Austria Data Privacy Laws: GDPR & DSG Guide (2026)

Austria's Data Protection Legal Framework
Austria's approach to data privacy is built on two pillars. The GDPR, which took direct effect across the EU on May 25, 2018, provides the primary regulatory framework. The Datenschutzgesetz (DSG), most recently amended in July 2024, fills the spaces where the GDPR allows national variation through its 69 opening clauses.

The current DSG replaced the Datenschutzgesetz 2000, which itself succeeded Austria's original 1978 data protection statute. That 1978 law was notable for establishing a constitutional right to data protection, a provision that still anchors the modern framework.
Austria's Federal Chancellery (Bundeskanzleramt) has primary responsibility for data protection policy, while the independent Datenschutzbehörde (DSB) handles enforcement. The Telecommunications Act 2021 (Telekommunikationsgesetz, or TKG 2021) adds another layer by governing cookies, electronic marketing, and communications privacy.
Since the DSG's 2018 overhaul, it has been revised three times: in January 2019 (BGBl I 2019/14), June 2024 (BGBl I 2024/62), and July 2024 (BGBl I 2024/70). The July 2024 amendment responded to a Court of Justice of the European Union (CJEU) ruling and established a new Parliamentary Data Protection Committee that began exercising supervisory powers over legislative bodies on January 1, 2025.
The Constitutional Right to Data Protection
What sets Austria apart from most EU member states is Section 1 of the DSG. This provision carries the force of constitutional law, meaning it can only be amended with a two-thirds parliamentary majority.
Section 1 guarantees everyone a right to secrecy of personal data, particularly with regard to private and family life, provided there is a legitimate interest. The word "everyone" is significant. Unlike the GDPR, which protects only natural persons, Austria's constitutional data protection right extends to legal persons as well, including companies, associations, and other entities.
In 2018, the government attempted to abolish this constitutional provision through the Datenschutz-Anpassungsgesetz (Data Protection Adjustment Act). The effort failed when it could not secure the required two-thirds majority in the National Council. The constitutional right to data protection has therefore remained continuously in effect since 1978, making Austria one of the earliest countries in the world to enshrine data protection at a constitutional level.
This constitutional status means that any Austrian law that interferes with the right to data protection can be challenged before the Constitutional Court (Verfassungsgerichtshof, or VfGH), adding a judicial check that exists beyond the GDPR framework.
The Datenschutzbehörde (DSB): Austria's Supervisory Authority
The DSB replaced the former Datenschutzkommission on January 1, 2014, and operates as an independent authority from its headquarters in Vienna. It has jurisdiction over all public and private entities processing personal data in Austria.
Structure and Powers
The DSB handles complaints from data subjects, conducts investigations, issues administrative fines, and provides guidance on data protection compliance. It participates in the European Data Protection Board (EDPB) alongside other EU supervisory authorities.
The authority's powers include ordering controllers and processors to comply with GDPR requirements, imposing temporary or definitive bans on data processing, ordering the rectification or erasure of personal data, and imposing administrative fines under Articles 83 and 84 of the GDPR.
The Budget Crisis
Austria's data protection enforcement faces a structural problem. As of 2024, the DSB operates with approximately 53 permanent employees and 19 administrative interns tasked with protecting the data rights of 9 million people. Germany, by comparison, spends roughly double per capita on its data protection authorities.
The approximately 20 administrative interns are classified as "material expenses" rather than permanent staff, with mandatory 12-month turnover. This creates a revolving door that drains institutional expertise and imposes continuous training costs.
The situation deteriorated further when the DSB's budget for 2026 was cut again despite rising costs and an expanding workload from new regulations including the AI Act, the Freedom of Information Act, and political advertising rules. The authority announced it would stop issuing legislative opinions except in "exceptional cases" and would only launch self-initiated investigations where submissions indicate a "sufficiently concrete suspicion of serious violation."
On September 18, 2025, the advocacy organizations epicenter.works and noyb filed a formal complaint with the European Commission, arguing that Austria violates Article 52(4) of the GDPR, which requires member states to provide adequate resources to their supervisory authorities. The Commission has the power to initiate infringement proceedings against Austria in response.
Enforcement Statistics
Despite the resource constraints, the DSB processed 3,813 complaints in 2024. However, only 214 procedures were completed, and just 62 resulted in fines totaling approximately EUR 1.7 million. Most proceedings already exceed the statutory six-month deadline, with many cases taking years to resolve.
