
Data Law Navigator | Austria

Information on Data Protection and Cyber Security laws from CMS experts

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Data Protection 

Last reviewed March 2020

Risk scale

Red

Laws and Regulations

  • General Data Protection Regulation (GDPR)
  • Austrian Data Protection Act 2018 (DPA 2018)
  • Austrian Telecommunications Act 2003 (TCA 2003)
  • Austrian Act on Health Telematics (Gesundheitstelematikgesetz 2012) – GTelG 2012
  • Regulation of the Austrian Data Protection Authority on processing operations for which a Data Protection Impact Assessment is to be carried out (Federal Law Gazette II No. 278/2018)
  • Regulation of the Austrian Data Protection Authority on exemptions of the Data Protection Impact Assessment (Federal Law Gazette II No. 108/2018)
  • Regulation of the Austrian Data Protection Authority on the requirements for accreditation of a monitoring body pursuant to Art 41 (1) GDPR (Federal Law Gazette II No. 264/2019)

Authority

Austrian Data Protection Authority

If applicable: Stage of legislative implementation of GDPR 

The GDPR was fully implemented by the Austrian Data Protection Act 2018.

If applicable: local derogations as permitted by GDPR

The following derogations exist:

  • publicly available data is only protected under the Data Protection Act 2018 if it is not used for historical research purposes or statistical purposes (Section 7 DPA);
  • providing addresses in order to inform or interview data subjects requires no consent of the data subjects if an infringement of the data subject’s interests in confidentiality is unlikely, considering the selection criteria for the group of data subjects and the subject of the information or interview (Section 8 DPA);
  • specific provisions regarding the data protection officer according to Section 5 DPA, such as the obligation of the Austrian ministries to appoint at least one Data Protection Officer (Art 37 GDPR);
  • children’s age to lawfully consent is lowered to 14 years (Section 4 (4) DPA);
  • specific CCTV regulations laid down in Section 12 and 13 DPA;
  • if necessary to reconcile the right to the protection of personal data with the freedom of expression and information, in particular with regard to the processing of personal data for journalistic purposes as referred to in the Austrian Media Act, GDPR does not apply (Section 9 DPA);
  • Section 10 DPA allows for processing of personal data in case of emergency;
  • special administrative penalty provisions laid down in Section 62 DPA;
  • administrative penalty on processing data with the intention to make a profit or to cause harm laid down in Section 62 DPA;
  • Regulation of the Austrian Data Protection Authority on processing operations for which a Data Protection Impact Assessment is to be carried out (Federal Law Gazette II No. 278/2018):
    • lays down a catalogue of criteria concerning processing operations for which the controller needs to conduct a data protection impact assessment
    • implementation act pursuant to Art 35 (4) GDPR
  • Regulation of the Austrian Data Protection Authority on exemptions of the Data Protection Impact Assessment (Federal Law Gazette II No. 108/2018):
    • lays down a list of processing operations for which no data protection impact assessment is required
    • implementation act pursuant to Art 35(5) GDPR

Scope

  • Automated and non-automated data processing operations;
  • Information relating to data subjects who are identified or identifiable (natural persons). The fundamental right to data protection established in the constitutional provision of Section 1 DPA continues to protect legal persons as well; this goes back to political difficulties at the time of the adoption of the DPA, when the constitutional provision could not be amended because the required two-thirds majority in parliament was absent;
  • The party determining the purposes and means of processing of personal data that is established in Austria (“data controller”);
  • The party processing the data on behalf of the data controller, if the data controller is subject to the DPA (“data processor”);
  • Data controllers established outside Austria but within an EU member state that use personal data for an establishment of the controller in Austria;
  • Data controllers not established in any EU member state that use personal data in Austria.

Penalties/enforcement

Sanctions under the DPA:

Non-compliance with DPA may result in complaints, data protection authority audits and/or orders, administrative fines, seizure of equipment or data and civil actions and/or criminal proceedings.

The Austrian Data Protection Authority may issue administrative fines of up to EUR 50,000 for non-compliance with DPA. The fines under DPA will only be imposed if an offence does not constitute an offence under Art 83 GDPR ("catch-all clause").

Fines may be imposed on legal persons:

  • because of an executive's violation; or
  • for monitoring or control failures.

