Austria - Data Protection Overview

March 2024

1. Governing Texts

The Federal Act on the Protection of Individuals With Regard to the Processing of Personal Data (Data Protection Act (DSG) BGBl. I No. 165/1999) (last amended in 2021) ('DSG') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') apply to privacy-related issues in Austria. The DSG complements the GDPR: it tailors the GDPR provisions to the particular national context and sets out the duties of the Austrian data protection authority ('DSB'). The DSB is an active authority and, together with the Austrian Chamber of Commerce ('WKO'), regularly issues guidance on privacy issues, including on data subject access requests, cookies, direct marketing, and the right to be forgotten. Alongside the GDPR and the DSG, Austria has also ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data ('Convention 108').

1.1. Key acts, regulations, directives, bills

In Austria, the main national legislation on data protection is the DSG. Notwithstanding its title, the DSG also, to a certain extent, protects the personal data of legal persons. To supplement the GDPR and bring the DSG in line with the new data protection framework set out in the GDPR, the Federal Law Amending the DSG 2018 (only available in German here) entered into force on May 25, 2018.

The DSG also serves as the implementing law for the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680). As a result, Sections 36 to 61 of the DSG only apply to data processing activities conducted by criminal authorities and are not related in any way to the national implementation of the GDPR. The GDPR has also called for amendments to other national acts. Several hundred acts have been evaluated and amended, in particular, so that respective provisions comply with the requirements set out in Article 6(1)(c) and (e) of the GDPR to qualify as a valid ground of justification.

1.2. Guidelines

The DSB has issued a general guideline document on the GDPR (only available to download in German here), as well as a general Q&A document covering a wide range of topics (only available in German here).

Further, the DSB has also published the following documents (all available in German here):

  • template forms for data subjects to exercise their data subject rights, such as the right of access and right to erasure, as well as template forms to file complaints with the DSB;
  • a form for data breach notifications as per Article 33 of the GDPR;
  • template clauses for data processing agreements as per Article 28 of the GDPR;
  • annual data protection reports; and
  • quarterly newsletters containing, among other topics, information on selected unpublished decisions.

The DSB also provides an online form for data subjects to file complaints, available here.

1.3. Case law

So far, approximately 1,200 published decisions deal with GDPR questions. Approximately 15% of these decisions have been issued by the DSB (the first decisions were issued by the DSB on May 28, 2018).

In addition, more than 70% of decisions have been issued by the Federal Administrative Court in its function as the appellate court against decisions of the DSB. This also shows that not all decisions of the DSB are being published. Furthermore, the Supreme Court of Justice of the Republic of Austria has also ruled in more than 100 cases on GDPR issues. A small number of decisions by lower instance civil courts on questions of civil enforcement of data protection rights have also been published.

Besides the published decisions, a much greater number of unpublished decisions on GDPR issues exist.

2. Scope of Application

2.1. Personal scope

Apart from the fundamental right to data protection (which also covers information related to legal persons), there are no national variations from the GDPR.

2.2. Territorial scope

There are no national variations from the GDPR.

2.3. Material scope

Apart from the fundamental right to data protection (which also covers information related to legal persons), there are no national variations from the GDPR.

Data processing and freedom of expression and information

Pursuant to Section 9 of the DSG, the provisions of the GDPR set out in Article 85(2) of the GDPR, as well as the DSG, do not apply to the processing of personal data by media owners, publishers, and employees of a media company or service for the journalistic purposes of such companies or services. When exercising its powers vis-à-vis such persons and entities, the DSB shall observe the protection of editorial secrecy.

Furthermore, to the extent necessary to reconcile the right to protection of personal data with the freedom of expression and information, the provisions of the GDPR set out in Article 85(2) of the GDPR (with the exception of Articles 5, 28, 29, and 32 of the GDPR) shall not apply to processing activities carried out for scientific, artistic, or literary purposes. The obligation to data secrecy, as stipulated in Section 6 of the DSG, however, still applies.

Notably, the Austrian constitutional court has repealed Section 9 of the DSG with effect from July 1, 2024.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The main regulator for data protection in Austria is the DSB.

