Intellectual property and data protection

i Intellectual property

Austria does not have special rules that protect an entire business model per se. Accordingly, business models must be examined on a case-by-case basis to determine whether any intellectual property rights can be protected. The most relevant available protective rights under Austrian law include:

  1. trademarks protected under the Trademark Protection Act;
  2. designs protected under the Design Protection Act;
  3. patents protected under the Patent Act;
  4. utility patents protected under the Utility Patents Protection Act; and
  5. copyrights protected under the Copyright Act (UrhG).

Protection afforded under the above legislation is usually provided by registration in a public register and lasts up to 70 years after the death of the author.

Software protection

Software is protected as a work of literature under Section 40a UrhG if it is the result of its author's or authors' own intellectual and individual creation and has a minimum level of creativity and complexity. This protection includes the machine, object and source code of the software, as well as design material such as flowcharts or structure charts. However, graphical user interfaces of software, as well as the ideas and principles underlying the software, are not protectable. The author of the software is always its creator. Legal entities are excluded as creators. It is possible to transfer derived rights of use to legal entities. For this reason, rights owners within the meaning of the UrhG are always only natural persons. In view of the complexity of today's software and its programming, co-ownership can be assumed. The UrhG may also protect databases under certain circumstances.

Unless otherwise agreed, only the employer is entitled to exercise property rights in software that was developed by an employee within the framework of an employment agreement. The employer thus effectively receives a legally required licence.

The unauthorised duplication and distribution of software can be prosecuted civilly for damages and injunctive relief as well as criminally by private prosecution.

ii Data protection

The EU General Data Protection Regulation (GDPR) has been legally binding and directly applicable throughout the EU since 25 May 2018. In Austria, the Data Protection Act (DSG) further implements certain provisions of the GDPR.

The GDPR generally applies to the processing of personal data related to identifiable natural persons. The processing of client data of fintech companies is therefore also covered within the scope of the GDPR.

Persons who deal with the processing of personal data must implement appropriate technical and organisational measures and procedures to ensure that the rights of persons concerned are adequately protected. Pursuant to Article 33 GDPR, personal data breaches of a certain nature must be reported to the Austrian Data Protection Authority (DPA) within 72 hours of becoming aware of them. Moreover, the person whose rights were violated must be informed without undue delay if there is a high risk to their personal rights and freedoms.

Digital profiling of clients is covered under the GDPR. Fintech companies must take into account that, at the time the data used for profiling is collected, data subjects are entitled to certain information, including the fact that the profiling is taking place, the legal justification for the profiling and the expected effects of the profiling. Furthermore, a data protection impact assessment must be carried out if a systematic and extensive evaluation of personal aspects relating to natural persons is conducted (Article 35(3) GDPR). The persons concerned have the right to object pursuant to Article 21 GDPR; among other things, they may object to profiling that is based on the legal basis of the overriding legitimate interest or is carried out for the purposes of direct marketing.

Fintech companies may be required under certain circumstances to conduct a data protection impact assessment, to compile a list of processing activities and to appoint a data protection officer. The DPA may impose fines of up to €20 million or, in the case of a company, up to 4 per cent of its total annual worldwide turnover in the previous financial year.

The provision of banking secrecy pursuant to Article 38 BWG is also of significance to fintech companies. According to this provision, credit institutions, their shareholders, board members, employees and other persons working for credit institutions may not disclose or utilise secrets or sensitive information that have been entrusted to them or made accessible to them exclusively on the basis of business relations with customers. In contrast to the GDPR, the BWG protects legal entities. Even if a transfer of data is not subject to banking secrecy or is permissible under the BWG, its admissibility under the GDPR or the DSG must also be examined. In the event of a breach of banking secrecy, fintech companies may also be liable under civil, criminal and administrative laws.

Further data protection regulations are contained in the Austrian Telecommunications Act.