A legal person is responsible for breaches if an executive does not comply with supervisory duties or does not put in place the necessary organisational measures, thereby enabling an offence to be committed by a person working for the company. Moreover, fines may be imposed on a responsible person in accordance with Section 9 Administrative Penal Act 1991.

Registration/notification 

The DPA does not provide for any obligation to notify data applications to the data protection authority (there is no data processing register).

Art 37 GDPR requires the controller or processor to publish the contact details of the data protection officer and to communicate those contact details to the Austrian Data Protection Authority.

Main obligations and processing requirements

Information requirements

  • a data controller collecting personal data must provide data subjects with information on: the data controller’s identity (name, address, contact details); the processing purposes and legal basis; the data categories; the data recipients (solely if the data is subject to a controller-to-controller transfer); if consent is needed, the possibility to revoke the consent at any time shall be indicated; and the data subject’s rights.

Consent requirements

  • if consent is needed, electronic and paper consent is permissible and deemed effective if it is properly structured and documented. The data subject has to be provided with information on: the data controller’s identity; the processed data categories; the recipients (if they are data controllers as well); the processing purposes; and the right to revoke consent at any time.

Outsourcing requirements

Where processing is carried out by a processor on behalf of a controller, the controller shall only use processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject (Art 28 GDPR).

Data subject rights

Chapter III GDPR expressly foresees the following data subject rights:

  • Right of access by the data subject (Art 15 GDPR),
  • Right to rectification (Art 16 GDPR),
  • Right to erasure (Art 17 GDPR),
  • Right to restriction of processing (Art 18 GDPR),
  • Right to data portability (Art 20 GDPR),
  • Right to object (Art 21 GDPR),
  • Right not to be subject to a decision based solely on automated processing, including profiling.

The GDPR provides for additional rights of the data subject, such as the right to be informed (Art 13 and 14 GDPR), the right to lodge a complaint with the Austrian Data Protection Authority (Art 77 GDPR in conjunction with Section 24 DPA) and the right to an effective judicial remedy (Art 78 and 79 GDPR).

Transfers out of country

Transfer to third countries is essentially forbidden.

However, GDPR foresees several mechanisms in order to transfer data to third countries, such as:

  • Adequacy decision of European Commission according to Art 45 GDPR (e.g. Privacy Shield),
  • Internal data protection regulations (Binding Corporate Rules) according to Art 46 GDPR,
  • Standard contract clauses (SCCs) according to Art 46 GDPR,
  • Codes of conduct and certification mechanisms as transfer tools according to Art 46 GDPR,
  • Data transfers on the basis of Art 28 GDPR.

For further transfer mechanisms or tools, please see Art 44 – 49 GDPR.

Data Protection Officer

Controllers and processors must appoint a Data Protection Officer in cases where:

  • Processing is carried out by a public authority or public body,
  • core data processing activities consist of extensive regular and systematic monitoring,
  • core data processing activities consist of processing of special categories of data on a large scale or of processing criminal data.

Austrian ministries are obliged to appoint at least one Data Protection Officer according to Section 5 (4) DPA.

Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Breach notification

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Art 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the data breach to the data subject without undue delay.

No general additional requirements under local law apply.

To notify the Austrian Data Protection Authority, you may use the data breach notification form and send it to [email protected].

Direct marketing


  • The GDPR and Austrian Data Protection Act (DPA) apply to all marketing and advertising activities involving personal data. Personal data means any information relating to an identified or identifiable natural person (Art 4 para 1 GDPR).
  • This is the main legislation that marketers / Ad tech companies will need to comply with in terms of security measures and notifying personal data breaches.
  • Administrative fines under the GDPR and DPA are imposed by the Austrian Data Protection Authority.
  • Actions for damages (“Schadenersatzklagen”) and injunctions (“Unterlassungsklagen”) as well as interim injunctions (“einstweilige Verfügungen”) under the GDPR and DPA are decided by the courts.
  • Please find a copy of the Austrian Data Protection Act via the following link: Austrian Data Protection Act
  • In addition, provisions of the Austrian Telecommunications Act (TKG 2003) (which implements the EU ePrivacy Directive 2002/58/EC) apply to specific marketing and advertising purposes e.g. imposing additional requirements on the way organisations can carry out unsolicited direct electronic marketing.
  • The Austrian Data Protection Authority penalises violations of data subject rights under the TKG 2003 by issuing administrative fines, since the Telecommunications Act 2003 is a lex specialis to the GDPR.
  • Please find a copy of the Austrian Telecommunications Act via the following link: Austrian Telecommunications Act

Cookies

With regard to the use of cookies, the Austrian Telecommunication Act 2003 is considered the lex specialis to the GDPR. Data subjects must be informed about the use of cookies within the meaning of Section 96 Austrian Telecommunication Act 2003. Austrian website operators are obliged to inform affected users comprehensively and to obtain their consent. Violation of the regulation could result in an administrative fine of up to EUR 37,000.