3.2. Main powers, duties and responsibilities

In addition to the duties set out in the GDPR, the DSG provides for several additional powers, duties, and responsibilities.

Section 21 of the DSG

Per Section 21 of the DSG, the DSB advises the committees of the National Council, the Federal Council, the Federal Government of Austria, and the state governments on legislative and administrative measures upon their request. The DSB shall be consulted prior to the enactment of federal laws and ordinances in the area of data protection.

Section 22 of the DSG

Moreover, Section 22 of the DSG sets out that the DSB may request all necessary clarifications from data controllers or data processors in relation to the data processing under review and has the right to request an inspection of data processing operations and related documents. Data controllers and data processors must provide all required support.

Such supervisory activity shall be carried out with the greatest possible protection of the rights of the data controller, the data processor, or third parties, as the case may be. In inspection cases, the DSB shall be entitled, after notifying the owner of the premises and the data controller or data processor:

  • to enter the premises where data processing operations are carried out;
  • to put data processing equipment into operation;
  • to carry out the processing operations to be inspected; and
  • to make copies of data carriers to the extent strictly necessary for exercising its powers of inspection.

Information received or collected by the DSB (or by its delegates in the course of their supervisory and inspection activities) may only be used for the purpose of fulfilling its duties and responsibilities as set out in applicable data protection legislation. In general, the DSB is therefore not entitled to share such information received or collected with other authorities. If the operation of a data processing system poses a substantial and immediate threat to the confidentiality interests of the data subjects, the DSB may order that the respective data processing activity be stopped immediately.

Section 24 of the DSG

The right to have a complaint handled by the DSB lapses if the complainant does not lodge it within one year of becoming aware of the event complained of, and in any case no later than three years after the alleged occurrence of the event. Section 24 of the DSG provides that the DSB shall reject complaints that were not lodged within these time limits.

Until the end of the proceedings before the DSB, data controllers and data processors may subsequently remedy the alleged infringement, e.g., by responding to the complainant's requests. If the DSB finds the alleged infringement to be completely remedied, the proceedings will be closed.

Within three months of lodging the complaint, the DSB has to inform the complainant of the status and outcome of the investigations.

4. Key Definitions

Data controller: There are no variations from the GDPR.

Data processor: There are no variations from the GDPR.

Personal data: There are no variations from the GDPR.

Sensitive data: There are no variations from the GDPR.

Health data: There are no variations from the GDPR.

Biometric data: There are no variations from the GDPR.

Pseudonymization: There are no variations from the GDPR.

5. Legal Bases

5.1. Consent

There are no national variations. For the consent of children, see the section on children's data below.

5.2. Contract with the data subject

There are no national variations.

5.3. Legal obligations

There are no national variations in relation to legal obligation as a legal basis. There are, however, a number of statutory provisions that impose legal obligations of the kind envisaged under Article 6(1)(c) and 6(1)(e) of the GDPR.

5.4. Interests of the data subject

There are no national variations.

5.5. Public interest

There are no national variations.

5.6. Legitimate interests of the data controller

There are no national variations.

5.7. Legal bases in other instances

Processing for scientific or historical research purposes

Pursuant to Section 7 of the DSG, for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes whose results do not contain personal data, the data controller may process any personal data which:

  • are publicly accessible;
  • the data controller has collected for other research activities or other legitimate purposes; or
  • are pseudonymized in relation to the data controller, so that the identity of the data subject cannot be determined by legally permissible means.

In relation to all other data processing activities for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes, personal data may be used only:

  • as provided for in special statutory provisions;
  • with the consent of the data subject; or
  • after prior approval of the DSB.

Such approval by the DSB shall be granted at the request of the data controller if:

  • it is impossible to obtain the consent of the data subject because they cannot be contacted, or it otherwise involves a disproportionate amount of work;
  • there is a public interest in the respective data processing activity; and
  • the professional qualification of the data controller to conduct the respective data processing activity is made plausible.

The DSB may make the approval dependent upon the fulfillment of additional conditions and obligations insofar as this is necessary to safeguard the interests of the data subject. Special categories of data may only be processed for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes if there is an important public interest in the data processing activity at hand. Furthermore, it must be ensured by the data controller that personal data is processed only by persons who are subject to a legal duty of confidentiality with regard to the subject matter of the activity or whose reliability in this respect is otherwise made plausible.

