Support Centre

Austria

Summary

Law: Federal Act on the Protection of Individuals With Regard to the Processing of Personal Data (Data Protection Act (DSG) BGBI. I No. 165/1999) (last amended in 2023) (DSG) and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: Austrian data protection authority (DSB)

Summary: In Austria, the DSG implements the GDPR. In particular, both the DSG and the GDPR are applicable in Austria with the DSG complementing the GDPR and tailoring its provisions to the particular national context, providing the legal basis for the structure and powers of the DSB. Notably, the DSG derogates from the GDPR by providing 14 years as the age of valid consent for a child. Importantly, the DSG lays down specific grounds for processing images. Additionally, the DSG requires controllers to get prior approval from the DSB for processing data for scientific or historical research purposes.

The DSB is an active authority and has issued substantial fines, including, for example, a fine of €18 million against the Austrian postal service for violating the GDPR. The DSB and the Austrian Chamber of Commerce (WKO) regularly issue guidance on privacy issues, including data subject access requests, cookies, direct marketing, and the right to be forgotten. The DSB has also issued a list of activities processing activities that are exempt from Data Protection Impact Assessments.

Alongside the GDPR and the DSG, Austria also ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (the Convention 108).

Insights

Article 37 of the General Data Protection Regulation (GDPR) obliges data controllers and processors to designate a data protection officer (DPO). As part of this obligation, data controllers and processors are also required to publish the contact details of the DPO and to communicate the DPO's contact details to relevant supervisory authorities. In part one of this Insight series, OneTrust DataGuidance focuses on the requirement to communicate DPO contact details to the relevant supervisory authorities, providing an overview on the rules and guidelines for DPO contact registration across Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, and Greece.

Austria has now implemented the EU Whistleblowing Directive (2019/1937) in the Austrian Whistleblower Protection Act (HinweisgeberInnenschutzgesetz) (the Whistleblowing Act), which came into force in 2023 and adds to a number of sector-specific regulations already in place. Dietmar Huemer and Katharina Spreitzhofer, from Huemer | Legal Solutions, give insights into the application of the new Whistleblowing Act.

Website operators should take note that they may be breaking the law if they force visitors to accept cookies or pay for access. The latest guidance on website cookie walls, published on 16 May 2022 by the French data protection authority ('CNIL'), sheds some light on criteria for assessing the legality of cookie walls1. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, breaks down the guidance into practical steps for website operators.

Although the storage limitation principle stipulated by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') appears – at least at first glance – to be rather straightforward, the past three years have already shown that this is not the case. Rather, the topic of data deletion and destruction is one of the most challenging to be dealt with by data controllers. Part 4 of the implementation series looked at vendor management best practices, whilst in part 5, Axel Anderl and Nino Tlapak, from DORDA Rechtsanwälte GmbH, discuss best practices for data deletion and destruction policies in compliance with the GDPR and national legislation.

Managing data flows involving suppliers and vendors is one of the most challenging tasks for data controllers in practice. Preliminarily, this requires a detailed understanding of various legal obligations resulting from different laws. In addition, the development of case law on the national and EU level needs to be monitored and already implemented measures frequently adjusted on that basis. Finally, organisational and negotiation skills are an absolute must-have in order to balance business interests and commercial impacts. Part 3 of the implementation series explored data mapping, and in part 4, Axel Anderl and Nino Tlapak, from DORDA Rechtsanwälte GmbH, discuss vender management best practices and its nuances.