GDPR Enforcement in Austria

Deep dive into relevant data protection enforcement cases and insights from Austria

21 May 2026 Serbia 17 min read

Main takeaways

The Austrian DPA has issued decisions scrutinising cookie banner design and transparency and has examined Microsoft 365 Education deployments (including cookie use and third country involvement), signalling continued enforcement focus on cookies, disclosures and international processing (DSB, D135.027).
EUR 16 million fine against Austrian Post: The highest fine to date in Austria, EUR 16 million, was imposed on Österreichische Post AG by the Federal Administrative Court after the ECJ clarified that GDPR fines can be imposed directly on legal entities. This decision is not yet final.
Class actions on the rise: GDPR-related class actions are gaining traction in Austria. The consumer association VKI and NGO noyb (officially recognised as a ‘Qualified Entity’ under the EU Representative Actions Directive) are actively pursuing collective redress actions for data protection violations.
Fines outweigh civil damages – but litigation is growing: Fines imposed by the DPA generally exceed civil damages awarded by courts. However, litigation before civil courts is increasing and expected to grow further, especially in light of recent ECJ case law clarifying non-material damages.
Focus on telecoms, media and public authorities: The DPA has recently targeted telecoms companies (especially regarding DPO roles and third-country data transfers), imposed fines on media companies for lack of cooperation and plans to audit regional police directorates in 2025 with a focus on the right to erasure and on the modalities for exercising data subject rights in general.
Managing directors cannot be DPOs: The Austrian DPA has clarified that managing directors cannot simultaneously act as data protection officers, as it undermines independence – resulting in fines for companies breaching this rule.
Public entities cannot be fined – but can face civil liability: While public authorities are exempt from administrative fines, they can be liable for civil damages. In 2024, the City of Baden was ordered to pay EUR 500 per affected individual after a data breach exposed 33,000 records – significant liability potential even without proven misuse.
Internal fine calculation, guided by the EDPB model: Austria lacks a publicly available fine calculation model, but the DPA uses an internal framework now aligned with EDPB guidelines. Nevertheless, fine amounts remain discretionary and often face reductions by the Federal Administrative Court.
Increasing procedural volume and fining activity: After years of legal uncertainty due to ECJ referrals, fining activity has surged again – 214 procedures were completed in 2024, with 62 resulting in fines totalling around EUR 1.7 million.

Fining practice

Trend: Have the national data protection authorities in Austria focused on certain types of non-compliance... Do you see a focus on certain industries/sectors? If so, which ones?

Last year the Austrian data protection authority (“Datenschutzbehörde” – “DPA”) conducted in-depth audits of corporations in the telecoms sector. The authority focused in particular on compliance with the general obligations for the processing of personal data, on the security of processing and on transfers of personal data to third countries. In addition, the DPA examined the position of the data protection officer (“DPO”) within the telecommunications industry.

One of the highest fines in 2024, EUR 15,200.00, was imposed on a media company that did not respond to repeated requests from the DPA to comment on complaints. The company thereby violated the obligation to cooperate with the supervisory authority under Article 31 GDPR. The media company lodged an appeal before the Federal Administrative Court. That appeal is still pending, but the Federal Administrative Court has already confirmed on multiple occasions that a lack of cooperation is punishable under Article 31 GDPR (see DSB 02.01.2024, 2023-0.849.065).

The Austrian Data Protection Authority (DPA) regularly conducts annual audits targeting specific sectors such as banks, hospitals or insurance companies, each year focusing on selected GDPR provisions — for example, in 2024, the right of access. For 2025, the DPA announced that its focus will be on the regional police directorates, reviewing compliance with the GDPR and Chapter 3 of the Austrian Data Protection Act, which implements Directive (EU) 2016/680. The investigations began with requests for records of processing activities and detailed questionnaires addressing both general and law enforcement–specific data protection practices. These procedures may include oral hearings and on-site inspections. A particular emphasis is placed on the right to erasure under Article 17 GDPR and on the modalities for exercising data subject rights, guided by a coordinated questionnaire developed within the framework of the European Data Protection Board’s Coordinated Enforcement Framework (CEF).

Another examination by the DPA in 2024 concerned a company that had appointed its managing director as data protection officer. The authority found that a managing director cannot independently monitor compliance, which is the DPO's core task. The company had therefore appointed an unsuitable person as data protection officer and thus violated Art. 38 (6) GDPR. A fine of EUR 5,000 was imposed.

Overall, what was the most significant fine in Austria to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?

