Home / Insight / e-Privacy


The e-Privacy Regulation

Back to e-Privacy

What is the E-Privacy Regulation?

The E-Privacy Regulation (ePR) is an addition to the General Data Protection Regulation (GDPR) which came into force on 25 May 2018. The aim of both the GDBR and the E-Privacy Regulation is to ensure that personal data within the EU are protected. The E-Privacy Regulation is a set of rules proposed by the European Union focusing specifically on the field of electronic telecommunications.

The E-Privacy Regulation is intended to ensure confidentiality in electronic communications throughout Europe and to regulate how both personal and non-personal data are handled online.

Protecting privacy in the digital world

The E-Privacy Regulation sets outs new rules to protect users and their data on the Internet, for example simplifying rules for handling cookies and increasing data security for communications services such as WhatsApp. The E-Privacy Regulation also has consequences for privacy in the area of online marketing.

Data Law Nav­ig­at­or | Aus­tria
<link xlink:href="ez­loca­tion://414164" xlink:show="none"><< back to Over­view</link>The con­tent will be peri­od­ic­ally up­dated by our law­yers but, giv­en the con­stantly evolving laws in this area, we can­not guar­an­tee the con­tent is com­plete and ac­cur­ate.Jump dir­ectly to <link xlink:href="#CS" xlink:show="none" xlink:title="">Cy­ber Se­cur­ity >></link> <an­chor xml:id="re­write_Data_Pro­tec­tion"/>Data Pro­tec­tion Last re­viewed March 2020Risk scaleme­di­umLaws and Reg­u­la­tionsGen­er­al Data Pro­tec­tion Reg­u­la­tion (GDPR)Aus­tri­an Data Pro­tec­tion Act 2018 (DPA 2018)Aus­tri­an Tele­com­mu­nic­a­tions Act 2003 (TCA 2003)Aus­tri­an Act on Health Telemat­ics (Ge­sund­heit­stelematikge­setz 2012) – GTelG 2012Reg­u­la­tion of the Aus­tri­an Data Pro­tec­tion Au­thor­ity on pro­cessing op­er­a­tions for which a Data Pro­tec­tion Im­pact As­sess­ment is to be car­ried out (Fed­er­al Law Gaz­ette II No. 278/2018)Reg­u­la­tion of the Aus­tri­an Data Pro­tec­tion Au­thor­ity on ex­emp­tions of the Data Pro­tec­tion Im­pact As­sess­ment (Fed­er­al Law Gaz­ette II No. 108/2018)Reg­u­la­tion of the Aus­tri­an Data Pro­tec­tion Au­thor­ity on the re­quire­ments for ac­cred­it­a­tion of a mon­it­or­ing body pur­su­ant to Art 41 (1) GDPR (Fed­er­al Law Gaz­ette II No. 264/2019)Au­thor­ityAus­tri­an Data Pro­tec­tion Au­thor­ityIf ap­plic­able: Stage of le­gis­lat­ive im­ple­ment­a­tion of GDPR GDPR was fully im­ple­men­ted by Aus­tri­an Data Pro­tec­tion Act 2018. If ap­plic­able: loc­al derog­a­tions as per­mit­ted by GDPRThe fol­low­ing derog­a­tions ex­ist:pub­licly avail­able data is only pro­tec­ted un­der the Data Pro­tec­tion Act 2018, if it is not used for his­tor­ic­al re­search pur­poses or stat­ist­ic­al pur­poses (Sec­tion 7 DPA);provid­ing ad­dresses to in­form and in­ter­view data sub­ject re­quires no con­sent of data sub­jects, if an in­fringe­ment of the data sub­ject’s in­terests in con­fid­en­ti­al­ity is un­likely, con­sid­er­ing the se­lec­tion cri­ter­ia for the group of data sub­jects and the sub­ject of the in­form­a­tion or in­ter­view (Sec­tion 8 DPA);spe­cif­ic pro­vi­sions re­gard­ing the data pro­tec­tion of­ficer ac­cord­ing to Sec­tion 5 DPA, such as the ob­lig­a­tion of the Aus­tri­an min­is­tries to ap­point at least one Data Pro­tec­tion Of­ficer (Art 37 GDPR);chil­dren’s age to law­fully con­sent is lowered to 14 years (Sec­tion 4 (4) DPA);spe­cif­ic CCTV reg­u­la­tions laid down