Data protection in Austria: overview
A Q&A guide to data protection in Austria.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
To compare answers across multiple jurisdictions, visit the Data Protection Country Q&A tool.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
The applicable Act in relation to collecting and using personal data in Austria is the Data Protection Act 2000 (Datenschutzgesetz 2000) (DSG). It is based on Directive 95/46/EC on data protection (Data Protection Directive).
There are several laws regulating specific aspects of the collection and use of personal data, including:
The regional data protection laws of the Austrian federal provinces (Bundesländer), which govern specific aspects of the processing of data in matters subject to the legislation of the Bundesländer. These laws were necessary to transpose the Data Protection Directive into Austrian law in accordance with the rules on legislative competence under the Austrian Federal Constitution.
Legal provisions relating to data protection are also found in:
Austrian Labour Relations Act (Arbeitsverfassungsgesetz).
Banking Act (Bankwesengesetz).
Trade Regulations Act (Gewerbeordnung).
Penal Code (Strafgesetzbuch).
Criminal Procedure Code (Strafprozessordnung).
Police Act (Sicherheitspolizeigesetz).
In April 2016, the General Data Protection Regulation 2016/679, the replacement for the Data Protection Directive that has been negotiated for years, finally entered into force. It will be directly applicable in Austria and in the rest of the EU from 25 May 2018 and will (to the largest extent) unify data protection law throughout the EU.
Scope of legislation
The DSG regulates personal data, that is, information about an identified or an identifiable person. Austria also introduced the category of indirectly personal data. This refers to personal data where the identity of the data subject can be retraced, but not by legal means.
"Sensitive data" is subject to stricter rules. Sensitive data is considered to be information about a person relating to:
Racial or ethnic origin.
Religious or philosophical beliefs.
All kinds of data processing, whether by automatic or manual means, are subject to the DSG provisions. Data processing is any operation or set of operations that is performed on personal data, such as collecting, recording, saving, storing, organising, comparing, disclosing, using, erasing and transferring.
However, processing by manual means is only subject to the DSG if the data is collected in a data file that is a structured collection of data organised by certain criteria. The provisions for manual processing are less strict.
The provisions vary depending on the kind of processing performed. There are special provisions in respect to data transmission (a sub-classification of processing), and there are two types of data transmission defined in the DSG:
Überlassung (mandate transmission), this is the transmission of data from a controller to a processor.
Übermittlung (data transfer), this is the transmission from a controller to another recipient who is not a processor.
A controller is a person who alone or jointly with others determines the purposes and means of the processing of personal data.
The processor is defined as a person who has been mandated by the controller to process the data for a specific job on behalf of the controller.
The DSG provisions apply to every kind of processing of personal data in Austria irrespective of the nationality or origin of the person carrying out the processing. However, in two cases deviating rules apply:
If data is processed outside of Austria (but in the EU) on behalf of an Austrian establishment of the controller, the DSG applies.
If data is processed in Austria on behalf of a private controller established in an EU member state outside Austria, the law of that country applies instead of the DSG, unless the purpose of the processing can be attributed to an Austrian establishment of that controller.
The mere "transportation" of personal data through Austria is not subject to the DSG.
In general, the DSB must be notified of every data processing. However, there are several exemptions.
Notification is not required in relation to the data processing:
Of published data.
Of data necessary for public registers.
Of anonymous data or indirectly personal data (see Question 3)
By private persons for private purposes.
Required for certain media purposes.
Required for certain state security measures.
That constitutes a standard process as defined in the Standard and Sample Regulation (Standard- und Musterverordnung). Such standard processes include, for example, the data processing of human resource data for human resources purposes, or the membership administration of private entities.
In general, the data processing can be carried out as soon as the notification has been filed. The DSB can then advise the controller to amend the notification within two months after the day of notification. After this time has elapsed the notification is final.
However, prior approval by the DSB is necessary if the data processing:
Includes sensitive data.
Includes data about a person's criminal record.
Is carried out to get information about the data subject's credit standing.
