Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead of or behind the international curve?

The Data Protection Act 2000 is strict and often exceeds the EU-harmonised minimum standard provided by the EU Data Protection Directive (95/46/EC). It is thus considered to be more stringent than generally accepted international and EU data protection principles and procedures. For example, the data protection law provides for additional requirements and procedures with regard to:

  • formal notification and approval by the Austrian data protection authority;
  • strict preconditions for international data transfers; and
  • consent declarations.

Unlike the Data Protection Directive and similar laws in most other European jurisdictions, the Data Protection Act 2000 also covers personal data of legal entities to the same extent as that of natural persons.

Are any changes to existing data protection legislation proposed or expected in the near future?

The EU General Data Protection Regulation, which will apply by May 25 2018, will establish a new set of data protection provisions applicable across the European Union. However, in certain cases EU member states will be able to uphold their own rules and deviate from or supplement the new EU data protection regime.  

In June 2017 the Data Protection Act 2018 implementing the EU General Data Protection Regulation was adopted by the Austrian legislature. The amendment will become applicable together with the regulation on May 25 2018. Overall, the national implementation act is quite minimalistic and uses only a limited number of the possibilities offered by the regulation to implement more stringent or deviating provisions. However, the legislature reserved the right to enact additional regulations for specific areas based on the opening clauses of the regulation in separate, specific laws (eg, as regards HR data). Further, some local special provisions for certain data processing activities (eg, as regards video surveillance or data processing for purposes of research) are upheld. Regarding data security and cybercrime, the new Data Protection Act 2018 does not provide any provisions additional to the EU General Data Protection Regulation, nor are any such provisions based on the regulation's framework anticipated.

Further, the EU Directive on Security of Network and Information Systems (NIS Directive, 2016/1148) provides for additional security measures in order to increase the level of cybersecurity in the European Union. This directive will have to be adopted and implemented into national Austrian laws by May 10 2018. At present, the Austrian legislature has not published any new acts or drafts in this regard.

Legal framework

Legislation

What legislation governs the collection, storage and use of personal data?

The Data Protection Act 2000 is based on the EU Data Protection Directive (95/46/EC) and governs the collection, storage and use of personal data. Together with the EU General Data Protection Regulation, the new Data Protection Act 2018 will apply by May 25 2018; it does not, however, make excessive use of the opening clauses of the regulation.

The Telecommunications Act 2003, which implemented the EU E-Privacy Directive (2002/58/EC), also includes provisions on data protection.

Scope and jurisdiction

Who falls within the scope of the legislation?

Austrian data protection law applies to the processing of personal data in Austria, irrespective of where the data controller (a natural or legal person that processes personal data for its own purposes) has its seat. It also applies to data that is processed outside the European Union for an Austrian data controller.

However, within the European Union the residence principle applies until May 25 2018. Thus, irrespective of the actual location of data processing, the national data protection law of the EU member state where the data controller is seated is applicable.

In light of the abovementioned rules, the Data Protection Act 2000 is territorially applicable to all data controllers located in Austria and therefore to all:

  • Austrian entities;
  • subsidiaries or branches established in Austria; and
  • data controllers situated outside the European Union, but conducting data processing activities in Austria.

On May 25 2018 the applicability of data protection law follows Articles 2 and 3 of the EU General Data Protection Regulation. Thus, Austrian laws will apply to the processing of personal data by:

  • a controller or processor established in Austria; and
  • controllers or processors outside of Austria offering goods and services to local data subjects or monitoring their behaviour. 

What kind of data falls within the scope of the legislation?

The Data Protection Act 2000 covers ‘personal data’, which is defined as any information relating to an identified or identifiable natural person or legal entity. Thus, the act protects the personal data of both legal entities and natural persons. This is significant in practice, as relevant consent regimes apply equally to business-to-business models.

Due to the EU General Data Protection Regulation, personal data of legal entities will no longer be covered by Austrian data protection laws as of May 25 2018, although the new Data Protection Act 2018 still contains a broad wording of the base right for data protection in Section 1 that also covers legal entities. However, this is due only to political reasons. The base right for data protection is a constitutional provision and could not be changed due to lack of the required majority in Parliament. However, the protection of legal entities is not supported in the remaining provisions as recently adjusted.