in Sec­tion 12 and 13 DPA;if ne­ces­sary to re­con­cile the right to the pro­tec­tion of per­son­al data with the free­dom of ex­pres­sion and in­form­a­tion, in par­tic­u­lar with re­gard to the pro­cessing of per­son­al data for journ­al­ist­ic pur­poses as re­ferred to in the Aus­tri­an Me­dia Act, GDPR does not ap­ply (Sec­tion 9 DPA);Sec­tion 10 DPA al­lows for pro­cessing of per­son­al data in case of emer­gency;Spe­cial ad­min­is­trat­ive pen­alty pro­vi­sions laid down in Sec­tion 62 DPA;Ad­min­is­trat­ive pen­alty on pro­cessing data with the in­ten­tion to make a profit or to cause harm laid down in Sec­tion 62 DPA;Reg­u­la­tion of the Aus­tri­an Data Pro­tec­tion Au­thor­ity on pro­cessing op­er­a­tions for which a Data Pro­tec­tion Im­pact As­sess­ment is to be car­ried out (Fed­er­al Law Gaz­ette II No. 278/2018):lays down a cata­logue of cri­ter­ia con­cern­ing pro­cessing op­er­a­tions for which the con­trol­ler needs to con­duct a data pro­tec­tion im­pact as­sess­mentim­ple­ment­a­tion act pur­su­ant to Art 35 (4) GDPRReg­u­la­tion of the Aus­tri­an Data Pro­tec­tion Au­thor­ity on ex­emp­tions of the Data Pro­tec­tion Im­pact As­sess­ment (Fed­er­al Law Gaz­ette II No. 108/2018):lays down a list of pro­cessing op­er­a­tions for which no data pro­tec­tion im­pact as­sess­ment is re­quiredim­ple­ment­a­tion act pur­su­ant to Art 35(5) GDPRScopeAuto­mated and non-auto­mated data pro­cessing op­er­a­tions;In­form­a­tion re­lat­ing to data sub­jects who are iden­ti­fied or iden­ti­fi­able (nat­ur­al per­sons; the fun­da­ment­al right to data pro­tec­tion es­tab­lished in the con­sti­tu­tion­al pro­vi­sion of Sec­tion 1 DPA con­tin­ues to pro­tect leg­al per­sons (this relates to polit­ic­al dif­fi­culties at the time of the ad­op­tion of the DPA: con­sti­tu­tion­al pro­vi­sion could not be amended due to the ab­sence of the re­quired 2/3 ma­jor­ity in the par­lia­ment);The party, de­term­in­ing the pur­poses and means of pro­cessing of per­son­al data es­tab­lished in Aus­tria (“data con­trol­ler”);The party, pro­cessing the data on be­half of the data con­trol­ler, if the data con­trol­ler is sub­ject to DPA (“data pro­cessor”);Data con­trol­lers es­tab­lished out­side Aus­tria but with­in an EU mem­ber state, that use per­son­al data for an es­tab­lish­ment of the con­trol­ler in Aus­tria;Data con­trol­lers not es­tab­lished in any EU Mem­ber State which use per­son­al data in Aus­tria;Pen­al­ties/en­force­mentSanc­tions un­der the DPA:Non-com­pli­ance with DPA may res­ult in com­plaints, data pro­tec­tion au­thor­ity audits and/or or­ders, ad­min­is­trat­ive fines, seizure of equip­ment or data and civil ac­tions and/or crim­in­al pro­ceed­ings.The Aus­tri­an Data Pro­tec­tion Au­thor­ity may is­sue ad­min­is­trat­ive fines of up to EUR 50,000 for non-com­pli­ance with DPA. The fines un­der DPA will only be im­posed if an of­fence does not con­sti­tute an of­fence un­der Art 83 GDPR ("catch-all clause").Fines may be im­posed on leg­al per­sonsbe­cause of an ex­ec­ut­ive's vi­ol­a­tion; orfor mon­it­or­ing or con­trol fail­ures.A leg­al per­son is re­spons­ible for breaches, if an ex­ec­ut­ive does not com­ply with sur­veil­lance du­ties or does not en­act or­gan­isa­tion­al mat­ters, thus, en­abling an of­fence to be com­mit­ted by a per­son work­ing for the com­pany. Moreover, fines may be im­posed on a re­spons­ible per­son in ac­cord­ance with Sec­tion 9 Ad­min­is­trat­ive Pen­al Act 1991.Re­gis­tra­tion/no­ti­fic­a­tion DPA does not provide for any ob­lig­a­tions