Is carried out by means of a joint information system (Informationsverbundsystem). In a joint information system several controllers have access to a program in which data is processed by all controllers.
Within two months the DSB must decide whether the data transfer can be carried out.
Main data protection rules and principles
Main obligations and processing requirements
The processing of personal data is only allowed if:
The purpose and the content of the processing are covered by the legal or contractual authority of the controller.
For a data transfer, the recipient has proved his competence for the purpose of the processing
The legitimate interest of the data subject in the secrecy of the data is not infringed.
The constitutional rights of the data subject have not been strained excessively and certain basic principles have been observed.
The basic principles to be observed include:
Processing in good faith.
Determining the (legitimate) purpose of the processing, and not processing beyond this purpose.
Correct entry of the data.
Only saving the data until the purpose of the processing has been achieved.
In some cases the consent of the data subject is required to ensure that his interest in the secrecy of the data is not infringed. The DSG provides for several other grounds to justify a data processing besides obtaining the data subject's consent (see Question 10).
There are very few formal requirements for the consent. If the processing contains sensitive data, consent must be given explicitly (an implied or inferred consent would not be sufficient). In general, the DSG does not require consent to be given in writing, but it is advisable to obtain written consent declarations for evidential purposes.
However, there are strict rules in the DSG in relation to the content of the consent. Consent is defined as the valid declaration of intention by the data subject to agree to the processing of the data. The data subject must be fully aware of the circumstances, the kind and extent of the processing of the data and must be free of constraint. Such consent can be withdrawn at any time.
There are no special rules regarding minors in the DSG. It is also not a highly problematised issue in Austrian judicature. Austrian scholars have different views on a minor's capacity to give consent to the usage of personal data. Some are of the opinion that the consent requires a valid declaration of intention, which can only be made by a person of full legal capacity. They conclude that since minors do not have full legal capacity they cannot give valid consent to process their data. Others say that a valid consent does not require full legal capacity but only sufficient cognitive faculty and power of judgement with regard to the meaning and the consequences of the given consent, which also a "mature minor" (that is, a minor at or above the age of 14) can have.
The DSG provides four grounds (beside consent (see Question 9) on which processing can be justified:
The law explicitly states an authorisation or a duty for the processing.
The data subject has a vital interest in the processing.
The interest in the processing of the controller or of a third party outweighs the data subject's interest in the secrecy of the data.
Only anonymous or indirectly personal data are processed.
There is no definition of the circumstances in which the interest of the controller or a third party outweighs the data subject's interest in the secrecy of the data, but there is a wide spectrum of rulings which can be used to interpret the provision.
The processing of sensitive data (see Question 3) is subject to stricter restrictions. In many cases, if sensitive data is processed the consent of the data subject is required. Only in special cases is consent not required, such as, if:
The data has been published by the data subject.
The identity of the data subject cannot be retraced by legal means (indirectly personal data, see below).
Legal provisions require the processing.
The data is processed by a public entity within the framework of its duties.
Only data about a public function of the data subject is processed.
The processing is necessary to protect vital interests of the data subject and the consent cannot be obtained in time.
Vital interests of a third party justify the processing.
The data processing is necessary to enforce a claim.
The data processing is carried out for private, certain scientific, emergency or medical purposes only. Additionally, certain associations can process sensitive data for specific purposes.
Sensitive data can only be processed after preliminary clearance by the DSB. Such processing can be checked by the DSB at any time even without a special cause.
Further, there are special rules for indirectly personal data (see Question 3). The legitimate interest of the data subject in the secrecy of the data is not infringed when processing indirectly personal data. There is also no requirement for notification of processing of indirectly personal data.
There are further special provisions for certain types of data in particular cases. For example, the processing of data concerning the criminal record or the credit standing of a person also requires prior approval by the DSB before initiation. There are also special provisions for data processing in the public domain.
Rights of individuals
The minimum information to be provided to the data subject by the controller at the point of collection of the personal data is the:
Purpose of the processing for which the data is collected.
Name and address of the controller.
