Austria Data Privacy Laws: GDPR & DSG Guide (2026)

Austria's data privacy rules derive from two sources: the EU General Data Protection Regulation (Regulation 2016/679), which has applied directly since May 2018, and the national Datenschutzgesetz (DSG), last amended July 2024, which fills gaps through the GDPR's 69 opening clauses. The Datenschutzbehörde (DSB) supervises compliance.
Austria's Data Protection Legal Framework
Austria's approach to data privacy rests on two pillars. Regulation (EU) 2016/679 (the GDPR), which took direct effect across the EU on May 25, 2018, provides the primary regulatory framework. The Datenschutzgesetz (DSG), most recently amended in July 2024, fills the spaces where the GDPR allows national variation.
The current DSG replaced the Datenschutzgesetz 2000, which itself succeeded Austria's original 1978 data protection statute. That 1978 law was notable for establishing a constitutional right to data protection, a provision that still anchors the modern framework.
Austria's Federal Chancellery (Bundeskanzleramt) has primary responsibility for data protection policy, while the independent Datenschutzbehörde (DSB) handles enforcement. The Telecommunications Act 2021 (Telekommunikationsgesetz, or TKG 2021) adds another layer by governing cookies, electronic marketing, and communications privacy.
Since the DSG's 2018 overhaul, it has been revised in January 2019 (BGBl I 2019/14), June 2024 (BGBl I 2024/62), and July 2024 (BGBl I 2024/70). The July 2024 amendment responded to a CJEU ruling and established a new Parliamentary Data Protection Committee that began exercising supervisory powers over legislative bodies on January 1, 2025. The current consolidated text is available at ris.bka.gv.at as of May 2026.
For a broader EU-level context, see our guide to EU data privacy laws. For Austria's recording consent rules, see Austria recording laws.
Jurisdiction scope: This article addresses data privacy law in Austria under the GDPR as directly applicable EU law, the Austrian Datenschutzgesetz (DSG), and related national instruments including the TKG 2021. It does not address sector-specific privacy rules outside data protection (e.g., banking secrecy, medical confidentiality) except where they interact with the DSG.

The Constitutional Right to Data Protection
What sets Austria apart from most EU member states is Section 1 of the DSG. This provision carries constitutional rank, meaning it can only be amended with a two-thirds parliamentary majority.
Section 1 guarantees everyone a right to secrecy of personal data, particularly with regard to private and family life, provided there is a legitimate interest. The word "everyone" is significant. Unlike the GDPR, which protects only natural persons, Austria's constitutional data protection right extends to legal persons as well, including companies, associations, and other entities.
In 2018, the government attempted to abolish this constitutional provision through the Datenschutz-Anpassungsgesetz (Data Protection Adjustment Act). The effort failed when it could not secure the required two-thirds majority in the National Council. The constitutional right to data protection has therefore remained continuously in effect since 1978, making Austria one of the earliest countries in the world to enshrine data protection at a constitutional level.
This constitutional status means that any Austrian law that interferes with the right to data protection can be challenged before the Constitutional Court (Verfassungsgerichtshof, or VfGH), adding a judicial check that exists beyond the GDPR framework. The VfGH remains active in this role: appeals in the Austrian Postal Service case (see below) include a pending VfGH complaint filed by the Postal Service against the EUR 16 million fine.

The Datenschutzbehörde (DSB): Austria's Supervisory Authority
The DSB replaced the former Datenschutzkommission on January 1, 2014, and operates as an independent authority from its headquarters in Vienna. It has jurisdiction over all public and private entities processing personal data in Austria.
Structure and Powers
The DSB handles complaints from data subjects, conducts investigations, issues administrative fines, and provides guidance on data protection compliance. It participates in the European Data Protection Board (EDPB) alongside supervisory authorities from all EU member states.
The authority's powers include ordering controllers and processors to comply with GDPR requirements, imposing temporary or definitive bans on data processing, ordering the rectification or erasure of personal data, and imposing administrative fines under Articles 83 and 84 of the GDPR.
Limits on Complaint Capping: CJEU C-416/23
On January 9, 2025, the CJEU issued a significant ruling against the DSB in case C-416/23. The authority had adopted a practice of accepting only two complaints per data subject per month, reasoning that higher volumes were abusive. The CJEU held that this arbitrary cap was unlawful: as long as a data subject is not filing genuinely abusive complaints, they retain the right to have any GDPR violation remedied. Volume alone does not constitute abuse. The ruling required Austria to abandon the two-per-month limit.
The Budget Crisis
Austria's data protection enforcement faces a structural problem. The DSB operates on a 2026 budget of EUR 5.9 million (cut from EUR 6.1 million in 2025), with approximately 53 permanent employees and 19 administrative interns. Germany, by comparison, spends roughly double per capita on its data protection authorities.
