Data protection and cybersecurity laws in Austria

Data protection

1. Local data protection laws and scope

  • General Data Protection Regulation (GDPR)
  • Austrian Data Protection Act 2018 (DPA 2018)
  • Austrian Telecommunications Act 2003 (TCA 2003)
  • Austrian Act on Health Telematics (Gesundheitstelematikgesetz 2012) – GTelG 2012
  • Regulation of the Austrian Data Protection Authority on processing operations for which a Data Protection Impact Assessment is to be carried out (Federal Law Gazette II No. 278/2018)
  • Regulation of the Austrian Data Protection Authority on exemptions of the Data Protection Impact Assessment (Federal Law Gazette II No. 108/2018)
  • Regulation of the Austrian Data Protection Authority on the requirements for accreditation of a monitoring body pursuant to Art 41 (1) GDPR (Federal Law Gazette II No. 264/2019)

2. Data protection authority

Austrian Data Protection Authority: https://www.dsb.gv.at

3. Anticipated changes to local laws

The GDPR was fully implemented by the Austrian Data Protection Act 2018.

Existing derogations:
  • publicly available data is only protected under the Data Protection Act 2018 if it is not used for historical research purposes or statistical purposes (Section 7 DPA);
  • providing addresses to inform and interview data subject requires no consent of data subjects, if an infringement of the data subject’s interests in confidentiality is unlikely, considering the selection criteria for the group of data subjects and the subject of the information or interview (Section 8 DPA);
  • specific provisions regarding the data protection officer according to Section 5 DPA, such as the obligation of the Austrian ministries to appoint at least one Data Protection Officer (Art 37 GDPR);
  • children’s age to lawfully consent is lowered to 14 years (Section 4 (4) DPA);
  • specific CCTV regulations laid down in Section 12 and 13 DPA;
  • if necessary to reconcile the right to the protection of personal data with the freedom of expression and information, in particular with regard to the processing of personal data for journalistic purposes as referred to in the Austrian Media Act, GDPR does not apply (Section 9 DPA);
  • Section 10 DPA allows for processing of personal data in case of emergency;
  • special administrative penalty provisions laid down in Section 62 DPA;
  • administrative penalty on processing data with the intention to make a profit or to cause harm laid down in Section 62 DPA;
  • Regulation of the Austrian Data Protection Authority on processing operations for which a Data Protection Impact Assessment is to be carried out (Federal Law Gazette II No. 278/2018):
    • lays down a catalogue of criteria concerning processing operations for which the controller needs to conduct a data protection impact assessment
    • implementation act pursuant to Art 35 (4) GDPR
  • Regulation of the Austrian Data Protection Authority on exemptions of the Data Protection Impact Assessment (Federal Law Gazette II No. 108/2018):
    • lays down a list of processing operations for which no data protection impact assessment is required
    • implementation act pursuant to Art 35(5) GDPR
Scope:
  • Automated and non-automated data processing operations;
  • Information relating to data subjects who are identified or identifiable (natural persons; the fundamental right to data protection established in the constitutional provision of Section 1 DPA continues to protect legal persons as well, which relates to political difficulties at the time of adoption of the DPA: the constitutional provision could not be amended due to the absence of the required two-thirds majority in parliament);
  • The party established in Austria that determines the purposes and means of the processing of personal data (“data controller”);
  • The party processing data on behalf of the data controller, if the data controller is subject to the DPA (“data processor”);
  • Data controllers established outside Austria but within an EU member state that use personal data to establish the controller in Austria;
  • Data controllers not established in any EU Member State that use personal data in Austria.

4. Sanctions & non-compliance

Sanctions under the DPA:
  • Non-compliance with the DPA may result in complaints, data protection authority audits and/or orders, administrative fines, seizure of equipment or data and civil actions and/or criminal proceedings.
Administrative sanctions:
  • The Austrian Data Protection Authority may issue administrative fines of up to EUR 50,000 for non-compliance with the DPA. The fines under the DPA will only be imposed if an offence does not constitute an offence under Art 83 GDPR ("catch-all clause").
  • Fines may be imposed on legal persons
    • because of an executive's violation; or
    • for monitoring or control failures.
  • A legal person is responsible for breaches if an executive does not comply with supervisory duties or does not put organisational measures in place, thereby enabling an offence to be committed by a person working for the company. Moreover, fines may be imposed on a responsible person in accordance with Section 9 Administrative Penal Act 1991.
Criminal sanctions:

None

5. Registration / notification / authorisation

The GDPR was fully implemented by the Austrian Data Protection Act 2018.

Art 37 GDPR requires the controller or processor to publish contact details of the data protection officer and to communicate contact details to the Austrian Data Protection Authority.