If the data subject is already aware of this information there is no such obligation. Further information must be provided if processing in good faith requires it, in particular, if:
If data is transferred within the controller's business or from a different controller, rather than collected by questioning the data subject, in certain cases the controller has no obligation to inform the data subject about the data processing. This exception applies:
If the processing is required by law.
If the data subject cannot be reached.
If the infringement of the rights of the data subject is very unlikely and the costs of the procedure to inform all data subjects are excessively high.
Finally, there is no obligation to inform the data subject if the processing is not subject to the duty of notification.
Data subjects have a right to:
Information about the personal data concerning them.
The correction of inaccurate data or deletion.
Object to the processing.
Right of information
If the data subject asks for information about the data concerning him, the controller must provide information on:
The data processed.
The data source.
The name of all recipients of data transmissions.
The purpose of the data processing.
The legal basis for the data processing.
The request for information must be made in writing. The data subject requesting information must provide evidence of his identity. The information request can be declined if this is necessary for the data subject's protection, or if there are outweighing legal interests of the controller or a third party. However, the right of information does not apply if only indirectly personal data are processed.
The controller must provide the information within eight weeks. If the controller declines the information request he must provide reasons for this within eight weeks.
In general, the information must be provided free of charge.
Right to correction or deletion
Every controller must correct or delete inaccurate and illegally processed data as soon as the inaccuracy or the inadmissibility of the data processing becomes known to him, or if the data subject makes a founded request to do so. For the sake of clarity, personal data that is stored longer than necessary also falls under the category of illegally processed data. The correction or deletion must be effected within eight weeks. If the request of the data subject to correct or delete the data is dismissed the controller must inform the data subject within eight weeks of the reasons for the dismissal.
Right of objection
Every data subject has the right to raise objections to the processing of data concerning him if:
The processing is not based on a legal obligation.
The outweighing legal interest in the secrecy of the data resulting from his special situation is infringed on.
If these conditions are met, the controller must delete the data within eight weeks and must refrain from any transfer of this data.
On a well-founded request by the data subject, every controller must correct or delete inaccurate and illegally processed data within eight weeks or, in case of dismissal of such request, inform the data subject of the reason for the dismissal (see Question 13).
Every controller and processor must take measures to ensure data protection.
The measures aim to prevent accidental or illegal destruction of the data. They must also ensure proper processing, and that the data is only accessible to authorised persons.
The following security measures should be taken to the extent necessary to ensure the above principles:
Explicit assignment of tasks to each organisational unit.
Allowing data processing only on valid instructions by authorised personnel.
Instructing all employees about their duty to provide the necessary data security.
Regulating access authorisation to the premises of the data controller or the data processor.
Regulating access authorisation to data and computer programs, and protecting data processing mediums from access by unauthorised persons.
Defining access authorisation to run data processing mediums, and installing access restrictions to ensure that unauthorised persons cannot access the programs.
Keeping records of the actual processing operations carried out.
Documenting all the security measures taken.
If the controller learns that data from his data application is systematically and seriously misused and the data subject may suffer damages, he must immediately inform the data subject in an appropriate manner. This obligation does not exist if the information would require an inappropriate effort, taking into consideration that only minor damage to the data subject is likely and the cost of the information to all persons concerned. There is no obligation to inform the DSB.
Processing by third parties
The controller can only mandate processors if they are able to ensure legal and secure processing. The controller must settle the necessary details with the processor and check on the processor's compliance by gathering the relevant information.
There are certain duties processors must observe when processing data for the controller (in addition to any contractual duties). Processors must:
Process the data only within the scope of the agreement.
Ensure that all necessary security measures are taken (see Question 15).
Only engage other (sub-) processors with the consent of the controller.
As far as reasonable, provide technical and organisational prerequisites to enable the controller to fulfill his duties in relation to the data subject's right of information, right to correction or deletion, and right of objection (see Question 13).
Return all documents containing personal data to the processor, or save or delete these documents on behalf of the controller as soon as the processing services have been completed.
Provide the controller with the information necessary to supervise the duties above.