To mitigate potential gaps as to the lapse of protection of legal entities under the data protection regime, business know-how and trade secrets shall be protected by the national implementation of the EU Trade Secrets Directive (2016/943). This directive will have to be adopted and implemented into national Austrian laws by June 9 2018. At present, the Austrian legislature has not yet published its implementation act.

Further, the Data Protection Act 2000 distinguishes between non-sensitive and sensitive data. Sensitive data relates to a natural person’s racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, health or sex life. All other data is deemed non-sensitive. In practice, data relevant for criminal prosecution is subject to a similar (ie, stricter) protection regime as that for sensitive data. On May 25 2018 genetic and biometric data will also be categorised as sensitive data.

Since the law refers to ‘personal’ data, totally anonymous data (ie, information that does not relate to an identifiable person or entity) is not covered by the Data Protection Act 2000, the Data Protection Act 2018 or by the EU General Data Protection Regulation.

The Data Protection Act 2000 also establishes a special regime for ‘indirect personal data’, which covers data relating to a data subject in such a manner that only the data controller – not the processor or any other recipient – can identify the data subject by legal means. Indirect personal data is protected, but subject to a less stringent regime. In particular, if indirect personal data is processed or transferred to another data controller, no specific justification need be provided; notification and approval requirements also do not apply. These principles on indirect personal data will no longer be upheld when the EU General Data Protection Regulation and the Data Protection Act 2018 become applicable in May 2018. However, pseudonymisation as a measure of safeguarding data (personal data cannot be attributed to a specific data subject without the use of additional information which is kept separately) might serve as a similar justification under the regulation (especially for the processing of personal data for other purposes than initially collected).

The Data Protection Act does not apply to personal data that has already been validly published. Thus, there are no restrictions on the use of publicly available data, even if it directly relates to an identified person. This principle will, of course, be upheld on May 25 2018.

Are data owners required to register with the relevant authority before processing data?

Yes, until May 25 2018. In general, data controllers must notify the Data Protection Authority (DSB) before processing personal data. The notification must contain detailed, exhaustive information on:

  • the purpose of the data processing;
  • the data subjects involved;
  • the categories of data to be processed;
  • the statutory justification for the processing;
  • any data recipients; and
  • the statutory justification for data transfer.

Relevant documentation must also be provided if the data controller refers to existing consent declarations, contracts, plant agreements (with its works council) or other documents.

However, the Austrian Standard and Model Decree provides certain standardised exceptions from this general notification obligation. As long as personal data and potential recipients are explicitly covered by such standards, no notification is required for processing or transfer.

Provided that no sensitive data, potential criminal data or closed-circuit television footage is involved, processing can commence on the date of filing the notification online. Otherwise, the notification is subject to a two-month review period by the DSB.

This general notification obligation will no longer apply when the EU General Data Protection Regulation and the Data Protection Act 2018 become applicable in May 2018. Instead, data controllers must maintain an internal record of processing activities. In practice, this can be based for already existing processes on notifications made under the old regime supplemented by additional information as required by the regulation.

Is information regarding registered data owners publicly available?

Yes. The Austrian Data Processing Register is publicly available at https://dvr.dsb.gv.at/at.gv.bka.dvr.public/DVRRecherche.aspx until the end of December 2019. Thus, anyone can verify registered controllers and their data processing activities and entities can retrieve their registrations to use it as basis for the establishment of their internal record of processing activities under the EU General Data Protection Regulation.

Is there a requirement to appoint a data protection officer?

No. There is no requirement under the Data Protection Act 2000 to appoint a data protection officer. However, this will change with the EU General Data Protection Regulation in May 2018. According to Article 37 of the regulation, data controllers as well as processors must designate a data protection officer in case their core activities:

  • are qualified as regular and systematic monitoring of data subjects; or
  • consist of processing of special categories of data (sensitive data) or data relating to criminal convictions and offences.

The Data Protection Act 2018 implementing the EU General Data Protection Regulation does not provide for additional regulations in this regard. Thus, the conditions set forth in the regulation, which are vague and open to interpretation, are the only legal basis for assessing whether a data protection officer is required.

