The General Data Protection Regulation (GDPR) is a set of laws that govern how personal data is processed and protected in the European Union (EU). It gives individuals more control over their personal data and imposes strict rules on how companies can collect, store, and use this data. As an EU member state, Austria has implemented the GDPR through the Data Protection Act (Datenschutzgesetz, DSG). This act aligns Austrian data protection laws with the requirements of the GDPR, ensuring that the processing of personal data in Austria complies with EU regulations. The DSG includes regulations on video surveillance, data processing standards for specific purposes, and the age of consent for a child's data processing, among other provisions.
Austrian data protection law vs GDPR
Austria has passed and updated several laws to ensure compliance with the GDPR, including the Data Protection Act 2000 (Datenschutzgesetz – DSG 2000) and the Data Protection Act (Datenschutzgesetz – DSG).
The Austrian Data Protection Act (DSG) sets out several regulations that differ from the GDPR. For instance, the DSG states that a child's consent to an offer from information society services is lawful if they have reached the age of 14, whereas the age of consent under the GDPR is 16. Additionally, the DSG includes regulations on video surveillance and data processing standards for specific purposes, such as processing in the public interest for archiving, scientific, or historical research.
Another significant difference between the DSG and the GDPR is in the area of data erasure. The DSG states that immediate erasure is not necessary if economic or technical reasons make it possible only at certain times. In such cases, the processing of personal data shall be restricted until that time, which aligns with the effects stipulated in Art. 18 (2) GDPR. However, it is unclear how the ECJ will assess this provision and whether it is fully compatible with the GDPR.
Austria has also amended the Research Organisational Act (Forschungsorganisationsgesetz – FOG) to include waivers from GDPR for research purposes under Article 89. The compatibility of this law with the GDPR and the Austrian Constitution is questionable.
Furthermore, Austria has implemented the ePrivacy Directive in its Telecoms Act (Telekommunikationsgesetz 2013, TKG), regulating cookies and spam emails.
In terms of data protection authority, Austria has established the Datenschutzbehörde (DSB) as the national data protection authority, which resides in Vienna and is responsible for all public and private entities in the country.
While Austria has made significant strides in updating its data protection laws to comply with the GDPR, there are still some differences and derogations in specific areas. These include the age of consent, data erasure, video surveillance, and research waivers. The compatibility of certain Austrian laws with the GDPR and the Constitution is still under question and may be subject to further assessment and legal challenges.
Austrian Data Protection Act (DSG)
The Austrian Data Protection Act (DSG) is an Austrian law that supplements the General Data Protection Regulation (GDPR) and helps implement the Directive (EU) 2016/680 of the European Parliament. The DSG contains provisions that regulate the processing of personal data by competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offences, as well as national security and military self-defence.
Austria has traditionally not differentiated structurally between public and private data processing. Austrian law has covered not just natural persons but also legal entities as data subjects. The Austrian Data Protection Act (DSG) entered into force on 25 May 2018, the same day as the GDPR, and it extensively modified the previous version of the law, the "Datenschutzgesetz 2000" (DSG 2000).
The DSG 1978 introduced the Constitutional Right to Data Protection in § 1 DSG, and Austria gave the ECHR constitutional status, establishing the Right to Privacy in Article 8 ECHR. The Austrian government has passed numerous laws to update data protection rules and terminology in many other national provisions.
Under the DSG, the age of consent in Austria for data processing is 14, in line with Austrian civil law provisions. Austria has also exempted any processing of personal data by media for journalistic purposes from the GDPR in § 9(1) DSG. This broad exception has been questioned as it may violate the Austrian Constitution, GDPR, and/or the CFR.
The DSG further states that processing data for research, artistic, and literary purposes must be balanced with the right to freedom of expression and the right to information. Austria has amended the Research Organisational Act (FOG) to include waivers from GDPR for research purposes under Article 89. The constitutionality of this law has been questioned.