For 2025, the DSB announced that its audit focus would shift to regional police directorates, reviewing their compliance with the GDPR. The previous year's audit focus had been on the right of access.
Austrian-Specific GDPR Derogations
Austria has exercised several of the GDPR's opening clauses to tailor data protection rules to national circumstances. These derogations represent the areas where Austrian law differs from the baseline GDPR.
Child Consent (Section 4(4) DSG)
The GDPR sets a default age of 16 for a child to consent to information society services (such as social media platforms), but allows member states to lower this to as young as 13. Austria set the threshold at 14 years old under Section 4(4) DSG. Children under 14 need parental consent before signing up for online services.
Video Surveillance (Sections 12-13 DSG)
Austria maintains specific rules for CCTV and video surveillance that go beyond the GDPR's general framework. Under Sections 12 and 13 of the DSG, video surveillance based on a legitimate interest is permitted only in three situations: on privately used property, where previous violations of rights or special dangers have occurred, and in the interest of private documentation where identification of individuals is not intended.
These provisions restrict the deployment of surveillance cameras in public-facing locations and establish requirements for signage, data retention periods, and access controls that apply specifically within Austria.
Data Erasure Flexibility (Section 4(4) DSG)
The DSG includes a practical modification to the GDPR's right to erasure. Under Austrian law, immediate deletion is not required when, for economic or technical reasons, erasure is only possible at certain scheduled times. This gives organizations limited breathing room to batch their deletion processes rather than responding to every erasure request in real time.
Media and Journalism Exemption (Section 9(1) DSG)
Austria provides a broad exemption from the GDPR for any processing of personal data by media outlets for journalistic purposes. Section 9(1) DSG exempts journalistic data processing from nearly all GDPR requirements. Some commentators and the European Data Protection Board have raised concerns that this exemption may exceed the parameters allowed under Article 85 of the GDPR.
Research Exemption
Austria amended its Research Organisational Act (Forschungsorganisationsgesetz, or FOG) to include broad waivers from GDPR requirements for scientific research purposes under Article 89 of the GDPR. These exemptions allow researchers to process personal data with fewer restrictions, though they have drawn scrutiny for potentially exceeding the intended scope of the GDPR's research derogations.
Public Authority Fine Exemption
Under the DSG, public authorities are exempt from administrative fines. This does not mean they escape accountability entirely. As the 2024 City of Baden case demonstrated, public bodies remain liable for civil damages to affected individuals.
The Google Analytics Ruling: A Landmark Decision
On January 13, 2022, the DSB issued what became the first decision in the EU holding that the use of Google Analytics violates the GDPR. The case originated from one of 101 model complaints filed by noyb (the European Center for Digital Rights, led by Max Schrems) following the CJEU's Schrems II decision in July 2020.
Background
The Schrems II ruling invalidated the EU-US Privacy Shield framework and established that data transfers to the United States require supplementary measures to protect EU citizens' data from US surveillance programs. noyb then filed 101 complaints across EU member states targeting websites that continued using Google Analytics, which transfers user data to Google LLC's servers in the United States.
The DSB's Analysis
The DSB examined whether the supplementary measures Google had implemented were sufficient to protect transferred data from US government surveillance. Google pointed to several safeguards: encryption of data in transit and at rest, physical security at data centers, a policy of carefully reviewing government access requests, and transparency reports.
The DSB found all of these measures insufficient. The authority reasoned that Google, as a US-based electronic communication service provider, is subject to Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333. Under these laws, US intelligence agencies can compel Google to hand over data, and Google's encryption does not prevent access because Google itself holds the decryption keys.
The DSB also rejected the argument that IP address truncation (a feature available in Google Analytics settings) prevented re-identification. The authority concluded that Google had sufficient additional data points to re-identify individuals even from truncated IP addresses.
Aftermath and Impact
On April 22, 2022, the DSB issued a follow-up decision reaffirming its position and specifically rejecting a "risk-based approach" to international data transfers. This meant that organizations could not argue that the low probability of US surveillance excused non-compliance with Chapter V of the GDPR.
The ruling triggered a cascade of similar decisions across Europe. The French CNIL, Italian Garante, and other supervisory authorities issued comparable findings, all coordinated through an EDPB task force. The practical effect was that thousands of European websites switched away from Google Analytics or implemented server-side proxying to avoid direct data transfers.
The EU-US Data Privacy Framework, adopted in July 2023, eventually provided a new legal basis for EU-US data transfers. However, the Austrian ruling remains significant as a precedent for how supplementary measures are evaluated and for establishing that a risk-based approach to transfer assessments is insufficient.
