This country-specific Q&A provides an overview of the data protection and cyber security laws and regulations that apply in Austria.
This Q&A is part of the global guide to Data Protection & Cyber Security. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/data-protection-cyber-security/
Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data they regulate, and who enforces the laws)?
As in all member states of the European Union, the General Data Protection Regulation ("GDPR") applies in Austria, where it is supplemented by the Austrian Data Protection Act ("DSG"). These laws regulate the protection of personal data, meaning any information relating to an identified or identifiable natural person. In addition, data protection provisions can be found in numerous further laws regulating specific matters (e.g. Telecommunications Act, Banking Act, Act on Medical Practitioners).
The competent authority for the enforcement of the data protection provisions is the Data Protection Authority. In certain cases, regular courts can also be called upon in the event of violations of data protection provisions.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
Since the GDPR came into force, no general obligation to report data processing to the Data Protection Authority exists in Austria.
However, reporting obligations can arise on the basis of special constellations (e.g. notification of the contact details of a data protection officer to the Data Protection Authority; notification in the case of a data breach).
How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
The definitions of the GDPR apply (in particular art. 4 GDPR).
Are there any restrictions on, or principles related to, the general processing of PII – for example, must a covered entity establish a legal basis for processing PII in your jurisdiction or must PII only be kept for a certain period? Please outline any such restrictions or “fair information practice principles” in detail?
Each processing operation must comply with the principles set out in art. 5 GDPR. The controller is responsible for compliance with these principles and must be able to demonstrate such compliance upon request.
Data protection law follows the principle of prohibition subject to authorization. The processing of personal data is, as a basic principle, prohibited and may only be carried out where authorized by law. The cases in which processing is permissible (the legal bases) are set out in art. 6 GDPR.
Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there rules relating to the form, content and administration of such consent?
In so far as data processing cannot be based on another provision of art. 6 GDPR, the consent of the person concerned is required. However, this depends on the circumstances of the individual matter. It is therefore not always necessary for the data subjects to give their consent in order to carry out data processing.
For any consent to be effective, substantial requirements must be met. Consent is a voluntary, informed and unequivocal expression of will, given for the specific matter. The consent can be revoked by the person concerned at any time. The person concerned must be informed of this possibility of revocation before consent is given. The consent itself is not bound to any particular form. Since the controller is required to prove the existence of any consent, it is advisable to ensure appropriate documentation.
What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?
The provisions of the GDPR apply to the processing of sensitive data.
However, the DSG provides additional requirements for the processing of personal data concerning criminal convictions. In brief, such processing is only permissible if (i) an express statutory authorisation or obligation exists or (ii) it is carried out under the control of official authority.
How do the laws in your jurisdiction address children’s PII?
In Austria, children can consent to the processing of their personal data relating to the so-called "information society services" (e.g. social media platforms) once they reach the age of 14. Below this age limit, consent of the legal representative (parents) of the child or the consent of the child together with the consent of the legal representative is required. The controller must ensure that consent has been given by or together with the consent of the holder of parental responsibility for the child. The legal situation for data processing not related to information society services has not yet been finally clarified.
Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
The provisions of art. 30 GDPR apply. Accordingly, controllers (and processors) must keep a written record of their processing activities. This document must be made available to the Data Protection Authority on request. Such documentation shall in particular contain the following information:
- the contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
- the purposes of the processing operations;
- description of the categories of data subjects, personal data, recipients and transfers to third countries;
- where possible the envisaged time limits for erasure of the different categories of data; and
- a general description of the technical and organisational measures undertaken to protect the data.
Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?
Legal consultation obligations with the Data Protection Authority exist within the framework of the GDPR (art. 36 GDPR). In the case of complex factual matters or legal issues, however, it may be advisable to seek informal discussions with the Data Protection Authority.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
According to art. 35 et seq. GDPR, a data protection impact assessment must be carried out before processing begins for those processing operations where the risk of an infringement of the rights of data subjects is likely to be high.
The Data Protection Authority has now published a list of processing operations, for which a data protection impact assessment is required in any case (so-called "black list"). Similarly, a "white list" has been published defining data processing operations that do not require a data protection impact assessment.
Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?
In Austria, there is no general obligation to appoint a data protection officer. Such an appointment is only required within the framework of art. 37 GDPR.
In many enterprises, however, compliance officers are appointed whose responsibilities include data protection and the handling of confidential information. The legal status of such compliance officers is not regulated by law but is determined by the respective contractual arrangement.
Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).
