
Austria
Data Protection
Introduction
Austria is a Member State of the European Union (EU). Therefore, the processing of personal data is primarily governed by the EU’s General Data Protection Regulation (GDPR).
To implement the GDPR and to transpose the Police and Justice Data Protection Directive (EU) 2016/680, the former Datenschutzgesetz 2000 was almost entirely replaced on May 25, 2018 and is now referred to as the Datenschutzgesetz (Austrian Data Protection Act; DSG). Since it became effective, the (new) DSG was revised in January 2019 (BGBl I 2019/14), June 2024 (BGBl I 2024/62) and July 2024 (BGBl I 2024/70).
The first section of the DSG, which was already in place before the GDPR era, has the status of a constitutional law. It provides for a fundamental right to data protection.
The fundamental right to data protection applies to the personal data of natural and legal persons. Commercial data can be qualified as personal data of a legal person (VfGH 12.03.2024, E3436/2023; BVwG 30.07.2024, W287 2254678-1).
1. What national laws regulate the collection, use and disclosure of personal data?
In 2018, along with the (new) DSG, three collective amending laws, which together amended more than 230 sector-specific laws, were adopted (Materien-Datenschutz-Anpassungsgesetz 2018, BGBl I 2018/32; 2. Materien-Datenschutz-Anpassungsgesetz 2018, BGBl I 2018/37; and Datenschutz-Anpassungsgesetz 2018 — Wissenschaft und Forschung, BGBl I 2018/31). Sector-specific laws in fields such as arts and media, family and youth, public services, labour and social law, consumer protection, education, science and research, law enforcement, justice, financial market, healthcare and more were harmonised with the GDPR.
Additionally, for instance, specific data protection provisions apply to the insurance sector (sections 11a to 11d Versicherungsvertragsgesetz; VersVG) or the telecom sector (Austrian Telecommunications Act; TKG 2021). The usage of cookies (section 165(3) TKG 2021) and unsolicited electronic communications (section 174 TKG 2021) are regulated by the TKG 2021 but need to be observed by all controllers.
Austria is a federal state. Further data protection provisions can be found in the laws of the nine provinces (Bundesländer).
2. To whom do the laws apply?
The data protection laws apply to data controllers and processors. The terms “controller” and “processor” are defined in the GDPR.
A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7) GDPR).
A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) GDPR).
Depending on the nature of the controller and the purposes of the processing, either the GDPR and its implementing laws or the third Chapter of the DSG — which transposes the Police and Justice Data Protection Directive (EU) 2016/680 — apply.
The provisions of the third Chapter of the DSG also apply to the processing of personal data for the purposes of national security, intelligence, and the protection of military facilities by the armed forces.
3. What is the territorial scope of the law?
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. It also applies to controllers and processors outside the EU if they: (i) offer goods or services to data subjects in the EU; or (ii) monitor data subjects in the EU.
The (new) DSG was amended for the first time in January 2019 (BGBl I 2019/14). The previous provision on the territorial scope of the DSG was omitted by this amendment because the territorial scope is governed directly by the GDPR (ErläutRV 301 BlgNR 26. GP 7).
4. What acts and operations relating to personal data are regulated?
The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system (Article 2(1) GDPR).
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) GDPR).
This list is non-exhaustive. For example, the oral disclosure of personal data falls within the meaning of processing as well (CJEU 07.03.2024, C-740/22, Endemol Shine Finland, paragraphs 29–32).
The GDPR is only applicable if the processing is carried out by automated means or if the personal data forms part of a filing system or is intended to form part of a filing system. The Austrian fundamental right to data protection applies to personal data outside of a filing system and regardless of the means used for processing as well.
5. What personal data does the law regulate?
Pursuant to Article 4(1) GDPR, personal data is any information relating to an identified or identifiable natural person.
Personal data also includes information relating to inner states of mind, such as opinions, motives, wishes, convictions, value judgments and statistical probability statements that do not represent mere forecast or planning values but provide subjective and/or objective assessments of an identified person. Whether those assessments are correct is irrelevant for the qualification of the statement as personal data (VwGH 14.12.2021, Ro 2021/04/0007; VwGH 17.05.2024, Ra 2023/04/0005).
Moreover, commercial data of legal persons can qualify as personal data (VfGH 12.03.2024, E3436/2023; BVwG 30.07.2024, W287 2254678-1). This also includes data associated with a legal person, for instance business data of a legal person, from which economic management conclusions can be drawn.
6. Are any types of personal data subject to a higher level of protection under the law?
Under the GDPR, the processing of special categories of personal data (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the unique identification of a natural person, health data, or data concerning a natural person’s sex life or sexual orientation) is subject to enhanced protection (Article 9 GDPR). Additional conditions apply to collecting a child’s consent in relation to information society services (Article 8 GDPR).