Enforcement

Which body is responsible for enforcing data protection legislation and what are its powers?

In general, the Data Protection Authority (DSB) is competent for the enforcement of Austrian data protection law. Anyone may submit a claim to the DSB for a violation of privacy or data protection law by a data controller or processor. The DSB may conduct onsite audits (although these are uncommon) or request clarification from the data controller or processor in order to verify the concerns (the most common course of action). To ensure compliance with the Data Protection Act, the DSB may issue recommendations to remedy the violation within a reasonable period. If a DSB recommendation is not met within this period, the DSB may:

  • report a possible criminal offence to the competent court; or
  • bring a civil action before the competent court.

If there is a significant, immediate threat to the privacy of the persons concerned (ie, imminent danger), the DSB may also prohibit use of the relevant data application.

Decisions of the DSB may be appealed to the Federal Administrative Court. Its decisions may in turn be appealed to the final-instance Higher Administrative Court, unless certain restrictions apply.

Further, the district administrative authorities may impose administrative penalties of up to €25,000 for violations of data protection law.

Aside from these administrative procedures, the regional courts are competent for the enforcement of claims:

  • for infringement of the right to secrecy;
  • to correct outdated or inaccurate data;
  • to delete data; and
  • for damages, omission or publication of the judgment.

Competitors may also file claims with the civil courts for damages, omission or publication of the judgment based on unfair competition law.

This regime will change in May 2018. Besides the DSB's control rights, the authority will also be competent to impose the administrative fines as stipulated in the EU General Data Protection Regulation of up to €20 million or 4% of the total worldwide annual turnover. The new, high fines shall primarily be imposed directly against the responsible controller or processor as legal entity. The authority is still entitled to punish natural persons in charge (managing directors or representatives appointed under administrative law, not the Data Protection Officer). However, generally the company shall be directly liable. Additional fines to individuals will be imposed only under special circumstances. The Data Protection Act 2018 provides for a catch-all administrative penalty of up to €50,000, applicable to less intensive infringements of data protection provisions not fined under the regulation. This penalty especially covers violations of the national specifics of the Data Protection Act 2018.

In addition, every data subject has a right to file a complaint with the DSB. The regional civil courts will still be competent for damage claims.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

In general, personal data must be:

  • processed fairly and lawfully, as well as in a transparent manner;
  • accurate and, where necessary, up to date;
  • collected for specified, explicit and legitimate purposes and not subject to further processing in a way that is incompatible with such purposes (purpose limitation);
  • adequate, relevant and proportionate in relation to as well as limited to the purposes for which it is collected or processed (data minimisation); and
  • kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is collected or processed (storage limitation).

When determining the permissibility of data processing activities, a detailed review of the justification for processing is of utmost importance. Data may be processed only if the legitimate confidentiality interests of involved data subjects are not infringed. For non-sensitive personal data, the following justifications are usually employed:

  • the existence of an explicit statutory right or obligation;
  • the data subject's freely given consent, based on full disclosure and prior information;
  • the processing is necessary for the performance of a contract to which the data subject is a party;
  • vital interests of the data subject which necessitate the processing; or
  • overriding legitimate interests of the data controller (or a third person).

In practice, the overriding legitimate interests of the data controller, performance of a contract and the consent of the data subject are most relevant. However, the Data Protection Act does not accept general or mere business interests – such as processing for marketing purposes or within a group of companies – under the overriding interest regime. Thus, such data use may be conducted only with the data subject's consent.

Until now, there is also no privilege for intragroup data transfers. As the overriding legitimate interests exemption under the Data Protection Act is seldom accepted, consent requirements apply. This is particularly true when processing employee data that is not directly required by law. For instance, the Data Protection Authority is likely to argue that an Austrian entity is allowed to review its employees' performance on a frequent basis, but that there is no need to transfer performance ratings to other group entities (or to permit their access), as often provided by human resources tools. As a result, the data subject's consent is often the only valid justification for the processing, especially with regard to data processing for advertising purposes and intragroup data transfers.