to no­ti­fy data ap­plic­a­tions to the data pro­tec­tion au­thor­ity (data pro­cessing re­gister).Art 37 GDPR re­quires the con­trol­ler or pro­cessor to pub­lish con­tact de­tails of the data pro­tec­tion of­ficer and to com­mu­nic­ate con­tact de­tails to Aus­tri­an Data Pro­tec­tion Au­thor­ity.Main ob­lig­a­tions and pro­cessing re­quire­mentsIn­form­a­tion re­quire­mentsa data con­trol­ler col­lect­ing per­son­al data must provide data sub­jects with in­form­a­tion on: the data con­trol­ler’s iden­tity (name, ad­dress, con­tact de­tails); the pro­cessing pur­poses and leg­al basis; the data cat­egor­ies; the data re­cip­i­ents (solely if the data is sub­ject to a con­trol­ler-to-con­trol­ler trans­fer); if con­sent is needed, the pos­sib­il­ity to re­voke the con­sent at any time shall be in­dic­ated; and the data sub­ject’s rights.Con­sent re­quire­mentsif con­sent is needed, elec­tron­ic and pa­per con­sent is per­miss­ible and deemed ef­fect­ive if it is prop­erly struc­tured and doc­u­mented. The data sub­ject has to be provided with in­form­a­tion on: the data con­trol­ler’s iden­tity; the pro­cessed data cat­egor­ies; the re­cip­i­ents (if they are data con­trol­lers as well); the pro­cessing pur­poses; and the right to re­voke con­sent at any time.Out­sourcing re­quire­mentsWhere pro­cessing is car­ried out by a pro­cessor on be­half of a con­trol­ler, the con­trol­ler shall only use pro­cessors provid­ing suf­fi­cient guar­an­tees to im­ple­ment ap­pro­pri­ate tech­nic­al and or­gan­isa­tion­al meas­ures in such a man­ner that pro­cessing will meet the re­quire­ments of this Reg­u­la­tion and en­sure the pro­tec­tion of the rights of the data sub­ject (Art 28 GDPR).Data sub­ject rightsChapter III GDPR ex­pressly fore­sees the fol­low­ing data sub­ject rights:Right of ac­cess by the data sub­ject (Art 15 GDPR),Right to rec­ti­fic­a­tion (Art 16 GDPR),Right to eras­ure (Art 17 GDPR),Right to re­stric­tion of pro­cessing (Art 18),Right to data port­ab­il­ity (Art 20 GDPR),Right to ob­ject (Art 21 GDPR),Right, not to be sub­ject to a de­cision based solely on auto­mated pro­cessing, in­clud­ing pro­fil­ing.GDPR provides for ad­di­tion­al rights of the data sub­ject, such as the right to be in­formed (Art 13 and 14 GDPR), the right to lodge a com­plaint with the Aus­tri­an Data Pro­tec­tion Au­thor­ity (Art 77 GDPR in con­junc­tion with Sec­tion 24 DPA) or to the right to an ef­fect­ive ju­di­cial rem­edy (Art 78 and 79 GDPR).Trans­fers out of coun­tryTrans­fer to third coun­tries is es­sen­tially for­bid­den.However, GDPR fore­sees sev­er­al mech­an­isms in or­der to trans­fer data to third coun­tries, such as:Ad­equacy de­cision of European Com­mis­sion ac­cord­ing to Art 45 GDPR (e.g. Pri­vacy Shield),In­tern­al data pro­tec­tion reg­u­la­tions (Bind­ing Cor­por­ate Rules) ac­cord­ing to Art 46 GDPR,Stand­ard con­tract clauses (SCCs) ac­cord­ing to Art 46 GDPR,Code of con­ducts and cer­ti­fic­a­tion mech­an­isms as trans­fer tools ac­cord­ing to Art 46 GDPR,Data trans­fers on the basis of Art 28 GDPR.For fur­ther trans­fer mech­an­isms or tools, please see Art 44 – 49 GDPR.Data Pro­tec­tion Of­ficerCon­trol­lers and pro­cessors must ap­point a Data Pro­tec­tion Of­ficer in case wherePro­cessing is car­ried out by a pub­lic au­thor­ity or pub­lic body,core data pro­cessing activ­it­ies con­sist of ex­tens­ive reg­u­lar and sys­tem­at­ic mon­it­or­ing,core data pro­cessing activ­it­ies con­sist of pro­cessing of spe­cial cat­egor­ies of data on a large scale