Image processing

Sections 12 and 13 of the DSG contain special rules on image processing. For the purposes of these sections, image processing means the recording, for private purposes, of events in public or non-public locations by the use of technical equipment for image processing. Acoustic information captured in the course of such recording is also covered.

Image processing is admissible only if:

  • it is necessary for the vital interests of a person;
  • the data subject has consented to the processing of their personal data;
  • it is ordered or permitted by special statutory provisions; or
  • there are overriding legitimate interests of the data controller or a third party in the individual case and the image processing is proportionate.

Such overriding legitimate interests are given in particular if:

  • the image processing serves to preventively protect persons or private property (used exclusively by the data controller) and does not extend beyond the property, with the exception of the unavoidable inclusion of public traffic areas;
  • the image processing is necessary to preventively protect persons or property in publicly accessible places, which are subject to the domestic authority of the data controller, where required as a result of already occurred infringements or of a special potential danger as per the nature of the location; or
  • the image processing pursues a private interest in documentation which is not directed towards the identifying recording of uninvolved persons or objects potentially enabling the indirect identification of such persons.

The following, however, are inadmissible in any case:

  • to make an image recording in the highly personal sphere of a data subject without their express consent;
  • image processing for the purpose of controlling employees;
  • the automated comparison of personal data obtained by means of image processing with other personal data for the creation of personality profiles without express consent of the data subject; and
  • the evaluation of personal data obtained by means of image processing on the basis of special categories of data as a selection criterion.

The data controller shall take appropriate data security measures taking into account the risk of the image processing activity and shall ensure that access to the image recordings and any subsequent modification thereof by unauthorized persons is excluded. The data controller shall, except for real-time monitoring, keep detailed records of each access, inspection, or deletion operation. Personal data collected shall be deleted by the data controller if they are no longer needed for the purpose for which they were collected and if there is no other legal obligation to retain them. Storing such image data for more than 72 hours must be proportionate and must be recorded and justified separately. The data controller shall inform data subjects about the image processing activity and label the respective image recording systems appropriately. The data controller shall in any case be clearly identifiable from the labelling, unless the data subject already is aware of the specific data controller.

Notably, the Federal Administrative Court ruled that Sections 12 and 13 of the DSG seem partly contrary to the GDPR and, thus, in practice they are now disregarded by the DSB to a large extent.

Data processing in the event of a disaster

Pursuant to Section 10 of the DSG, in the event of a disaster, public sector officials and aid organizations may process personal data jointly to the extent necessary to provide assistance to the persons directly affected by the disaster, to locate and identify missing persons and deceased persons, and to inform relatives. Third parties may transfer such data to public sector officials and aid organizations, provided that it is needed for them to deal with the disaster and for the aforementioned purposes.

Personal data may also be transmitted to third countries insofar as this is absolutely necessary for the fulfillment of the aforementioned purposes. Information indicating that the data subject has committed a criminal offense may not be transmitted, unless this is absolutely necessary for identifying the data subject. The DSB must be informed, without delay, of such transmissions to third countries and of the detailed circumstances and the facts of such transmissions. The DSB has the right to prohibit further data transfers to third countries, if necessary to protect the rights of data subjects, in particular, if the specific disaster situation does not demand such data transfer.

Upon a respective request from a close relative of a person actually or presumably directly affected by the disaster, data controllers are entitled to transmit personal data on the whereabouts of the person concerned and the state of research to such close relative if the close relative can prove their identity and relationship to the data subject. Regarding the processing of personal data in the event of a disaster, special categories of data may only be transferred to close relatives if they can prove their identity and their status as relatives, and the transfer is necessary to safeguard their rights or those of the data subject.

Personal data processed for disaster management purposes (as highlighted above) shall be deleted immediately after they are no longer needed for such purposes.

6. Principles

There are no national variations and the principles provided under the GDPR apply.

