AUSTRIA - Data Protection and GDPR Review

History of Data Protection in Austria

The Data Protection Act of 1978

The history of data protection in Austria dates back to 1978 with the adoption of the Data Protection Act (Datenschutzgesetz or DSG 1978). Austria was one of the first countries in the world to establish a comprehensive law to protect personal data. This law was mainly a response to the rapid development and spread of computing technology during this time.

DSG 1978 established a set of principles and guidelines for data processing and storage. It was unique in that it established a Data Protection Commission, an independent supervisory authority responsible for monitoring and enforcing the law.

The Data Protection Act of 2000

In 2000, Austria revised the Data Protection Act to adapt to the European Union's 1995 Data Protection Directive. The revised law clarified and expanded the principles and obligations of data processing, reinforced the rights of data subjects, and added new provisions for international data transfers.

The General Data Protection Regulation (GDPR)

Austria, as an EU member state, adopted the GDPR, which replaced the previous data protection laws in Austria.

The GDPR introduced more stringent rules on data protection, increased penalties for non-compliance, and granted individuals greater control over their personal data. One of the main changes in Austria was the abolishment of the obligation to notify the Data Protection Authority about data processing activities, which was required under the old law.

Data Protection Act 2018

In addition to the GDPR, Austria enacted a new national data protection law, the Data Protection Act 2018 (Datenschutzgesetz or DSG 2018). This law complements the GDPR by specifying and modifying certain provisions of the GDPR within the scope permitted by the EU legislation. For instance, it sets the age of consent for data processing related to information society services at 14, whereas the GDPR allows this age to be anywhere between 13 and 16.

Austria Data Protection and GDPR

Over the past few decades, Austria has demonstrated a consistent commitment to data protection. From being one of the first countries to establish a comprehensive data protection law to its current alignment with the EU's GDPR, Austria continues to uphold a high standard of data privacy and continues to evolve its laws and regulations to keep pace with technological advances and societal changes.

Comprehensive Guide to Data Protection in Relation to GDPR in Austria

As a member of the EU, Austria has implemented GDPR as well as supplementary national laws to ensure that data protection principles are maintained throughout all data processing activities.

Austrian Legal Framework for Data Protection

Austria's key legislation for data protection is the Austrian Data Protection Act 2018 (Datenschutzgesetz, DSG 2018), which complements the EU's GDPR by specifying and modifying certain provisions within the scope permitted by the EU legislation.

The Austrian Data Protection Authority (Datenschutzbehörde) is the body responsible for overseeing data protection and privacy laws in Austria.

Key GDPR Concepts and Their Application in Austria

  1. Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly, and transparently. Businesses and organizations in Austria need to provide clear information about how they use personal data and must have a valid legal basis for processing that data.

  2. Purpose Limitation: Data should be collected for specified, explicit, and legitimate purposes. Organizations must specify why they are collecting personal data and can only use the data for those purposes.

  3. Data Minimization: Data collection should be relevant, limited, and necessary for the intended purpose. Excessive data collection is not permitted under Austrian law.

  4. Accuracy: Personal data should be accurate and up-to-date. If data is found to be inaccurate, organizations are expected to correct or delete it.

  5. Storage Limitation: Personal data should be stored for no longer than necessary. The law requires organizations in Austria to delete personal data when it is no longer needed.

  6. Integrity and Confidentiality: Data must be handled securely. Companies are required to implement adequate security measures to protect personal data against unauthorized access, loss, or destruction.

Data Subject Rights in Austria

Under GDPR and the Austrian DSG 2018, individuals have several rights regarding their personal data:

  • The right to be informed

  • The right of access

  • The right to rectification

  • The right to erasure ('right to be forgotten')

  • The right to restrict processing

  • The right to data portability

  • The right to object

  • Rights related to automated decision-making, including profiling

Data Transfers

Transfers of personal data outside the European Economic Area (EEA) are only permitted if an adequate level of data protection is ensured in the recipient country. This could be through an adequacy decision by the EU Commission, the use of standard contractual clauses, or other mechanisms as set out in the GDPR.

Penalties for Non-compliance

Austria's Data Protection Authority can impose fines for non-compliance with GDPR and national data protection laws. The penalties depend on the type and severity of the violation, with the maximum fine being up to €20 million or 4% of the company's annual worldwide turnover, whichever is higher.


Companies operating in Austria need to comply with both the GDPR and the Austrian Data Protection Act 2018. Given the complexity of these laws and the severity of potential penalties, organizations should seek legal advice to ensure they are fully compliant.

