Trends and climate
Would you consider your national data protection laws to be ahead or behind of the international curve?
In May 2018 the EU General Data Protection Regulation (GDPR) and the amended Austrian Data Protection Act implementing the GDPR entered into force. Overall, the national implementation act is minimalistic and uses a limited number of the possibilities offered by the GDPR to implement more stringent or deviating provisions. However, the legislature reserved the right to render additional regulations for specific areas based on the opening clauses of the GDPR in separate, specific laws (eg, regarding the financial and insurance sectors as well as HR data). Further, some local special provisions for certain data processing activities (eg, video surveillance and data processing for research purposes) are upheld in the Data Protection Act.
Regarding data security and cybercrime, the new Data Protection Act provides no additional provisions to the GDPR. However, other laws contain specific provisions on data security and cybercrime for certain areas (eg, the healthcare sector). In addition, the Austrian authorities sometimes issue guidelines on data security and cybercrime for specific sectors (eg, in the insurance and banking field). Overall, the Austrian data protection laws and best practice are ahead of the international curve due to:
- some specific statutory requirements; and
- the Data Protection Authority’s rather strict approach.
Are any changes to existing data protection legislation proposed or expected in the near future?
The EU Directive on Security of Network and Information Systems (NIS Directive 2016/1148) provides for additional security measures in order to increase the level of cybersecurity in the European Union. This directive should have been adopted and implemented into national Austrian law in May 2018. At present, the Austrian legislature has published no new acts or drafts in this regard.
Further, the Austrian legislature announced that it would render additional data protection regulations for specific areas in separate, specific laws (eg, for the financial and insurance sectors as well as HR data). Thus, it is expected that additional data protection, data security and cybercrime prevention may follow in future.
What legislation governs the collection, storage and use of personal data?
Together with the EU General Data Protection Regulation (GDPR), the new Austrian Data Protection Act governs the collection, storage and use of personal data.
Further, the Telecommunications Act 2003, which implemented the EU ePrivacy Directive (2002/58/EC), contains provisions on data protection.
Scope and jurisdiction
Who falls within the scope of the legislation?
As the EU General Data Protection Regulation (GDPR) directly applies in Austria, it regulates the processing of personal data by:
- controllers and processors established in Austria; and
- controllers and processors outside Austria that offer goods and services to local data subjects or monitor their behaviour.
Further, specific provisions of the Data Protection Act apply to the processing of personal data in Austria, irrespective of where the data controller (ie, a natural or legal person that processes personal data for its own purposes) has its seat. In addition, it applies to personal data that is processed in the European Union for an Austrian data controller.
What kind of data falls within the scope of the legislation?
In accordance with the GDPR, legal entities’ personal data is no longer covered by data protection laws as of 25 May 2018. However, Section 1 of the Data Protection Act still contains broad wording regarding the base right to data protection which also covers legal entities. This is due only to political reasons; the base right to data protection is a constitutional right and cannot be changed due to a lack of the required majority in Parliament. However, the protection of legal entities is not supported in the remaining provisions of the most recent version of the Data Protection Act.
To mitigate potential gaps caused by the lapse of protection for legal entities under the data protection regime, business know-how and trade secrets will be protected by the national implementation of the EU Trade Secrets Directive (2016/943). This directive should have been adopted and implemented into national law by 9 June 2018. At present, the Austrian legislature has not yet published its implementation act.
In addition, Section 6 of the Data Protection Act contains provisions on data secrecy in connection with employment relationships. According to these, data obtained within the course of an employment relationship must be kept secret by employees, unless the employer explicitly instructs otherwise. Further, the employer must commit its employees to data secrecy. Additionally, Section 11 of the Unfair Competition Act penalises the disclosure of trade and company secrets with up to three months’ imprisonment.