This general principle will be slightly amended by the EU General Data Protection Regulation since its recitals outline that transmitting personal data within a group of undertakings for internal administrative purposes, as well as processing personal data for direct marketing purposes, might be permitted based on overriding legitimate interests of the data controller. However, as regards marketing, the implications of the Telecommunications Act 2003 and the EU ePrivacy Regulation must be considered. According to these provisions, electronic marketing generally requires the prior consent of the data subject.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The Data Protection Act 2000 does not set a maximum retention period for personal data. In general, personal data may be retained only for as long as needed to fulfil the purpose of the data processing. A longer retention period may be justified by specific legal provisions (eg, seven years for tax, accounting and other commercial documents). Essentially, the maximum retention period differs based on the nature of the personal data involved and the purposes of its processing.

Aside from these vague limits set out under the Data Protection Act, the Austrian Standard and Model Decree stipulates maximum retention periods for different data groups. In general, data may be retained until:

  • termination of the business relationship;
  • expiration of any warranty or guarantee claims (usually two years);
  • expiration of a specific legal retention period (usually seven years for accounting data); or
  • conclusion of any legal dispute in which the data is needed as evidence.

Data must be deleted as soon as it is no longer needed for its stated purpose. Thus, data must be erased on expiration of the maximum data retention period. As an alternative to deletion, the data can be irreversibly anonymised and stored as non-personally identifiable information, in which case no maximum retention period applies.

This principle of storage limitation will be upheld by the EU General Data Protection Regulation and the Data Protection Act 2018.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes. Data subjects may exercise their right to information against the data controller, which must disclose the following on request:

  • the data being processed and the purposes for which it is processed;
  • the source of the personal data (ie, where and why it was collected);
  • the categories of data concerned; and
  • the recipients of the relevant data.

The data subject must demand disclosure in writing and prove its identity (in the case of an individual, this is usually done by submitting a copy of his or her passport). Data controllers must then provide all relevant data – or at least confirm that no personal data has been processed (ie, an ‘empty’ notification) – within eight weeks.

This right to information will be expanded by the EU General Data Protection Regulation. In addition to the above items, the data subject must be informed of:

  • the applicable data retention periods;
  • the rights to rectification, erasure and objection of personal data; and
  • the right to file a complaint with the data protection authority.

Further, the controller shall provide the data subject on request, with a copy of the personal data that is being processed (in a legible format).

Do individuals have a right to request deletion of their data?

Yes. Data subjects have the right to request correction (in case the data is inaccurate or incomplete) or deletion (especially in case data is no longer necessary for the controller or data subject withdraws its consent declaration) of their personal data and may object at any time to the processing of their data. In such case, the data controller must delete the relevant data within eight weeks (one month according to the EU General Data Protection Regulation – in exceptional cases even two months) and refrain from any future data processing or transfers.

Consent obligations

Is consent required before processing personal data?

A consent declaration is required if there is no other legal justification for data processing.

In order for consent to be valid, the data subject must be well aware of the data processing’s scope and content. For evidence purposes, a detailed written consent declaration is recommended (especially since the EU General Data Protection Regulation requires that the controller be able to demonstrate consent declarations). Such a declaration can also be made online by clicking on a checkbox indicating consent or by other electronic means. In any case, the consent declaration and the information provided must be easily understandable and transparent (clear and plain language). In particular:

  • the categories of processed or transferred data must be listed exhaustively;
  • the purpose of the processing or transfer must be described in detail; and
  • the data controller and any data recipients must be named (including their full addresses).

In addition, data subjects must be informed of their right to withdraw consent at any time. If consent is withdrawn, the data controller must refrain from further processing of the relevant personal data.

If consent is not provided, are there other circumstances in which data processing is permitted?

In establishing the permissibility of data processing, a detailed review of the justification for the processing is of utmost importance. Aside from the data subject's freely given consent based on full disclosure, the following justifications are available:

  • the existence of an explicit statutory right or obligation;
  • the vital interests of the data subject;
  • the processing is necessary for the performance of a contract to which the data subject is a party; or
  • the overriding legitimate interests of the data controller (or a third person).