Notable Enforcement Actions and Fines
Austrian Postal Service (Österreichische Post AG)
The most significant enforcement case in Austrian data protection history involves Österreichische Post AG. In October 2019, the DSB imposed a fine of EUR 18 million after discovering that the postal service had compiled data on the political affinity of individually identified persons through statistical modeling and marketed this information to political parties.
The Postal Service had used its address database to assign estimated political preferences to individual customers and sold this profiling data. It had also marketed information about customers' relocation frequency and parcel delivery volumes.
The Austrian Postal Service appealed the fine to the Federal Administrative Court (Bundesverwaltungsgericht, or BVwG). On December 27, 2024, the court reduced the fine to EUR 16 million. The case is not final. The Postal Service has lodged appeals with both the Administrative High Court (Verwaltungsgerichtshof, or VwGH) and the Constitutional Court (VfGH).
City of Baden Data Breach
In September 2024, a court ordered the City of Baden to pay EUR 500 per affected individual following a 2022 data breach that exposed 33,000 personal records. While public authorities are exempt from administrative fines under Austrian law, the Higher Regional Court (Oberlandesgericht) ruled that proof of actual misuse of the data is not required for damage claims.
If all 33,000 affected individuals pursued their claims, the total liability could reach EUR 16.5 million. This case established an important precedent: public authorities may avoid regulatory fines, but they face potentially severe civil liability for data protection failures.
Media Company Non-Cooperation
One of the higher fines in 2024 was EUR 15,200 imposed on a media company that failed to respond to repeated DSB requests for comment on complaints. This case illustrates that non-cooperation with the supervisory authority can itself trigger penalties, independent of the underlying data protection issues.
Breach Notification Requirements
Austria follows the GDPR's breach notification framework without significant national modifications. The requirements apply to all controllers processing personal data within Austrian jurisdiction.
Notification to the DSB
Controllers must notify personal data breaches to the DSB without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Late notifications must include an explanation for the delay. The notification itself must contain the categories and approximate numbers of individuals and records affected, the name and contact details of the data protection officer (or other contact point), a description of the likely consequences, and the measures taken or proposed to mitigate harm.
Notification to Data Subjects
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must communicate the breach to affected data subjects without undue delay. This direct notification can be avoided if the controller has applied appropriate technical measures (such as encryption) that render the data unintelligible, has taken subsequent measures that ensure the high risk is no longer likely to materialize, or where individual notification would involve disproportionate effort (in which case public communication is acceptable).
Record-Keeping
All breaches, regardless of severity, must be documented internally. The documentation must include the facts of the breach, its effects, and the remedial actions taken. The DSB may request access to these records during investigations or audits.
Penalties and Sanctions
Austria's penalty framework for data protection violations operates on three levels: GDPR administrative fines, DSG-specific administrative fines, and criminal sanctions.
GDPR Administrative Fines
The GDPR provides two tiers of administrative fines. Less severe violations (including failure to notify a breach, failure to maintain proper records, or failure to designate a data protection officer when required) carry fines of up to EUR 10 million or 2% of global annual turnover, whichever is greater.
More severe violations (including unlawful processing, failure to obtain valid consent, violation of data subject rights, or unlawful international data transfers) carry fines of up to EUR 20 million or 4% of global annual turnover, whichever is greater.
DSG Administrative Fines
Under the DSG, the authority may impose additional administrative fines of up to EUR 50,000 for violations of national provisions. These fines apply only where the offense does not already constitute a violation under Article 83 of the GDPR, preventing double punishment.
Cookie and electronic marketing violations under the Telecommunications Act (TKG 2021) also carry administrative fines of up to EUR 50,000.
Criminal Sanctions (Section 63 DSG)
Austria is one of several EU member states that maintains criminal penalties for data protection violations. Under Section 63 of the DSG, anyone who deliberately uses personally identifiable information (that was entrusted to them through their professional occupation or that they acquired illegally) to unlawfully enrich themselves, enrich a third party, or damage another person's data protection interests faces imprisonment of up to one year or a fine of up to 720 daily rates.
This criminal provision applies specifically to situations involving intentional misuse for profit or malicious purposes. It represents a significant deterrent beyond the administrative fine system.
Public Authority Liability
While public authorities are exempt from administrative fines, they remain subject to civil liability for data protection violations. The City of Baden precedent confirmed that affected individuals can claim damages without proving actual misuse of their exposed data.