The administrative interns are classified as "material expenses" rather than permanent staff, with mandatory 12-month turnover. This creates a revolving door that drains institutional expertise and imposes continuous training costs. The DSB eliminated most of its internship positions starting in July 2025 as a cost-saving measure.
The resource constraints are worsening: complaints to the DSB have increased 769% since 2017. The authority announced it would stop issuing legislative opinions except in "exceptional cases" and would only launch self-initiated investigations where submissions indicate a "sufficiently concrete suspicion of serious violation."
On September 18, 2025, epicenter.works and noyb filed a formal complaint with the European Commission, arguing that Austria violates Article 52(4) of the GDPR, which requires member states to provide adequate resources to their supervisory authorities. The Commission has the power to initiate infringement proceedings against Austria in response.
Enforcement Statistics
Despite resource constraints, the DSB processed 3,813 complaints in 2024, completing 214 procedures. Only 62 resulted in fines totaling approximately EUR 1.7 million. Most proceedings already exceed the statutory six-month deadline established by Section 73 of the Allgemeines Verwaltungsverfahrensgesetz (AVG), with many cases taking years to resolve. Only 1.36% of all proceedings end with a fine.
For 2025, the DSB announced its audit focus would shift to regional police directorates (Landespolizeidirektionen), reviewing their compliance with the GDPR and Chapter 3 of the DSG. The previous year's audit had focused on the right of access.

Lawful Bases for Processing Personal Data
All processing of personal data in Austria must satisfy two conditions: it must comply with the general data processing principles of Article 5 GDPR, and it must rest on one of the six lawful bases in Article 6 GDPR.
The Six Lawful Bases (Article 6 GDPR)
- Consent (Art 6(1)(a)): The data subject has given consent that is freely given, specific, informed, and unambiguous. Consent must be as easy to withdraw as to give, and it may not be bundled with the acceptance of general terms and conditions where the processing is not necessary for the contract.
- Contractual necessity (Art 6(1)(b)): Processing is necessary for performing a contract with the data subject or taking pre-contractual steps at their request.
- Legal obligation (Art 6(1)(c)): Processing is necessary to comply with a legal obligation under Austrian or EU law.
- Vital interests (Art 6(1)(d)): Processing is necessary to protect the life of the data subject or another natural person.
- Public task (Art 6(1)(e)): Processing is necessary for a task carried out in the public interest or in the exercise of official authority.
- Legitimate interests (Art 6(1)(f)): Processing is necessary for the legitimate interests of the controller or a third party, except where overridden by the data subject's interests or fundamental rights. Public authorities cannot rely on legitimate interests as a lawful basis when acting in their official capacity.
Special Categories of Data (Article 9 GDPR)
Processing of special categories of personal data (revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or sex life or sexual orientation data) is prohibited unless one of the Article 9(2) GDPR exceptions applies. Key exceptions include explicit consent, employment and social security law obligations, vital interests, data made public by the subject, legal claims, and scientific or historical research under Article 89.
Consent in Austrian Practice
The DSB requires that consent be genuinely free. The August 2025 ruling against DerStandard.at illustrates this: the Federal Administrative Court held that the newspaper's "Pay or Okay" model (requiring users to either consent to tracking or pay a monthly subscription of EUR 9.90) did not constitute valid consent because it lacked granularity. Users could not consent to specific types of processing separately; they could only give or withhold global consent. The court stopped short of ruling that pay-or-consent is inherently impermissible, but found that any implementation must allow category-by-category consent choices.
Data Subject Rights
The GDPR grants data subjects a comprehensive set of rights. Austria implements these without significant restriction, with the exception that requests deemed manifestly unfounded or excessive may attract a reasonable fee or be refused under Article 12(5) GDPR.
Right of Access (Article 15 GDPR)
Data subjects may request confirmation of whether their personal data is being processed and, if so, obtain a copy of that data along with information about the purposes, categories, recipients, retention periods, and the existence of automated decision-making. Controllers must respond within one month, extendable by a further two months where requests are complex or numerous.
The DSB's 2024 audit focus was specifically on the right of access, reflecting a pattern of non-compliance. One of the highest 2024 fines (EUR 15,200) was imposed on a media company that failed to respond to DSB requests for comment on access-related complaints.
Right to Rectification (Article 16 GDPR)
Data subjects may demand correction of inaccurate personal data and completion of incomplete data.
Right to Erasure (Article 17 GDPR)
The right to erasure ("right to be forgotten") applies when data is no longer necessary for its original purpose, consent is withdrawn and no other lawful basis exists, an objection is upheld, or the data was unlawfully processed. Austria's DSG Section 4(4) provides one national modification: immediate deletion is not required where, for economic or technical reasons, erasure can only be performed at scheduled intervals. Organisations may batch deletion requests subject to reasonable timeframes.