or of pro­cessing crim­in­al data.Aus­tri­an min­is­tries are ob­liged to ap­point at least one Data Pro­tec­tion Of­ficer ac­cord­ing to Sec­tion 5 (4) DPA.Se­cur­ityTak­ing in­to ac­count the state of the art, the costs of im­ple­ment­a­tion and the nature, scope, con­text and pur­poses of pro­cessing as well as the risk of vary­ing like­li­hood and sever­ity for the rights and freedoms of nat­ur­al per­sons, the con­trol­ler and the pro­cessor shall im­ple­ment ap­pro­pri­ate tech­nic­al and or­gan­isa­tion­al meas­ures to en­sure a level of se­cur­ity ap­pro­pri­ate to the risk, in­clud­ing inter alia as ap­pro­pri­ate:the pseud­onymisa­tion and en­cryp­tion of per­son­al data;the abil­ity to en­sure the on­go­ing con­fid­en­ti­al­ity, in­teg­rity, avail­ab­il­ity and re­si­li­ence of pro­cessing sys­tems and ser­vices;the abil­ity to re­store the avail­ab­il­ity and ac­cess to per­son­al data in a timely man­ner in the event of a phys­ic­al or tech­nic­al in­cid­ent; anda pro­cess for reg­u­larly test­ing, as­sess­ing and eval­u­at­ing the ef­fect­ive­ness of tech­nic­al and or­gan­isa­tion­al meas­ures for en­sur­ing the se­cur­ity of the pro­cessing.Breach no­ti­fic­a­tionIn the case of a per­son­al data breach, the con­trol­ler shall without un­due delay and, where feas­ible, not later than 72 hours after hav­ing be­come aware of it, no­ti­fy the per­son­al data breach to the su­per­vis­ory au­thor­ity com­pet­ent in ac­cord­ance with Art 55 GDPR, un­less the per­son­al data breach is un­likely to res­ult in a risk to the rights and freedoms of nat­ur­al per­sons. Where the no­ti­fic­a­tion to the su­per­vis­ory au­thor­ity is not made with­in 72 hours, it shall be ac­com­pan­ied by reas­ons for the delay.When the per­son­al data breach is likely to res­ult in a high risk to the rights and freedoms of nat­ur­al per­sons, the con­trol­ler shall com­mu­nic­ate the data breach to the data sub­ject without un­due delay.No gen­er­al ad­di­tion­al re­quire­ments un­der loc­al law ap­ply.To no­ti­fy the Aus­tri­an Data Pro­tec­tion Au­thor­ity, you may use the data breach no­ti­fic­a­tion form and send it to [email protected].Dir­ect mar­ket­ingDir­ect Mar­ket­ingThe GDPR and Aus­tri­an Data Pro­tec­tion Act (DPA) ap­ply to all mar­ket­ing and ad­vert­ising activ­it­ies in­volving per­son­al data. Per­son­al data means any in­form­a­tion re­lat­ing to an iden­ti­fied or iden­ti­fi­able nat­ur­al per­son (Art 4 para 1 GDPR).This is the main le­gis­la­tion that mar­keters / Ad tech com­pan­ies will need to com­ply with in terms of se­cur­ity meas­ures and no­ti­fy­ing per­son­al data breaches.Ad­min­is­trat­ive fines un­der GDPR and DPA are im­posed by the Aus­tri­an Data Pro­tec­tion Au­thor­ity (link here).Ac­tions for dam­ages (“Schaden­er­satzk­la­gen”) and in­junc­tions (“Un­ter­las­sung­sk­la­gen”) as well as in­ter­im in­junc­tions (“einst­wei­lige Ver­fü­gun­gen”) un­der GDPR and DPA are im­posed by the courts.Please find a copy of the Aus­tri­an Data Pro­tec­tion Act via the fol­low­ing link: Aus­tri­an Data Pro­tec­tion ActIn ad­di­tion, pro­vi­sions of the Aus­tri­an Tele­com­mu­nic­a­tions Act (TKG 2003) (which im­ple­ments the EU ePri­vacy Dir­ect­ive 2002/58/EC) ap­ply to spe­cif­ic mar­ket­ing and ad­vert­ising pur­poses e.g. im­pos­ing ad­di­tion­al re­quire­ments on the way or­gan­isa­tions can carry out un­so­li­cited dir­ect elec­tron­ic mar­ket­ing.The Aus­tri­an Data Pro­tec­tion Au­thor­ity en­forces vi­ol­a­tions of data sub­ject rights un­der TKG 2003 