In practice, the performance of a contract as well as overriding legitimate interests of the data controller are the second most relevant justification after the data subject’s consent.

What information must be provided to individuals when personal data is collected?

The data controller must inform individuals of:

  • the data controller's name and address;
  • the data that is collected, processed or transferred;
  • the legal basis on which it is collected, processed or transferred;
  • the purposes (and possible recipients) for which it is collected, processed or transferred; and
  • the retention period for the data.

This right to information will be expanded according to Art 13 of the EU General Data Protection Regulation. In addition, the data subject must be informed about:

  • the name and contact details of the Data Protection Officer;
  • the intention to transfer data to a third country not providing an adequate level of data protection;
  • the rights to rectification, erasure and objection of personal data;
  • the right to file a complaint with the data protection authority;
  • the information that any consent provided can be withdrawn at any time;
  • the fact if and to what extent data collection is mandatory or required by law; and
  • information on any automated profiling.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Yes. The Data Protection Act 2000 sets out technical and organisational measures that data controllers must undertake to secure personal data against:

  • unauthorised access;
  • accidental or unlawful destruction, manipulation, disclosure and transfer; and
  • other unlawful processing.

Data controllers must also comply with data confidentiality rules and ensure that personnel who process personal data are bound by confidentiality obligations.

The Data Protection Act does not expressly stipulate which data security measures must be taken, but provides that any such measures should reflect the current state of technological capabilities and be economically tenable. Thus, good industry practices have become crucial in determining the necessary data security measures to take in the event of a breach of the act or internal control systems. Such practices are particularly relevant in the context of an internal control systems breach, where the courts will examine the potential liability of persons responsible for the breach (eg, managing directors). Liability for lack of sufficient data security seldom arises when good industry practices are followed.

Further, Art 32 of the EU General Data Protection Regulation also provides for general data security obligations. Appropriate technical and organisational measures that have to be implemented may include:

  • pseudonymisation and encryption of personal data;
  • ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Since the EU General Data Protection Regulation does not stipulate concrete security measures, best practices are still crucial in determining the necessary data security standard. 

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Yes. The data controller must inform the data subjects concerned in an appropriate manner as soon as it becomes aware that data under its control has been systematically and seriously misused and such misuse may cause the data subjects to suffer damages. The disclosure obligation does not apply if only minor damage is likely to occur and the costs of disclosure would require disproportionate effort.

This data breach notification duty will be significantly tightened on applicability of the EU General Data Protection Regulation. According to the new regime, any personal data breach has to be notified by the controller to the data protection authority within 72 hours, unless the breach is unlikely to result in a risk for the data subjects. The notification must include a detailed description of the data breach, as well as potential consequences and adapted counter-measures.

In case a high risk for data subjects applies, the controller shall also communicate the data breach to the data subjects concerned without undue delay.

Are data owners/processors required to notify the regulator in the event of a breach?

Not under the Data Protection Act 2000. The data controller must inform only the natural and legal persons whose data is affected by the breach; there is no general obligation to notify the Data Protection Authority. However, telecommunications operators are already obliged to directly inform the Data Protection Authority in such event.

However, the new EU General Data Protection Regulation will significantly change regulations and establish an obligation to report data breaches to the data protection authority.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

Yes. Austrian law sets strict requirements for consent declarations to use personal data for marketing purposes (based on the EU E-Privacy Directive (2002/58/EC), implemented by Section 107 of the Austrian Telecommunications Act).

Electronic messages (eg, email and text messages) that are sent for direct marketing purposes require the recipient’s prior consent (ie, opt-in). A mere opt-out is theoretically sufficient if the following conditions are met:

  • The sender has a pre-existing relationship with the customer and initially (ie, at the time of data collection) allowed the customer to refuse further messages. The Supreme Court is strict in enforcing this requirement.
  • The communication is transmitted for the purpose of direct marketing of products or services similar to those originally purchased by the customer.
  • The customer (whether a natural or legal person) has a clear, distinct opportunity to object – free of charge and in an easy manner – to such use of advertisements in every email.
  • A Robinson List is adhered to. This lists the email addresses of persons that do not wish to receive unsolicited marketing emails. The list is provided by the telecoms regulator at www.rtr.at/ecg.