The GDPR distinguishes between non-sensitive and sensitive personal data. ‘Sensitive data’ (ie, special categories of personal data) means all information that reveals a natural person’s racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, health (including genetic and biometric data) or sex life (Article 9 of the GDPR). All other data is deemed non-sensitive. In practice, data relevant for criminal prosecution is subject to a similar (stricter) protection regime as that for sensitive data.
Since the law refers to ‘personal’ data, anonymous data (ie, information that does not relate to an identifiable natural person) is not covered by the Data Protection Act or the GDPR.
Are data owners required to register with the relevant authority before processing data?
No. The previously applicable general notification obligation no longer applies following the implementation of the GDPR and the amended Data Protection Act in May 2018.
Instead, data controllers and data processors must maintain an internal record of processing activities (Article 30 of the GDPR). Further, more sensitive data processing activities that might result in an elevated risk for affected data subjects require the data controller or processor to conduct a data protection impact assessment (Article 35 of the GDPR).
Is information regarding registered data owners publicly available?
Since May 2018 no notification obligation exists. However, the old Austrian Data Processing Register is still publicly available at https://dvr.dsb.gv.at/at.gv.bka.dvr.public/DVRRecherche.aspx until the end of December 2019. Nevertheless, since May 2018, no new data processing activities could be registered.
Is there a requirement to appoint a data protection officer?
Yes, in particular cases. According to Article 37 of the GDPR, data controllers and processors must designate a data protection officer if:
- they are to be qualified as a public authority or public body; or
- their core activities:
- qualify as regular and systematic monitoring of data subjects; or
- consist of processing special categories of data (sensitive data) or data relating to criminal convictions and offences.
The Data Protection Act implementing the GDPR does not provide for additional regulations or stricter requirements to appoint a data protection officer. Thus, the conditions set out in the GDPR, which are vague and open to interpretation, are the legal basis for assessment only if a data protection officer is required.
Which body is responsible for enforcing data protection legislation and what are its powers?
In general, the Data Protection Authority enforces the Data Protection Act and the GDPR.
Anyone may lodge a complaint with the Data Protection Authority following a violation of privacy or data protection laws by a data controller or processor. Further, the Data Protection Authority may conduct onsite audits or request clarifications from a data controller or processor to verify the concerns (the most common course of action). To ensure compliance with data protection provisions, the Data Protection Authority may also issue recommendations to remedy the violation within a reasonable period. If there is a significant, immediate threat to the privacy of the persons concerned (ie, imminent danger), the Data Protection Authority may also prohibit data processing activity.
Data Protection Authority decisions may be appealed to the federal administrative courts. Its decisions may in turn be appealed to the final-instance higher administrative court, unless certain restrictions apply.
In addition to the Data Protection Authority's control rights, the authority is competent to impose administrative fines of up to €20 million or 4% of the total worldwide annual turnover (Article 83 of the GDPR). These high fines will primarily be imposed directly against the responsible data controller or processor as the legal entity. However, the authority can punish natural persons in charge (managing directors or representatives appointed under administrative law, but not the data protection officer).
The Data Protection Act provides for a catch-all administrative penalty of up to €50,000 (Section 62) applicable to less severe infringements of data protection provisions not fined under the GDPR. This penalty covers violations of the national requirements set out in the Data Protection Act.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
In general, according to Article 5 of the EU General Dara Protection Regulation (GDPR), personal data must be:
- processed fairly and lawfully, as well as in a transparent manner;
- collected for specified, explicit and legitimate purposes and not subject to further processing in a way that is incompatible with such purposes (purpose limitation);
- accurate and, where necessary, up to date;
- adequate, relevant and proportionate in relation to as well as limited to the purposes for which it is collected or processed (data minimisation);
- accurate and, where necessary, kept up to date;
- kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is collected or processed (storage limitation); and
- processed in a manner that ensures appropriate security of the personal data.