Cookies and Electronic Privacy
Section 165(3) of the Telecommunications Act 2021 (TKG 2021) implements the EU ePrivacy Directive in Austrian law and governs the use of cookies and similar tracking technologies.
The law distinguishes between two categories. Technically necessary cookies (those serving the sole purpose of carrying out a communication or providing a service explicitly requested by the user) do not require consent. All other cookies, including analytics and advertising trackers, require prior opt-in consent from the user.
Following the CJEU's Planet49 ruling (Case C-673/17), valid consent for cookies must be freely given, specific, informed, and based on an affirmative opt-in action. Pre-checked boxes do not constitute valid consent.
The DSB enforces cookie violations and can impose fines of up to EUR 50,000 under the TKG 2021. This enforcement power is separate from and additional to the GDPR fine authority.
Data Protection Officers
Austria follows the GDPR's DPO requirements without substantial national modifications. Organizations must appoint a DPO when their core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data.
Enhanced Confidentiality Protections
Where Austria goes further than the GDPR baseline is in DPO confidentiality. Under the DSG, DPOs and persons working under them are bound by strict confidentiality regarding the identity of data subjects who contact the DPO and any circumstances that could allow identification. This confidentiality obligation continues even after the DPO relationship ends.
Right to Refuse Testimony
Austrian DPOs and their support staff have a statutory right to refuse testimony regarding information obtained in their DPO capacity. This legal privilege means that documents and files held by the DPO that fall under this right cannot be lawfully seized. This protection is notably stronger than what the GDPR alone requires.
Public Sector Requirements
Section 5(4) of the DSG requires all Austrian federal ministries to appoint at least one DPO, going beyond the GDPR's general criteria for mandatory DPO appointment.
International Data Transfers
Austria follows the GDPR's Chapter V framework for international data transfers. Transfers to countries with an EU adequacy decision (including, since July 2023, certified organizations in the United States under the EU-US Data Privacy Framework) may proceed without additional safeguards.
For transfers to countries without an adequacy decision, organizations must rely on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) and conduct a Transfer Impact Assessment (TIA) evaluating the legal framework of the destination country.
The DSB's Google Analytics decisions established that Austrian enforcement of transfer rules is strict. Supplementary measures must demonstrably prevent access by foreign intelligence services, and a risk-based approach arguing that surveillance is unlikely does not satisfy this standard.
Recent Developments
Parliamentary Data Protection Committee (2025)
In response to a January 2024 CJEU ruling, Austria amended the DSG in July 2024 and established a new Parliamentary Data Protection Committee (Parlamentarischer Datenschutzausschuss). This committee assumed supervisory authority over data protection activities of legislative bodies on January 1, 2025, addressing a gap where parliamentary data processing had lacked independent oversight.
Enforcement Priority Shift (2025)
The DSB announced that its 2025 audit focus would target regional police directorates (Landespolizeidirektionen) to review their compliance with the GDPR. This represents a notable shift toward scrutinizing law enforcement data processing, an area where the balance between security and privacy is particularly sensitive.
Ongoing Budget Debate (2025-2026)
The complaint filed with the European Commission in September 2025 by epicenter.works and noyb remains pending. If the Commission initiates infringement proceedings, Austria could face pressure to significantly increase DSB funding. The outcome will likely affect data protection enforcement capacity across the country for years to come.
Sources and References
- Datenschutzgesetz (DSG) - Bundesrecht konsolidiert, Fassung vom März 2026 (ris.bka.gv.at)
- Austrian Data Protection Authority (DSB) - Official Website (data-protection-authority.gv.at)
- Relevant Data Protection Laws - Austrian Data Protection Authority (data-protection-authority.gv.at)
- Rights of the Data Subject (GDPR & DSG) - Austrian Data Protection Authority (data-protection-authority.gv.at)
- Austrian Federal Ministry of Finance - Data Protection Overview (bmf.gv.at)
- DSB (Austria) - 2021-0.586.257 (Google Analytics Decision) - GDPRhub (gdprhub.eu)
- BVwG - W258 2227269-1/39E (Austrian Postal Service EUR 16 million fine) - GDPRhub (gdprhub.eu)
- Administrative criminal proceedings against Österreichische Post AG - European Data Protection Board (edpb.europa.eu)
- noyb - Austrian DSB: EU-US Data Transfers to Google Analytics Illegal (noyb.eu)
- noyb - Budget Cuts Paralyse Austrian DPA: NGO Complaint to the EU Commission (noyb.eu)
- Data Protection in Austria - GDPRhub (gdprhub.eu)