Data protection for children
The General Data Protection Regulation (GDPR) applies to Austria, and the country has passed several laws to update data protection rules and terminology in its national provisions.
Austria, as an EU Member State, has an age threshold of between 13 and 16 years for obtaining parental consent to process a child's personal data. This applies to social networking sites, music downloading platforms, and online game purchasing platforms. For a child below the age of 16, parental consent or authorisation by the holder of parental responsibility is required for lawful processing. Companies must make reasonable efforts to verify parental consent, and this may include implementing age-verification measures such as asking questions that an average child would not be able to answer or requesting a parent's email address for written consent.
However, preventive or counselling services offered directly to children are exempt from requiring parental consent, as they aim to protect the child's best interests. Any information addressed specifically to a child should be easily accessible and presented in clear and plain language, considering that children are less aware of the risks and consequences of sharing data and their rights.
The Austrian Data Protection Act (Datenschutzgesetz - DSG) establishes the age of consent in the country as 14, in line with Austrian civil law provisions.
Data processing standards
Austria has passed several laws to update data protection rules and terminology in many other national provisions. Austrian legislators have made use of the opportunity to establish derogating regulations from the GDPR ('opening clauses').
The Austrian Data Protection Act (DSG) includes data processing standards for specific purposes. For instance, the DSG covers the processing of personal data in the public interest for archiving, scientific or historical research purposes, as well as for statistical purposes and in emergencies.
A notable difference between Austrian data protection law and the GDPR is found in § 4 (4) DSG, which states that immediate erasure of personal data is not necessary if, for economic or technical reasons, it is only possible at certain times. In such cases, the processing of personal data shall be restricted until that time, aligning with Art. 18 (2) GDPR. However, it is unclear how the ECJ will assess this provision and whether it fully complies with the GDPR.
Furthermore, Austria has amended the Research Organisational Act (Forschungsorganisationsgesetz – FOG) to include waivers from GDPR for research purposes under Article 89. The compatibility of this law with the GDPR and the Austrian Constitution is questionable.
Data protection for employees
The General Data Protection Regulation (GDPR) is a regulation of the European Union that applies directly in every member state, including Austria. The Austrian Data Protection Act (Datenschutzgesetz, DSG) supplements the GDPR and contains provisions implementing the EU directive on the processing of personal data.
Data protection matters in the work context are regulated in §§ 91, 96 and 96a ArbVG. Forms of electronic control (Kontrollmaßnahme) require the agreement of the workers' council for certain processing of employee data. If no workers' council has been established, each employee must consent to forms of electronic control under § 10 AVRAG.
The Austrian Data Protection Act (DSG) and the General Data Protection Regulation (GDPR) give data subjects, including employees, certain rights. These include:
- The right to withdraw consent to the processing of personal data at any time.
- The right to information as to whether personal data is being processed and what the content of this data is.
- The right to rectification or completion and the right to deletion of personal data.
- The right to restriction of processing, objection to processing, and data portability.
The Austrian Data Protection Authority (Datenschutzbehörde, DSB) is the national data protection authority for Austria. It resides in Vienna and is in charge of all public and private entities in the country. The DSB can be contacted for complaints about data protection matters.
Frequently asked questions
Yes, the GDPR applies to Austria.
The Datenschutzbehörde (DSB) is the national data protection authority for Austria.
The relevant pre-GDPR legislation has been revised.
Austrian legislators have made use of the opportunity to establish derogating regulations from the GDPR ('opening clauses'). For example, Austrian data protection law includes different data processing standards for specific purposes, such as processing in the public interest for archiving, scientific or historical research purposes, as well as for statistical purposes and in cases of emergency.
Austrian data protection law includes some derogations from the GDPR, such as the provision that immediate erasure of personal data is not necessary if, for economic or technical reasons, it is only possible at certain times. Instead, the processing of the personal data concerned shall be restricted until that time, with the effect stipulated in Art. 18 (2) GDPR.