When determining the permissibility of data processing activities, a detailed review of the justification for processing is of the utmost importance. Data may be processed only if the legitimate confidentiality interests of involved data subjects are not infringed. For non-sensitive personal data, the following justifications are usually employed (Article 6 of the GDPR):
- the existence of an explicit statutory right or obligation;
- the data subject's freely given consent based on full disclosure and prior information;
- the processing is necessary for the performance of a contract to which the data subject is a party; or
- the processing is necessary based on the legitimate interests of the data controller (or a third person).
In practice, the legitimate interests of the data controller, performance of a contract and consent of the data subject are most relevant. However, the Data Protection Authority often has a strict approach as regards legitimate interests. Thus, the legal basis of all data processing activities based on legitimate interests should be documented in detail while clearly outlining the main argumentation.
There is also no privilege for intragroup data transfers. Such data transfers may be justified by legitimate interests. However, the Data Protection Authority is rather strict and reluctant to accept legitimate interest when processing employees' data that is not directly required by law. For instance, the Data Protection Authority is likely to argue that an Austrian entity can review its employees' performance on a frequent basis, but that there is no need to transfer performance ratings to other group entities (or to permit their access), as often provided for by human resources tools.
The recitals of the GDPR outline that transmitting personal data within a group of undertakings for internal administrative purposes, as well as processing personal data for direct marketing purposes, may be permitted based on the data controller’s overriding legitimate interests. However, as regards marketing, the implications of the Telecommunications Act 2003 and the EU ePrivacy Regulation must be considered. According to these provisions, electronic marketing generally requires the data subject’s prior consent.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
The GDPR does not set a maximum retention period for personal data. In general, personal data can be retained only for as long as needed to fulfil the purpose of the data processing. A longer retention period may be justified by specific legal provisions (eg, seven years for tax, accounting and other commercial documents). Essentially, the maximum retention period differs based on the nature of the personal data involved and the purposes of its processing.
Aside from the vague limits set out under the GDPR, the Austrian Standard and Model Decree 2004 stipulated maximum retention periods for different data groups. Although this decree expired on 25 May 2018, the retention periods still apply as best practice in Austria. In general, data may be retained until:
- termination of the business relationship;
- expiration of any warranty or guarantee claims (usually two years);
- expiration of a specific legal retention period (usually seven years for accounting data); or
- conclusion of any legal dispute in which the data is needed as evidence.
Data must be deleted as soon as it is no longer needed for its stated purpose. Thus, data must be erased on expiration of the maximum data retention period. As an alternative to deletion, the data can be irreversibly anonymised and stored as non-personally identifiable information, in which case no maximum retention period applies.
Do individuals have a right to access personal information about them that is held by an organisation?
Yes. Pursuant to Article 15 of the GDPR, data subjects may exercise their right to information against the data controller, which must disclose the following on request:
- the purposes of processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data has been or will be disclosed – in particular, recipients in third countries or international organisations;
- the envisaged retention period; if this cannot be provided, the criteria used to determine that period;
- the rights to rectification, erasure and objection of personal data;
- the right to file a complaint with the Data Protection Authority;
- the existence of automated decision making, including profiling; and
- the significance and envisaged consequences of such processing for the data subject.
The data subject must demand disclosure in writing and prove its identity if the controller has reasonable doubts concerning the identity of the person making the request (this is usually done by submitting a copy of their passport). Data controllers must then provide all relevant information – or at least confirm that no personal data has been processed (ie, an ‘empty’ notification) – within one month of receipt of the request.
Further, on request, the controller must provide the data subject with a copy of the personal data that is being processed (in a legible format).
Do individuals have a right to request deletion of their data?
Yes. Pursuant to Articles 16 and 17 of the GDPR, data subjects have the right to request rectification (where the data is inaccurate or incomplete) or erasure (especially where the controller no longer requires the data or the data subject withdraws its consent declaration) of their personal data and may object at any time to the processing of their data on grounds relating to their particular situation. In such cases, the data controller must delete the relevant data within one month and refrain from any future data processing or transfers.
Is consent required before processing personal data?