Further, the draft EU ePrivacy Regulation will also provide new regulations for electronic communication and marketing. The draft contains similar provisions for unsolicited electronic marketing as outlined above and foresees the same (high) fines as provided by Article 83 of the EU General Data Protection Regulation.

Cookies

Are there rules governing the use of cookies?

Yes. All website operators must inform users before collecting personal data through cookies. If personal data is collected, prior consent (an opt-in) is required (usually obtained via a banner at the top of the website). Consent must be based on clear, comprehensive disclosure of:

  • the data that will be collected, processed and transferred;
  • the legal basis for collection, processing and transfer;
  • the purposes for collection, processing and transfer; and
  • the retention period for the data.

However, the current draft of the EU ePrivacy Regulation provides that website visitors might consent to cookies through their browser settings. This would make placing cookies easier than under the current consent requirement. As a consequence, banners would no longer be required.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

The Data Protection Act 2000 distinguishes between data transfer to another data controller (C2C) and transfer to a data processor (C2P). A C2C data transfer is established when the recipient of personal data uses it for its own or other purposes and thus also acts as data controller. A C2P data transfer is established when data is sent to a third person that acts merely on the data controller’s behalf.

Notification

The Data Protection Authority must generally be notified of a C2C data transfer (there are only a few standardised exemptions to this requirement in the Austrian Standard and Model Decree). A C2P data transfer triggers no notification duty, as long as the underlying data processing either is notified or falls within the scope of the Austrian Standard and Model Decree.

Data processing agreement

All data controllers are generally allowed to engage data processors (C2P data transfer). Data processors must limit processing to the extent necessary to fulfil the purposes of the data controller and comply with data security rules. To this end, a written data processing agreement must be concluded. Provided that the data processor is located in the European Economic Area or in a third country providing an adequate level of data protection, a brief model contract will be sufficient. If the recipient data processor is located in a third country without an adequate level of data protection (eg, the United States or India), a more detailed data processing agreement (and approval) will be required.

Approval

Austrian data protection law requires prior approval for any C2C or C2P data transfer to a recipient located in a third country without an adequate level of data protection (eg, the United States, India and Singapore). The approval procedure must be initiated separately for each recipient and be based on either signed EU standard contractual clauses or binding corporate rules. Such C2C and C2P data transfers can commence only on receipt of formal approval. However, no approval is required if:

  • merely indirect personal data is to be transferred;
  • the data subject has provided its explicit consent; or
  • the data transfer is explicitly mentioned in a standard application.

New regime as of May 2018

When the EU General Data Protection Regulation becomes applicable in May 2018, there will no longer be any notification or approval obligations for international data transfers. Both formal acts will be replaced by the data controller's internal record of processing activities, as well as a mandatory privacy impact assessment for more sensitive processing activities.

As regards data transfer to a mere processor (C2P), Article 28 of the EU General Data Protection Regulation requires the conclusion of a written data processing agreement with a prescribed minimum content. Since the new regime requires a more detailed agreement, already existing data processing agreements will have to be amended in order to comply with the regulation.

Further, C2C data transfers to recipients outside the European Economic Area will be possible based on executed EU standard contractual clauses or binding corporate rules, without any additional approval of the individual transfer by the data protection authority, unlike under the current legal situation in Austria.

Are there restrictions on the geographic transfer of data?

Yes. Austrian data protection law requires prior approval for any C2C or C2P data transfer to a recipient located outside the European Economic Area in a third country without an adequate level of data protection (eg, the United States, India and Singapore).

This approval requirement will no longer be upheld under the EU General Data Protection Regulation and the Data Protection Act 2018 as of May 2018.

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Yes. C2P data transfers are subject to lighter requirements. C2P transfers usually require no notification, but do require a data processing agreement in writing. The Data Protection Authority’s approval is required only if data is transferred outside the European Economic Area.

The formal notification and approval requirements will no longer be upheld under the EU General Data Protection Regulation and the Data Protection Act 2018 as of May 2018.

Penalties and compensation

Penalties

What are the potential penalties for non-compliance with data protection provisions?

