
Austria

Summary

Law: Federal Act on the Protection of Individuals With Regard to the Processing of Personal Data (Data Protection Act (DSG) BGBl. I No. 165/1999) (last amended in 2023) ('DSG') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: Austrian data protection authority ('DSB')

Summary: In Austria, both the national DSG and the GDPR apply with regard to privacy issues. The DSG complements the GDPR, tailors its provisions to the particular national context, and provides the legal basis for the structure and powers of the DSB. The DSB is an active authority and has issued substantial fines, including, for example, a fine of €18 million against the Austrian postal service for violating the GDPR. The DSB and the Austrian Chamber of Commerce ('WKO') regularly issue guidance on privacy issues, including on data subject access requests, cookies, direct marketing, and the right to be forgotten. Alongside the GDPR and the DSG, Austria also ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data ('Convention 108').

Insights

Website operators should take note that they may be breaking the law if they force visitors to accept cookies or pay for access. The latest guidance on website cookie walls, published on 16 May 2022 by the French data protection authority ('CNIL'), sheds some light on criteria for assessing the legality of cookie walls. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, breaks down the guidance into practical steps for website operators.

Although the storage limitation principle stipulated by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') appears – at least at first glance – to be rather straightforward, the past three years have already shown that this is not the case. Rather, the topic of data deletion and destruction is one of the most challenging to be dealt with by data controllers. Part 4 of the implementation series looked at vendor management best practices, whilst in part 5, Axel Anderl and Nino Tlapak, from DORDA Rechtsanwälte GmbH, discuss best practices for data deletion and destruction policies in compliance with the GDPR and national legislation.

Managing data flows involving suppliers and vendors is one of the most challenging tasks for data controllers in practice. Preliminarily, this requires a detailed understanding of various legal obligations resulting from different laws. In addition, the development of case law on the national and EU level needs to be monitored, and measures already implemented need to be adjusted frequently on that basis. Finally, organisational and negotiation skills are an absolute must-have in order to balance business interests and commercial impacts. Part 3 of the implementation series explored data mapping, and in part 4, Axel Anderl and Nino Tlapak, from DORDA Rechtsanwälte GmbH, discuss vendor management best practices and their nuances.
