Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.
Trends and climate
Would you consider your national data protection laws to be ahead or behind of the international curve?
The Austrian Data Protection Act is strict and often exceeds the EU-harmonised minimum standard provided by the EU Data Protection Directive (95/46/EC). It is thus considered to be more discriminating and stringent than generally accepted international data protection principles and procedures. For example, the act provides for additional requirements and procedures with regard to:
- formal notification and approval;
- preconditions of international data transfer; and
- consent declarations.
Unlike the directive and similar laws in most other European jurisdictions, the act also covers the personal data of legal persons (ie, entities) to the same extent as that of natural persons.
Are any changes to existing data protection legislation proposed or expected in the near future?
The EU General Data Protection Regulation, which will apply by 2018, will establish a new set of data protection provisions applicable across the European Union. However, in certain cases EU member states will be able to uphold their own rules and deviate from or supplement the new EU data protection regime. At present, the Austrian government’s plans for the extent to which existing deviations will be kept (where possible) remain unclear (eg, whether the personal data of legal entities will continue to be covered).
What legislation governs the collection, storage and use of personal data?
The Data Protection Act 2000 is based on the EU Data Protection Directive (95/46/EC) and governs the collection, storage and use of personal data.
The Telecommunications Act 2003, which implemented the EU E-Privacy Directive (2002/58/EC), also includes provisions on data protection.
Scope and jurisdiction
Who falls within the scope of the legislation?
Austrian data protection law applies to the processing of personal data in Austria, irrespective of where the data controller (a natural or legal person that processes personal data for its own purposes) has its seat. It also applies to data that is processed outside the European Union for an Austrian data controller.
However, within the European Union the residence principle applies – that is, irrespective of the actual location of data processing, the national data protection law of the EU member state where the data controller is seated applies.
In light of the abovementioned rules, the Data Protection Act is territorially applicable to all data controllers located in Austria and therefore to all:
- Austrian entities;
- subsidiaries or branches established in Austria; and
- data controllers situated outside the European Union, but conducting data processing in Austria.
What kind of data falls within the scope of the legislation?
The Data Protection Act covers ‘personal data’, which is defined as any information relating to an identified or identifiable natural person or legal entity. Thus, the act protects the personal data of both legal entities and individuals. This is significant in practice, as relevant consent regimes apply equally to business-to-business models.
The Data Protection Act distinguishes between non-sensitive and sensitive data. Sensitive data relates to a natural person’s racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, health or sex life. All other data is deemed non-sensitive. In practice, data relevant for criminal prosecution is subject to a similar (ie, stricter) protection regime as that for sensitive data.
Since the law refers to ‘personal’ data, totally anonymous data (ie, information that does not relate to an identifiable person or entity) is not covered by the Data Protection Act.
The Data Protection Act also establishes a special regime for ‘indirect personal data’, which covers data relating to a data subject in such a manner that only the data controller – not the processor or any other recipient – can identify the data subject by legal means. Indirect personal data is protected, but subject to a less stringent regime. In particular, if indirect personal data is processed or transferred to another data controller, no specific justification need be provided; notification and approval requirements also do not apply.
The Data Protection Act does not apply to personal data that has already been validly published. Thus, there are no restrictions on the use of publicly available data, even if it directly relates to an identified person.
Are data owners required to register with the relevant authority before processing data?
Yes. In general, data controllers must notify the Data Protection Authority (DSB) before processing data. The notification must contain detailed, exhaustive information on:
- the purpose of the data processing;
- the data subjects involved;
- the categories of data to be processed;
- the statutory justification for the processing;
- any data recipients; and
- the statutory justification for data transfer.
Relevant documentation must also be provided if the data controller refers to existing consent declarations, contracts, plant agreements (with its works council) or other documents.
However, the Austrian Standard and Model Decree provides certain standardised exceptions. As long as personal data and potential recipients are explicitly covered by such standards, no notification is required for processing or transfer.
Provided that no sensitive data, potential criminal data or closed-circuit television footage is involved, processing can commence on the date of filing the notification online. Otherwise, the notification is subject to a two-month review period by the DSB.
Is information regarding registered data owners publicly available?
Yes. The Austrian Data Processing Register is publicly available at https://dvr.dsb.gv.at/at.gv.bka.dvr.public/DVRRecherche.aspx. Thus, anyone can verify the registered controller of data processing activities.
Is there a requirement to appoint a data protection officer?