Non-compliance with Austrian data protection provisions can incur the following penalties:

  • claims by data subjects based on the right to data protection – compensation for damages (unlikely), injunctive relief (omission) or publication of the judgment (both likely);
  • claims by competitors for injunctive relief (omission) based on unfair competition law – compensation for damages (very unlikely), injunctive relief or publication of the judgment (both likely);
  • an administrative penalty of up to €10,000 (the first penalty is usually only a fraction of the highest possible penalty);
  • an administrative penalty of up to €25,000 for transferring data without the Data Protection Authority’s approval (again, the first penalty is usually low);
  • control proceedings by the Data Protection Authority (ie, onsite audits) resulting in prohibition from further processing or transfer of personal data; and
  • a damaged reputation in the media.

This regime will change drastically as of May 2018. Besides its control rights, the Data Protection Authority will also become competent to impose administrative fines of up to €20 million or 4% of the total worldwide annual turnover. The new, high fines will primarily be imposed directly on the responsible legal entity as data controller or processor. The authority remains entitled to punish the natural persons in charge (managing directors or representatives appointed under administrative law, not the Data Protection Officer), but the company is primarily and directly liable, and additional fines on individuals are to be imposed only under special circumstances. The Data Protection Act 2018 provides for a catch-all administrative penalty of up to €50,000 applicable to less severe infringements of data protection provisions not subject to fines under the EU General Data Protection Regulation (Section 62 of the act). These penalties will especially cover violations of national specifics under the act.

Compensation

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Yes. Individuals may claim damages against data controllers and processors for violations of the Data Protection Act 2000, the EU General Data Protection Regulation and the Data Protection Act 2018.

Cybersecurity

Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

The Ministry of the Interior is attempting to enact a Cybercrime and IT Security Act. It is expected to be similar to the German IT Security Act.

The following IT security issues are currently regulated under Austrian law:

  • Criminalisation of cybercrime activities – the Criminal Code penalises (through both fines and prison terms) certain cybercrimes, including:
    • unlawful access to a computer system (hacking);
    • breach of the privacy of telecommunications;
    • abusive interception of data;
    • data corruption;
    • disturbance of the functionality of a computer system;
    • abuse of computer programs or access data; and
    • data falsification.
  • Data security provisions – the Data Protection Act establishes several data security measures to ensure IT security.
  • Good industry practices – the Data Protection Act does not expressly stipulate which IT security measures must be implemented, but provides that any such measures should reflect the current state of technological capabilities and be economically tenable. Thus, good industry practices have become crucial in determining the required IT security actions and levels. Good industry practices are especially relevant for courts in examining the potential liability of responsible persons (eg, managing directors). Liability seldom arises when good industry practices are followed.

Further, the EU Directive on Security of Network and Information Systems (NIS Directive, 2016/1148) provides for additional security measures in order to increase the level of cybersecurity in the European Union. This directive must be transposed into Austrian national law by May 10 2018. At present, the Austrian legislature has not yet published any implementation act. However, it is expected that the NIS Directive will be implemented by the Cybercrime and IT Security Act.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

The provisions on criminalisation of cybercrimes mainly implement the Council of Europe Convention on Cybercrime. Further international standards have not been directly implemented into Austrian law.

However, due to the relevance of good industry practices, international certifications and guidelines are increasingly important. In particular, the International Organisation for Standardisation (ISO) international standards and certifications and the Austrian Standards (ÖNORM) are acknowledged guidelines for IT security (eg, ISO/IEC 27001 – Information security and ISO/IEC 27032 – Guidelines for cybersecurity). In addition, it is often recommended to refer to the Austrian Information Security Manual (www.sicherheitshandbuch.gv.at) or the German IT Baseline Protection Catalogue, both of which provide a catalogue of recommended measures for companies to reliably protect their IT systems and data against cyberattack. Moreover, the Austrian Chamber of Commerce provides guidelines, checklists and risk analysis tools on IT security (www.wko.at/Content.Node/it-safe/it-sicherheit.html).

Which cyber activities are criminalised in your jurisdiction?