Right to Restriction (Article 18 GDPR)
Data subjects may request that processing be restricted while accuracy is contested, a lawful basis for processing is disputed, or an objection is pending.
Right to Data Portability (Article 20 GDPR)
Where processing is based on consent or contract and carried out by automated means, data subjects may receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to Object (Article 21 GDPR)
Data subjects may object at any time to processing based on legitimate interests or public task grounds. The controller must demonstrate compelling legitimate grounds overriding the individual's interests. Processing for direct marketing purposes must stop unconditionally on objection.
Rights Related to Automated Decision-Making (Article 22 GDPR)
Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. Controllers must offer at minimum: the right to obtain human review, the right to express their point of view, and the right to contest the decision.
The DSB's September 2025 ruling against KSV1870 confirmed Austrian enforcement of this right. The DSB found that KSV1870, a major Austrian credit information agency, unlawfully used fully automated scoring to inform credit decisions for energy supplier Unsere Wasserkraft. The authority found this constituted prohibited automated individual decision-making under Article 22 GDPR, imposed processing restrictions, and prohibited KSV1870 from conducting such automated checks without the data subject's consent.
Austrian-Specific GDPR Derogations
Austria has exercised several of the GDPR's opening clauses to tailor data protection rules to national circumstances. These derogations represent the areas where Austrian law differs from the baseline GDPR.
Child Consent (Section 4(4) DSG)
The GDPR sets a default age of 16 for a child to consent to information society services (such as social media platforms), but allows member states to lower this to as young as 13. Austria set the threshold at 14 years old under Section 4(4) DSG. Children under 14 need parental consent before signing up for online services.
Video Surveillance (Sections 12-13 DSG)
Austria maintains specific rules for CCTV and video surveillance that go beyond the GDPR's general framework. Under Sections 12 and 13 of the DSG, video surveillance based on a legitimate interest is permitted only in three situations: on privately used property, where previous violations of rights or special dangers have occurred, and in the interest of private documentation where identification of individuals is not intended.
These provisions restrict the deployment of surveillance cameras in public-facing locations and establish requirements for signage, data retention periods, and access controls that apply specifically within Austria.
Data Erasure Flexibility (Section 4(4) DSG)
The DSG includes a practical modification to the GDPR's right to erasure. Under Austrian law, immediate deletion is not required when, for economic or technical reasons, erasure is only possible at certain scheduled times. This gives organisations limited breathing room to batch their deletion processes rather than responding to every erasure request in real time.
Media and Journalism Exemption (Section 9(1) DSG)
Austria provides a broad exemption from the GDPR for processing of personal data by media outlets for journalistic purposes. Section 9(1) DSG exempts journalistic data processing from nearly all GDPR requirements. The EDPB has raised concerns that this exemption may exceed the parameters allowed under Article 85 of the GDPR.
Research Exemption
Austria amended its Research Organisational Act (Forschungsorganisationsgesetz, or FOG) to include broad waivers from GDPR requirements for scientific research under Article 89 of the GDPR. These exemptions allow researchers to process personal data with fewer restrictions, though they have drawn scrutiny for potentially exceeding the intended scope of the GDPR's research derogations.
Public Authority Fine Exemption
Under the DSG, public authorities are exempt from administrative fines. This does not mean they escape accountability entirely. As the 2024 City of Baden case demonstrated, public bodies remain liable for civil damages to affected individuals.
The Google Analytics Ruling: A Landmark Decision
On January 13, 2022, the DSB issued what became the first decision in the EU holding that the standard use of Google Analytics violates the GDPR. The case originated from one of 101 model complaints filed by noyb following the CJEU's Schrems II decision in July 2020, which invalidated the EU-US Privacy Shield.
The DSB's Analysis
The DSB examined whether the supplementary measures Google had implemented were sufficient to protect transferred data from US government surveillance. The authority found all of them insufficient. Google, as a US-based electronic communication service provider, is subject to Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333. Under these laws, US intelligence agencies can compel Google to hand over data. Google's encryption does not prevent this access because Google itself holds the decryption keys. The DSB also rejected the argument that IP address truncation prevented re-identification.
On April 22, 2022, the DSB issued a follow-up decision reaffirming its position and specifically rejecting a "risk-based approach" to international data transfers. Organisations cannot argue that the low probability of US surveillance excuses non-compliance with Chapter V of the GDPR.
Current Status
The EU-US Data Privacy Framework (DPF), adopted in July 2023, provides a new adequacy basis for transfers to certified US organisations. Google LLC participates in the DPF. Organisations using Google Analytics in Austria should verify that Google maintains its DPF certification and review their specific implementation. The DSB's established posture on supplementary measures means that transfers outside the DPF framework continue to face the same strict analysis applied in the 2022 decisions.