Such information obligations are governed by Articles 13 and 14 of the GDPR. These are usually published on the enterprise’s website or are even posted on the company's premises. In some industries (e.g. banks, insurance companies) it is even customary to hand these over to the customers.
Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?
In many cases, the data protection provisions apply (also) directly to processors, in particular the provisions of the GDPR (e.g. security of processing, appointment of a data protection officer).
In addition, legal obligations that affect the controller are often passed on to the processor by contract.
Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?
The provisions of art. 28 et seq. GDPR apply to the involvement of processors.
A processor may only be involved if it offers sufficient guarantees that appropriate technical and organisational measures will be implemented in such a way that the processing is in accordance with the requirements of the GDPR and the protection of the rights of the data subject is guaranteed.
The controller must conclude a written/electronic contract with the processor. The minimum content of the contract is set forth in art. 28 GDPR. Further provisions are legally possible and are also agreed in practice.
Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization from a regulator?)
The transmission of personal data within the European Economic Area ("EEA") is not subject to any restrictions and is therefore unregulated.
A data transfer outside the EEA is only permitted if the requirements of art. 44 et seq. GDPR are met. As far as possible, enterprises will use the EU standard contractual clauses in such cases.
What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?
As a basic principle, the provisions of the GDPR also apply to such matters.
However, there are lines of business (e.g. doctors, banks) that have defined their own very specific security requirements. In principle, these must also be observed by processors.
Does your jurisdiction impose requirements of data protection by design or default?
As a basic principle, the provisions of the GDPR also apply to these matters.
In practice, however, contracts generally once again explicitly state which requirements the processor is required to comply with.
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
The appropriate provisions of the GDPR apply here.
Accordingly, a personal data breach is defined as a breach of security which, whether accidentally or unlawfully, results in the destruction, loss, alteration, or unauthorized disclosure of or access to personal data.
Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
A personal data breach must be reported by the controller to the Data Protection Authority immediately and at the latest within 72 hours of becoming aware of the violation. The notification must meet certain minimum requirements as to its content, including the nature of the breach, the categories and approximate number of data subjects concerned, the categories and approximate number of personal data records concerned, a description of the likely consequences of the personal data breach, and the name and contact details of any data protection officer appointed.
Do the laws in your jurisdiction provide individual rights, such as the right to access and the right to deletion? If so, please provide a general description on what are the rights, how are they communicated, what exceptions exist and any other relevant details.
In Austria, the rights of data subjects laid down in Articles 15 through 22 of the GDPR apply as a basic principle:
- right of access
- right to rectification
- right to erasure
- right to restriction of processing
- right to data portability
- right to object
However, not all of these rights apply in every case. There are numerous exceptions under which a data subject does not have the rights mentioned above. For example, the right of access is excluded if the provision of the information would endanger a business or trade secret of the controller or of a third party. Similarly, in the area of medical law, the data subject does not have all of these rights.
Are individual rights exercisable through the judicial system or enforced by a regulator or both? When exercisable through the judicial system, does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances? Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury of feelings sufficient?
Depending on the nature of the right, the exercise of a data subject's rights can take place before the Data Protection Authority or before the ordinary courts.
In the case of data subjects' rights (see question 20 above), this falls within the competence of the Data Protection Authority.
If, on the other hand, claims for damages are concerned, these are to be raised in the ordinary courts. Both material damages as well as immaterial damages can be claimed. The general provisions of civil law shall apply to these claims for damages.
How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?
The Data Protection Authority may impose fines for violations of data protection provisions.
The fines can amount to up to €20,000,000 or up to 4% of the total worldwide annual turnover of the previous business year.
The amount of the specific fine will depend on the type, severity and duration of the data protection violation and on the degree of fault.
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
The most important exceptions have already been summarized above. However, the following provision in connection with the right to erasure is also worth mentioning: if the rectification or erasure of personal data processed by automated means cannot be carried out immediately because, for commercial or technical reasons, it can only be carried out at certain times, the processing of the personal data concerned must be restricted until that point in time, with the effect provided for in art. 18(2) GDPR.
Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?
The relevant provisions of the GDPR apply in this respect.
However, cookies may only be stored for as long as they are strictly necessary for the service concerned.
Please describe any laws addressing email communication or direct marketing?
The sending of an e-mail (including a text message (SMS)) is prohibited without the prior consent of the recipient if (i) the e-mail is sent for direct marketing purposes or (ii) it is addressed to more than 50 recipients. However, there are exceptions and/or further restrictions to this basic rule, which must be reviewed on a case-by-case basis.