As reported in last year's edition, the DPA imposed a fine of EUR 18 million on the Austrian Postal Service (“Österreichische Post AG”) in October 2019. This penalty never became final: the Austrian Postal Service appealed the decision, and the Austrian Federal Administrative Court overturned the penalty notice due to a formal error. The DPA lodged an official appeal against this decision (case number Ra 2020/04/0187) with the Austrian Supreme Administrative Court (“VwGH”). The VwGH paused these proceedings in order to await the decision of the ECJ in the Deutsche Wohnen SE case on the liability of legal persons under the GDPR. The ECJ subsequently held that legal entities are liable for infringements if “any” employee is responsible for the infringement, even if that person is not a managing director and does not belong to a management body. Culpable conduct by the person concerned is, however, still required.

Based on this ECJ decision, the VwGH found that the Federal Administrative Court should not have quashed the penalty merely because the DPA could not name the natural person responsible for the infringement. As a result, the decision of the Federal Administrative Court was ruled unlawful and annulled by the VwGH. On 27 December 2024, the Federal Administrative Court decided again on the appeal and imposed a fine of EUR 16 million on the Austrian Postal Service. This decision is not final, as the Austrian Postal Service has already lodged an official appeal against it with the VwGH and a complaint with the Constitutional Court (“VfGH”).

Organisation of authorities and course of fine proceedings in Austria

How is the data protection authority organised in Austria? Budget, staff, assignment to a ministry?

There is only one DPA responsible for enforcing the GDPR and the Austrian Data Protection Act (“Datenschutzgesetz” – “DSG”) in Austria.

The DPA is a federal authority assigned to the Ministry of Justice. With some 70 employees, it may be considered a small to medium-sized authority compared to other authorities in Austria. The DPA had a budget of around EUR 6.1 million in 2025, which has been reduced to EUR 5.9 million for 2026.

How does a fine procedure work in Austria? Can the authority impose fines itself? Procedural steps? Legal remedies?

The DPA may directly impose fines as part of administrative criminal proceedings. Such proceedings are governed by the Austrian Administrative Penal Act (“Verwaltungsstrafgesetz” – “VStG”).

The procedure usually starts with a formal notification issued to the party concerning the opening of penal proceedings (often as a result of ongoing general administrative proceedings in which the data protection authority has requested and received information from the controller/processor). The affected party has the right to comment on factual and legal aspects of the case before the data protection authority issues the penalty notice (“Strafbescheid”).

When the authority has completed the necessary investigations, the proceedings conclude either with a penalty notice, a discontinuation or an admonition. The proceedings are not open to the public.

The party concerned can lodge an appeal against the penalty notice, which must be submitted to the DPA itself. The DPA may issue a preliminary appeal decision within two months of receiving the appeal, i.e. it may amend the decision it has issued or may reject or dismiss the appeal. If the DPA does not issue a preliminary decision, it must forward the appeal together with the case files to the Austrian Federal Administrative Court.

If the DPA does issue a preliminary decision on the appeal, the party may, within two weeks of receiving that decision, request that the appeal be submitted to the Austrian Federal Administrative Court.

A party may challenge decisions of the Federal Administrative Court before the VwGH or before the Constitutional Court (“Verfassungsgerichtshof”); a complaint to the Constitutional Court is only admissible where the party alleges a violation of constitutionally guaranteed rights.

When fines are imposed: Where does the money go? (state treasury / authority budget / other)

The fines are transferred to the federal treasury.

Is there an official calculation methodology for fines in Austria?

No, there is no publicly available official calculation method for fines in Austria. However, the DPA has internal guidelines for calculating fines, and these internal guidelines are now aligned with the guidelines of the European Data Protection Board (“EDPB”).

On 16 May 2022 the EDPB published its guidelines on the calculation of fines under the GDPR for public consultation. The guidelines set out five steps for calculating a fine: (1) identifying the processing operations in the case and assessing whether Article 83 (3) GDPR applies (several infringements arising from the same or linked processing operations); (2) determining the starting point for the calculation, based on the seriousness of the infringement and the turnover of the undertaking; (3) evaluating aggravating and mitigating circumstances related to the past or present behaviour of the controller/processor and increasing or decreasing the amount accordingly; (4) identifying the relevant legal maximums for the different processing operations, which the amount resulting from the previous or subsequent steps may not exceed; and (5) analysing whether the resulting amount meets the requirements of effectiveness, dissuasiveness and proportionality under Article 83 (1) GDPR and adjusting it accordingly.