Notable Enforcement Actions and Fines
Austrian Postal Service (Österreichische Post AG)
The most significant enforcement case in Austrian data protection history involves Österreichische Post AG. In October 2019, the DSB imposed a fine of EUR 18 million after discovering that the postal service had compiled data on the political affinity of individually identified persons through statistical modelling and marketed this information to political parties.
The Postal Service had used its address database to assign estimated political preferences to individual customers and sold this profiling data, along with information about customers' relocation frequency and parcel delivery volumes.
The Austrian Postal Service appealed to the Federal Administrative Court (Bundesverwaltungsgericht, or BVwG). The BVwG initially overturned the fine on a procedural ground. After the DSB appealed to the Administrative High Court (VwGH) and the VwGH awaited the CJEU's Deutsche Wohnen ruling on fault attribution, the BVwG decided again on December 27, 2024, and imposed a fine of EUR 16 million. The case is still not final. The Postal Service has lodged appeals with both the VwGH and the Constitutional Court (VfGH).
KSV1870 Automated Credit Scoring (September 2025)
On September 25, 2025, the DSB ruled that Austrian credit agency KSV1870 unlawfully used fully automated scoring to deny energy services to consumers. The DSB found that KSV1870's automated calculation and transmission of risk indicators to energy provider Unsere Wasserkraft constituted prohibited automated individual decision-making under Article 22 GDPR. The authority ordered processing restrictions, required comprehensive disclosure of the decision-making logic to affected individuals, and reprimanded both companies for transparency failures. The ruling prohibits KSV1870 from conducting such automated checks in future without the data subject's explicit consent.
DerStandard "Pay or Okay" (August 2025)
On August 18, 2025, the Federal Administrative Court ruled that the "Pay or Okay" consent model operated by Austrian newspaper DerStandard.at violated GDPR consent requirements. The court found that offering users a binary choice between paying EUR 9.90 per month or consenting to comprehensive third-party tracking did not constitute valid consent, because the model lacked granularity: users had no ability to consent to specific processing purposes separately. The case is expected to proceed to the VwGH and potentially the CJEU.
City of Baden Data Breach (September 2024)
A court ordered the City of Baden to pay EUR 500 per affected individual following a 2022 data breach that exposed 33,000 personal records. While public authorities are exempt from administrative fines under Austrian law, the Higher Regional Court (Oberlandesgericht) ruled that proof of actual misuse of the data is not required for damage claims under Article 82 GDPR. Potential total liability: EUR 16.5 million if all 33,000 affected individuals pursue claims.
Media Company Non-Cooperation (2024)
A fine of EUR 15,200 was imposed on a media company that failed to respond to repeated DSB requests for comment on complaints. This illustrates that non-cooperation with the supervisory authority under Article 31 GDPR can itself trigger penalties, independent of the underlying data protection issues.
Breach Notification Requirements
Austria follows the GDPR's breach notification framework without significant national modifications. The requirements apply to all controllers processing personal data within Austrian jurisdiction.
Notification to the DSB (Article 33 GDPR)
Controllers must notify personal data breaches to the DSB without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The notification must include: the categories and approximate numbers of individuals and records affected; the name and contact details of the data protection officer or other contact point; a description of the likely consequences; and the measures taken or proposed to mitigate harm. Late notifications must include an explanation for the delay.
Notification to Data Subjects (Article 34 GDPR)
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must communicate the breach to affected data subjects without undue delay. This direct notification can be avoided if the controller applied technical measures (such as encryption) rendering the data unintelligible, took subsequent measures ensuring the high risk is no longer likely to materialise, or where individual notification would involve disproportionate effort (in which case public communication is acceptable).
Record-Keeping (Article 33(5) GDPR)
All breaches, regardless of severity, must be documented internally. The documentation must include the facts of the breach, its effects, and the remedial actions taken. The DSB may request access to these records during investigations or audits.
Data Protection Officers
Austria follows the GDPR's DPO requirements without substantial national modifications. Organisations must appoint a DPO when their core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data. All Austrian federal ministries must appoint at least one DPO under Section 5(4) DSG, going beyond the GDPR's general criteria.
Enhanced Confidentiality Protections
Where Austria goes further than the GDPR baseline is in DPO confidentiality. Under the DSG, DPOs and persons working under them are bound by strict confidentiality regarding the identity of data subjects who contact the DPO and any circumstances that could allow identification. This obligation continues after the DPO relationship ends.
Right to Refuse Testimony
Austrian DPOs and their support staff have a statutory right to refuse testimony regarding information obtained in their DPO capacity. Documents and files held by the DPO that fall under this right cannot be lawfully seized. This protection is notably stronger than what the GDPR alone requires.