If the controller and processor define the content of these duties in more detail in a contract, this contract must be concluded in writing. Otherwise, the agreement between controller and processor regarding the security measures to be taken does not have to be in writing.
Electronic communications are regulated by:
Directive 2002/58/EC on the protection of privacy in the electronic communications sector (Privacy and Electronic Communications Directive), amended by Directive 2009/136/EC .
The Austrian Telecommunications Act (Telekommunikationsgesetz) (TKG).
In case of technical storage or access (for example, through cookies), subscribers or users of public communication services must be informed of:
Their collected personal data.
The legal basis of the collection, processing or transmission of the personal data.
The purposes of the data collection, processing or transmission.
How long the data will be stored.
This information must also explain the right to refuse processing. However, this duty to inform subscribers and users is limited to the providers of public communication services.
If the sole purpose of the technical storage or access is to perform or facilitate the transmission of a communication through a communications network or, to the extent absolutely necessary, to provide a service explicitly requested by the subscriber or user, the notification duty does not apply.
The right to information under the DSG is unaffected. Usually, private policies or standard terms and conditions contain this information under the TKG.
Logfiles or web-logs are qualified as "traffic data" under the Privacy and Electronic Communications Directive and the TKG, respectively. Traffic data must not be stored, and must be erased or made anonymous after termination of the connection except for special cases regulated by law (TKG). If required for the purposes of subscriber billing, the providers of public communication services must store traffic data until payment has been made and the bill has not been challenged within a period of three months.
In case of a dispute concerning the bill, the competent authorities have to be provided with the respective traffic data.
Traffic data must only be processed by persons who:
Handle billing or traffic management, fault recovery, customer enquiries, fraud detection or marketing communications services.
Provide value-added services.
Have been commissioned by the above.
The amount of stored or processed traffic data must be restricted to what is absolutely necessary.
Under Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks (Data Retention Directive), the TKG provides for the mandatory retention of specific traffic and location data by providers for a period of six months in the interest of the investigation, detention and prosecution of a crime. Meanwhile, both the Data Retention Directive and the Austrian provisions for mandatory data retention have been invalidated by the ECJ and the Austrian Constitutional Court respectively because the courts found that they were interfering with the fundamental rights of respect for private life and protection of personal data.
The sending of electronic mail (including SMS) to consumers (as defined in the Austrian Consumer Protection Act) without the recipient's prior consent (opt-in) is not permitted if the sending either:
Takes place for purposes of direct marketing.
Is addressed to more than 50 recipients.
Prior consent to electronic mail is not required if all of the following apply:
The sender has received the contact details for the communication in the context of a sale or a service to customers.
The communication is transmitted for the purpose of direct marketing of similar products or services.
The customer has been clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to this use of their electronic contact details when they are collected, and on the occasion of each message.
The customer does not appear in a list (kept by the Rundfunk und Telekom Regulierungs-GmbH) in which persons and companies who do not wish to receive commercial communications by electronic mail can be entered free of charge.
The sending of electronic communications for purposes of direct marketing is prohibited even where these requirements exist if either:
The identity of the sender on whose behalf the communication is transmitted is disguised or concealed.
There is no valid address to which the recipient can send a request that the communications stop.
The electronic communication does not comply with the requirements set forth in Section 6 of the Austrian Electronic Commerce Act (E-Commerce- Gesetz) (ECG) regarding minimum requirements of commercial information (in particular clear indication that the information provided is commercial communication and identification of the person or legal entity which is the principal behind the communication).
The electronic communication refers to a website with a content that is not in compliance with the minimum requirements for commercial information as set out in Section 6 ECG.
International transfer of data
Transfer of data outside the jurisdiction
Data transmissions to recipients outside Austria are admissible if the data processing is admissible within Austria (for requirements, see Question 8). However, this is merely one aspect of the legitimacy of data processing. Data transfers as well as mandate transmissions to a recipient outside Austria are, in general, subject to the DSB's authorisation. There is a general exception for transmissions to:
Recipients in an EU member state.
Recipients in Switzerland, Argentina, Guernsey, Isle of Man, Jersey, Faroe Islands, Andorra, Uruguay, New Zealand and, under the requirements provided in the respective Commission decisions, also Canada and Israel.
