Austria

Main takeaways


  • There is little transparency regarding the publication of fines, but the Austrian Data Protection Authority increasingly refers to the EDPB consultation guidelines on the calculation of fines under the GDPR in its decisions.
  • Class actions by consumer protection associations are permitted under the GDPR and are even encouraged by the ECJ. Practice has shown that the Austrian consumer protection association (the “Verein für Konsumenteninformation” – “VKI”) is increasingly filing such class actions.
  • Fines vs. Damages: Currently, fines seem to outweigh any damages awarded by civil courts. However, lawsuits before the civil courts are growing in number and are expected to continue to increase in coming years.
  • There is undoubtedly a trend towards data protection-related litigation before civil courts in Austria. The recent case law of the European Court of Justice, which provides clarity on damages, will further increase the number of data protection cases before civil courts.
  • Fines cannot be imposed on authorities and public entities.

Fining practice

Trend: Have the national data protection authorities in Austria focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?

The Austrian data protection authority (“Datenschutzbehörde” – “DPA”) conducted in-depth audits of corporations in the financial sector in the last year. The focus of these audits was especially on the usage and processing of personal data for marketing activities; in particular, the authority examined the legal basis of the data processing, the storage of the data and international data transfers. Further, the DPA focused its audits on the position of the Data Protection Officer (“DPO”) within financial institutions.

One of the highest fines in 2023, EUR 20,000.00, was imposed on a company that unlawfully filmed employees at the place of business. According to the DPA, the filming was not reasonable for the aims pursued and could not be based on any legal basis under Art 6 para. 1 GDPR. Further, the company did not maintain records of processing activities as required by Art 30 GDPR (see DSB 07.12.2023, 2023-0.583.644).

Generally, the DPA conducts annual official audits in certain sectors (e.g. banks, hospitals, insurance companies, etc.). While the specific sector of the 2024 official audits is not publicly available, the legal focus, according to the DPA, will be on the right of access by the data subject.

Another examination by the DPA in 2023 focused on the use of Google Fonts on websites and whether personal data is transferred to the US. The authority found that whether a data transfer takes place depends on several factors, such as the location of the user and whether Google Fonts is embedded from the website’s own server or loaded from Google. Thus, a case-by-case analysis has to be conducted when a complaint is filed.

Overall, what was the most significant fine in Austria to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?

As already reported last year, the DPA imposed a fine of EUR 18 million on the Austrian Postal Service (“Österreichische Post AG”) in October 2019. This penalty did not become final, as the Austrian Postal Service appealed the decision, and the Austrian Federal Administrative Court overturned the penalty due to a formal error. The DPA lodged an official appeal against this decision (case number Ra 2020/04/0187) with the Austrian Supreme Administrative Court (“VwGH”). The VwGH then paused these proceedings to await the decision of the ECJ in the Deutsche Wohnen SE case on the liability of legal persons under the GDPR. In the meantime, the ECJ has ruled that legal entities are also liable for infringements even if no management body or managing director is responsible for the infringement but “any” employee. However, culpable conduct by that person is still required in such a case.

Based on this ECJ decision, the VwGH found that the Federal Administrative Court should not have quashed the penalty simply because the DPA could not name the individual responsible for the damage. As a result, the decision of the Federal Administrative Court was unlawful and was annulled by the VwGH. The Federal Administrative Court will therefore have to decide on the appeal again; its decision is still pending.


Organisation of authorities and course of fine proceedings in Austria

How is the data protection authority organised in Austria? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

There is only one DPA responsible for enforcing the GDPR and the Austrian Data Protection Act (“Datenschutzgesetz” – “DSG”) in Austria.

The DPA is a federal authority assigned to the Ministry of Justice. With some 60 employees, this authority may be considered a small to medium-sized authority compared to other authorities in Austria. The DPA has an annual budget of around EUR 4.7 million.

How does a fine procedure work in Austria? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

The DPA may directly impose fines as part of administrative criminal proceedings. Administrative criminal proceedings are governed by the Austrian Administrative Penal Act (“Verwaltungsstrafgesetz” – “VStG”).