Conflict of Interest Prohibition
The DSB has enforced the Article 38(6) GDPR prohibition on DPO conflicts of interest. A 2024 case resulted in a EUR 5,000 fine against a company that appointed its managing director as DPO, a role incompatible with the independent monitoring function the DPO must exercise.
International Data Transfers
Austria follows the GDPR's Chapter V framework for international data transfers. Transfers to countries with an EU adequacy decision may proceed without additional safeguards. As of 2026, adequacy decisions cover: all EEA countries, Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay. Transfers to certified US organisations under the EU-US Data Privacy Framework (adopted July 2023) are also covered.
For transfers to countries without an adequacy decision, organisations must rely on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) and conduct a Transfer Impact Assessment (TIA) evaluating the legal framework of the destination country.
The DSB's Google Analytics decisions established that Austrian enforcement of transfer rules is strict. Supplementary measures must demonstrably prevent access by foreign intelligence services. A risk-based approach arguing that surveillance is statistically unlikely does not satisfy Chapter V of the GDPR, per the April 2022 DSB decision.
Penalties and Sanctions
Austria's penalty framework for data protection violations operates on three levels: GDPR administrative fines, DSG-specific administrative fines, and criminal sanctions.
GDPR Administrative Fines (Articles 83-84 GDPR)
Less severe violations carry fines of up to EUR 10 million or 2% of global annual turnover (whichever is greater). These cover: failure to notify a breach, failure to maintain proper records, failure to designate a DPO where required, or failure to conduct a data protection impact assessment.
More severe violations carry fines of up to EUR 20 million or 4% of global annual turnover (whichever is greater). These cover: unlawful processing, failure to obtain valid consent, violation of data subject rights, unlawful international data transfers, and violations of the basic principles of Article 5 GDPR.
The Deutsche Wohnen Fault-Attribution Rule
Prior to the CJEU's Deutsche Wohnen ruling (C-807/21, December 5, 2023), Austria's position was that imposing a GDPR fine on a legal entity required attributing the infringement to a specific identified natural person. This position derived in part from the constitutional tradition reflected in DSG Section 1, under which individual culpability was seen as a prerequisite for administrative sanction.
The CJEU resolved the tension: a company may be fined under Article 83 GDPR without first identifying the responsible natural person. However, the CJEU rejected strict liability. A legal entity can only be fined if the infringement occurred intentionally or negligently at an organisational level. Negligence can be inferred from systemic failures in data protection governance, even without pinning responsibility on a named individual. Austrian courts and the DSB now apply this standard. The practical effect is that organisations can no longer avoid fines by claiming that no individual employee was personally at fault.
DSG-Specific Administrative Fines
Under the DSG, the authority may impose fines of up to EUR 50,000 for violations of national DSG provisions. These apply only where the offense does not already constitute a violation under Article 83 GDPR, preventing double punishment. Cookie and electronic marketing violations under TKG 2021 also carry fines up to EUR 50,000.
Criminal Sanctions (Section 63 DSG)
Austria maintains criminal penalties for data protection violations. Under Section 63 DSG, anyone who deliberately uses personal data (entrusted through professional occupation or acquired illegally) to unlawfully enrich themselves or a third party, or to damage another person's data protection interests, faces imprisonment of up to one year or a fine of up to 720 daily rates. This provision applies specifically to intentional misuse for profit or malicious purposes.
Public Authority Liability
While public authorities are exempt from administrative fines under the DSG, they remain subject to civil liability under Article 82 GDPR. The City of Baden precedent confirmed that affected individuals can claim damages without proving actual misuse of their exposed data.
Cookies and Electronic Privacy
Section 165(3) of the TKG 2021 implements the EU ePrivacy Directive in Austrian law and governs the use of cookies and similar tracking technologies.
The law distinguishes between two categories. Technically necessary cookies (serving the sole purpose of carrying out a communication or providing a service explicitly requested by the user) do not require consent. All other cookies, including analytics and advertising trackers, require prior opt-in consent. Following the CJEU's Planet49 ruling (Case C-673/17), valid consent requires an affirmative opt-in action. Pre-checked boxes do not constitute valid consent.
The DSB enforces cookie violations and can impose fines of up to EUR 50,000 under the TKG 2021, separate from GDPR fine authority.
EU Digital Omnibus: Upcoming Changes
In November 2025, the European Commission proposed the EU Digital Omnibus package. For cookies, the proposal folds cookie rules into the GDPR via a new Article 88a and creates a limited consent exemption for privacy-preserving audience measurement tools that do not track individuals across sites. The proposed changes would also require single-click accept/reject mechanisms with equal prominence and browser-level preference signals that websites must honour. Organisations would be prohibited from re-requesting declined consent for six months.