No. There is no requirement under Austrian data protection law to appoint a data protection officer, other than for foreign data processors with no seat in Austria. However, this will change with the entry into force of the EU General Data Protection Regulation.
Which body is responsible for enforcing data protection legislation and what are its powers?
In general, the DSB is competent for the enforcement of Austrian data protection law. Anyone may submit a claim to the DSB for a violation of privacy or data protection law by a data controller or processor. The DSB may conduct onsite audits (although these are uncommon) or request clarification from the data controller or processor in order to verify the concerns (the most common course of action). To ensure compliance with the Data Protection Act, the DSB may issue recommendations to remedy the violation within a reasonable period. If a DSB recommendation is not met within this period, the DSB may:
- report a possible criminal offence to the competent court; or
- bring a civil action before the competent court.
Based on publicly available information, it appears that neither action has yet been taken.
If there is a significant, immediate threat to the privacy of the persons concerned (ie, imminent danger), the DSB may also prohibit use of the relevant data application.
Decisions of the DSB may be appealed to the Federal Administrative Court. Its decisions may in turn be appealed to the final-instance Higher Administrative Court, unless certain restrictions apply.
Further, the district administrative authorities may impose administrative penalties of up to €25,000 for violations of data protection law.
Aside from these administrative procedures, the regional courts are competent for the enforcement of claims:
- for infringement of the right to secrecy;
- to correct outdated or inaccurate data;
- to delete data; and
- for damages, omission or publication of the judgment.
Competitors may also file claims with the civil courts for damages, omission or publication of the judgment based on unfair competition law.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
In general, personal data must be:
- processed fairly and lawfully;
- accurate and, where necessary, up to date;
- collected for specified, explicit and legitimate purposes and not subject to further processing in a way that is incompatible with such purposes;
- adequate, relevant and proportionate in relation to the purposes for which it is collected or processed; and
- kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is collected or processed.
When determining the permissibility of data processing activities, a detailed review of the justification for processing is of utmost importance. Data may be processed only if the legitimate confidentiality interests of involved data subjects are not infringed. For non-sensitive personal data, the following justifications are usually employed:
- the existence of an explicit legal right or obligation;
- the data subject's freely given consent, based on full disclosure;
- vital interests of the data subject which necessitate the processing; or
- overriding legitimate interests of the data controller (or a third person).
In practice, the overriding legitimate interests of the data controller and the consent of the data subject are most relevant. For example, overriding interests may justify data processing in order to execute a contract. However, the Data Protection Act does not accept general or mere business interests – such as processing for marketing purposes or within a group of companies – under the overriding interest regime. Thus, such data use may be conducted only with the data subject's consent.
There is also no privilege for intragroup data transfers. As the overriding legitimate interests exemption under the Data Protection Act is seldom accepted, consent requirements apply. This is particularly true when processing employee data that is not directly required by law. For instance, the Data Protection Authority is likely to argue that an Austrian entity is allowed to review its employees' performance on a frequent basis, but that there is no need to transfer performance ratings to other group entities (or to permit their access), as often provided by human resources tools. As a result, the data subject's consent is often the only valid justification for the processing, especially with regard to data processing for advertising purposes and intragroup data transfers.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
The Data Protection Act does not set a maximum retention period for personal data. In general, personal data may be retained only for as long as needed to fulfil the purpose of the data processing. A longer retention period may be justified by specific legal provisions (eg, seven years for tax, accounting and other commercial documents). Essentially, the maximum retention period differs based on the nature of the personal data involved and the purposes of its processing.
Aside from these vague limits set out under the Data Protection Act, the Austrian Standard and Model Decree stipulates maximum retention periods for different data groups. In general, data may be retained until:
- termination of the business relationship;
- expiration of any warranty or guarantee claims (usually two years);
- expiration of a specific legal retention period (usually seven years for accounting data); or
- conclusion of any legal dispute in which the data is needed as evidence.
Data must be deleted as soon as it is no longer needed for its stated purpose. Thus, data must be erased on expiration of the maximum data retention period. As an alternative to deletion, the data can be irreversibly anonymised and stored as non-personally identifiable information, in which case no maximum retention period applies.
Do individuals have a right to access personal information about them that is held by an organisation?
Yes. Data subjects may exercise their right to information against the data controller, which must disclose the following on request:
- the data being processed and the purposes for which it is processed;
- the origin of the personal data (ie, where and why it was collected);
- the categories of data concerned; and
- the recipients of the relevant data.