7. Controller and Processor Obligations

7.1. Data processing notification

In accordance with the GDPR, Austria has repealed its prior notification and registration regime. As of May 25, 2018, data controllers are no longer obliged to register and notify their data processing activities with the data processing register. Registration proceedings still pending on May 25, 2018, are deemed to have been terminated.

7.2. Data transfers

There are no national variations.

7.3. Data processing records

There are no national variations.

7.4. Data protection impact assessment

An impact assessment must be conducted when the processing is likely to create a high risk to the rights and freedoms of the persons concerned. The DSB has issued a list of processing activities for which a Data Protection Impact Assessment ('DPIA') must be carried out by the data controller (only available in German here).

In particular, the DSB outlined that a DPIA must be carried out in the following circumstances:

  • processing operations involving an assessment or a classification of natural persons, including the creation of profiles and forecasts, for purposes concerning work performance, economic situation, health, personal preferences and interests, reliability, behavior, whereabouts, or movement of the person, solely being based on automated processing and potentially having negative legal, physical, or financial consequences;
  • processing of data for the purpose of evaluating the conduct and other personal aspects of natural persons and which may be used by third parties to make automated decisions having legal effects on the persons evaluated or which similarly significantly affect them;
  • processing operations aimed at the observation, supervision, or control of data subjects, in particular, by means of image and related acoustic data processing, and concerning:
    • data collected through networks or aiming at systematic and extensive monitoring of publicly accessible areas;
    • public places, which can be entered by unspecified groups of persons;
    • roads with public transport which can be used by everyone under the same conditions;
    • locations which due to an obligation to contract may be entered by any person;
    • locations which, in the public interest, may be entered by any person;
    • image processing using mobile cameras for the purpose of preventing or countering dangerous attacks or criminal conduct in public and private spaces;
    • image and acoustic processing to prevent and protect persons or property on private real estate used for residential purposes when such real estate is not used exclusively by the responsible person and all authorized users living in the common household; or
    • churches, houses of prayer, insofar as they are not already covered above, and other institutions serving the practice of religion in the community;
  • processing of data using or applying new or novel technologies or organizational solutions which make it more difficult to assess the impact on the persons concerned and the social consequences, in particular through the use of artificial intelligence and the processing of biometric data, provided that the processing does not merely involve the reproduction of facial images in real-time;
  • merging and/or cross-checking data sets from two or more processing operations carried out for different purposes and/or by different controllers, going beyond the processing operations normally expected of a data subject, provided that through the use of algorithms, decisions might be taken that can significantly harm the data subject; and
  • processing operations carried out on the most personal sphere, even if the processing is based on consent.

In the case of employment, a DPIA shall not be necessary for the above situations where there is a respective works council agreement or respective agreement with the staff committee. The DSG has clarified that systematic monitoring shall mean processes that take place within the framework of a system or in advance, and which are organized and methodically carried out.

Furthermore, a DPIA has to be carried out if a processing activity meets two or more of the following criteria:

  • extensive processing of special categories of data;
  • extensive processing of personal data on criminal convictions and offenses;
  • collection of location data within the meaning of Section 92(3)(6) of the Federal Act Enacting the Telecommunications Act (only available in German here) ('TKG'), which implements the Directive on Privacy and Electronic Communications (Directive 2002/58/EC), i.e., data which are processed in a communications network or by a communications service and which indicate the geographical location of the telecommunications terminal equipment of a user of a public communications service;
  • processing the data of data subjects in need of protection, such as minors, employees, patients, mentally ill persons, and asylum seekers; and
  • merging and/or cross-checking data sets consisting of two or more processing operations carried out for different purposes and/or by different data controllers, in a data processing operation going beyond the processing operations normally expected by a data subject, provided that the processing operations are carried out for purposes for which not all the data to be processed were collected directly from the data subject.

Activities not subject to prior consultation/authorization

The DSB has issued a list of processing activities that are exempt from DPIAs (only available in German here).

Initially, a DPIA was not required for data processing activities which either had not been subject to the notification requirement under the 'old' data protection regime or had been subject to prior approval by the DSB under the 'old' regime, provided that, in both cases, the relevant data processing activity had already commenced on May 24, 2018, fulfilled all requirements set out in the GDPR, and had not been materially changed after May 25, 2018.