The Digital Omnibus entered the legislative procedure in November 2025. Final adoption is expected mid-to-late 2026. Until the package is enacted, the existing TKG 2021 consent requirements remain in full force in Austria.
EU AI Act Overlay
Regulation (EU) 2024/1689 (the EU AI Act) entered into force on August 1, 2024. Its provisions apply on a phased timeline that directly affects organisations operating in Austria.
Application Timeline
Prohibited AI practices (such as social scoring and most real-time biometric surveillance in public spaces) have been banned across the EU, including in Austria, since February 2, 2025. Transparency obligations for general-purpose AI systems and limited-risk AI apply from August 2, 2026. Rules for high-risk AI systems (in areas including biometrics, critical infrastructure, education, employment, migration, and border control) apply from December 2, 2027.
Austria's Institutional Response
Austria established the KI-Servicestelle (AI Service Office) within the Rundfunk und Telekom Regulierungs-GmbH (RTR), on the basis of amendments published in BGBl I Nr. 6/2024 (KommAustria-Gesetz §20c and TKG 2021 §194a). The KI-Servicestelle functions as a public-facing information hub, advisory body, and national competence centre for AI. It publishes guidance on AI Act obligations and coordinates the KI-Beirat (AI Advisory Board).
The KI-Servicestelle is an advisory body and does not exercise sanctioning powers. Austria has not yet formally designated the market surveillance and notifying authorities required for AI Act enforcement. The KI-Maßnahmenpaket announced that the Servicestelle would eventually transition into or support a dedicated national AI enforcement authority, but formal designation remains pending as of May 2026.
The DSB has a statutory advisory and evaluative role in AI contexts under the Informationsfreiheitsgesetz, ensuring information disclosures respect personal data rights, and publishes guidance on data protection in the context of AI systems. Where AI systems involve profiling or automated individual decision-making, GDPR Articles 22 and 35 (data protection impact assessments) apply alongside the AI Act.
Intersection with GDPR
The AI Act and GDPR operate in parallel. An AI system that generates profiling outputs used in automated decisions affecting individuals falls under both regimes: the AI Act for system-level risk classification and the GDPR for data subject rights. Controllers deploying high-risk AI systems in Austria should assess both regulatory frameworks when conducting data protection impact assessments under Article 35 GDPR.
Recent Developments (2024-2026)
Parliamentary Data Protection Committee (January 2025)
In response to a January 2024 CJEU ruling, Austria's July 2024 DSG amendment established a new Parliamentary Data Protection Committee (Parlamentarischer Datenschutzausschuss). This committee began supervising data protection activities of legislative bodies on January 1, 2025, closing a longstanding gap in independent oversight of parliamentary data processing.
CJEU Ruling on DSB Complaint Capping (January 2025)
The CJEU's ruling in C-416/23 held that the DSB cannot restrict data subjects to two complaints per month. The court confirmed that data subjects have the right to have any GDPR violation remedied, absent genuine abuse, regardless of how many complaints they need to file. This ruling was a direct rebuke of an Austrian practice.
KSV1870 Automated Scoring (September 2025)
The DSB's prohibition on KSV1870's automated credit-scoring practices represents Austria's first major Article 22 GDPR enforcement action against a credit agency. The ruling signals that the DSB is willing to target automated decision-making in financial contexts even while constrained by its budget.
DerStandard "Pay or Okay" (August 2025)
The Federal Administrative Court's ruling against DerStandard.at clarified that a pay-or-consent model requires granular consent options at a minimum. The case is expected to generate further guidance on the outer limits of consent-based tracking business models in Austria.
EU Digital Omnibus Proposal (November 2025)
The Commission's Digital Omnibus package proposes to simplify cookie consent rules and fold ePrivacy into the GDPR framework. If adopted in its current form, it would override Austria's strict cookie consent posture for privacy-preserving audience measurement tools. The proposal is still in the legislative procedure as of May 2026.
Ongoing Budget Debate (2025-2026)
The infringement complaint filed with the European Commission by epicenter.works and noyb remains pending. The 2026 DSB budget of EUR 5.9 million represents a further cut from the EUR 6.1 million allocated in 2025.
Compliance Essentials for Businesses Operating in Austria
Organisations processing personal data of Austrian residents should address these areas as priorities:
- Legal basis documentation. Map all processing activities to one of the six Article 6 GDPR lawful bases and document the basis in the Record of Processing Activities (ROPA) required by Article 30 GDPR.
- Consent mechanics. Ensure consent is freely given, specific, informed, and obtained through an affirmative opt-in action. Bundled consents and pre-checked boxes are invalid. Following the DerStandard ruling, pay-or-consent models must offer granular consent by processing purpose.
- Cookie compliance. Review cookie banners under TKG 2021 requirements and monitor the EU Digital Omnibus legislative progress for forthcoming changes to analytics consent rules.
