Data Law Navigator | Austria
Information on Data Protection and Cyber Security laws from CMS experts
The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Last reviewed 11 July 2019
- General Data Protection Regulation (GDPR)
- Austrian Data Protection Act 2018 (DPA 2018)
- Austrian Telecommunications Act 2003 (TCA 2003)
- Austrian Act on Health Telematics (Gesundheitstelematikgesetz 2012) – GTelG 2012
- Regulation of the Austrian Data Protection Authority on processing operations for which a Data Protection Impact Assessment is to be carried out (Federal Law Gazette II No. 278/2018)
- Regulation of the Austrian Data Protection Authority on exemptions of the Data Protection Impact Assessment (Federal Law Gazette II No. 108/2018)
Austrian Data Protection Authority: https://www.dsb.gv.at/
If applicable: Stage of legislative implementation of GDPR
The Austrian Data Protection Act 2018 (DPA 2018) became effective on 25 May 2018.
If applicable: local derogations as permitted by GDPR
The following derogations exist:
- publicly available data is only protected under the Data Protection Act 2018 if it is not used for historical research or statistical purposes (§ 7 DPA 2018);
- providing addresses in order to inform or interview data subjects requires no consent of the data subjects if an infringement of the data subjects’ interests in confidentiality is unlikely, considering the selection criteria for the group of data subjects and the subject of the information or interview (§ 8 DPA 2018);
- children’s age to lawfully consent is lowered to 14 years (§ 4(4) DPA 2018);
- obligation of the Austrian ministries to appoint at least one Data Protection Officer (Art 37 GDPR);
- the Austrian Data Protection Authority is authorised to issue fines (§ 30 & 62 DPA 2018);
- CCTV regulations (§ 12 & 13 DPA 2018);
- if necessary to reconcile the right to the protection of personal data with the freedom of expression and information, in particular with regard to the processing of personal data for journalistic purposes as referred to in the Austrian Media Act, GDPR does not apply (§ 9 DPA 2018);
- § 10 DPA 2018 allows for processing of personal data in case of emergency;
- Regulation of the Austrian Data Protection Authority on processing operations for which a Data Protection Impact Assessment is to be carried out (Federal Law Gazette II No. 278/2018):
  - lays down a catalogue of criteria which results in the controller’s obligation to conduct a data protection impact assessment
  - implementation act pursuant to Art 35(4) GDPR
- Regulation of the Austrian Data Protection Authority on exemptions of the Data Protection Impact Assessment (Federal Law Gazette II No. 108/2018):
  - lays down a list of processing operations for which no data protection impact assessment is required
  - implementation act pursuant to Art 35(5) GDPR
- Automated and non-automated data processing operations;
- Information relating to data subjects who are identified or identifiable (natural persons; the fundamental right to data protection established in the constitutional provision of § 1 DPA 2018 continues to include legal persons. This relates to political difficulties at the time of the adoption of the DPA 2018: no constitutional provisions could be amended due to the absence of the required 2/3 majority in parliament. This contradiction between DPA 2018 and GDPR will have to be interpreted in line with the constitution, so that § 1 DPA 2018 in conjunction with § 4(1) DPA 2018 continues to protect legal persons, with the restriction that it only covers the scope specified in § 1(2) DPA 2018);
- The party determining the purposes and means of the processing of personal data, established in Austria (“data controller”);
- The party, processing the data on behalf of the data controller, if the data controller is subject to DPA 2018 (“data processor”);
- Data controllers established outside Austria but within an EU member state, that use personal data for an establishment that the data controller has in Austria;
- Data controllers not established in any EU Member State which use personal data in Austria;
Sanctions under the GDPR:
Financial penalties are the primary sanction against the controller and the processor, thus, against the company.
- up to € 10 million or up to 2% of total global sales for companies (in case of invalid consent of children, violation of privacy by design, etc.);
- up to € 20 million or up to 4% of total global sales for companies (in case of violation of principles (including consent), inadmissible transfer to third countries, etc.).
Sanctions under the DPA 2018:
Non-compliance with DPA 2018 may result in complaints, data protection authority audits and/or orders, administrative fines, seizure of equipment or data and civil actions and/or criminal proceedings.
The Austrian Data Protection Authority may issue administrative fines of up to EUR 50,000 for non-compliance with DPA 2018. A fine under DPA 2018 will only be imposed if the offence does not also constitute an offence under Article 83 GDPR (DSGVO) ("catch-all clause").
Fines may be imposed on legal persons
- because of an executive's violation; or
- for monitoring or control failures.
A legal person is responsible for breaches if an executive fails to comply with supervisory duties or fails to put organisational measures in place, thereby enabling an offence to be committed by a person working for the company. Moreover, fines may be imposed on a responsible person in accordance with § 9 Administrative Penal Act 1991.
Registration / notification
DPA 2018 does not provide for any obligations to notify data applications to the data protection authority (data processing register), nor does it provide for the same authorisation procedures as the previous law.
In the case of video surveillance, there is no longer a notification requirement.
