Data Law Navigator | Austria
Information on Data Protection and Cyber Security laws from CMS experts
The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Last reviewed 8 October 2018
- General Data Protection Regulation (GDPR)
- Austrian Data Protection Act 2018 (DPA 2018)
- Austrian Telecommunications Act 2003 (TCA 2003)
- Austrian Act on Health Telematics (Gesundheitstelematikgesetz 2012) – GTelG 2012
Austrian Data Protection Authority: https://www.dsb.gv.at/
Stage of legislative implementation of GDPR
The Austrian Parliament has already passed the Austrian Data Protection Act 2018 (DPA 2018) that became effective on 25 May 2018. DPA 2018 applies to personal data relating to natural persons.
If applicable: local derogations as permitted by GDPR
The following derogations exist:
- publicly available data is only protected under the Data Protection Act 2018 if it is not used for historical research purposes or statistical purposes;
- right to deletion (Art 17 GDPR) – personal data that cannot be erased immediately will be blocked;
- children’s age to lawfully consent is lowered to 14 years (Art 4(4) DPA 2018);
- obligation of the Austrian ministries to appoint at least one Data Protection Officer (Art 37 GDPR);
- the Data Protection Authority is authorised to issue fines (Art 30 & 62 DPA 2018);
- CCTV regulations (Art 12 DPA 2018);
- the operation of whistleblowing hotlines is permissible under certain circumstances (Art 10 GDPR).
DPA 2018 applies to:
- automated and non-automated data processing operations;
- information relating to data subjects who are identified or identifiable (natural persons);
- the party that determines the purpose and manner of processing the personal data (“data controller”), if established in Austria;
- the party processing the data on behalf of the data controller (“data processor”) if the data controller is subject to DPA 2018.
- data controllers established outside Austria but within an EU member state, that use personal data for an establishment that the data controller has in Austria;
- data controllers not established in any EU Member State which use personal data in Austria.
Sanctions under the GDPR:
Financial penalties are the primary sanction against the controller and the processor, thus, against the company.
- up to € 10 million or up to 2% of total global sales for companies (in case of invalid consent of children, violation of privacy by design, etc.);
- up to € 20 million or up to 4% of total global sales for companies (in case of violation of principles (including consent), inadmissible transfer to third countries, etc.).
Sanctions under the DPA 2018:
Non-compliance with DPA 2018 may result in complaints, Data Authority audits and/or orders, administrative fines, seizure of equipment or data and civil actions and/or criminal proceedings.
The Austrian Data Protection Authority may issue administrative fines of up to EUR 50,000 for non-compliance with DPA 2018. A fine under DPA 2018 will only be imposed if the offence does not also constitute an offence under Article 83 GDPR (DSGVO) ("catch-all clause").
The Austrian Data Protection Authority shall issue a pre-warning before imposing a fine according to GDPR and/or DPA 2018.
Fines may be imposed on legal persons
- because of an executive's violation or
- for monitoring or control failures.
A legal person is liable for breaches if an executive fails to comply with supervisory duties or fails to put in place the necessary organisational measures, thereby enabling an offence to be committed by a person working for the company. Moreover, fines may be imposed on a responsible person in accordance with § 9 VStG.
Registration / notification
DPA 2018 does not provide for any obligation to notify data applications to the data protection authority (data processing register) nor does it provide for the same authorization procedures as the previous law.
In the case of video surveillance, there is no longer a notification requirement.
Main obligations and processing requirements
- Information requirements - a data controller that collects personal data must provide data subjects with information on: the data controller’s identity (name, address, contact details); the processing purposes and legal basis; the data categories; the data recipients (solely if the data is subject to a controller-to-controller transfer); if consent is needed, the possibility to revoke the consent at any time shall be indicated; and the data subject’s rights.
- Consent requirements - if consent is needed, electronic and paper consent is permissible and deemed effective if it is properly structured and evidenced. The data subject has to be provided with information on: the data controller’s identity; the processed data categories; the recipients (if they are data controllers as well); the processing purposes; and the right to revoke consent at any time.
- Outsourcing requirements - where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject (Art 28 GDPR).