The Criminal Code penalises the following cybercrimes:

  • unlawful access to a computer system (hacking);
  • breach of the privacy of telecommunications;
  • abusive interception of data;
  • data corruption (ie, damaging of data);
  • disturbance of the functionality of a computer system (eg, denial of service);
  • abuse of computer programs or access data;
  • fraudulent misuse of data processing;
  • data falsification;
  • counterfeiting of non-cash means of payment; and
  • capture of non-cash payment data (ie, ‘phishing’ or ‘skimming’).

Criminal offences are penalised by fines and imprisonment for up to six months. Severe violations (eg, actions conducted by criminal organisations or resulting in a high level of damage) are subject to a longer prison sentence of up to five years. Moreover, a recent amendment to the Criminal Code which entered into force in 2016 established a stricter system by also penalising minor actions undertaken without the intent to disseminate or use personal data for enrichment. The new provisions also cover cybercrimes such as phishing and skimming by penalising the capture of non-cash payment data. ‘Cybermobbing’ (ie, continued harassment through telecommunications or computer systems) is also expressly stipulated as a criminal offence.

Further, the Data Protection Act 2000 penalises the use or publication of illegally acquired personal data with imprisonment of up to one year. This criminal provision will be upheld by the amended Data Protection Act 2018.

The Association Responsibility Act and the Administrative Penal Act govern corporate liability, allowing for legal entities to be held liable for cybercrime actions committed for their benefit or within their control.

Which authorities are responsible for enforcing cybersecurity rules?

The criminal courts are competent for the enforcement of the respective rules.

The Data Protection Authority is empowered to ensure compliance with data security provisions.

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Cyber risk insurance is available in Austria. Small companies usually invest little in IT security or the corresponding insurance coverage. However, banks and international companies in particular typically obtain insurance for cyber risks.

Are companies required to keep records of cybercrime threats, attacks and breaches?

Based on the data security provisions of the Data Protection Act 2000, the data controller and processor must keep logs and records to allow the performed processing steps – in particular, modifications, consultations and transmissions – to be traced to the extent necessary.

This will be upheld by the EU General Data Protection Regulation and the Data Protection Act 2018.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

As long as the EU Directive on Security of Network and Information Systems (NIS Directive, 2016/1148) is not incorporated into Austrian law, no. The data controller must inform the natural and legal persons whose data is affected by the breach, but there is no notification obligation to the Data Protection Authority. However, telecommunications operators are obliged to directly inform the Data Protection Authority in such a case.

This data breach notification duty will be significantly tightened once the EU General Data Protection Regulation becomes applicable. Under the new regime, any personal data breach must be notified by the controller to the data protection authority within 72 hours, unless the breach is unlikely to result in a risk for the data subjects. The notification must include a detailed description of the data breach, its potential consequences and the countermeasures taken. Where the breach is likely to result in a high risk for data subjects, the controller must also communicate the data breach to the data subjects concerned without undue delay.

Are companies required to report cybercrime threats, attacks and breaches publicly?

No. However, the data controller must immediately inform the data subjects concerned in an appropriate manner when it becomes aware that data under its control has been systematically and seriously misused and such misuse can cause the data subjects to suffer damages.

Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

Austrian criminal law sets out fines and imprisonment of up to six months for cybercrime offences. Severe violations (eg, actions conducted by criminal organisations or resulting in a high level of damage) are subject to a longer prison sentence of up to five years.

The Data Protection Act penalises the use or publication of illegally acquired personal data with imprisonment of up to one year.

What penalties may be imposed for failure to comply with cybersecurity regulations?

If the data controller or processor grossly neglects the required data security measures, the district administrative authority may impose an administrative penalty of up to €10,000. Under the EU General Data Protection Regulation, administrative fines of up to €20 million or 4% of the total worldwide annual turnover will apply as of May 2018.

Further, the controller or processor is liable to compensate for economic or any other losses suffered by the data subject or any other person due to personal data processing in violation of the Data Protection Act.

Company directors or officers can be held personally liable for violations of data security provisions. Moreover, competitors may file claims for omission and damage compensation under the Unfair Competition Act and claim an unfair advantage due to the breach of data protection rules.