Until the ECJ’s decision of 6 October 2015 (C-362/14), recipients in the US who certified to the US Department of Commerce that they will adhere to the Safe Harbor requirements. The ECJ invalidated the Commission's Safe Harbor decision with immediate effect. On 12 July 2016, the Commission adopted the EU-US Privacy Shield, which is a Safe Harbor replacement negotiated between the Commission and the US. The ECJ did not have to deal with the EU-US Privacy Shield yet. It remains to be seen whether the ECJ will approve of it or whether it will invalidate it as it has done with Safe Harbor before.
Further exceptions exist for certain cases, for example, published or indirectly personal data and for a data processing that constitutes a standard process as defined in the Standard and Sample Regulation (see Question 7).
Permission must be granted if an adequate level of data protection is provided. This certification can be based on contractual warranties.
In the case of mandate transmissions (see Question 4) to processors outside of Austria, the processor must, in addition, agree to observe the general duties of a processor (see Question 16) unless the processing is based on certain legal obligations.
There is no general obligation to store personal data (see Question 18). Throughout the legal system, there are a few scattered provisions requiring a data controller to store certain data even beyond the time that the data is needed for the data application it was processed for (for example, an entrepreneur's obligation to retain his books and records for a period of seven years, the obligation of an operator of a public communications network or service to store traffic data for the purposes of retail or wholesale billing until three months after payment, and so on).
Data transfer agreements
The Austrian legislator has not released or officially approved any standard contractual clauses. However, the standard contractual clauses as defined by the EU (Commission Decision 2001/497/EC, Commission Decision 2004/915/EC and 2010/87/EU) are generally accepted by the DSB as sufficient evidence that the standard level of data protection is safeguarded.
Data transfer agreements are sufficient to ensure that the standard level of data protection is safeguarded. However, this is merely one aspect of the legitimacy of data processing. The other conditions (see Question 8) must be fulfilled as well, and one requirement might be the consent of the data subject (see Question 9). The DSB only gives its permission to transfer data to recipients outside Austria if all conditions for the legitimate processing of personal data are met.
If data is transmitted to a recipient outside the EU the data processing, including the data transfer agreement, needs to be approved by the DSB (see Question 19). If the EU standard contractual clauses are used precisely, the DSB is compelled to accept them.
The proceedings to receive permission for the data transmission (permission proceedings) are initiated by an application to the DSB. There are no formal requirements for the application. To enable the DSB to evaluate the application, the applicant must specify:
The type of data to be transmitted.
The purpose of the processing.
The names of the recipients.
The countries of the recipients.
The application for permission is independent of the notification process.
Enforcement and sanctions
Anyone can file a complaint with the DSB about an alleged infringement of data protection rights. There is no charge to file a complaint, and there are no formal requirements.
If there is substantial evidence of an infringement of data protection rights, the DSB can check the data processing complained about. The DSB can ask the controller or processor for information and examine the relevant documents. Data processing subject to prior approval (see Question 7) can be checked by the DSB even without substantial evidence. The DSB can do all of the following:
Enter the premises of the data controller or processor.
Use the data processing equipment.
Carry out the processing procedure.
Make copies of all relevant documents.
The controller/processor is obligated to co-operate with and support the DSB in its investigations.
In addition, the DSB can make recommendations to the controller/processor and set a time limit for the controller/processor to comply with these recommendations. If the controller/processor does not comply within the time limit, the DSB can:
Initiate proceedings to check the registration, which can result in the cancellation of the registration.
File a criminal complaint, if criminal provisions are applicable.
If the data subject is a private (natural or legal) person, file an action for a declaratory judgment against the controller/processor before civil courts.
If the data subject is a public entity, inform the competent supervisory authority.
The DSB is competent to rule on a complaint regarding an infringement of the right of information (see Question 13). For complaints regarding an infringement of the right to correction or deletion, the DSB is only competent if the controller/processor is a public entity (except legislative or judicial bodies). For all other cases, the DSB is not competent: the claims must be filed with the civil courts instead.