by is­su­ing ad­min­is­trat­ive fines, since the Tele­com­mu­nic­a­tions Act 2003 is a lex spe­cial­is to the GDPR.Please find a copy of the Aus­tri­an Tele­com­mu­nic­a­tions Act via the fol­low­ing link: Aus­tri­an Tele­com­mu­nic­a­tions ActCook­iesWith re­gard to the use of cook­ies, the Aus­tri­an Tele­com­mu­nic­a­tion Act 2003 is con­sidered the lex spe­cial­is to the GDPR. Data sub­jects must be in­formed about the use of cook­ies with­in the mean­ing of Sec­tion 96 Aus­tri­an Tele­com­mu­nic­a­tion Act 2003. Aus­tri­an web­site op­er­at­ors are ob­liged to in­form af­fected users com­pre­hens­ively and to ob­tain their con­sent. Vi­ol­a­tion of the reg­u­la­tion could res­ult in an ad­min­is­trat­ive fine of up to EUR 37,000.The use of cook­ies is only per­mit­ted if:the user is in­formed in de­tail in ad­vance;con­sent has been giv­en be­fore the use of cook­ies; andthe con­sent was giv­en vol­un­tar­ily, without doubt and by an act­ive act.The Cook­ie Policy may state that the browser set­tings may be ad­jus­ted ac­cord­ingly. The pos­sib­il­ity to modi­fy the set­tings, if prop­erly in­formed, may be con­sidered as suf­fi­cient con­sent.Oth­er data pro­tec­tion ini­ti­at­ivesReg­u­la­tion of the Aus­tri­an Data Pro­tec­tion Au­thor­ity on the re­quire­ments for the ac­cred­it­a­tion of cer­ti­fic­a­tion bod­ies ac­cord­ing to Art 43 (6) GDPR, to be pub­lished in 2020.Use­ful linksGuide to GDPR, provided by the Aus­tri­an Data  Pro­tec­tion Au­thor­ity (Ger­man)Aus­tri­an Tele­com­mu­nic­a­tions ActAus­tri­an Data Pro­tec­tion Act <an­chor xml:id="re­write_Cy­ber_Se­cur­ity"/>Cy­ber Se­cur­ityLast re­viewed March 2020Risk scaleme­di­umLaws and reg­u­la­tionsNet­work and In­form­a­tion Sys­tem Se­cur­ity Act (“Net­zwerk – und In­form­a­tionssich­er­heits­ge­setz” - NISG) as the im­ple­ment­ing act of Dir­ect­ive (EU) 2016/1148 con­cern­ing meas­ures for a high com­mon level of se­cur­ity of net­work and in­form­a­tion sys­tems across the Uni­on.Ap­plic­a­tionThe NISG ap­plies to op­er­at­ors of es­sen­tial ser­vices (OES) in the fol­low­ing sec­tors:En­ergy (elec­tri­city, crude oil, nat­ur­al gas),Trans­port (air, rail, wa­ter, road),Bank­ing (cred­it in­sti­tu­tions),Fin­an­cial mar­ket in­fra­struc­tures (trad­ing ven­ues, cent­ral coun­ter­parties),Health­care (es­pe­cially hos­pit­als and private clin­ics),Drink­ing wa­ter sup­ply andDi­git­al In­fra­struc­ture (In­ter­net Ex­change Points, DNS Ser­vice Pro­viders, TLD Name Re­gis­tries).It fur­ther ap­plies topro­viders of di­git­al ser­vices (PDS) (on­line mar­ket­places, on­line search en­gines and cloud com­put­ing ser­vices); andpub­lic ad­min­is­tra­tion bod­ies.Au­thor­ityAc­cord­ing to § 26 (2) NISG the loc­al ad­min­is­trat­ive au­thor­it­ies are the com­pet­ent su­per­vis­ory au­thor­it­ies. Key Ob­lig­a­tionsSe­cur­ity meas­uresProvid­ing net­work and in­form­a­tion se­cur­ity, defined by the NISG as the abil­ity to pre­vent, de­tect, de­ter and elim­in­ate se­cur­ity in­cid­ents.Tech­nic­al and or­gan­iz­a­tion­al se­cur­ity meas­ures must be ap­pro­pri­ate, pro­por­tion­ate, com­ply with the state of the art and be ad­equate to the risk iden­ti­fied with "reas­on­able ef­fort".PDS’ must ad­di­tion­ally con­sider factors such as the se­cur­ity of sys­tems, thus im­ple­ment­a­tion of such in­form­a­tion se­cur­ity man­age­ment sys­tems.OES’ are ob­liged to es­tab­lish a com­puter emer­gency res­ponse team (CERT) for com­mu­nic­a­tion with au­thor­it­ies and com­puter emer­gency teams.Se­cur­ity in­cid­ents