The use of cookies is only permitted if:

  • the user is informed in detail in advance;
  • consent has been given before the use of cookies; and
  • the consent was given voluntarily, without doubt and by an active act.

The Cookie Policy may state that the browser settings may be adjusted accordingly. The possibility to modify the settings, if properly informed, may be considered as sufficient consent.

Other data protection initiatives

Regulation of the Austrian Data Protection Authority on the requirements for the accreditation of certification bodies according to Art 43 (6) GDPR, to be published in 2020.

Cyber Security

Last reviewed March 2020

Risk scale

Orange

Laws and regulations

Network and Information System Security Act (“Netzwerk- und Informationssicherheitsgesetz”, NISG), the act implementing Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union.

Application

The NISG applies to operators of essential services (OES) in the following sectors:

  • Energy (electricity, crude oil, natural gas),
  • Transport (air, rail, water, road),
  • Banking (credit institutions),
  • Financial market infrastructures (trading venues, central counterparties),
  • Healthcare (especially hospitals and private clinics),
  • Drinking water supply and
  • Digital Infrastructure (Internet Exchange Points, DNS Service Providers, TLD Name Registries).

It further applies to

  • providers of digital services (PDS) (online marketplaces, online search engines and cloud computing services); and
  • public administration bodies.

Authority

According to § 26 (2) NISG the local administrative authorities are the competent supervisory authorities. 

Key Obligations

  • Security measures
    • Providing network and information security, defined by the NISG as the ability to prevent, detect, deter and eliminate security incidents.
    • Technical and organisational security measures must be appropriate, proportionate, comply with the state of the art and be adequate to the identified risk, achievable with "reasonable effort".
  • PDS must additionally take into account factors such as the security of their systems, which in practice means implementing an information security management system.
  • OES are obliged to establish a computer emergency response team (CERT) for communication with the authorities and the computer emergency teams.
  • Security incidents must be reported immediately to the national computer emergency team; the report must contain all relevant information on the security incident and the technical background known at the time of the initial report, in particular the suspected or actual cause, the information technology involved and the type of facility or installation involved.

Penalties/enforcement

Section 29 (1) NISG provides for financial penalties of up to EUR 100,000 in case of infringement.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

The NISG provides for a national computer emergency team to be set up to ensure the security of the network and information systems. The National Computer Emergency Team and Sectoral Computer Emergency Teams shall assist OES and PDS. The Public Administration Computer Emergency Team (GovCERT) shall assist public administration bodies in managing risks, incidents and security incidents.

Is there a national incident management structure for responding to cyber security incidents?

If a security incident occurs, it shall be reported without delay to CERT.at. The law does not provide for a certain time limit, but since a follow-up and a final report are also required and these have to be submitted “without undue further delay”, a very short time limit – a few hours to a maximum of 24 hours (depending on the severity of the incident) – has to be assumed.

A security incident can be notified by using the online portal of CERT.at available under https://nis.cert.at/.
Further, reporting can also be done by sending an email to CERT.at at [email protected]. When reporting via email you should include the information set out in the following form: https://cert.at/media/files/about/contact/files/form_de.txt
In addition, please find further information on the recommended encryption and other measures on the following website: https://cert.at/de/ueber-uns/kontakt/

Other cyber security initiatives 

The "Austrian Handbook on Information Security" provides a broad overview of recognized information security standards based on common international standards such as ISO/IEC 27000. It serves to implement comprehensive security concepts in public administration and private sector.

https://www.sicherheitshandbuch.gv.at/ (Link to Austrian Information Security Handbook – German)


Authors

Johannes Juranek
Managing Partner
Vienna
Christina Maria Schwaiger
Associate
Vienna