Zum Inhalt Zum Hauptmenü

Search form

Data protection regime with Austrian peculiarities


Data protection regime with Austrian peculiarities

Der Standard
2018, May 16


The legislative process was laborious, but the implementation of the GDPR in Austria has been completed. The fact that the public authorities are being exempted from all punishments is a devastating signal. And in the future there is a threat of legal fragmentation in individual material laws.


Despite the basic idea of full harmonisation of data protection law in Europe, the more than 70 (!) opening clauses of the GDPR give EU member states room for manoeuvre. Therefore, 28 national data protection laws will continue to exist after 25 May, which can implement and specify the GDPR and provide for special provisions.

In the Austrian legislative process, the old and new governments have not covered themselves with glory: In an overdue legislative procedure with a shortened review and during which changes were made because of the break in the coalition, the previous Data Protection Act ("DPA") was comprehensively amended in June 2017. This was intended to implement the necessary accompanying laws and opening clauses to the GDPR by the deadline of 25 May 2018. However, constitutional provisions could not be amended due to a lack of an appropriate majority. The amendment therefore suffered from structural shortcomings and caused confusion.

The new government wanted to reorganize this with another amendment in April. The same spectacle was repeated, this time under the wrong political auspices. Again, the constitutional majority could not be achieved, and the amendment was adopted at short notice. Once again, at the expense of the economy, party policy has won out over material policy.

In terms of content, however, the new data protection regime is in place. The following Austrian peculiarities are to be emphasized:

  • Data of legal persons is not subject to the GDPR: Although the constitutional provision for the protection of legal persons could not be removed, the amended DPA expressly states that the scope of application of the GDPR is limited to personal data of natural persons. For data of legal persons, a rudimentary, unclear regarding the scope, basic protection remains.
  • Lowering the consent age of children to 14 years: In a practical manner, the legislator has lowered the non-binding age limit of 16 years as stipulated by the GDPR for the granting of a declaration of consent.
  • The data protection authority can check data processing at any time, request the corresponding documentation on GDPR compliance and keep a "view" - even without concrete suspicion.
  • New regulations on "image processing": The special provisions concern every detection of events, even if no surveillance purpose - as is the case with classical video surveillance - is pursued. This also includes taking photographs. As a rule, image recording according to the Data Protection Act is only permissible if the person depicted has given his or her consent or if legitimate interests justify the recording (e.g. protection and surveillance of private and public areas by surveillance cameras).
  • The data protection authority can impose the exorbitant fines (up to EUR 20 million or four percent of the group's annual turnover) directly on legal entities - i.e. the company. Under "special circumstances", natural persons - management, board of directors or a representative under administrative criminal law, but not the data protection officer - may also be punished.
  • In the second DPA amendment, the legislator made it clear that the data protection authority must primarily instruct and warn the companies and proceed proportionately in the case of fines. This corresponds to the practice of administrative criminal law and is not a dilution, but is of course explained in accordance with the GDPR.
  • Institutions "acting in enforcement of the law" are exempt from the penalties, irrespective of whether they are organised as public authorities or private companies. Thus, the legislator has taken advantage of an opening clause of the GDPR which is favourable for the public sector. This is permissible, but the signal effect is devastating and is not balanced out by the data protection officer who is obliged to do so in this area.

The duty to provide instructions explicitly inserted in the DPA and the proportionate handling of penalties have now also been enshrined in a draft amendment to administrative criminal law. As a result, the trend in all areas is away from the merely punitive bureaucracy towards a modern service provider for entrepreneurs and citizens.

Another planned amendment to the Austrian Administrative Penal Act ("VStG") suspends the general presumption of administrative criminal liability in the event of an impending fine of more than EUR 50,000. This would never cover GDPR infringements and the data protection authority would always have to prove at least negligence. Moreover, in the future only one penalty is to be imposed for "similar administrative offences" and thus the accrual principle is to be abolished.

Even if the DPA framework is now in place, the data protection regulations are threatened with fragmentation into special material laws. There are already concrete drafts of special data protection laws, for example in science and research or in the financial sector. In addition, the National Council took advantage of the opening clauses of the GDPR in April with the Data Protection Adaptation Act, which affects more than 120 (!) laws, in addition to mere terminological changes and concretisations. The danger remains that further changes are (hidden) in material laws instead of in the central DPA. This would lead to an unmanageable fragmentation of the law.


Alle Angaben auf dieser Website dienen nur der Erstinformation und können keine rechtliche oder sonstige Beratung sein oder ersetzen. Daher übernehmen wir keine Haftung für allfälligen Schadenersatz.

The material contained in this website is provided for general information purposes only and does not constitute legal or other professional advice. We accept no responsibility for loss which may arise from reliance on information contained on this site.

© 2020 · DORDA   PODCAST

we deliver clartity