The guidelines are intended to harmonise the methodology for calculating fines for GDPR breaches and to increase transparency across the European Economic Area. As to their legal nature, EDPB guidelines are “soft law” and therefore have no legally binding effect. National data protection authorities are nonetheless expected to decide in line with them, since the guidelines were developed and adopted in cooperation with all members of the EDPB (and thus with all European data protection authorities). The Austrian DPA refers to the EDPB guidelines in its decisions when calculating the fines it imposes. At the same time, the authority points out that the exact determination of the penalty remains a discretionary decision under the Austrian Administrative Penal Act. Although the DPA's calculations are based on the EDPB guidelines, many of the fines it imposed were significantly reduced by the Austrian Federal Administrative Court in 2024. In order to preserve the general deterrent effect of fines, the DPA refers selected cases to the VwGH by way of an official appeal.

Can public authorities be fined in Austria? If yes: Where does this money go?

According to section 30 (5) Austrian Data Protection Act, administrative fines cannot be imposed on authorities and public entities, in particular bodies organised under public or private law that act on the basis of a statutory mandate, and public-law corporations.

However, civil liability for damages remains possible. In a notable case, the Regional Court of Wiener Neustadt ordered the City of Baden to pay damages for a data breach that occurred in March 2022. This ruling was recently confirmed by the Higher Regional Court of Vienna. The incident involved the early release of new Baden-Card features despite an incomplete IT configuration, as a result of which 33,000 data records, including personal and payment information, were accessible online for several days. Although no actual misuse or theft of the data was proven, the court found that the fear and stress experienced by the affected individuals justified compensation.

The Higher Regional Court reaffirmed that, under the GDPR, liability for non-material damage does not require proof of actual misuse of the data; the exposure of the data and the resulting emotional distress are sufficient. The court also clarified that the City of Baden could not shift responsibility to its IT contractor, as it had knowingly launched a system with security gaps. This position is in line with the ECJ's 2023 decision in case C-340/21, which confirmed that public bodies and companies can be held liable for data breaches even where no concrete material harm is shown. While damages were set at EUR 500 per individual, the financial impact could be substantial if all 33,000 affected individuals pursued claims, amounting to up to EUR 16.5 million.

Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?

The DPA does not publish all fines imposed, nor the related procedural steps. A selection of the decisions made by the DPA can be accessed via the Federal Legal Information System (“Rechtsinformationssystem” – “RIS”), a database covering federal and state law as well as case law. The decisions are anonymised.

In addition, the DPA publishes a newsletter which addresses landmark cases and trends on an anonymised basis.

If no individual publication: aggregated figures? Provide annual figures from 2019 onwards (if available).

The DPA publishes a "Data Protection Report" every year. In this report, the DPA provides figures on the various types of proceedings it conducts (individual complaint procedures (national/cross-border), data breach notification proceedings, approval of codes of conduct, etc.). In addition, the DPA provides executive summaries of what it considers to be its most important decisions.

In 2021, 267 fining procedures were completed, with proceedings against natural persons constituting the majority of cases. 36 cases resulted in fines (11 against legal entities, 25 against natural persons), 7 cases resulted in warnings. In total, the DPA imposed approximately EUR 24.7 million in fines for the year 2021.

In 2022, 122 fining procedures were completed, all of them against natural persons. In total, 28 fines and 7 warnings were issued, and the DPA imposed only around EUR 50,000 in fines for the year. This is due to the preliminary ruling proceedings pending at the ECJ since 21 December 2021 (C-807/21, Deutsche Wohnen SE), which concerned the liability of legal entities. Administrative procedures against legal entities were postponed until the ECJ had ruled on this matter.

On 5 December 2023, the ECJ held that the administrative fines provided for in Article 83 GDPR may be imposed directly on legal entities (ECJ of 5 December 2023, C-807/21, Deutsche Wohnen SE, margin no. 44). Many of the postponed procedures against legal entities were therefore resumed and decided in 2024. The 2023 figures on imposed fines are consequently not truly indicative, as they are distorted by the high number of postponed procedures.

In 2024, a total of 214 fining procedures were completed. 62 cases ended in fines. In total, the Data Protection Authority imposed fines of around EUR 1.7 million in 2024.

Other legal consequences of non-compliance in Austria

Does Austria have model declaratory proceedings/class actions in data protection law?

Austrian data protection law does not provide for model declaratory proceedings or class actions. However, consumer protection associations are able to assert consumers' rights in court. For some time it was unclear whether these associations could also take on data protection matters. The ECJ was due to rule on this in preliminary ruling proceedings (C-701/20, Avis Autovermietung Gesellschaft mbH) following a request from the Austrian Supreme Court of Justice (“OGH”) (OGH 25 November 2020, 6 Ob 77/20x) as to whether such associations may litigate cases on the basis of the GDPR and national data protection laws.