A consent declaration is required if there is no other legal justification for the data processing (ie, the data is unnecessary to perform the contract or ensure legitimate interests of the controller and there is no statutory obligation to process the data).
In order for consent to be valid, the data subject must be well aware of the data processing’s scope and content. For evidence purposes, a detailed written consent declaration is recommended (especially since the GDPR requires that the controller demonstrate that consent has been given). Such declarations can also be made online by clicking on a checkbox indicating consent or by other electronic means. In any case, the consent declaration and provided information must be easily understandable and transparent (clear and plain language). In particular, the data subject must be informed – in detail – about:
- the categories of processed or transferred data;
- the purpose of the processing or transfer; and
- the data controller and any data recipients (including their full addresses).
In addition, data subjects must be informed of their right to withdraw consent at any time. If consent is withdrawn, the data controller must refrain from further processing of the relevant personal data.
If consent is not provided, are there other circumstances in which data processing is permitted?
In establishing the permissibility of data processing, a detailed review of the justification therein is of the utmost importance. Apart from the data subject's freely given consent based on full disclosure, the following justifications are available and relevant in practice (Article 6 of the GDPR):
- the existence of an explicit statutory right or obligation;
- the vital interests of the data subject;
- the processing is necessary for the performance of a contract to which the data subject is a party; or
- the processing is necessary to ensure legitimate interests of the data controller (or a third person).
In practice, the performance of a contract as well as overriding legitimate interests of the data controller are the second most relevant justification after the data subject’s consent.
What information must be provided to individuals when personal data is collected?
According to Articles 13 and 14 of the GDPR, the data controller must inform individuals about:
- the data controller's name and contact details;
- the contact details of the data protection officer (if designated);
- the purposes and legal basis for the processing;
- the legitimate interests pursued by the controller or a third party, if applicable;
- the recipients or categories of recipient;
- the controller's intention to transfer personal data to a third country and reference to the appropriate or suitable safeguards and means, if applicable;
- the retention period or at least criteria used to determine that period;
- the information about the data subject's rights;
- whether the provision of personal data is a statutory or contractual requirement; and
- the existence of automated decision-making, including profiling.
Data security and breach notification
Are there specific security obligations that must be complied with?
Article 32 of the EU General Data Protection Regulation (GDPR) provides for general data security obligations – especially to secure personal data against:
- unauthorised access;
- accidental or unlawful destruction, manipulation, disclosure and transfer; and
- other unlawful processing.
Data controllers must also comply with data confidentiality rules and ensure that personnel who process personal data are bound by confidentiality obligations (Section 6 of the Austrian Data Protection Act).
The GDPR does not expressly stipulate which data security measures must be taken but provides that any such measures should reflect the current state of technological capabilities and be economically tenable. Thus, good industry practices are crucial in determining the necessary data security measures to take in the event of a breach of the act or internal control systems. Such practices are particularly relevant in the context of an internal control systems breach, where the courts will examine the potential liability of persons responsible for the breach (eg, managing directors). Liability for insufficient data security seldom arises when good industry practices are followed.
Appropriate technical and organisational measures that must be implemented may include:
- pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Are data owners/processors required to notify individuals in the event of a breach?
Yes. Pursuant to Article 33 of the GDPR, the controller must notify the Data Protection Authority of any personal data breach within 72 hours, unless the breach is unlikely to result in a risk to data subjects. Such data breach notification must contain a sufficient and detailed description of:
- the nature of the personal data breach, including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- the likely consequences of the data breach; and
- the measures taken or proposed to be taken by the controller to address the data breach, including measures to mitigate its possible adverse effects.
In addition to notifying the Data Protection Authority, the controller must communicate the data breach to the data subjects without undue delay when the data breach is likely to result in a greater risk for data subjects (Article 34 of the GDPR). This communication must:
- describe in clear and plain language the nature of the personal data breach; and
- at least contain:
- the name and contact details of the data protection officer or a different contact point;
- the likely consequences of the breach; and
- the measures taken or proposed to address the breach and mitigate its possible adverse effects.