In cases of infringement of the right of data protection or the right to correction or deletion, the data subject can claim for an injunction and cessation of the infringement. The court can grant an interim injunction in this regard. These claims must be brought before the civil courts.
In addition, the data subject can file an action for damages with the civil courts (both for financial damages and, under certain conditions and capped at EUR20,000, also for immaterial damage).
The controller and processor are liable for the actions of their personnel. They can be discharged from liability if they can prove that neither they nor any of their personnel are liable for the infringement.
The Penal Code (Strafgesetzbuch)(StGB) contains several provisions which might apply in cases of data protection infringement. For example, the illegal access to a computer system, the abusive tapping of electronic data, as well as manipulation of an electronic processing with the intention of unjustified enrichment, are prohibited. The penalty is a fine or up to six months' imprisonment.
The DSG also contains criminal sanctions. The wilful infringement of data protection with the intention of unjustified enrichment or to harm another person is prohibited under penalty of up to one year's imprisonment. The DSG also contains administrative penalties of up to EUR25000.
Finally, an infringement of data protection laws might give rise to claims based on competition law.
In general, active enforcement of data protection laws is increasing, because data protection has received increasing public attention in recent years.
The regulatory authority
Austrian Data Protection Authority (Österreichische Datenschutzbehörde) (DSB)
Main areas of responsibility: Surveillance and enforcement of compliance with data protection legislation, and administration of the data protection register.
Description. The website for the Law Information System operated by the Federal Chancellery where the original language text of the legislation/case law/rules (where applicable) referred to in the article can be obtained.
Description. The official website of the national regulatory authority where an English-language translation of the DSG and contracts like the EU standard contractual clauses can be obtained.
Dr Ferdinand Graf, Founding Partner
Graf & Pitkowitz attorneys at law
Professional qualifications. New York, 1994; Austria, 1993
Areas of practice. Mergers and acquisitions/transactions; cartel law and competition law; corporate law; IT; intellectual property; data protection.
Recent transactions. Heads the M&A, competition and cartel law practice groups, often handling cross-border transactions, such as recent company acquisitions in Italy, Moldova and Bosnia.
Represented the Austrian public statistics office in a data protection dispute before the Highest Austrian Administrative Court.
He has spoken on data protection issues on various occasions, such as the:
- ABA Data Breach Panel in San Francisco in August 2013.
- NYSBA International Section Seasonal Meeting 2014 on Privacy Post Snowden Disclosures in October 2014.
- Bloomberg Webinar on the right to be forgotten in August 2015.
- Conventions of kraftwerk, Austria's leading creative agency, in April and June 2016.
Together with the Federation of Austrian Industries and the Vienna University of Economics and Business he co-hosted a conference on data protection challenges for business under the new General Data Protection Regulation in May 2016, where he spoke about the handling of employee data.
Languages. German, English
Professional associations/memberships. Austrian Bar Association; American Bar Association; New York State Bar Association; International Bar Association; Centre for International Studies, Salzburg ; Austrian Fullbright Alumni Association (Verein der österreichischen Fulbrighter), Wien
- New ECJ Judgment on Ad-Words, Wirtschaftsblatt, 2012, (Co-Author).
- What constitute breach of secrecy under Austrian Law, Wikileaks, Wirtschaftsblatt 2011.
- Whistleblowing-Hotline: Decision of the Austrian Data Protection Authority- Individual Issues, 2008.
Mag Marija Križanac, Associate
Graf & Pitkowitz attorneys at law
Professional qualifications. Austria, Associate (not yet admitted to the Austrian Bar association)
Areas of practice. Mergers and acquisitions/ transactions; cartel law and competition law; corporate law; IT; intellectual property; data protection.
Languages. German, English, Croatian
- Co-Author of the International Law Office Newsletter for Austria in the field of intellectual property, since 2013.
- Program logic in the field of intellectual property: protectability under Austrian law, Oxford Journal of Intellectual Property Law & Practice 2014, 16 September 2014 (Co-Author).