The data subject must demand disclosure in writing and prove its identity (in the case of an individual, this is usually done by submitting a copy of his or her passport). Data controllers must then provide all relevant data – or at least confirm that no personal data has been processed (ie, an ‘empty’ notification) – within eight weeks.
Do individuals have a right to request deletion of their data?
Yes. Data subjects have the right to request correction or deletion of their personal data and may object at any time to the processing of their data. In such case, the data controller must delete the relevant data within eight weeks and refrain from any future data transfers.
Is consent required before processing personal data?
A consent declaration is required if there is no other legal justification for data processing.
In order for consent to be valid, the data subject must be well aware of the data’s scope and content. For evidence purposes, a detailed written consent declaration is recommended. Such a declaration can also be made online by clicking on a box indicating consent or by other electronic means. In any case, the consent declaration must be easily understandable and transparent – in particular:
- the categories of processed or transferred data must be listed exhaustively;
- the purpose of the processing or transfer must be described in detail; and
- the data controller and any data recipients must be named (including their full addresses).
In addition, data subjects must be informed of their right to withdraw consent at any time. If consent is withdrawn, the data controller must refrain from further processing of the relevant personal data.
If consent is not provided, are there other circumstances in which data processing is permitted?
In establishing the permissibility of data processing, a detailed review of the justification for the processing is of utmost importance. Aside from the data subject's freely given consent based on full disclosure, the following justifications are available:
- the existence of an explicit legal right or obligation;
- the vital interests of the data subject; or
- the overriding legitimate interests of the data controller (or a third person).
In practice, the overriding legitimate interests of the data controller is the second most relevant justification after the data subject’s consent.
What information must be provided to individuals when personal data is collected?
The data controller must inform individuals of:
- the data that is collected, processed or transferred;
- the legal basis on which it is collected, processed or transferred;
- the purposes for which it is collected, processed or transferred; and
- the retention period for the data.
Data security and breach notification
Are there specific security obligations that must be complied with?
Yes. The Data Protection Act sets out technical and organisational measures that data controllers must undertake to secure personal data against:
- unauthorised access;
- accidental or unlawful destruction, manipulation, disclosure and transfer; and
- other unlawful processing.
Data controllers must also comply with data confidentiality rules and ensure that personnel who process personal data are bound by confidentiality obligations.
The Data Protection Act does not expressly stipulate which data security measures must be taken, but provides that any such measures should reflect the current state of technological capabilities and be economically tenable. Thus, good industry practices have become crucial in determining the necessary data security measures to take in the event of a breach of the act or internal control systems. Such practices are particularly relevant in the context of an internal control systems breach, where the courts will examine the potential liability of persons responsible for the breach (eg, managing directors). Liability for lack of sufficient data security seldom arises when good industry practices are followed.
Are data owners/processors required to notify individuals in the event of a breach?
Yes. The data controller must inform the data subjects concerned in an appropriate manner as soon as it becomes aware that data under its control has been systematically and seriously misused and such misuse may cause the data subjects to suffer damages. The disclosure obligation does not apply if only minor damage is likely to occur and the costs of disclosure would require disproportionate effort.
Are data owners/processors required to notify the regulator in the event of a breach?
No. The data controller must inform only the natural and legal persons whose data is affected by the breach; there is no general obligation to notify the Data Protection Authority. However, telecommunications operators are obliged to directly inform the Data Protection Authority in such event.
However, the new EU General Data Protection Regulation will significantly change regulations and establish an obligation to report data breaches to the Data Protection Authority.
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
Yes. Austrian law sets strict requirements for consent declarations to use personal data for marketing purposes (based on the EU E-Privacy Directive (2002/58/EC), implemented by Section 107 of the Austrian Telecommunications Act).
Electronic messages (eg, email and text messages) that are sent for direct marketing purposes require the recipient’s prior consent (ie, opt-in). A mere opt-out is theoretically sufficient if the following conditions are met:
- The sender has a pre-existing relationship with the customer and initially (ie, at the time of data collection) allowed the customer to refuse further messages. The Supreme Court is strict in enforcing this requirement.
- The communication is transmitted for the purpose of direct marketing of products or services similar to those originally purchased by the customer.
- The customer (whether a natural or legal person) has a clear, distinct opportunity to object – free of charge and in an easy manner – to such use of advertisements in every email.