Furthermore, a DPIA does not have to be conducted for specific data processing activities in the following fields, as long as these are conducted in the manner set out in the DSB's list (regarding purpose, data categories, and/or data controllers):

  • customer administration, accounting, logistics, bookkeeping;
  • personnel administration;
  • member administration;
  • customer care and marketing for own purposes;
  • property and inventory management;
  • registers, records, books;
  • access management for IT systems;
  • access control systems;
  • stationary image processing and the associated acoustic processing for surveillance purposes (video surveillance);
  • real-time image and acoustic data processing;
  • image and acoustic processing for documentation purposes;
  • patient/client/customer management and fee accounting of individual physicians, health service providers and pharmacies;
  • legal and advisory professions;
  • archiving, scientific research, and statistics;
  • statements of support;
  • financial management of local authorities and other public bodies;
  • public tax administration;
  • grant administration by public bodies;
  • public relations and information activities by public officials and their business apparatuses;
  • file management and procedural management;
  • organization of events; or
  • awards and honors.

Finally, the Austrian Federal Economic Chamber has issued a checklist on how to conduct a DPIA (only available in German here).

7.5. Data protection officer appointment

Pursuant to Section 5 of the DSG, the data protection officer ('DPO') and the persons acting on their behalf shall be obliged to maintain secrecy in the performance of their duties, without prejudice to other duties of confidentiality. This applies, in particular, to the identity of data subjects who have contacted the DPO and to circumstances that allow conclusions to be drawn about them, unless the data subject has expressly released the DPO from confidentiality. The DPO and the persons acting on their behalf may use the information gathered in the course of their activities exclusively for the performance of their duties and are obliged to maintain secrecy even after their duties have ceased.

If, in the course of their duties, a DPO obtains knowledge of data for which a person subject to the control of the DPO is entitled to a statutory right to refuse to give evidence, this right shall also apply to the DPO and the persons acting on their behalf, to the extent that the person entitled to the above-mentioned statutory right has exercised it. Within the scope of the DPO's right to refuse to make a statement, their files and other documents may not be seized or confiscated. The WKO guidance 'When is a data protection officer necessary and what are their tasks?' (only available in German here) ('the WKO Guidance') provides that the contact details of the DPO must be made public and the DSB must be notified. The WKO Guidance recommends that the notification be made in writing and notes that the DSB can be contacted via [email protected]. Moreover, the WKO Guidance recommends obtaining clear consent for the DPO from the DSB.

Role

The DPO is bound by confidentiality when performing their duties, without prejudice to other obligations of confidentiality. This applies, in particular, in relation to the identity of data subjects who have contacted the DPO, and to circumstances that allow identification of these persons, unless the data subject has expressly granted a release from confidentiality. The DPO is bound by confidentiality even after the end of their activities (Article 2, Chapter 1, Section 5(1) of the DSG).

If during their activities, a DPO obtains knowledge of data in respect of which a person employed with a body subject to the supervision of the DPO has a statutory right to refuse to give evidence, the DPO and the persons working for the DPOs also have such a right to refuse to give evidence. It is prohibited for the files and other documents of the DPO to be confiscated and/or searched to the extent of the right of the DPO to refuse to give evidence (Article 2, Chapter 1, Section 5(2) of the DSG, the WKO Guidance).

7.6. Data breach notification

Attorneys at law and public notaries are not obliged to inform data subjects of a data breach as per Article 34 of the GDPR, to the extent required to comply with their statutory obligation to confidentiality (as per Section 9 of the Attorneys Act (last amended in 2022) (only available in German here) ('the Attorneys Act') and Section 37 of the Public Notaries Act (last amended in 2022) (only available in German here) ('the Public Notaries Act')) to ensure the protection of the rights and freedoms of their own client, third parties, or to ensure the enforcement of civil claims.

Sectoral obligations for breach

The TKG stipulates a separate data breach notification duty for telecoms and internet providers. Providers of publicly available electronic communications services are obliged to notify the competent national authorities, and in certain cases also the subscribers and individuals concerned, of personal data breaches. Where feasible, the notification must be made no later than 24 hours after the detection of a personal data breach. A second notification, containing additional information, must then be made within three days. Breached providers must also notify affected subscribers or individuals of any breach that is likely to adversely affect their personal data or privacy.