The processing of personal data relating to criminal convictions and offences must be authorised by EU or Member State law (Article 10 GDPR). The DSG allows the processing of such data under specific requirements, including if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (section 4(3) DSG).
Sector-specific regulations may include additional requirements for processing special categories of personal data. For instance, insurance companies must comply both with GDPR and national insurance laws when processing health data of policyholders.
The Gesundheitstelematikgesetz 2012 (Austrian Health Telematics Act 2012; “GTelG 2012”) provides for specific regulations enhancing data security for the processing of health data and genetic data in the health sector.
7. What requirements must be fulfilled in order to process personal data?
Where data processing is based on a data subject’s consent, that consent must be freely given, specific, informed, and unambiguous. Consent must also be able to be withdrawn at any time. Consent is not freely given if it is tied to the fulfilment of a contract even though the data processing is not necessary for the performance of that contract. This so-called “coupling prohibition” means that consent is only deemed voluntary if it can be refused without any disadvantages. Such coupling has been deemed unlawful where subscribing to a newsletter was improperly linked to contract completion (OGH 24.10.2019, 6 Ob 56/19g). In cases like “pay or consent” models, it has been ruled that consent is voluntary when an alternative, paid option is offered (DSB 30.11.2018, DSB-D122.931/0003-DSB/2018).
Section 4(4) DSG sets out that consent for the processing of a child’s personal data is lawful if the child has reached the age of 14.
There are exemptions and differing conditions for specific types of data processing under Austrian law, including processing:
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- of personal data for journalistic purposes; or
- of videos and images.
In the Austrian Research Organisation Act (Forschungsorganisationsgesetz, FOG) the concept of “broad consent” was adopted for research purposes (section 2d(3) FOG).
8. What obligations apply when processing personal data?
When processing personal data for the controller’s own purposes, inter alia the following obligations apply:
- All data processing operations must be in line with the fundamental principles outlined in Article 5 GDPR (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality).
- The controller must implement appropriate technical and organisational measures: (i) to ensure an appropriate level of data security (Article 32 GDPR); and (ii) to integrate the necessary safeguards into the processing and ensure that, by default, only personal data which is necessary for each specific purpose of the processing is processed (Article 25 GDPR).
- The controller must maintain a record of all processing activities (Article 30 GDPR).
- If a data processing operation is likely to result in a high risk to the rights and freedoms of individuals, a Data Protection Impact Assessment must be carried out (Article 35 GDPR), and the Austrian Data Protection Authority (ADPA) may need to be consulted (Article 36 GDPR).
- The controller must inform the data subjects about the processing activities in accordance with Articles 13 and 14 GDPR.
When processing personal data on behalf of the controller, the processor must act in compliance with a contract or other legal act in accordance with Article 28 GDPR. A processor may act only on documented instructions by the controller and must take all required measures to ensure data confidentiality and security.
Additionally, Article 29 GDPR and section 6 DSG require that controllers and processors obligate their staff to data confidentiality and to process data only in accordance with instructions.
9. What rights does the data subject have in relation to personal data?
The GDPR grants data subjects the rights to:
- information (Articles 13 and 14 GDPR);
- access (Article 15 GDPR);
- rectification and completion (Article 16 GDPR);
- erasure (Article 17 GDPR);
- restriction of processing (Article 18 GDPR);
- data portability (Article 20 GDPR);
- object to data processing (Article 21 GDPR); and
- withdraw consent (Article 7(3) GDPR).
The right of access is excluded in relation to a controller: (i) acting with public authority if granting access would put at risk the performance of a task delegated to the controller by law; or (ii) if granting access would put at risk a trade or business secret of the controller or a third party (section 4(5) and (6) DSG).
Due to a decision by the Austrian Constitutional Court, the DSG was revised in June 2024 by inserting a new provision on processing for journalistic purposes. The rights of the data subjects are limited if data is processed for such purposes (section 9 DSG). Limitations to data subject rights can also be found in certain sector-specific laws; for instance in the health sector (e.g. section 41 Austrian Medicines Act, Arzneimittelgesetz, AMG) or in research (section 2d(6) FOG).
Data subjects have the right to lodge a complaint with the ADPA if they believe that their rights under the GDPR or the DSG have been violated. The data subject may seek a declaratory judgment on the violation of any provision of the GDPR or of their fundamental right to data protection pursuant to section 1 DSG.
Regarding an infringement of the GDPR a complaint can be filed at the ADPA, or a lawsuit can be filed at a civil court (parallelism of jurisdiction). A claim for damages or injunctive relief can only be filed at a civil court.
