
Austria

Summary

Law: Federal Act on the Protection of Individuals With Regard to the Processing of Personal Data (Data Protection Act (DSG), BGBl. I No. 165/1999, last amended in 2023) (DSG) and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: Austrian data protection authority (DSB)

Summary: In Austria, the DSG implements the GDPR. In particular, both the DSG and the GDPR are applicable in Austria with the DSG complementing the GDPR and tailoring its provisions to the particular national context, providing the legal basis for the structure and powers of the DSB. Notably, the DSG derogates from the GDPR by providing 14 years as the age of valid consent for a child. Importantly, the DSG lays down specific grounds for processing images. Additionally, the DSG requires controllers to get prior approval from the DSB for processing data for scientific or historical research purposes.

The DSB is an active authority and has issued substantial fines, including, for example, a fine of €18 million against the Austrian postal service for violating the GDPR. The DSB and the Austrian Chamber of Commerce (WKO) regularly issue guidance on privacy issues, including data subject access requests, cookies, direct marketing, and the right to be forgotten. The DSB has also issued a list of processing activities that are exempt from Data Protection Impact Assessments.

Alongside the GDPR and the DSG, Austria also ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (the Convention 108).

Insights

Austria has now implemented the EU Whistleblowing Directive (2019/1937) in the Austrian Whistleblower Protection Act (HinweisgeberInnenschutzgesetz) (the Whistleblowing Act), which came into force in 2023 and adds to a number of sector-specific regulations already in place. Dietmar Huemer and Katharina Spreitzhofer, from Huemer | Legal Solutions, give insights into the application of the new Whistleblowing Act.

Website operators should take note that they may be breaking the law if they force visitors to accept cookies or pay for access. The latest guidance on website cookie walls, published on 16 May 2022 by the French data protection authority ('CNIL'), sheds some light on criteria for assessing the legality of cookie walls. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, breaks down the guidance into practical steps for website operators.

Although the storage limitation principle stipulated by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') appears – at least at first glance – to be rather straightforward, the past three years have already shown that this is not the case. Rather, the topic of data deletion and destruction is one of the most challenging to be dealt with by data controllers. Part 4 of the implementation series looked at vendor management best practices, whilst in part 5, Axel Anderl and Nino Tlapak, from DORDA Rechtsanwälte GmbH, discuss best practices for data deletion and destruction policies in compliance with the GDPR and national legislation.

Managing data flows involving suppliers and vendors is one of the most challenging tasks for data controllers in practice. As a first step, this requires a detailed understanding of the various legal obligations resulting from different laws. In addition, the development of case law at the national and EU level needs to be monitored, and measures already implemented frequently adjusted on that basis. Finally, organisational and negotiation skills are an absolute must-have in order to balance business interests and commercial impacts. Part 3 of the implementation series explored data mapping, and in part 4, Axel Anderl and Nino Tlapak, from DORDA Rechtsanwälte GmbH, discuss vendor management best practices and their nuances.