Are data owners/processors required to notify the regulator in the event of a breach?
The GDPR establishes an obligation to report data breaches to the Data Protection Authority. Pursuant to Article 33 of the GDPR, the controller must notify the Data Protection Authority of any personal data breach within 72 hours, unless the breach is unlikely to result in a risk for the data subjects. The notification must include a detailed description of the data breach, as well as potential consequences and adapted countermeasures.
If the data breach is likely to result in an elevated risk for data subjects, the controller must also communicate the data breach to the data subjects concerned without undue delay (Article 34 of the GDPR).
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
Yes. Austrian law sets strict requirements for consent declarations to use personal data for marketing purposes (based on the EU ePrivacy Directive (2002/58/EC), implemented by Section 107 of the Austrian Telecommunications Act).
Electronic messages (eg, email and text messages) that are sent for direct marketing purposes require the recipient’s prior consent (ie, opt-in). A mere opt-out is theoretically sufficient if the following conditions are met:
- The sender has a pre-existing relationship with the customer and initially (ie, at the time of data collection) allowed the customer to refuse further messages. The Supreme Court is strict in enforcing this requirement.
- The communication is transmitted to directly market products or services similar to those originally purchased by the customer.
- The customer (whether a natural or legal person) has a clear, distinct opportunity to object – free of charge and in an easy manner – to such use of advertisements in every email.
- A Robinson List is adhered to. This lists the email addresses of persons that do not wish to receive unsolicited marketing emails. The list is provided by the telecoms regulator at .
Further, the draft EU ePrivacy Regulation will also provide new regulations for electronic communication and marketing. The draft contains similar provisions for unsolicited electronic marketing as outlined above and foresees same (high) fines as provided by Article 83 of the EU General Data Protection Regulation, as applicable.
Yes. All website operators must inform their visitors before collecting personal data through cookies, unless those cookies are absolutely necessary for the functioning of the website.
Further, if personal data is processed or collected through non-functional cookies (especially marketing, tracking or analytics cookies), prior consent (opt-in) is required (usually obtained via a banner on the website). This cookie consent must be based on clear, comprehensive disclosure of:
- the data that will be collected, processed and transferred;
- the legal basis for collection, processing and transfer;
- the purposes for collection, processing and transfer; and
- the retention period for the data.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
The transfer of personal data to recipients outside the European Union is governed by Articles 44 to 50 of the EU General Data Protection Regulation (GDPR). Since May 2018, no notification or approval obligation exists for international data transfers. Formal acts have been replaced by the data controller's internal record of processing activities, as well as a mandatory privacy impact assessment for more sensitive processing activities.
As regards data transfers to a processor (controller-to-processor), Article 28 of the GDPR requires that a written data processing agreement containing prescribed minimum content be signed.
As regards data transfers to other data controllers (controller-to-controller), the GDPR requires a specific legal justification. Thus, in practice, such data transfers are permitted where:
- there is a statutory obligation;
- the data transfer is necessary to perform the contract with the data subject;
- the data transfer is necessary to ensure the legitimate interests of the data controller; or
- the data subject consents to the data transfer.
In addition to these general requirements for controller-to-processor and controller-to-controller data transfers, data transfers to recipients outside the European Economic Area must be based on appropriate safeguards according to Article 46 of the GDPR. Thus, EU standard contractual clauses or binding corporate rules must usually be put in place. The EU-US Privacy Shield and EU Commission adequacy decisions may also justify international data transfers.
Are there restrictions on the geographic transfer of data?
Yes, there are geographic restrictions for data transfers to recipients outside the European Economic Area. According to Article 44 et seq of the GDPR, international data transfers are usually permitted where:
- they are based on an adequacy decision of the EU Commission;
- binding corporate rules are in place;
- standard data protection clauses (EU model clauses) are agreed; or
- they are based on an approved code of conduct or certification mechanism.