The procedure usually starts with a formal notification issued to the party concerning the opening of penal proceedings (often as a result of ongoing general administrative proceedings in which the data protection authority has requested and received information from the controller/processor). The affected party has the right to comment on factual and legal aspects of the case before the data protection authority issues the penalty notice (“Strafbescheid”).

When the authority has completed the necessary investigations, the proceedings conclude either with a penalty notice, a discontinuation or an admonition. The proceedings are not open to the public.

The party concerned can lodge an appeal against the penalty notice, which must be submitted to the DPA itself. The DPA may issue a preliminary appeal decision within two months of receiving the appeal, i.e. the data protection authority may amend the decision it has issued or may reject or dismiss the appeal. If the data protection authority does not issue a preliminary decision, it shall submit the appeal along with the files pertaining to the proceedings to the Austrian Federal Administrative Court.

If the data protection authority issues a preliminary decision on the appeal, the party may, within two weeks of receiving the decision, request that the appeal be submitted to the Austrian Federal Administrative Court.

A party may lodge an appeal against decisions made by the Federal Administrative Court with the VwGH or with the Constitutional Court (“Verfassungsgerichtshof”), with the latter court only if the party believes that the decision violates constitutional rights.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?

The fines are transferred to the federal treasury.

Is there a common, official calculation methodology for fines in Austria (such as the fining models in the Netherlands or Germany)?

No, there is no official calculation method for fines in Austria that is publicly available. However, the DPA has internal guidelines for calculating fines. These internal guidelines will now also be based on the European guidelines of the European Data Protection Board (“EDPB”).

On May 16, 2022 the EDPB published for consultation its guidelines on the calculation of fines under the GDPR. The guidelines include five steps for the calculation of fines:

  • (1) Identifying the processing operations in the case and evaluating the application of Art 83 para 3 GDPR;
  • (2) Finding the starting point for further calculation;
  • (3) Evaluating aggravating and mitigating circumstances related to past or present behaviour of the data controller/processor and increasing or decreasing the fine accordingly;
  • (4) Identifying the relevant legal maximums for the different processing operations, whereby increases applied in previous or subsequent steps cannot exceed this amount;
  • (5) Analysing whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, as required by Art 83 para 1 GDPR, and increasing or decreasing the fine accordingly.

The guidelines are meant to harmonise the methodology for calculating fines for GDPR breaches and to increase transparency across the European Economic Area. With regard to the legal nature of the guidelines issued by the EDPB, it should be noted that they are considered “soft law” and accordingly have no legally binding effect. However, national data protection authorities shall take decisions in compliance with the guidelines adopted at EDPB level, since the considerations set out in the guidelines were developed and adopted in cooperation with all members of the EDPB (thus including all European data protection authorities). In Austria, the DPA referred to the EDPB guidelines in decisions made in December 2023 when calculating the fines imposed. Nevertheless, the authority pointed out that the exact determination of the amount of the penalty remains a discretionary decision under the Austrian Administrative Penal Act.

Can public authorities be fined in Austria? If they can: Where does this money go?

According to Sec 30 para 5 Austrian Data Protection Act, administrative fines cannot be imposed on authorities and public entities, such as, in particular, entities established in a manner set out under public law as well as private law, entities acting on the basis of a statutory mandate, and public-law corporations.

In Austria, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

The DPA does not publish all fines imposed, nor the related procedural steps. A selection of the decisions made by the DPA can be accessed via the Federal Legal Information System (“Rechtsinformationssystem” – “RIS”), a database covering federal and state law as well as case law. The decisions are anonymised.

In addition, the DPA publishes a newsletter which addresses landmark cases and trends, on an anonymised basis.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines?

The DPA publishes a “Data Protection Report” every year. In this report, the DPA provides information on the number of the different proceedings it has conducted (i.e. individual complaint handling procedures (national/cross-border), data breach notification proceedings, approval of codes of conduct, etc.). In addition, the DPA provides executive summaries of the decisions it considers most important.

In 2021, 267 fining procedures were completed, with proceedings against natural persons constituting the majority of cases. 36 proceedings resulted in fines (11 against legal entities, 25 against natural persons) and 7 proceedings resulted in warnings. In total, the DPA imposed approximately EUR 24.7 million in fines for the year 2021.

