right of information, the right to correction and deletion, or the right of objection (see Question 13) is violated. Finally, an infringement of data protection laws might give rise to claims based on competition law.
In general, active enforcement of data protection laws is increasing, because data protection has received increasing public attention in recent years.
The regulatory authority. Austrian data protection authority (Datenschutzkommission) (DSK).
Main areas of responsibility. Supervision and enforcement of compliance with data protection legislation, and administration of the data processing register.
Qualified. Austria, 1999; New York, US, 2002
Areas of practice. Labour and employment law; expatriates; data protection; life sciences; corporate law.
Qualified. Austria, 1994; New York, US, 1993
Areas of practice. Mergers and acquisitions; anti-trust law and competition law; company law; civil law.