Main obligations and processing requirements
- Information requirements - a data controller that collects personal data must provide data subjects with information on: the data controller’s identity (name, address, contact details); the processing purposes and legal basis; the data categories; the data recipients (solely if the data is subject to a controller-to-controller transfer); if consent is needed, the possibility to revoke the consent at any time shall be indicated; and the data subject’s rights.
- Consent requirements - if consent is needed, electronic and paper consent is permissible and deemed effective if it is properly structured and evidenced. The data subject has to be provided with information on: the data controller’s identity; the processed data categories; the recipients (if they are data controllers as well); the processing purposes; and the right to revoke consent at any time.
- Outsourcing requirements - Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject (Art 28 GDPR).
Data subject rights
In Chapter III, the GDPR expressly provides for the following data subject rights:
- Right of access by the data subject (Art 15 GDPR)
- Right to rectification (Art 16 GDPR)
- Right to erasure (Art 17 GDPR)
- Right to restriction of processing (Art 18 GDPR)
- Right to data portability (Art 20 GDPR)
- Right to object (Art 21 GDPR)
- Right not to be subject to a decision based solely on automated processing, including profiling (Art 22 GDPR)
The GDPR contains additional rights of the data subject, such as the right to be informed (Art 13 & 14 GDPR), the right to lodge a complaint with the Austrian supervisory authority (Art 77 GDPR in conjunction with § 24 DPA 2018) and the right to an effective judicial remedy (Art 78 & 79 GDPR).
Transfers out of country
- Transfer to third countries is essentially prohibited; exceptions: consent, performance of a contract, legitimate interests. Permitted transfer mechanisms:
- Commission has established that third country has a suitable level of data protection.
- Standard data protection clauses (Commission or controlling authority).
- Internal data protection regulations (binding corporate rules).
- Privacy Shield certified recipients in the US.
- Code of conduct and certification mechanisms.
- If “appropriate safeguards” exist, no approval of the authority is required for the transfer to a third country.
- If authorization has already been given by the supervising authority, then this remains in place.
Data Protection Officer
Mandatory for controllers and processors, if:
- authority or public body or
- core activity consists of extensive regular and systematic monitoring or
- the core activity is the extensive processing of special categories of data or criminal data.
Austrian ministries are legally obliged to appoint at least one Data Protection Officer (Art 5(4) DPA 2018).
Under Art 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Art 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the data breach to the data subject without undue delay.
No general additional requirements under local law apply.
The Austrian Telecommunications Act 2003 contains provisions regulating the use of personal data in the context of advertising and marketing (please see below under the section “Cookies”).
§ 151 Austrian Trade Regulation regulates (as lex specialis to the GDPR) the use of personal data for direct marketing purposes.
- the user is informed in detail in advance;
- the consent was given voluntarily, unambiguously and by an active act.
Last reviewed 11 July 2019
Laws and regulations
Network and Information System Security Act (“Netzwerk- und Informationssicherheitsgesetz” – NISG) as the implementing act of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union.
The NISG applies to operators of essential services (OES) in the following sectors:
- Energy (electricity, crude oil, natural gas)
- Transport (air, rail, water, road)
- Banking (credit institutions)
- Financial market infrastructures (trading venues, central counterparties)
- Healthcare (especially hospitals and private clinics)
- Drinking water supply
- Digital Infrastructure (Internet Exchange Points, DNS Service Providers, TLD Name Registries)
It further applies to
- providers of digital services (PDS) (online marketplaces, online search engines and cloud computing services)
- public administration bodies.
According to § 26 (2) NISG the local administrative authorities are the competent supervisory authorities.
Security measures
- Providing network and information security, defined by the NISG as the ability to prevent, detect, deter and eliminate security incidents.
- These security measures must be technically and organisationally appropriate and proportionate, comply with the state of the art and be adequate to the risk identified, with "reasonable effort".
- PDS must additionally consider factors such as the security of systems, i.e. implement an information security management system.
- OES are obliged to establish a computer emergency response team (CERT) for communication with authorities and computer emergency teams.
- Security incidents must be reported immediately to the national computer emergency team, containing all relevant information on the security incident and the technical background known at the time of the initial report, in particular the suspected or actual cause, the information technology involved and the type of facility or installation involved.
Sanctions under the NISG:
- Financial penalties of up to EUR 100,000 (§ 29 (1) NISG)
Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
The NISG provides for a national computer emergency team to be set up to ensure the security of the network and information systems. The National Computer Emergency Team and Sectoral Computer Emergency Teams shall assist OES and PDS. The Public Administration Computer Emergency Team (GovCERT) shall assist public administration bodies in managing risks, incidents and security incidents.
Is there a national incident management structure for responding to cyber security incidents?
Security incidents must be reported immediately to the national computer emergency team, containing all relevant information on the security incident and the technical background known at the time of the initial report, in particular the suspected or actual cause, the information technology involved and the type of facility or installation involved.
- https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20010536 (NISG – German)
- https://www.govcert.gv.at/nis-meldung/index/index_en.html (NIS-reporting)