In May 2022, the OGH withdrew its request for a preliminary ruling after the ECJ had affirmed a right of action for consumer protection associations in a similar case originating in Germany (C-319/20, Meta Platforms Ireland Limited). According to the ECJ, authorising such associations to litigate in the interest of consumers contributes to strengthening the rights of data subjects and ensures a high level of protection. Moreover, actions brought by such associations are likely to prove more effective than numerous individual lawsuits filed by individual data subjects.

In line with the above ruling, the OGH has consistently held in recent decisions that consumer protection associations are entitled to bring actions to enforce consumers' rights in relation to alleged breaches of the GDPR, for example in relation to general terms and conditions.

Class actions under the GDPR are thus gaining traction, meaning individuals are increasingly joining forces to assert their data protection rights collectively. In Austria, the consumer association VKI (Verein für Konsumenteninformation) has become active in pursuing representative actions, particularly in cases involving data breaches or unlawful data processing. These actions aim to simplify and strengthen consumer enforcement of GDPR rights. Further, the NGO noyb (None of Your Business), founded by privacy advocate Max Schrems, has been officially recognised as a ‘Qualified Entity’ under the EU Representative Actions Directive (EU) 2020/1828. This status empowers noyb to bring collective redress actions—effectively class actions—on behalf of consumers. As a result, both VKI and noyb are now using their legal standing to initiate GDPR enforcement on a broader, more impactful scale, posing increased legal risks for companies that fail to comply with data protection obligations.

What is more relevant: fines from authorities or court proceedings (damages/injunctions)? Outlook for the coming 12 months?

Under Austrian tort law, any damage must be adequately caused by the infringement and proven by the claimant. Austrian law does not provide for punitive damages. Civil courts may grant injunctions and rule on claims for damages, which may cover non-material damage as well. Non-material damage is not tied to a calculable financial loss. To date, the civil courts have awarded rather low compensation for non-material damage.

To date, the fines imposed by the DPA have tended to exceed the damages awarded by civil courts, since civil damages only reflect the actual damage caused by the violation. Nevertheless, we expect the number of lawsuits brought before civil courts to continue to increase in the coming years.

In January 2022, the Munich Regional Court awarded a claimant EUR 100 in damages after he had visited a website that embedded Google Fonts. The court based its decision on the fact that, where Google Fonts are loaded dynamically from Google's servers, personal data of website visitors (namely the IP address) is transferred to the USA, which the court regarded as a third country without an adequate level of data protection under the GDPR. An Austrian lawyer took this decision as an opportunity to send thousands of warning letters with similar demands to website operators in Austria that had integrated Google Fonts on their websites. The letters stated that a lawsuit and further legal action would be waived if the website operator paid EUR 100 to the data subject named in the letter, who claimed compensation for the alleged breach of the GDPR. Two court proceedings concerning this matter were pending in Austria, one of which was stayed pending a case before the ECJ (C-300/21, Österreichische Post AG). In October 2023, a court of first instance in Vienna decided the other case: it held that these warning letters concerning the use of Google Fonts on websites constituted an abuse of rights and did not award the amount demanded. These proceedings are not yet over, as the opposing party has filed an appeal and the case is currently pending before the court of second instance.

Moreover, in January 2023, a private lawsuit was filed against the Austrian organisation responsible for collecting the national broadcasting fee ("Gebühren Info Service GmbH" – “GIS”) for a data leak that occurred in 2020. The DPA had not sanctioned the leak because GIS is considered a public entity on which the DPA cannot by law impose fines. The case was decided in July 2025 (6 Ob 62/25y). The Austrian Supreme Court confirmed that civil proceedings against public authorities are possible in principle. It denied this, however, for data processing carried out in the exercise of sovereign authority, holding that legal protection in that sphere is already sufficiently provided by a tribunal, namely the Federal Administrative Court.

In October 2025, a noteworthy ruling by the Higher Regional Court established that civil judgments must be based on the findings of previous administrative proceedings in order to ensure the consistent application of data protection legislation. 

As already mentioned above, in September 2024 the City of Baden was ordered to pay compensation of EUR 500 per person for a data leak that occurred in 2022. 33,000 people were affected by the breach; if all of them claimed EUR 500, the total would be EUR 16.5 million. The Higher Regional Court stated that proof of actual misuse of the data is not required. This decision is in line with the ECJ's ruling of 14 December 2023 (C-340/21), according to which companies and authorities can be held liable for data leaks even without demonstrable material damage.

Irrespective of the outcome of these cases, there is a clear trend towards data protection litigation before civil courts in Austria. The recent case law of the European Court of Justice clarifying the conditions for damages is expected to further increase the number of data protection cases before civil courts. This trend is reinforced by the fact that the DPA has had to scale down its data protection activities due to additional responsibilities under the AI Act and the recent Austrian Freedom of Information Act, while facing budget cuts at the same time.