- A Robinson List is adhered to. This lists the email addresses of persons that do not wish to receive unsolicited marketing emails. The list is provided by the telecoms regulator at www.rtr.at/ecg.
Yes. All website operators must inform users before collecting personal data through cookies. If personal data is collected, prior consent (an opt-in) is required (usually obtained via a banner at the top of the website). Consent must be based on clear, comprehensive disclosure of:
- the data that will be collected, processed and transferred;
- the legal basis for collection, processing and transfer;
- the purposes for collection, processing and transfer; and
- the retention period for the data.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
Austrian data protection law distinguishes between data transfer to another data controller (C2C) and transfer to a data processor (C2P). A C2C data transfer is established when the recipient of personal data uses it for its own or other purposes and thus also acts as data controller. A C2P data transfer is established when data is sent to a third person that acts merely on the data controller’s behalf.
The Data Protection Authority must generally be notified of a C2C data transfer (there are only a few standardised exemptions to this requirement in the Austrian Standard and Model Decree). A C2P data transfer triggers no notification duty, as long as the underlying data processing either is notified or falls within the scope of the Austrian Standard and Model Decree.
Data processing agreement
All data controllers are generally allowed to engage data processors (C2P data transfer). Data processors must limit processing to the extent necessary to fulfil the purposes of the data controller and comply with data security rules. As such, a written data processing agreement must be concluded. Provided that the data processor is located in the European Economic Area or in a third country providing an adequate level of data protection, a brief model contract will be sufficient. If the recipient data processor is located in a third country without an adequate level of data protection (eg, the United States or India), a more detailed data processing agreement (and approval) will be required.
Austrian data protection law requires prior approval for any C2C or C2P data transfer to a recipient located in a third country without an adequate level of data protection (eg, the United States, India and Singapore). The approval procedure must be initiated separately for each recipient and be based on either signed EU standard contractual clauses or binding corporate rules. Such C2C and C2P data transfers can commence only on receipt of formal approval. However, no approval is required if:
- merely indirect personal data is to be transferred;
- the data subject has provided its explicit consent; or
- the data transfer is explicitly mentioned in a standard application.
Are there restrictions on the geographic transfer of data?
Yes. Austrian data protection law requires prior approval for any C2C or C2P data transfer to a recipient located outside the European Economic Area in a third country without an adequate level of data protection (eg, the United States, India and Singapore).
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
Yes. There is some facilitation for C2P data transfers. C2P transfers usually require no notification, but do require a data processing agreement in writing. The Data Protection Authority’s approval is required only if data is transferred outside the European Economic Area.
Penalties and compensation
What are the potential penalties for non-compliance with data protection provisions?
Non-compliance with Austrian data protection provisions can incur the following penalties:
- claims by data subjects based on the right to data protection – compensation for damages (unlikely), omission or publication of judgment (both likely);
- claims by competitors for omission based on unfair competition law – compensation for damages (very unlikely), omission or publication of judgment (both likely);
- an administrative penalty of up to €10,000 (the first penalty is usually only a fraction of the highest possible penalty);
- an administrative penalty of up to €25,000 for transferring data without the Data Protection Authority’s approval (again, the first penalty is usually low);
- control proceedings by the Data Protection Authority (ie, onsite audits) resulting in prohibition from further processing or transfer of personal data; and
- a damaged reputation in the media.
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Yes. Individuals may claim damages against data controllers and processors for violations of the Data Protection Act.
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
The Ministry of the Interior is attempting to enact a Cybercrime Act. It is expected to be enacted by the end of 2016 and will be similar to the German IT Security Act.
The following IT security issues are currently regulated under Austrian law:
- Criminalisation of cybercrime activities – the Criminal Code penalises (through both fines and prison terms) certain cybercrimes, including:
- unlawful access to a computer system (hacking);
- breach of the privacy of telecommunications;
- abusive interception of data;
- data corruption;
- disturbance of the functionality of a computer system;
- abuse of computer programs or access data; and
- data falsification.
- Data security provisions – the Data Protection Act establishes several data security measures to ensure IT security.