must be re­por­ted im­me­di­ately to the na­tion­al com­puter emer­gency team, con­tain­ing all rel­ev­ant in­form­a­tion on the se­cur­ity in­cid­ent and the tech­nic­al back­ground known at the time of the ini­tial re­port, in par­tic­u­lar the sus­pec­ted or ac­tu­al cause, the in­form­a­tion tech­no­logy in­volved and the type of fa­cil­ity or in­stall­a­tion in­volved.Pen­al­ties/en­force­mentSec­tion 29 (1) NISG provides for fin­an­cial pen­al­ties of up to EUR 100,000 in case of in­fringe­ment.Is there a na­tion­al com­puter emer­gency re­sponse team (CERT) or com­puter se­cur­ity in­cid­ent re­sponse team (CSIRT)?The NISG provides for a na­tion­al com­puter emer­gency team to be set up to en­sure the se­cur­ity of the net­work and in­form­a­tion sys­tems. The Na­tion­al Com­puter Emer­gency Team and Sec­tor­al Com­puter Emer­gency Teams shall as­sist OES and PDS. The Pub­lic Ad­min­is­tra­tion Com­puter Emer­gency Team (Gov­CERT) shall as­sist pub­lic ad­min­is­tra­tion bod­ies in man­aging risks, in­cid­ents and se­cur­ity in­cid­ents.Is there a na­tion­al in­cid­ent man­age­ment struc­ture for re­spond­ing to cy­ber se­cur­ity in­cid­ents?Se­cur­ity in­cid­ents must be re­por­ted im­me­di­ately to the na­tion­al com­puter emer­gency team, con­tain­ing all rel­ev­ant in­form­a­tion on the se­cur­ity in­cid­ent and the tech­nic­al back­ground known at the time of the ini­tial re­port, in par­tic­u­lar the sus­pec­ted or ac­tu­al cause, the in­form­a­tion tech­no­logy in­volved and the type of fa­cil­ity or in­stall­a­tion in­volved.If a se­cur­ity in­cid­ent oc­curs, it shall be re­por­ted without delay to CERT.at. The law does not provide for a cer­tain time lim­it, but since a fol­low-up and a fi­nal re­port are also re­quired and these have to be sub­mit­ted “without un­due fur­ther delay”, a very short time lim­it – a few hours to a max­im­um of 24 hours (de­pend­ing on the sever­ity of the in­cid­ent) – has to be as­sumed.A se­cur­ity in­cid­ent can be no­ti­fied by us­ing the on­line portal of CERT.at avail­able un­der ht­tps://nis.cert.at/. Fur­ther, re­port­ing can also be done by send­ing an E-mail to CERT.at at re­[email protected] When do­ing re­port­ing via E-mail you should in­clude the in­form­a­tion set out in the fol­low­ing form: ht­tps://cert.at/me­dia/files/about/con­tact/files/form_de.txt.  In ad­di­tion, please find fur­ther in­form­a­tion on the re­com­men­ded en­cryp­tion and oth­er meas­ures on the fol­low­ing web­site: ht­tps://cert.at/de/ue­ber-uns/kon­takt/Oth­er cy­ber se­cur­ity ini­ti­at­ives The "Aus­tri­an Hand­book on In­form­a­tion Se­cur­ity" provides a broad over­view of re­cog­nized in­form­a­tion se­cur­ity stand­ards based on com­mon in­ter­na­tion­al stand­ards such as ISO/IEC 27000. It serves to im­ple­ment com­pre­hens­ive se­cur­ity con­cepts in pub­lic ad­min­is­tra­tion and private sec­tor.ht­tps://www.sich­er­heit­shand­buch.gv.at/ (Link to Aus­tri­an In­form­a­tion Se­cur­ity Hand­book – Ger­man)Use­ful linksCert.at Web­siteht­tps://www.gov­cert.gv.at/nis-mel­dung/in­dex/in­dex_en.html (NIS-re­port­ing)ht­tps://cert.at/me­dia/files/about/con­tact/files/form_de.txt (Tem­plate for in­cid­ent no­ti­fic­a­tion)ht­tps://www.ris.bka.gv.at/Gel­tendeFas­sung.wxe?Ab­frage=Bundes­nor­men&Ge­set­zes­num­mer=20010536 (NISG – Ger­man)ht­tps://www.sich­er­heit­shand­buch.gv.at/ (Link to Aus­tri­an In­form­a­tion Se­cur­ity Hand­book – Ger­man) <link xlink:href="ez­loca­tion://414164" xlink:show="none"><< back to Over­view</link>