10. What rules regulate the sending of commercial or direct marketing communications?
Postal marketing can be based on the necessity of data processing for pursuing legitimate interests (Article 6(1)(f) GDPR).
Without consent, marketing calls — both business-to-consumer (B2C) and business-to-business (B2B) — are prohibited (section 174(1) TKG 2021).
Without consent, the sending of electronic marketing mails, including SMS — both B2C and B2B — is, in general, prohibited (section 174(3) TKG 2021). There is, however, a narrow exemption (section 174(4) TKG 2021) if all of the following conditions are met:
- the sender has received the contact details in the context of a sale or a service to its customer;
- the communication is transmitted for the purpose of direct marketing of the sender’s own similar products or services;
- the customer is clearly and explicitly given an opportunity to refuse, easily and free of charge, such use of the electronic contact information, both at the time it is collected and each time a communication is transmitted; and
- the customer has not previously refused such communication by registering for the “Robinson” list referred to in Article 7(2) of the E-Commerce Act (E-Commerce-Gesetz, ECG).
The “Robinson” list is a register maintained by the Austrian Telecommunications Regulator (RTR) where people and companies who do not want to receive advertising emails can register free of charge.
For sending marketing emails, consent should be obtained in a double opt-in procedure.
11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?
The GDPR does not only regulate the protection of personal data but also the free movement of such data within the EU and the European Economic Area (EEA). Thus, there are no restrictions on the transfer of personal data from Austria to other jurisdictions within the EU and the EEA.
Data transfers to jurisdictions outside of the EU/EEA (“third countries”) can be based on one of the following grounds:
- an adequacy decision by the European Commission (“Commission”; Article 45 GDPR);
- a legally binding and enforceable instrument between public authorities or bodies;
- binding corporate rules;
- standard data protection clauses adopted by the Commission;
- standard data protection clauses adopted by a supervisory authority;
- an approved code of conduct; or
- an approved certification mechanism (Article 46(2) GDPR).
With the authorisation of the competent authority, data transfers to third countries may be based on contractual or administrative arrangements (Article 46(3) GDPR).
In specific situations, data transfers to third countries may inter alia be based on the explicit consent of the data subject or on important reasons of public interest (Article 49(1) GDPR).
Adequacy decisions by the Commission are in place for a few countries (see www.commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).
The Commission has also adopted standard data protection clauses (Commission Implementing Decision (EU) 2021/914). When concluding these standard data protection clauses, a so-called transfer impact assessment needs to be carried out, assessing the laws and practices of the third country.
12. What are the investigatory and enforcement powers of the regulator?
The main supervisory authority in Austria is the ADPA (“Österreichische Datenschutzbehörde”). Where the courts act in their judicial capacity, the courts themselves decide about data protection complaints.
In response to the judgment of the Court of Justice of the European Union (CJEU) of 16.01.2024, C-33/22, Österreichische Datenschutzbehörde, the DSG was revised in July 2024 and a new supervisory authority was established, which will be the competent authority for data protection activities of legislative bodies. The Parliamentary Data Protection Committee (Parlamentarisches Datenschutzkomitee) will exercise its powers starting from January 1, 2025.
The ADPA has all powers enshrined in Article 58 GDPR. Thus, it has investigating, corrective and advisory powers. Additionally, it may issue declaratory judgments if requested by a data subject.
In practice, the most relevant powers exercised by the ADPA are its powers: (i) to order the controller to bring processing operations into compliance with the GDPR (Article 58(2)(d) GDPR); and (ii) to carry out investigations in the form of data protection audits (Article 58(1)(b) GDPR).
If, based on a data subject complaint, the ADPA finds a violation of the data subject’s right under Chapter III of the GDPR, it issues a declaratory judgment, stating that the respective right was violated, and it additionally orders the controller to comply with the data subject’s request. In case the ADPA finds that a data subject’s fundamental right to data protection was violated in the past, the ADPA issues a declaratory judgment.
Investigations in the form of data protection audits are, usually, carried out ex officio. The ADPA does not have the power to close such an investigation with a declaratory judgment.
13. What are the sanctions and remedies for non-compliance with data protection laws?
Failure to comply with data protection rules may result in administrative sanctions, including both warnings and fines.
The ADPA may impose administrative fines pursuant to the provisions set out in Article 83 GDPR. Depending on the infringed provision, the infringement can be subject to fines: (i) up to EUR 10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(4) GDPR); or (ii) up to EUR 20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5) and (6) GDPR).
The DSG stipulates additional administrative penalties for certain infringements of the DSG’s provisions (section 62 DSG). Further, unlawful processing with the intention to make a profit or to cause harm can amount to a criminal offence, which can be punished by a criminal court with imprisonment of up to one year (section 63 DSG).