Data subject rights
Data subjects have the following rights:
- Right of access (Art 15 GDPR)
- Right to rectification (Art 16 GDPR)
- Right to erasure (Art 17 GDPR)
- Right to restriction of processing (Art 18 GDPR)
- Right to data portability (Art 20 GDPR)
- Right to object (Art 21 GDPR)
- Right to lodge a complaint with the supervisory authority (Art 13(2) lit d GDPR)
Transfers outside of country
- Transfer to third countries is essentially prohibited. Exceptions: consent, performance of a contract, justified legal interests.
- The Commission has established that the third country ensures a suitable level of data protection.
- Standard data protection clauses (adopted by the Commission or the supervisory authority).
- Internal data protection rules (binding corporate rules).
- Privacy Shield certified recipients in the US.
- Codes of conduct and certification mechanisms.
- If “appropriate safeguards” exist, no approval by the authority is required for the transfer to a third country.
- If authorisation has already been given by the supervisory authority, it remains in place.
Data Protection Officer
Mandatory for controllers and processors if:
- the controller or processor is an authority or public body; or
- its core activity consists of extensive regular and systematic monitoring; or
- its core activity is the extensive processing of special categories of data or criminal data.
Austrian ministries are legally obliged to appoint at least one Data Protection Officer (Art 5(4) DPA 2018).
Security of processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Data Breach notification
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Art 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the data breach to the data subject without undue delay.
- the user is informed in detail in advance;
- the consent was given voluntarily, without doubt and by an active act.
Cyber Security
Last reviewed 8 October 2018
Laws and regulations
There is no specific law dealing with cyber security.
In 2015, an implementation report was submitted to the Federal Government. It was based on an implementation plan with clearly defined responsibilities. The execution of the implementation plan is monitored and reviewed by the Cyber Security Steering Group. Key processes and activities are:
- the Cyber Security Steering Group (CSS) began its operations in 2013;
- to deepen cooperation with industry, representatives from the energy, finance, health, transport and communication sectors were integrated into the CSS as part of the Cyber Security Platform;
- a Cyber Crisis Management body has been established to address cyber crises;
- the inter-ministerial Working Group (Ordnungspolitischer Rahmen) prepared a report on the need to create additional legal bases, regulatory measures and non-legal commitments to ensure cyber security in Austria;
- the EU NIS Directive, together with the results of the Working Group, forms the basis of the future Federal Cybersecurity Law (working title). A draft has not yet been released.
The Office of the Federal Chancellor is currently coordinating the Working Group, which deals with drafting the Federal Cybersecurity Law.
According to its website (https://www.digital.austria.gv.at/cyber-security), the Office of the Federal Chancellor will be the Authority once the law has been passed.
Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Yes. GovCERT, CERT.at and the CERT of the energy sector (Austrian Energy CERT) are already established as CSIRTs.
GovCERT Austria is the national CERT of the public administration. As an Austrian Cyber Security Point-of-Contact, GovCERT is connected with international organisations, including the European GovCERT Group and the Central European Cyber Security Platform. Located in the Federal Chancellery, the GovCERT works closely with the Austrian CERT (CERT.at).
CERT.at provides the resources for the performance of GovCERT’s operational tasks and, as a result, also carries out preventive measures such as early detection, public relations and consultancy, and the handling of requests.
Is there a national incident management structure for responding to cyber security incidents?
Yes – a Cyber Crisis Management body addresses cyber crises.
Other cyber security initiatives
The Office of the Federal Chancellor also implements a series of measures and activities to increase cyber security in Austria, especially in the strategic area, but also concerning national and international cooperation.
The Office of the Federal Chancellor has been the strategic coordination office for cyber security in Austria for many years. It coordinates the creation, preparation and implementation of cyber security strategies in Austria, making it one of the driving forces behind the establishment of a robust national cyber security architecture.
The Office of the Federal Chancellor presides over the National Cyber Security Steering Group where key national cyber security issues are discussed.
- Computer Emergency Response Team Austria: https://www.cert.at/
- Cyber Security Platform: https://www.digitales.oesterreich.gv.at/cyber-sicherheit-plattform