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
There is some facilitation for controller-to-processor data transfers, as these do not require a specific legal justification. However, they do require a written data processing agreement (Article 28 of the GDPR).
Penalties and compensation
What are the potential penalties for non-compliance with data protection provisions?
Non-compliance with Austrian data protection provisions can incur the following penalties:
- claims by data subjects based on the right to data protection – compensation for damages (unlikely), omission (likely) or publication of the judgment (likely);
- claims by competitors for omission based on unfair competition law – compensation for damages (very unlikely), omission (likely) or publication of judgment (likely);
- control proceedings by the Austrian Data Protection Authority (ie, onsite audits) resulting in prohibition from further processing or transfer of personal data; and
- a damaged reputation in the media.
In addition to the Data Protection Authority’s control rights, it is competent to impose administrative fines of up to €20 million or 4% of the total worldwide annual turnover. These high fines are primarily imposed directly against the responsible legal entity as data controller or processor. However, the authority can also punish natural persons in charge (managing directors or representatives appointed under administrative law, not the data protection officer). That said, the company will primarily be directly liable. Additional fines for individuals will be imposed only under exceptional circumstances.
Further, Section 62 of the Data Protection Act provides for a catch-all administrative penalty of up to €50,000 which applies to less severe infringements of data protection provisions not subject to fines under the EU General Data Protection Regulation (GDPR). These penalties especially cover violations of national specifics under the act.
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Yes. Individuals may claim damages against data controllers and processors for violations of the GDPR (Article 82) and the Austrian Data Protection Act 2018 (Section 29).
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
The Ministry of the Interior is attempting to enact a Cybercrime and IT Security Act. It is expected to be similar to the German IT Security Act.
The following IT security issues are currently regulated under Austrian law:
- Criminalisation of cybercrime activities – the Criminal Code penalises (through both fines and prison terms) certain cybercrimes, including:
- unlawful access to a computer system (hacking);
- breach of the privacy of telecommunications;
- abusive interception of data;
- data corruption;
- disturbance of the functionality of a computer system;
- abuse of computer programs or access data; and
- data falsification.
- Data security provisions – the Data Protection Act establishes several data security measures to ensure IT security
- Good industry practices – the Data Protection Act does not expressly stipulate which IT security measures must be implemented, but provides that any such measures should reflect the current state of technological capabilities and be economically tenable. Thus, good industry practices have become crucial in determining the required IT security actions and levels. Good industry practices are especially relevant for courts in examining the potential liability of responsible persons (eg, managing directors). Liability seldom arises when good industry practices are followed.
Further, the EU Directive on Security of Network and Information Systems (NIS Directive 2016/1148) provides for additional security measures in order to increase the level of cybersecurity in the European Union. This directive should have been adopted and implemented into national law by 10 May 2018. At present, the Austrian legislature has published no implementation act. However, it is expected that the Cybercrime and IT Security Act will implement the NIS Directive 2016/1148.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
The Council of Europe Convention on Cybercrime has largely been implemented by the provisions on criminalisation of cybercrimes. Further international standards have not been directly implemented into Austrian law.
However, due to the relevance of good industry practices, international certifications and guidelines are increasingly important. In particular, the International Organisation for Standardisation (ISO) international standards and certifications and the Austrian standards are acknowledged guidelines for IT security (eg, ISO/IEC 27001 – Information Security and ISO/IEC 27032 – Guidelines for cybersecurity). In addition, it is often recommended to refer to the Austrian Information Security Manual (www.sicherheitshandbuch.gv.at) or the German IT Baseline Protection Catalogue, both of which provide a catalogue of recommended measures for companies to reliably protect their IT systems and data against cyberattacks. Moreover, the Austrian Chamber of Commerce provides guidelines, checklists and risk analysis tools on IT security (www.wko.at/service/innovation-technologie-digitalisierung/it-sicherheit-datensicherheit.html).
