Vienna's plans and data protection problem
Study and findings


In 2008, more than 50% of the world's population lived in towns or cities. It is expected that by 2030, this number will increase to about 5 billion (60% of the population). But after many decades of giving priority to car traffic, cities are on the brink of a traffic collapse. Congestion, poor air quality, noise and little space for people plague many cities and urban neighbourhoods. The transformation of areas available exclusively for motor vehicle traffic into multifunctional, generally accessible public space and green areas is a prerequisite for both climate-friendly urban mobility and a high quality of life, as well as for reducing traffic problems in growing metropolitan areas.

This goal can be achieved by various measures, such as investing in e-mobility, expanding public transport, and encouraging "multimodality"(1) and car sharing models. Another option, however, is to restrict car access to certain areas, mainly city centres and other densely populated districts, unless business activities (eg, delivery of goods) or residents are concerned.

Vienna is planning to ban most cars from entering the first district to reduce traffic and increase living standards in the city centre. But how can the city control who is allowed to enter without causing major traffic jams at the entrance points?

Vienna's plans and data protection problem

As early as 2018, the councilwoman for transportation, together with the district's superintendent, proposed to restrict the access of motorised traffic to the first district. However, after the election of a new Vienna city government, the governing parties and their responsibilities changed, and the plans were put on hold. In January 2022, the new councilwoman for transportation went ahead and announced that a feasibility study had been commissioned to examine the viability of allowing access only for:

  • district residents;
  • users of public garages;
  • suppliers;
  • emergency vehicles;
  • public services (eg, garbage collection workers); and
  • people leaving the district after 30 minutes.

Further, the study would also examine the monitoring of such access and the duration of stay with the help of camera surveillance at the access points. In response to the announcement, six environmental, privacy and human rights organisations wrote an open letter in which they claimed, among other things, that the concept was not compatible with data protection principles in a city of millions of inhabitants. As the city of Vienna plans to install video cameras at almost all of the 38 entrances from the Ringstraße into the first district, which then automatically record the licence plates of all cars entering and leaving, it was claimed that it would be inevitable that pedestrians and cyclists, as well as participants in demonstrations, would also be subject to the planned video surveillance. This could create a "chilling effect"(2) and, in the worst scenario, even lead to people making less use of their constitutional right to assemble.

Critics of the plan also expect that, in the future, other authorities, such as the police or intelligence services, may gain access to the processed data. This is because Austrian law already enables the Ministry of the Interior to obtain real-time data from video surveillance without initial suspicion and without prior judicial review.(3)

The Austrian federal Ministry for Climate Action, Environment, Energy, Mobility, Innovation and Technology commissioned a study by Dr Nikolaus Forgó from the University of Vienna to address whether it is permissible under Austrian data protection law to set up and operate a video surveillance access system and, if so, under what conditions.

Study and findings

The study was published in July 2022(4) and concluded that, under certain conditions, it may be possible to implement video-surveilled automated zone access management in Austrian cities in compliance with data protection requirements. To be lawful, however, not only must the constitutional and EU General Data Protection (GDPR) requirements be closely followed, but the underlying legal basis must be updated. For example, the provisions of the Federal Road Traffic Regulation must be amended to also reflect the envisaged video-surveilled automated zone access management (such as it was for the purpose of installing section control and road traffic radar tools).

According to the study, the following points must be considered for the surveillance measure to be lawful:

  • Besides the processing of image data, the linking of the licence plate number with information on when the associated vehicle entered or left a certain area (ie, date and time) constitutes data processing that requires a legal basis. Because the data processing is performed for sovereign purposes, but not for criminal law or private purposes, only the EU GDPR is applicable.(5)
  • It is likely that data on criminal convictions and offences within the meaning of article 10 of the GDPR will be processed – namely, if the licence plate number or the image or video recording is stored for further processing in the case of suspected illegal entry or driving in specially defined areas and, if necessary, transmitted to the relevant law enforcement agency. Therefore, it is necessary to provide a legal basis for the processing of such data by the traffic police.
  • According to the European Court of Justice (ECJ), the improvement of traffic safety constitutes an objective in the general interest recognised by the European Union.(6) Therefore, member states are entitled to consider traffic safety as a task that serves the public interest pursuant to article 6(1)(e) of the GDPR. If a legal ground is provided on this basis, the video surveillance in question can arguably be based on article 6(1)(c) of the GDPR after a balancing of interests that meets the constitutional requirements of necessity and proportionality.
  • The legal basis to be created must also comply with the constitutional requirement of legal certainty. This means that this legal basis must therefore address the following issues in detail:
    • For what purpose is the data processing conducted?
    • Which authority is the data controller?
    • Which categories of data are to be processed?
    • What are the general conditions for lawful data processing in this case?
    • Which data subjects are concerned?
    • Who are the (possible) data recipients and for what purpose can they receive the data?
    • For how long will the data be stored?
    • Which processing operations and procedures are to be used?
  • Appropriate safety measures must be implemented to minimise the risk for the data subjects. These include, for example, access logging, encryption of data, special confidentiality obligations, such as data secrecy, explicit restrictions or prohibitions on use. In addition to a sufficiently clear marking of the surveillance zone, the legal basis for the "section control" measure(7) in Austria includes data use and retention regulations, such as restrictions on the collection, use and transfer of data, immediate deletion of data that does not relate to cases of infringement, as well as rendering the data of other data subjects and the licence plates of other vehicles unidentifiable, except for the driver of the vehicle concerned.(8) Also, the principles of data minimisation (eg, by only filming the lower part of the vehicle at the level of the licence plate)(9) and storage limitation (eg, filming only for limited periods of time) must be taken into consideration. The possible permission of further processing of the data for the purpose of further administrative penal proceedings must be precisely determined by law. The last point raised will probably be given particularly close attention, because in a decision on the 2018 "security package",(10) the Constitutional Court of Austria held that the collection and storage of image data stemming from traffic surveillance systems to identify vehicles and drivers for security police purposes is disproportionate and therefore inadmissible, because it allows further conclusions (eg, location data, information on which persons are together or which events or gatherings are or may be attended).(11) In the same decision, the authority to process, transmit and store data from section control systems was deemed to violate the fundamental right to data protection and privacy and was overturned as disproportionate.
  • The controller must ensure the integrity and confidentiality of the processing by using appropriate technical and organisational measures. In order to determine the level of protection that is required, a data protection impact assessment that takes into account the peculiarities of this surveillance measure must be conducted.


It remains to be seen whether the Austrian legislature will enact provisions that are in line with the constitution and data protection laws. Also, it is unclear if the legislature will follow the study's recommendations and, if it does, whether the supreme courts will concur regarding the admissibility of surveillance under the cited requirements. First, however, it will be interesting to see whether Austrian politicians decide to install such a traffic zone access management system or whether another solution will be preferred. Austria's Green Party recently presented a new proposal for traffic reduction and would have parts of the first district simply closed to car traffic. In this way, the desired goal could also be achieved, the accumulation of huge amounts of data would be prevented and potential large-scale surveillance would not be possible in the first place.

For further information on this topic please contact Florian Terharen at Schoenherr by telephone (+43 1 534 37 0) or email ([email protected]). The Schoenherr website can be accessed at


(1) "Multimodality" means the use of different means of transport. In passenger transport, this involves linking the means of transport within a route.

(2) The term "chilling effect" describes the change in people's behaviour toward the inhibition or discouragement of the legitimate exercise of natural and legal rights through (possible) surveillance and/or possible legal sanction.

(3) See section 53(5) of the Security Police Act.

(4) Forgó and Škorjanc (2022), "Ausgewählte datenschutzrechtliche Fragen eines automatisierten Zonen-Zufahrtsmanagements".

(5) If the data processing was carried out for the "purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties", the EU Data Protection Law Enforcement Directive (2016/680) would be applicable. The provisions on image processing under the Austrian Data Protection Act are not applicable because the processing at hand does not qualify as recording "for private purposes".

(6) ECJ, 22 June 2021, C-439.19 (Latvijas Republikas Saeima).

(7) The term "section control" refers to a system for monitoring speed limits in road traffic, in which the speed is not measured at a specific point, but the average speed over a longer distance.

(8) See section 98a et seq of the Road Traffic Regulations.

(9) DSB 4 July 2019, DSB-D123.652/0001-DSB/2019.

(10) Sicherheitspaket (2018).

(11) VfGH 11 December 2019, G 72-74/2019.