In 2022, 122 fining procedures were completed, all of them against natural persons. In total, 28 fines and 7 warnings were imposed, amounting to around EUR 50,000 in fines for the year 2022. This is due to the preliminary ruling proceedings pending at the ECJ since 21.12.2021 (C-807/21, Deutsche Wohnen SE), which dealt with the question of the liability of legal entities. Administrative procedures against legal entities were postponed until the ECJ ruled on this matter, which it did on 5.12.2023. Thus, more fining procedures against legal entities are again to be expected in 2024.


Other legal consequences of non-compliance in Austria

Does Austria have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

Austrian data protection law does not provide for any model declaratory proceedings/class actions. However, consumer protection associations are able to assert the rights held by consumers in court. It was initially unclear whether these consumer protection associations are also able to take on data protection law issues. The ECJ was due to rule in preliminary ruling proceedings (C-701/20, Avis Autovermietung Gesellschaft mbH) further to a request from the Austrian Supreme Court of Justice (“OGH”) (OGH 25.11.2020, 6 Ob77/20x) as to whether such consumer protection associations may litigate cases on the basis of the GDPR and national data protection laws.

In May 2022, the OGH withdrew its request for a preliminary ruling after the ECJ ruled in favour of a right of action for consumer protection associations in a similar case originating in Germany (C-319/20, Meta Platforms Ireland Limited). According to the ECJ, authorising such associations to litigate cases in order to protect consumer interests contributes to strengthening the rights of data subjects and ensures a high level of protection. Additionally, class actions filed by these associations are likely to prove more effective than numerous individual lawsuits filed by individual data subjects.

In line with the above ruling, the OGH has consistently held in recent decisions that consumer protection associations are entitled to bring actions to enforce consumers' rights in relation to alleged breaches of the GDPR, for example in relation to General Terms and Conditions.

What is more relevant in Austria: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

Under Austrian tort law, any damage must be adequately caused and proven. Austrian law does not provide for punitive damages. Civil courts may impose injunctions and rule on damage compensation claims. Such damage compensation claims may also cover immaterial damages, which do not correspond to an actual calculable loss. To date, the civil courts have awarded rather low compensation for immaterial damage.

To date, the fines imposed by the DPA seem to exceed the damage compensations awarded by civil courts, as these only assess the actual damages caused by the violation. Nevertheless, we expect the number of lawsuits brought before civil courts to continue to increase in coming years.

In January 2022, a claimant was awarded EUR 100.00 in damages by the Munich Regional Court after visiting a website using Google Fonts. The court based its decision on the fact that by dynamically embedding Google Fonts on a website, personal data (namely the IP address) of website users is transferred to the USA, which is considered a third country with an inadequate level of data protection under the GDPR. An Austrian lawyer took the aforementioned decision of the Munich Regional Court as an opportunity to send thousands of threatening legal letters with similar demands to website operators in Austria that had integrated Google Fonts on their websites. The letters stated that the filing of a lawsuit and further legal action would be waived if the website operator accepted, as a settlement, a payment of EUR 100.00 to the data subject who demanded compensation for the alleged breach of the GDPR. Two court proceedings concerning this matter were pending in Austria, one of which was interrupted due to a case before the ECJ (C-300/21, Österreichische Post AG). In October 2023, a court of first instance in Vienna reached a decision in this regard. It held that these warning letters regarding the use of Google Fonts on websites were an abuse of rights and did not award the amount demanded. However, these proceedings are not yet over, as the opposing party has announced its intention to appeal.

Moreover, in January 2023, a private lawsuit was filed against the Austrian organisation responsible for collecting the national broadcasting fee (“Gebühren Info Service GmbH” – “GIS”) for a data leak that occurred in 2020 and was not sanctioned by the DPA, because GIS is considered a public entity on which the Austrian DPA by law cannot impose fines. This procedure is still ongoing.

Irrespective of the outcome of these cases, there is undoubtedly a trend towards data protection-based litigation before civil courts in Austria. The recent case law of the European Court of Justice providing clarity on damages is also expected to further increase the number of data protection cases before civil courts.