- Data subject rights processes. Establish documented procedures to respond to access, erasure, rectification, portability, restriction, objection, and automated-decision rights requests within GDPR timeframes.
- Automated decision-making review. Audit any AI or algorithmic systems that produce legal or similarly significant effects. Following KSV1870, any fully automated scoring used for credit, employment, or similar decisions must either obtain explicit consent or rely on one of the narrow Article 22(2) exceptions, with human review available on request.
- Cross-border transfer review. Conduct a Transfer Impact Assessment for any transfer to a country outside the EU/EEA that lacks an adequacy decision. Verify that US service providers are DPF-certified where reliance on the DPF is intended.
- DPO conflict of interest. The DSB's EUR 5,000 fine in 2024 confirms that DPOs cannot hold roles in the same organisation that compromise their independence. Senior management and compliance officers cannot serve as DPO.
- EU AI Act compliance planning. Identify any AI systems in scope for the AI Act, particularly high-risk categories. Align GDPR Article 35 data protection impact assessments with AI Act risk assessments where they overlap.
- Breach notification readiness. Maintain documented incident response procedures capable of meeting the 72-hour notification window under Article 33 GDPR.
- Public authority civil liability. Austrian public sector bodies should be aware that the City of Baden precedent eliminates the need for data subjects to prove actual misuse when claiming Article 82 GDPR damages.
Disclaimer
This article presents general legal information about Austria's data privacy framework under the GDPR and Datenschutzgesetz (DSG). It does not constitute legal advice. The information covers Austria and EU-level data protection law as verified in May 2026. Laws, enforcement practices, and regulatory guidance change frequently. Readers should consult a lawyer licensed in Austria (or the relevant EU member state) for advice on their specific situation.
Authorities Cited
- Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
- Datenschutzgesetz (DSG), BGBl. I Nr. 165/1999 as amended, consolidated text May 2026. https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597
- Austrian Data Protection Authority (Datenschutzbehörde, DSB) official website. https://data-protection-authority.gv.at/
- Relevant Data Protection Laws, Austrian Data Protection Authority. https://data-protection-authority.gv.at/data-protection-laws/relevant-data-protection-laws
- Rights of the Data Subject (GDPR and DSG), Austrian Data Protection Authority. https://data-protection-authority.gv.at/data-protection-in-austria/rights-of-the-data-subject
- Austrian Federal Ministry of Finance, Data Protection Overview. https://www.bmf.gv.at/en/data-protection.html
- CJEU, Case C-807/21, Deutsche Wohnen SE v Staatsanwaltschaft Berlin, judgment of December 5, 2023. https://gdprhub.eu/index.php?title=CJEU_-_C-807/21_-_Deutsche_Wohnen
- CJEU, Case C-416/23 (Österreichische Datenschutzbehörde v F R), judgment of January 9, 2025. https://noyb.eu/en/austrian-data-protection-authority-slammed-cjeu
- DSB, Decision 2021-0.586.257 (D155.027), Google Analytics, January 13, 2022. https://gdprhub.eu/index.php?title=DSB_%28Austria%29_-_2021-0.586.257_%28D155.027%29
- DSB, follow-up decision on risk-based approach, April 22, 2022. https://noyb.eu/en/update-noybs-101-complaints-austrian-dpa-rejects-risk-based-approach-data-transfers-third-countries
- BVwG, Case W258 2227269-1/39E, Österreichische Post AG (EUR 16 million fine), December 27, 2024. https://gdprhub.eu/index.php?title=BVwG_-_W258_2227269-1/39E
- DSB, KSV1870 automated credit scoring decision, September 25, 2025. https://noyb.eu/en/noyb-win-austrian-authority-forbids-unlawful-credit-scoring-ksv1870
- BVwG (Federal Administrative Court), DerStandard.at "Pay or Okay" ruling, August 18, 2025. https://noyb.eu/en/court-decides-pay-or-okay-derstandardat-illegal
- noyb and epicenter.works, Complaint to the European Commission on DSB budget constraints, September 18, 2025. https://noyb.eu/en/budget-cuts-paralyse-austrian-dpa-ngo-complaint-eu-commission
- EDPB, administrative criminal proceedings against Österreichische Post AG. https://www.edpb.europa.eu/news/national-news/2019/administrative-criminal-proceedings-austrian-data-protection-authority_en
- Regulation (EU) 2024/1689 (EU AI Act). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689
- KI-Servicestelle at RTR, AI Act guidance. https://www.rtr.at/rtr/service/ki-servicestelle/ai-act/AI_Act.en.html
- European Commission, EU AI Act regulatory framework. https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
- CJEU, Case C-673/17, Planet49, cookie consent ruling. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62017CJ0673
- Data Protection in Austria, GDPRhub. https://gdprhub.eu/Data_Protection_in_Austria
Last updated: 2026-05-19. Statutes cited reflect their in-force version as of May 2026.