- Good industry practices – the Data Protection Act does not expressly stipulate which IT security measures must be implemented, but provides that any such measures should reflect the current state of technological capabilities and be economically tenable. Thus, good industry practices have become crucial in determining the required IT security actions and levels. Good industry practices are especially relevant for courts in examining the potential liability of responsible persons (eg, managing directors). Liability seldom arises when good industry practices are followed.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
The provisions on criminalisation of cybercrimes mainly implement the Council of Europe Convention on Cybercrime. Further international standards have not been directly implemented into Austrian law.
However, due to the relevance of good industry practices, international certifications and guidelines are increasingly important. In particular, the International Organisation for Standardisation (ISO) international standards and certifications and the Austrian Standards (ÖNORM) are acknowledged guidelines for IT security (eg, ISO/IEC 27001 – Information security and ISO/IEC 27032 – Guidelines for cybersecurity). In addition, it is often recommended to refer to the Austrian Information Security Manual (www.sicherheitshandbuch.gv.at) or the German IT Baseline Protection Catalogue, both of which provide a catalogue of recommended measures for companies to reliably protect their IT systems and data against cyberattack. Moreover, the Austrian Chamber of Commerce provides guidelines, checklists and risk analysis tools on IT security (www.wko.at/Content.Node/it-safe/it-sicherheit.html).
Which cyber activities are criminalised in your jurisdiction?
The Criminal Code penalises the following cybercrimes:
- unlawful access to a computer system (hacking);
- breach of the privacy of telecommunications;
- abusive interception of data;
- data corruption (ie, damaging of data);
- disturbance of the functionality of a computer system (eg, denial of service);
- abuse of computer programs or access data;
- fraudulent misuse of data processing;
- data falsification;
- counterfeiting of non-cash means of payment; and
- capture of non-cash payment data (ie, ‘phishing’ or ‘skimming’).
Criminal offences are penalised by fines and imprisonment for up to six months. Severe violations (eg, actions conducted by criminal organisations or resulting in a high level of damage) are subject to a longer prison sentence of up to five years. Moreover, a recent amendment to the Criminal Code which entered into force in 2016 established a stricter system by also penalising minor actions undertaken without the intent to disseminate or use personal data for enrichment. The new provisions also cover cybercrimes such as phishing and skimming by penalising the capture of non-cash payment data. ‘Cybermobbing’ (ie, continued harassment through telecommunications or computer systems) is also expressly stipulated as a criminal offence.
Further, the Data Protection Act penalises the use or publication of illegally acquired personal data with imprisonment of up to one year.
The Association Responsibility Act and the Administrative Penal Act govern corporate liability, allowing for legal entities to be held liable for cybercrime actions committed for their benefit or within their control.
Which authorities are responsible for enforcing cybersecurity rules?
The criminal courts are competent for the enforcement of the respective rules.
The Data Protection Authority is empowered to ensure compliance with data security provisions.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
Cyber risk insurance is available in Austria. Small companies usually do not bother a great deal with IT security and relevant insurance coverage. However, banks and international companies in particular typically obtain insurance for cyber risks.
Are companies required to keep records of cybercrime threats, attacks and breaches?
Based on the data security provisions of the Data Protection Act, the data controller and processor must keep logs and records to allow the performed processing steps – in particular, modifications, consultations and transmissions – to be traced to the extent necessary.
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
In general, no. The data controller must inform the natural and legal persons whose data is affected by the breach and there is no notification obligation to the Data Protection Authority. However, telecommunications operators are obliged to directly inform the Data Protection Authority in such a case.
Are companies required to report cybercrime threats, attacks and breaches publicly?
No. However, the data controller must immediately inform the data subjects concerned in an appropriate manner when it becomes aware that data under its control has been systematically and seriously misused and such misuse can cause the data subjects to suffer damages.
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
Austrian criminal law sets out fines and imprisonment of up to six months for cybercrime offences. Severe violations (eg, actions conducted by criminal organisations or resulting in a high level of damage) are subject to a longer prison sentence of up to five years.
The Data Protection Act penalises the use or publication of illegally acquired personal data with imprisonment of up to one year.
What penalties may be imposed for failure to comply with cybersecurity regulations?
If the data controller or processor grossly neglects the required data security measures, the district administrative authority may impose an administrative penalty of up to €10,000.
Further, the controller or processor is liable to compensate for economic or any other losses suffered by the data subject or any other person due to personal data processing in violation of the Data Protection Act.
Company directors or officers can be held personally liable for violations of data security provisions. Moreover, competitors may file claims for omission and damage compensation under the Unfair Competition Act and claim an unfair advantage due to the breach of data protection rules.