The Directive on Security of Network and Information Systems (Directive (EU) 2016/1148), as implemented in the Federal Act on the Safeguarding of a High Level of Security of Network and Information Systems and Amending the TKG 2018 (only available in German here), sets a range of network and information security requirements which apply to operators of essential services and digital service providers, including enterprises in the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors. For incidents having a significant impact on the continuity of the essential services they provide, these operators are obliged to notify the competent authority without undue delay. This notification obligation does not necessarily require personal data to be affected.

The Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market and Repealing Directive 1999/93/EC (Regulation (EU) No 910/2014) ('the Regulation') provides a legal framework for electronic identification and trust services such as the creation, verification, and validation of electronic signatures or certificates for website authentication. Pursuant to Article 19 of the Regulation, providers of such services shall, without undue delay but in any event within 24 hours after having become aware of it, notify the supervisory body and, where applicable, other relevant bodies, of any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein. Thus, where personal data is affected in such cases, the DSB would have to be notified within 24 hours rather than within the 72 hours provided for in Article 33 of the GDPR. Furthermore, where the incident is likely to adversely affect a natural or legal person to whom the trust service has been provided, the persons concerned shall also be notified without undue delay.

7.7. Data retention

Pursuant to Section 4(2) of the DSG, if the correction or deletion of personal data cannot be carried out immediately because of economic or technical reasons, and so can only be carried out at certain times, the processing of the personal data concerned must be restricted pursuant to Article 18(2) of the GDPR until the correction or deletion of personal data can be carried out.

7.8. Children's data

Pursuant to Section 4(4) of the DSG, in relation to an offer of information society services made directly to a child, a child can lawfully consent to the processing of their personal data where they are at least 14 years old. For all other data processing activities (not related to an offer of information society services), children can in any case validly consent if they are at least 14 years old.

In individual cases, however, it might also be possible that a younger child can give their valid consent, provided that the child possesses the required capabilities for understanding the scope and consequences of consenting in the individual situation.

7.9. Special categories of personal data

Processing of special categories of personal data

The DSG does not contain general derogations for the processing of special categories of data. However, the DSG provides for specific rules in the following situations:

  • pursuant to Section 7(3) of the DSG, special categories of data may only be processed for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes if there is an important public interest in the data processing activity at hand;
  • regarding the processing of personal data in the event of a disaster, as per Section 10(4) of the DSG, special categories of data may only be transferred to close relatives if they can prove their identity and their status as relatives and the transfer is necessary to safeguard their rights or those of the data subject; and
  • regarding image recordings, Section 12(4)(4) of the DSG prohibits the evaluation of personal data obtained by means of image recording on the basis of special categories of data as a selection criterion.

In addition, sector-specific laws in the health sector (e.g., the Federal Act on Data Security Measures when using personal electronic Health Data (Health Telematics Act 2012)) provide for special provisions on the processing of genetic data, biometric data, or data concerning health.

Processing of criminal convictions data

Pursuant to Section 4(3) of the DSG, the processing of personal data concerning judicial or administrative criminal acts or omissions, also including suspicions on the commission of criminal offenses, as well as criminal convictions or preventive measures, is permissible only if:

  • there is an express statutory authorization or obligation to process such data; or
  • the permissibility of the processing of such data results from legal duties of care or the processing is necessary to safeguard the legitimate interests of the data controller or a third party pursuant to Article 6(1)(f) of the GDPR, and the manner in which the data processing is carried out ensures that the interests of the data subject are safeguarded.

7.10. Controller and processor contracts

There are no national variations.

8. Data Subject Rights

8.1. Right to be informed

Attorneys at law and public notaries are not required to fulfill their information duties as per Articles 13 and 14 of the GDPR, to the extent required to comply with their statutory obligation to confidentiality (as per Section 9 of the Attorneys Act and Section 37 of the Public Notaries Act) to ensure the protection of the rights and freedoms of their own client or third parties, or to ensure the enforcement of civil claims.