Frequently Asked Questions
Does the GDPR apply in Austria?
The GDPR applies directly in Austria as an EU member state and has been in effect since May 25, 2018. Austria supplements the GDPR with its Datenschutzgesetz (DSG), which addresses areas where the GDPR grants member states discretion, including child consent age, video surveillance rules, media exemptions, DPO confidentiality protections, and criminal penalties for data misuse.
What is the Datenschutzbehörde (DSB) and how do I file a complaint?
The Datenschutzbehörde (DSB) is Austria's independent data protection supervisory authority, headquartered in Vienna. Individuals can file complaints directly with the DSB when they believe their data protection rights have been violated. Complaints can be submitted through the DSB's official website at data-protection-authority.gv.at. Following the CJEU ruling in C-416/23, the DSB cannot limit the number of complaints a data subject may file per month, provided the complaints are not genuinely abusive.
What are the penalties for violating data privacy laws in Austria?
Austria enforces penalties on three levels. GDPR administrative fines reach up to EUR 20 million or 4% of global annual turnover for serious violations such as unlawful processing or failure to respect data subject rights. The DSG allows additional fines up to EUR 50,000 for violations of national provisions not already covered by Article 83 GDPR. Under Section 63 DSG, deliberate misuse of personal data for profit or to harm others carries criminal sanctions including up to one year of imprisonment.
Is Google Analytics legal to use in Austria?
The DSB ruled in January and April 2022 that the standard implementation of Google Analytics violated the GDPR by transferring personal data to the United States without adequate safeguards. Since the adoption of the EU-US Data Privacy Framework in July 2023, transfers to DPF-certified US organisations have a new adequacy basis. Google LLC is DPF-certified. Organisations using Google Analytics in Austria should verify that Google maintains its DPF certification and review their specific configuration. The DSB's established position that supplementary measures must demonstrably prevent foreign intelligence access remains relevant for transfers outside the DPF.
At what age can children consent to online services in Austria?
Under Section 4(4) of the DSG, children in Austria can consent to information society services starting at age 14. This is lower than the GDPR's default threshold of 16, which Austria lowered using the regulation's opening clause. For children under 14, parental or guardian consent is required.
Does Austria require identifying a natural person before fining a company for a GDPR violation?
No. Following the CJEU's ruling in Deutsche Wohnen (C-807/21, December 5, 2023), Austria's courts must impose GDPR fines on legal entities on proof of organisational culpability alone. The CJEU held that it is not necessary to attribute the infringement to an identified natural person first. However, strict liability does not apply: the organisation must have acted intentionally or negligently. Negligence can be inferred from systemic failures in data protection governance without identifying the specific employee responsible.
What is the EU AI Act and how does it affect Austrian businesses?
The EU AI Act (Regulation 2024/1689) is directly applicable in Austria. Prohibited AI practices have been banned since February 2025. Transparency rules for general-purpose AI apply from August 2026. Rules for high-risk AI systems apply from December 2027. Austria established the KI-Servicestelle within the RTR as a national advisory body for AI Act compliance. The AI Act operates alongside the GDPR: AI systems involving profiling or automated individual decisions must also comply with GDPR Articles 22 and 35.
Are 'Pay or Okay' cookie consent models legal in Austria?
Austrian courts have scrutinised pay-or-consent models closely. In August 2025, the Federal Administrative Court ruled against newspaper DerStandard.at, finding that its model, which required users to either pay EUR 9.90 per month or consent to comprehensive third-party tracking, did not provide valid GDPR consent because it lacked granularity. Users must be able to consent or refuse consent to specific types of processing separately. The court did not rule the pay-or-consent approach categorically impermissible, but found that granular consent options are a minimum requirement.
What are the rules for automated credit scoring and algorithmic decisions in Austria?
Article 22 GDPR prohibits decisions based solely on automated processing that produce legal or similarly significant effects, unless one of the narrow exceptions applies. The DSB's September 2025 ruling against KSV1870 confirmed that automated credit-scoring systems that transmit risk indicators to third parties for service decisions violate this prohibition. Controllers relying on automated scoring must either obtain explicit data subject consent, demonstrate the decision is necessary for a contract, or be authorised by EU or member state law, and must in any case offer the right to human review.
What is Austria's constitutional right to data protection?
Section 1 of the DSG carries constitutional rank, meaning it can only be amended by a two-thirds majority in parliament. It guarantees everyone, including legal persons, a right to secrecy of personal data in private and family life. This provision has existed since 1978, making Austria one of the earliest countries to constitutionalise data protection. It allows any Austrian law interfering with data protection to be challenged before the Constitutional Court (VfGH), creating a judicial check beyond the GDPR framework.