SecurePrivacy Logo

Austrian Data Protection Act

View Law Text
Maximum Fine
€20M or 4%
Scope
National
Regulator
DSB
Framework
GDPR

Need Help with Austrian Data Protection Act Compliance?

Get expert guidance on implementing Austrian data protection requirements and ensuring ongoing compliance for your organization.

Get Expert Help

Overview

The Austrian Data Protection Act (Datenschutzgesetz - DSG) implements and supplements the GDPR in Austria, establishing specific national requirements and enforcement mechanisms.

Key Facts

  • Enacted in 2018 to align with GDPR
  • Enforced by Austrian Data Protection Authority (DSB)
  • Includes specific national requirements beyond GDPR

Key Principles

Lawfulness and Transparency

Personal data must be processed lawfully, fairly, and in a transparent manner.

Requirements

  • Valid legal basis for processing
  • Clear privacy notices
  • Transparent processing activities
  • Documentation of legal grounds
  • Regular compliance reviews

Examples

  • Privacy notices on websites
  • Consent management systems
  • Processing records
  • Documentation of legal bases

Data Security

Implementation of appropriate technical and organizational measures to protect personal data.

Requirements

  • Security risk assessments
  • Access control systems
  • Encryption measures
  • Regular security audits
  • Incident response procedures

Examples

  • Access management policies
  • Encryption protocols
  • Security testing
  • Incident response plans

International Data Transfers

Special requirements for transferring personal data outside the EEA.

Requirements

  • Transfer impact assessments
  • Appropriate safeguards
  • Documentation of transfers
  • Monitor adequacy decisions
  • Regular reviews

Examples

  • Standard contractual clauses
  • Binding corporate rules
  • Transfer agreements
  • Adequacy assessments

Compliance Requirements

Data Protection Officer

Requirements for appointing and maintaining a Data Protection Officer position.

Implementation Steps

  • Assess DPO requirement
  • Appoint qualified DPO
  • Ensure independence
  • Provide resources
  • Document activities

Required Documentation

  • DPO appointment letter
  • Qualification records
  • Activity reports
  • Training certificates
  • Resource allocation

Processing Records

Maintenance of records of processing activities under Article 30.

Implementation Steps

  • Document processing activities
  • Map data flows
  • Update regularly
  • Review compliance
  • Maintain records

Required Documentation

  • Processing records
  • Data flow diagrams
  • Review logs
  • Update history
  • Compliance reports

Data Breach Notification

Procedures for handling and reporting personal data breaches.

Implementation Steps

  • Establish detection procedures
  • Create response plan
  • Set up notification process
  • Train staff
  • Document incidents

Required Documentation

  • Breach response plan
  • Notification templates
  • Training materials
  • Incident logs
  • Investigation reports

Enforcement & Penalties

Administrative Fines

The Austrian Data Protection Authority can impose significant administrative fines for GDPR violations.

Penalty Categories

Severe Violations
Up to €20M or 4% of global revenue
For violations of basic principles or data subject rights
Standard Violations
Up to €10M or 2% of global revenue
For violations of technical and organizational measures
Criminal Penalties
Up to €50,000
For specific criminal violations under Austrian law

Example Cases

Austrian Post
€18 million
2021 - Illegal processing of data about political affinities
Medical Service Provider
€28,000
2022 - Insufficient technical and organizational measures

Additional Measures

The DPA can impose various corrective measures beyond monetary penalties.

Penalty Categories

Corrective Orders
Mandatory Changes
Orders to bring processing operations into compliance
Processing Bans
Temporary or Permanent
Prohibition of specific processing activities
Audits
Mandatory Compliance
Regular audits and assessments

Example Cases

Retail Company
Processing Ban
2023 - Ordered to cease illegal video surveillance
Online Platform
Corrective Order
2022 - Required to implement proper consent mechanisms