E-Privacy: Geographical scope

Just as is the case with the GDPR, the Regulation will apply directly in all EU Member States and therefore, unlike a Directive, does not have to be transposed into national law. It is thus a set of rules that takes account of technical and economic developments in the market and will replace the E-Privacy Directive (2002/58/EC) and the Cookie Directive (2009/136/EC) currently in place.

Not only will this serve to harmonise the legal situation in all EU Member States (which varies considerably at present), but it will also ensure that the privacy of users of electronic communications services is protected to a high degree.

E-Privacy: Current status

The original intention was for the E-Privacy Regulation to take effect at the same time as the GDPR on 25 May 2018, but the final version was not completed on time.

It is highly likely for the final text not to be adopted before the end of 2019/2020, because so-called trilogue meetings between the Commission, the Council and the EU Parliament are pending in order to reconcile the individual drafts. It is not yet clear how much time will be required for these trilogue meetings.

Once the final version of the E-Privacy Regulation is presented, an approximately two-year implementation period begins, which means that the Regulation is not expected to take effect before 2022.

What companies should do now

Since the E-Privacy Regulation sets out a drastic tightening of the fines that can be imposed and the explicit right of competitors to sue, companies (in particular their marketing departments) should monitor developments in order to be prepared for the ePR.

Companies would therefore be well advised to start evaluating their website tracking methods, reviewing privacy policies and cookie policies, and ensuring that they are in possession of valid consent for cookies and direct advertising in good time

Prepare your company for the E-Privacy Regulation in good time. Our privacy experts will be happy to advise you.

Contact us directly:



Which types of data processing are covered by the E-Privacy Regulation?

The E-Privacy Regulation applies to how communications data are processed when using electronic communications services and to information relating to the end-user’s terminal equipment.

This means that, in contrast to the GDPR, processing both personal and non-personal communications data falls under the material scope of the E-Privacy Regulation – regardless of whether the service in question is provided for a fee or not.

To whom does the E-Privacy Regulation apply?

The entire online sector is affected by the E-Privacy Regulation.

This includes a whole host of companies such as those in the advertising industry, Internet service providers, as well as third-country electronic communication providers offering their services to end users in the EU.

All over-the-top services, i.e. providers of electronic communications services offering IP-based services such as VoIP (Skype), messenger platforms (WhatsApp), webmail (Gmail) and social media (Facebook, Instagram), are covered by this regulation to the same extent as machine-to-machine communication between “smart” devices that is an increasingly common occurrence in the Internet of Things.

What are the penalties for non-compliance?

In the event that any provisions of the E-Privacy Regulation are violated, severe fines may be levied – the EU will align the penalties under the E-Privacy Regulation with those of the GDPR.

This means that the unlawfully processing communications data will be subject to an administrative fine of up to EUR 10 million or up to 2 % of a company’s total worldwide annual turnover (Article 23 para. 2 (a) of the draft). Unlawful direct marketing communications will be subject to the same administrative fine (Article 23 para. 2 (d) of the draft).

Administrative fines of up to EUR 20 million or up to 4 % of a company’s total worldwide annual turnover may be imposed for violations of the principle of confidentiality of communications, the authorised processing of electronic communications, and time limits for erasure under Articles 5, 6 and 7 of the draft (Article 23 para. 3 of the draft).

In addition to these fines, end users can claim material and non-material compensation from the infringer (Article 22 of the draft).

It is interesting to note that Article 21 para. 2 of the draft explicitly protects legitimate business interests of third parties, meaning that competitors shall have a right to initiate legal proceedings in respect of infringements of the E-Privacy Regulation.

When will the E-Privacy Regulation come into force?

The E-Privacy Regulation is not expected to take effect before 2022.

View FAQs >> Hide FAQs >>