6. Main obligations and processing requirements

Information requirements:
  • a data controller collecting personal data must provide data subjects with information on: the data controller’s identity (name, address, contact details); the processing purposes and legal basis; the data categories; the data recipients (solely if the data is subject to a controller-to-controller transfer); if consent is needed, the possibility to revoke the consent at any time shall be indicated; and the data subject’s rights.
Consent requirements:
  • if consent is needed, electronic and paper consent is permissible and deemed effective if it is properly structured and documented. The data subject has to be provided with information on: the data controller’s identity; the processed data categories; the recipients (if they are data controllers as well); the processing purposes; and the right to revoke consent at any time.
Outsourcing requirements:
  • where processing is carried out by a processor on behalf of a controller, the controller shall only use processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject (Art 28 GDPR).

7. Data subject rights

Chapter III GDPR expressly foresees the following data subject rights:

  • Right of access by the data subject (Art 15 GDPR);
  • Right to rectification (Art 16 GDPR);
  • Right to erasure (Art 17 GDPR);
  • Right to restriction of processing (Art 18 GDPR);
  • Right to data portability (Art 20 GDPR);
  • Right to object (Art 21 GDPR);
  • Right not to be subject to a decision based solely on automated processing, including profiling.

The GDPR provides for additional rights of the data subject, such as the right to be informed (Art 13 and 14 GDPR), the right to lodge a complaint with the Austrian Data Protection Authority (Art 77 GDPR in conjunction with Section 24 DPA), and the right to an effective judicial remedy (Art 78 and 79 GDPR).

8. Processing by third parties

There are no derogations from the GDPR.

9. Transfers out of country

Transfer to third countries is essentially forbidden.

However, the GDPR foresees several mechanisms in order to transfer data to third countries, such as:

  • Adequacy decision of the European Commission according to Art 45 GDPR (e.g. Privacy Shield);
  • Internal data protection regulations (Binding Corporate Rules) according to Art 46 GDPR;
  • Standard contract clauses (SCCs) according to Art 46 GDPR;
  • Codes of conduct and certification mechanisms as transfer tools according to Art 46 GDPR;
  • Data transfers on the basis of Art 28 GDPR.

For further transfer mechanisms or tools, please see Art 44 – 49 GDPR.

10. Data Protection Officer

Controllers and processors must appoint a Data Protection Officer in cases where:

  • Processing is carried out by a public authority or public body;
  • core data processing activities consist of extensive regular and systematic monitoring;
  • core data processing activities consist of processing of special categories of data on a large scale or of processing criminal data.

Austrian ministries are obliged to appoint at least one Data Protection Officer according to Section 5 (4) DPA.

11. Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

12. Breach notification

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Art 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the data breach to the data subject without undue delay.

No general additional requirements under local law apply.

To notify the Austrian Data Protection Authority, you may use the data breach notification form and send it to dsb@dsb.gv.at.

13. Direct marketing

  • Austrian Data Protection Act (DPA 2018)
    • The GDPR and the Austrian Data Protection Act (DPA 2018) apply to all marketing and advertising activities involving personal data. Personal data means any information relating to an identified or identifiable natural person (Art 4 para 1 GDPR).
    • This is the main legislation that marketers and adtech companies will need to comply with in terms of security measures and notifying personal data breaches.
    • Administrative fines under the GDPR and DPA are imposed by the Austrian Data Protection Authority.
    • Actions for damages (Schadenersatzklagen) and injunctions (Unterlassungsklagen) as well as interim injunctions (einstweilige Verfügungen) under the GDPR and DPA are decided by the courts.
  • Austrian Telecommunications Act 2003 (TCA 2003)
    • In addition, provisions of the Austrian Telecommunications Act 2003 (TKG 2003), which implements the EU ePrivacy Directive 2002/58/EC, apply to specific marketing and advertising purposes, e.g. imposing additional requirements on the way organisations can carry out unsolicited direct electronic marketing.
    • The Austrian Data Protection Authority sanctions violations of data subject rights under the TKG 2003 by issuing administrative fines, since the Telecommunications Act 2003 is a lex specialis to the GDPR.

14. Cookies and adtech

With regard to the use of cookies, the Austrian Telecommunications Act 2003 is considered the lex specialis to the GDPR. Data subjects must be informed about the use of cookies within the meaning of Section 96 Austrian Telecommunications Act 2003. Austrian website operators are obliged to inform affected users comprehensively and to obtain their consent. Violation of the regulation could result in an administrative fine of up to EUR 37,000.

The use of cookies is only permitted if:

  • the user is informed in detail in advance;
  • consent has been given before the use of cookies; and
  • the consent was given voluntarily, unambiguously and by an affirmative act.

The Cookie Policy may state that the browser settings may be adjusted accordingly. The possibility to modify the settings, if properly informed, may be considered as sufficient consent.

15. Risk scale

In relation to regulatory obligations and severity of enforcement, Austrian risk is medium to low.

Cybersecurity

1. Local cybersecurity laws and scope

The Network and Information System Security Act (Netzwerk- und Informationssicherheitsgesetz, NISG) is the implementing act of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union.

2. Anticipated changes to local laws

There are no anticipated changes to local laws.

The Commission has adopted a proposal for a revised Directive on Security of Network and Information Systems (NIS 2 Directive).

Key elements of the Commission proposal

The new Commission proposal aims to address the deficiencies of the previous NIS Directive, to adapt it to current needs and make it future-proof.

