Austria

Main takeaways


  • Fines cannot be imposed on authorities and public entities.
  • The decisions resulting in the highest fines to date have been appealed – and quite successfully too.
  • Little transparency in terms of the publicising of fines.
  • Class actions by consumer protection associations are permitted under the GDPR and are even encouraged by the ECJ. Practice has shown that the Austrian consumer protection association (the "Verein für Konsumenteninformation" – "VKI") is increasingly filing such actions.
  • Fines > Damages: Currently, fines seem to outweigh any damages awarded by civil courts. However, lawsuits before the civil courts are growing in number and are expected to continue to increase in coming years.

Fining practice

Trend: to date, have the national data protection authorities in Austria focused on certain types of non-compliance with data protection law, or have the authorities stated that they will investigate certain types of non-compliance more closely in future? Do you see a focus on certain industries/sectors? If so, which ones?

The Austrian data protection authority ("Datenschutzbehörde", "DPA") still focuses on the processing of consumer personal data by major market players in the context of customer loyalty programmes. In 2021, the consent obtained from data subjects for such customer loyalty programmes and for profiling purposes was deemed insufficient in three separate cases, resulting in large fines totalling EUR 11,200,000.00 imposed on the respective data controllers. The most significant penalties were imposed in areas in which a very large number of data subjects were affected (commerce sector, finance sector).

Proceedings against natural persons mostly concern the unlawful operation of video surveillance systems, including dash cams in cars, which are generally deemed illegal in Austria.

Generally, the DPA conducts annual official audits in certain sectors (e.g. banks, hospitals, insurance companies, etc.). However, information on which sector is specifically audited each year is not publicly available.

Overall, what was the most significant fine in Austria to date (please specify the recipient, the amount, the type of violation, the sector, and provide a brief summary)? Has the fine been challenged in court? If it has: was this successful, or what is the status of the proceedings?

The most significant fine imposed by the Austrian DPA to date was a fine of EUR 18 million on the Austrian Postal Service ("Österreichische Post AG") in October 2019. The DPA fined the Austrian Postal Service for processing the likely political affiliations of Austrian citizens without their consent. The Austrian Postal Service relied mainly on Section 151 of the Austrian Trade Act 1994 ("Gewerbeordnung 1994", "GewO"), which regulates address brokers; that provision does not differentiate between types of data but limits their use to marketing purposes. The Austrian Postal Service took the view that predictions about a data subject's political affiliation do not in and of themselves constitute special categories of personal data under Article 9 GDPR. The penalty did not become final: the Austrian Postal Service appealed the decision, and the Austrian Federal Administrative Court ("Bundesverwaltungsgericht") overturned the penalty notice on formal grounds.

In September 2021, the DPA fined the Austrian Postal Service EUR 9.5 million for allegedly not allowing data subjects to submit data protection requests by e-mail. The DPA found that, in addition to the contact channels offered by the Austrian Postal Service (post, a web contact form and customer service), data protection-related requests must also be accepted by e-mail. The Austrian Postal Service filed an appeal. The decision is not final.

In 2022, the Austrian DPA fined REWE International AG EUR 8 million. Shortly before that, in the summer of 2021, its subsidiary "Unser Ö-Bonus Club GmbH" received a fine of EUR 2 million. The fines were based on various violations of the GDPR, in particular in connection with allegedly failing to obtain valid consent. Further details on these cases are not publicly available at the moment. Both decisions were appealed and are not final.


Organisation of authorities, procedure and publicising of fine proceedings

How is the data protection authority organised in Austria? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

There is only one data protection authority responsible for enforcing the GDPR and the Austrian Data Protection Act ("Datenschutzgesetz" – "DSG") in Austria.

The data protection authority is a federal authority assigned to the Ministry of Justice. With some 48 employees, this authority may be considered a small to medium-sized authority compared to other authorities in Austria.

How does a fine procedure work in Austria? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

The data protection authority may directly impose fines as part of administrative criminal proceedings. Administrative criminal proceedings are governed by the Austrian Administrative Penal Act ("Verwaltungsstrafgesetz" – "VStG").

The procedure usually starts with a formal notification to the party concerned that penal proceedings have been opened (often as a result of ongoing general administrative proceedings in which the data protection authority has requested and received information from the controller/processor). The party concerned has the right to comment on the factual and legal aspects of the case before the data protection authority issues the penalty notice ("Strafbescheid").

When the authority has completed the necessary investigations, the proceedings conclude either with a penalty notice, a discontinuation or an admonition. The proceedings are not open to the public.

The party concerned may lodge an appeal against the penalty notice; the appeal must be submitted to the data protection authority itself. Within two months of receiving the appeal, the data protection authority may issue a preliminary appeal decision ("Beschwerdevorentscheidung"), i.e. it may amend its own decision or reject or dismiss the appeal. If the data protection authority does not issue a preliminary decision, it must submit the appeal together with the case file to the Austrian Federal Administrative Court.

If the data protection authority issues a preliminary decision on the appeal, the party may, within two weeks of receiving the decision, request that the appeal be submitted to the Austrian Federal Administrative Court.

A party may appeal against decisions of the Federal Administrative Court to the Supreme Administrative Court ("Verwaltungsgerichtshof") or, where the party claims that the decision violates constitutionally guaranteed rights, to the Constitutional Court ("Verfassungsgerichtshof").

When fines are imposed by the data protection authority: Where does the money go? (e.g., the State treasury, the authority's budget)?

The fines are transferred to the federal treasury.

Is there a common, official calculation methodology for fines in Austria (such as the fining models in the Netherlands or Germany)?

No, there is no publicly available official calculation method for fines in Austria. However, the DPA has internal guidelines for calculating fines, and these are now expected to be aligned with the guidelines of the European Data Protection Board ("EDPB").

On 16 May 2022 the EDPB published for consultation its guidelines on the calculation of fines under the GDPR. The guidelines set out five steps for the calculation of a fine: (1) identifying the processing operations in the case and evaluating the application of Art 83(3) GDPR; (2) finding the starting point for the further calculation; (3) evaluating aggravating and mitigating circumstances related to the past or present behaviour of the controller/processor and increasing or decreasing the fine accordingly; (4) identifying the relevant legal maximum for each processing operation, which the amount resulting from the previous or subsequent steps may not exceed; (5) analysing whether the final amount meets the requirements of effectiveness, dissuasiveness and proportionality under Art 83(1) GDPR and increasing or decreasing the fine accordingly.

The guidelines are meant to harmonise the methodology for calculating fines for GDPR breaches and to increase transparency across the European Economic Area. As to their legal nature, EDPB guidelines are "soft law" and have no legally binding effect. However, national data protection authorities are expected to decide in line with them, since the considerations set out in the guidelines were developed and adopted in cooperation with all members of the EDPB (i.e. all European data protection authorities). It is too early to tell whether these guidelines will result in higher or lower fines on average. The Austrian DPA is probably already using a very similar calculation method (which it has not made public, however).

Can public authorities be fined in Austria? If they can: Where does this money go?

According to Section 30(5) of the Austrian Data Protection Act, administrative fines cannot be imposed on authorities and public entities, in particular bodies established under public or private law that act on the basis of a statutory mandate, and public-law corporations.

In Austria, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

The DPA does not publish all fines imposed, nor the related procedural steps. A selection of the DPA's decisions can be accessed via the Federal Legal Information System ("Rechtsinformationssystem" – "RIS"), a database covering federal and state law as well as case law. The decisions are anonymised.

In addition, the DPA publishes a newsletter which addresses landmark cases and trends, on an anonymised basis.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?

The DPA publishes a "Data Protection Report" every year. In this report, the DPA provides information on the number of the various proceedings it conducted (i.e. individual complaint-handling procedures (national/cross-border), data breach notification proceedings, approval of codes of conduct, etc.). In addition, the DPA provides executive summaries of the decisions it considers most important.

In 2020, 142 fining procedures were completed. How many of them resulted in a fine is not public, as the DPA may also have closed proceedings with a warning or discontinued them.

In 2021, 267 fining procedures were completed, with proceedings against natural persons constituting the majority of cases. 36 proceedings resulted in fines (11 against legal entities, 25 against natural persons), 7 proceedings resulted in warnings. In total, the DPA imposed approximately EUR 24,700,000.00 in fines for the year 2021.


Other legal consequences of non-compliance

Does Austria have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

Austrian data protection law does not provide for any model declaratory proceedings/class actions. However, consumer protection associations are able to assert the rights held by consumers in court. It was unclear whether these consumer protection associations could also take on data protection issues. The ECJ was due to rule in preliminary ruling proceedings (C-701/20), further to a request from the Austrian Supreme Court of Justice (OGH 25.11.2020, 6 Ob 77/20x), on whether such consumer protection associations may litigate cases on the basis of the GDPR and national data protection law.

In May 2022, the Austrian Supreme Court withdrew its request for a preliminary ruling after the ECJ had ruled in favour of a right of action for consumer protection associations in a similar case originating in Germany (C-319/20). According to the ECJ, authorising such associations to litigate in the collective interest of consumers contributes to strengthening the rights of data subjects and ensures a high level of protection. In addition, actions brought by these associations are likely to prove more effective than numerous individual lawsuits filed by individual data subjects.

The Austrian proceedings that led to the request for a preliminary ruling (6 Ob 77/20x) have been resumed and are still pending.

What is more relevant in Austria: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

Under Austrian tort law, any damage must have been adequately caused by the violation and must be proven. Austrian law does not provide for punitive damages. Civil courts may grant injunctions and rule on claims for damages, which may also cover immaterial damage, i.e. damage that does not correspond to a calculable financial loss. To date, the civil courts have awarded rather low compensation for immaterial damage.

To date, the fines imposed by the DPA seem to exceed the damage compensations awarded by civil courts, as these only assess the actual damages caused by the violation. Nevertheless, we expect the number of lawsuits brought before civil courts to continue to increase in coming years.

In January 2022, a claimant was awarded EUR 100.00 in damages by the Munich Regional Court after visiting a website that used Google Fonts. The court based its decision on the fact that, when Google Fonts is embedded dynamically, the visitor's browser fetches the fonts from Google's servers, so that personal data (namely the visitor's IP address) is transferred to the USA, a third country without an adequate level of data protection under the GDPR. An Austrian lawyer took the Munich decision as an opportunity to send thousands of threatening legal letters with similar demands to website operators in Austria that had integrated Google Fonts on their websites. The letters offered to waive a lawsuit and further legal action in return for a settlement payment of EUR 100.00 to the alleged data subject, who claimed compensation for the alleged GDPR breach. Two court proceedings concerning this matter are currently pending in Austria, one of which has recently been stayed because of a case pending before the ECJ (C-300/21).
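The technical point behind these cases is that a page which loads its fonts from Google's servers makes every visitor's browser connect to those servers, which necessarily transmits the visitor's IP address. The following scanner is an added example and not part of the original article: it flags the references in a page's HTML and CSS that trigger such a connection (stylesheet links, preconnect hints, `@import` rules and `@font-face` sources pointing at `fonts.googleapis.com` or `fonts.gstatic.com`, the hosts used by Google Fonts' standard embed snippet) and shows that a self-hosted copy of the same font produces no findings. The two sample pages are constructed for the example.

```python
"""Find HTML/CSS references that would make a visitor's browser contact
Google's font servers.  Added example; the sample pages are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts used by the Google Fonts embed snippet: CSS from googleapis, files from gstatic.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}

# url(...) with optional quotes, or @import "..." without url().
_CSS_URL_RE = re.compile(
    r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""", re.I)


def _is_google_fonts_host(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in GOOGLE_FONT_HOSTS)


def _css_urls(css: str):
    for m in _CSS_URL_RE.finditer(css):
        yield m.group(1) or m.group(2)


class _FontRefScanner(HTMLParser):
    """Collects (location, url) pairs for every load from a Google Fonts host."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._style_buf = None  # text of the <style> block currently open

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._style_buf = []
        # <link rel="stylesheet"|"preconnect" href=...>, <script src=...>, etc.
        for attr in ("href", "src"):
            value = attrs.get(attr)
            if value and _is_google_fonts_host(value):
                self.findings.append((f"<{tag}> {attr}", value))
        # url(...) inside an inline style attribute
        for u in _css_urls(attrs.get("style") or ""):
            if _is_google_fonts_host(u):
                self.findings.append((f"<{tag}> style", u))

    def handle_data(self, data):
        if self._style_buf is not None:
            self._style_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._style_buf is not None:
            # scan the whole block at once so a rule split across chunks is not missed
            for u in _css_urls("".join(self._style_buf)):
                if _is_google_fonts_host(u):
                    self.findings.append(("<style> block", u))
            self._style_buf = None


def find_google_font_references(html: str) -> list:
    """Return [(location, url), ...]; an empty list means no Google Fonts load."""
    scanner = _FontRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: the dynamic embed as served by the Google Fonts snippet.
DYNAMIC_PAGE = """<!doctype html><html><head>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto&display=swap">
<style>
  @import url('https://fonts.googleapis.com/css2?family=Open+Sans');
  @font-face { font-family: Lato;
    src: url(https://fonts.gstatic.com/s/lato/v24/abc.woff2) format("woff2"); }
</style></head><body><p style="font-family: Roboto">Hello</p></body></html>"""

# Constructed sample: same font served from the operator's own origin.
SELF_HOSTED_PAGE = """<!doctype html><html><head>
<style>
  @font-face { font-family: Roboto; font-display: swap;
    src: url(/fonts/roboto-regular.woff2) format("woff2"); }
</style></head><body><p style="font-family: Roboto">Hello</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("dynamic", DYNAMIC_PAGE), ("self-hosted", SELF_HOSTED_PAGE)):
        hits = find_google_font_references(page)
        print(f"{name}: {len(hits)} Google Fonts reference(s)")
        for where, url in hits:
            print(f"  {where}: {url}")
```

The scanner only inspects static markup; fonts injected by scripts at runtime are not seen, so a check in a real deployment should also be run against the browser's network log. Note that a `preconnect` hint alone already opens a connection, which is why it is reported as well.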

Similarly, in January 2023, a private lawsuit was filed against the Austrian organisation that collects the national broadcasting fee ("Gebühren Info Service GmbH" – "GIS") over a data leak that occurred in 2020. The DPA had not sanctioned the leak because GIS is considered a public entity on which the DPA cannot impose fines.

Regardless of the outcome of these cases (the lawyer responsible for the threatening letters is under investigation by the Austrian public prosecutor's office on suspicion of fraud), a trend towards lawsuits before the civil courts is undoubtedly emerging.