Which cyber activities are criminalised in your jurisdiction?
The Criminal Code penalises the following cybercrimes:
- unlawful access to computer systems (hacking);
- breach of the privacy of telecoms;
- abusive interception of data;
- data corruption (ie, damaging of data);
- disturbing the functionality of computer systems (eg, denial of service);
- abuse of computer programs or access data;
- fraudulent misuse of data processing;
- data falsification;
- counterfeiting non-cash payment methods; and
- capturing non-cash payment data (ie, phishing or skimming).
Criminal offences are penalised by fines and up to six months’ imprisonment. Severe violations (eg, actions conducted by criminal organisations or resulting in a high level of damage) are subject to a longer prison sentence of up to five years. Moreover, a recent amendment to the Criminal Code, which entered into force in 2016, established a stricter system by penalising minor actions undertaken without the intent to disseminate or use personal data for enrichment. The new provisions also cover cybercrimes such as phishing and skimming by penalising the capture of non-cash payment data. ‘Cybermobbing’ (ie, continued harassment through telecoms or computer systems) is also expressly stipulated as a criminal offence.
Further, Section 63 of the Data Protection Act penalises the use or publication of illegally acquired personal data with imprisonment of up to one year.
The Association Responsibility Act and the Administrative Penal Act govern corporate liability, allowing for legal entities to be held liable for cybercrime actions committed for their benefit or within their control.
Which authorities are responsible for enforcing cybersecurity rules?
The criminal courts are competent for the enforcement of the respective rules.
The Data Protection Authority is empowered to ensure compliance with data security provisions.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
Cyber risk insurance is available in Austria. Small companies usually have limited or no IT security or relevant insurance coverage. However, banks and international companies in particular typically obtain insurance for cyber risks.
Are companies required to keep records of cybercrime threats, attacks and breaches?
Based on the data security provisions of the EU General Data Protection Regulation (GDPR) (Article 33), the data controller and processor should keep logs and records to allow the performed processing steps – in particular, modifications, consultations and transmissions – to be traced to the extent necessary.
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
Companies need not report threats, attacks or breaches unless the EU Directive on Security of Network and Information Systems (NIS Directive 2016/1148) is incorporated into Austrian law. While the data controller must inform the natural and legal persons whose data is affected by the breach, there is no notification obligation to the Data Protection Authority. However, telecoms operators must directly inform the Data Protection Authority in the event of a breach.
According to the GDPR (Article 33), the controller must notify the Data Protection Authority of any personal data breach within 72 hours, unless the breach is unlikely to result in a risk for the data subjects. The notification must include a detailed description of the data breach, as well as potential consequences and adapted countermeasures. If there is a considerable risk to data subjects, the controller must also communicate the data breach to them without undue delay (Article 34 of the GDPR).
Are companies required to report cybercrime threats, attacks and breaches publicly?
No. However, the data controller must immediately inform the data subjects concerned in an appropriate manner when it becomes aware that data under its control has been systematically and seriously misused and such misuse could cause the data subjects to suffer damages.
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
Austrian criminal law sets out fines and imprisonment of up to six months for cybercrime offences. Severe violations (eg, actions conducted by criminal organisations or resulting in a substantial damage) are subject to a longer prison sentence of up to five years (Sections 118a, 126a, 126b and 126c of the Criminal Code).
The Data Protection Act penalises the use or publication of illegally acquired personal data with imprisonment of up to one year.
What penalties may be imposed for failure to comply with cybersecurity regulations?
Under the EU General Data Protection Regulation (Article 83), administrative fines of up to €20 million or 4% of the total worldwide annual turnover might be imposed. Further, the controller or processor is liable to compensate for economic or any other losses suffered by the data subject or any other person due to personal data processing in violation of data protection laws.
Company directors or officers can be held personally liable for violations of data security provisions. Moreover, competitors may file claims for omission and damage compensation under the Unfair Competition Act and claim an unfair advantage due to the breach of data protection rules.