To this end, the Commission proposal expands the scope of the current NIS Directive by adding new sectors based on how critical they are to the economy and society, and by introducing a clear size-based cap – meaning that all medium and large companies in selected sectors will be included in the scope. At the same time, it leaves some flexibility for Member States to identify smaller entities with a high-security risk profile.

The proposal also eliminates the distinction between operators of essential services and digital service providers. Entities would be classified based on their importance and divided into essential and important categories, with the consequence of being subjected to different supervisory regimes.

The proposal strengthens security requirements for the companies, by imposing a risk management approach providing a minimum list of basic security elements that must be applied. The proposal introduces more precise provisions on the process for incident reporting, content of the reports and timelines.

Furthermore, the Commission proposes to address security of supply chains and supplier relationships by requiring individual companies to address cybersecurity risks in supply chains and supplier relationships. At the European level, the proposal strengthens supply chain cybersecurity for key information and communication technologies. Member States in cooperation with the Commission and ENISA, will carry out coordinated risk assessments of critical supply chains, building on the successful approach taken in the context of the Commission Recommendation on Cybersecurity of 5G networks.

The proposal introduces more stringent supervisory measures for national authorities, stricter enforcement requirements, and aims to harmonise sanctions regimes across Member States.

The proposal also enhances the role of the Cooperation Group in shaping strategic policy decisions on emerging technologies and new trends, and increases information sharing and cooperation between Member State authorities. It also enhances operational cooperation including on cyber crisis management.

The Commission proposal establishes a basic framework, with responsible key actors, for coordinated vulnerability disclosure of newly discovered vulnerabilities across the EU, and creates an EU vulnerability registry operated by the European Union Agency for Cybersecurity (ENISA).

3. Application 

The NISG applies to operators of essential services (OES) in the following sectors:

  • Energy (electricity, crude oil, natural gas);
  • Transport (air, rail, water, road);
  • Banking (credit institutions);
  • Financial market infrastructures (trading venues, central counterparties);
  • Healthcare (especially hospitals and private clinics);
  • Drinking water supply; and
  • Digital Infrastructure (Internet Exchange Points, DNS Service Providers, TLD Name Registries).

It further applies to:

  • providers of digital services (PDS) (online marketplaces, online search engines and cloud computing services); and
  • public administration bodies.

4. Authority

  • Strategic NIS Authority - Federal Chancellery
  • Operational NIS Authority - Federal Ministry of the Interior
  • Administrative Offences Authority
    • According to § 26 (2) NISG, the district administrative authorities shall be competent. The local jurisdiction for administrative offences shall be determined by the principal place of business of the operator of essential services or the provider of digital services, in the absence of such in Austria by the registered office of the representative.
  • https://www.nis.gv.at

5. Key obligations 

  • Security measures
    • Providing network and information security, defined by the NISG as the ability to prevent, detect, deter and eliminate security incidents.
    • Technical and organisational security measures must be appropriate, proportionate, comply with the state of the art and be adequate to the risk identified with "reasonable effort".
  • PDSs must additionally consider factors such as the security of their systems and facilities and the implementation of an information security management system;
  • OESs must establish a computer emergency response team (CERT) for communication with authorities and computer emergency teams;
  • Security incidents must be reported immediately to the national computer emergency team, containing all relevant information on the security incident and the technical background known at the time of the initial report, in particular the suspected or actual cause, the information technology involved and the type of facility or installation involved.

6. Sanctions & non-compliance 

Administrative sanctions: 

According to § 26 (2) NISG, an offence is punishable by a fine of up to EUR 50,000, or up to EUR 100,000 in the case of a repeat offence.

Criminal sanctions: 

Not regulated in the NISG.

Others:

Not regulated in the NISG.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The NISG provides for a national computer emergency team to be set up to ensure the security of network and information systems. According to § 14 NISG, the National Computer Emergency Team and the Sectoral Computer Emergency Teams shall assist OESs and PDSs. The Public Administration Computer Emergency Team (GovCERT) shall assist public administration bodies in managing risks, incidents and security incidents.

8. National cybersecurity incident management structure

Security incidents must be reported immediately to the national computer emergency team, containing all relevant information on the security incident and the technical background known at the time of the initial report, in particular the suspected or actual cause, the information technology involved and the type of facility or installation involved.

If a security incident occurs, it shall be reported without delay to CERT.at. The law does not provide for a certain time limit, but since a follow-up and a final report are also required and these have to be submitted “without undue further delay”, a very short time limit – a few hours to a maximum of 24 hours (depending on the severity of the incident) – has to be assumed.

9. Other cybersecurity initiatives 

The Austrian Handbook on Information Security provides a broad overview of recognised information security standards based on common international standards such as ISO/IEC 27000. It serves to implement comprehensive security concepts in public administration and the private sector.

Austrian Information Security Handbook: https://www.sicherheitshandbuch.gv.at (German)

Christina Maria Schwaiger
Lawyer
Vienna
Matthias Hudobnik