8.2. Right to access

Pursuant to Section 4(6) of the DSG, the data subject's right to access (pursuant to Article 15 of the GDPR) cannot be applied vis-à-vis a data controller, notwithstanding other statutory restrictions, if the provision of this information would endanger a business or trade secret of the data controller or third parties.

Attorneys at law and public notaries are not required to answer data subject access requests as per Article 15 of the GDPR, to the extent required to comply with their statutory obligation to confidentiality (as per Section 9 of the Attorneys Act and Section 37 of the Public Notaries Act) to ensure the protection of the rights and freedoms of their own client or third parties, or to ensure the enforcement of civil claims.

8.3. Right to rectification

Attorneys at law and public notaries are not required to answer data subject rectification requests as per Article 16 of the GDPR to the extent required to comply with their statutory obligation to confidentiality (as per Section 9 of the Attorneys Act and Section 37 of the Public Notaries Act) to ensure the protection of the rights and freedoms of their own client or third parties, or to ensure the enforcement of civil claims.

8.4. Right to erasure

Pursuant to Section 4(2) of the DSG, if the correction or deletion of personal data cannot be carried out immediately because of economic or technical reasons, and so can only be carried out at certain times, the processing of the personal data concerned must be restricted pursuant to Article 18(2) of the GDPR until the correction or deletion of personal data can be carried out.

Attorneys at law and public notaries are not required to answer data subject erasure requests as per Article 17 of the GDPR to the extent required to comply with their statutory obligation to confidentiality (as per Section 9 of the Attorneys Act and Section 37 of the Public Notaries Act) to ensure the protection of the rights and freedoms of their own client or third parties, or to ensure the enforcement of civil claims.

Some regulations (mainly in the health sector) restrict the obligation to answer data subject erasure requests.

8.5. Right to object/opt-out

Attorneys at law and public notaries are not required to answer data subject objection requests as per Article 21 of the GDPR to the extent required to comply with their statutory obligation to confidentiality (as per Section 9 of the Attorneys Act and Section 37 of the Public Notaries Act) to ensure the protection of the rights and freedoms of their own client or third parties, or to ensure the enforcement of civil claims.

A number of sector-specific laws restrict the obligation to answer data subject objection requests, mainly vis-à-vis public authorities, in the context of public registers and in the health sector.

8.6. Right to data portability

Attorneys at law and public notaries are not required to answer data subject data portability requests as per Article 20 of the GDPR to the extent required to comply with their statutory obligation to confidentiality (as per Section 9 of the Attorneys Act and Section 37 of the Public Notaries Act, respectively) to ensure the protection of the rights and freedoms of their own client or third parties, or to ensure the enforcement of civil claims.

Some regulations (mainly in the health sector) restrict the obligation to answer data subject data portability requests.

8.7. Right not to be subject to automated decision-making

The right of a data subject not to be subject to a decision based solely on automated processing, including profiling, as set out in Article 22 of the GDPR shall not apply vis-à-vis attorneys at law and public notaries to the extent required to comply with their statutory obligation to confidentiality (as per Section 9 of the Attorneys Act and Section 37 of the Public Notaries Act, respectively) to ensure the protection of the rights and freedoms of their own client or third parties, or to ensure the enforcement of civil claims.

8.8. Other rights

Right to restriction of processing

As per Section 22(4) of the DSG, in pending proceedings, the DSB may also order a restriction of processing in accordance with Article 18 of the GDPR at the request of a data subject, by means of an official decision, if the data controller fails to comply with an obligation in this regard in due time.

Attorneys at law and public notaries are not required to answer data subject restriction requests as per Article 18 of the GDPR to the extent required to comply with their statutory obligation to confidentiality (as per Section 9 of the Attorneys Act and Section 37 of the Public Notaries Act) to ensure the protection of the rights and freedoms of their own client or third parties, or to ensure the enforcement of civil claims.

A number of sector-specific laws restrict the obligation to answer data subject restriction requests, mainly in the context of public registers and in the health sector.

Right to compensation and liability

Pursuant to Section 29 of the DSG, the general provisions of civil law apply to claims for compensation as per Article 82 of the GDPR. For such claims, the competent court of first instance shall be the regional court in the district where the claimant (the data subject) has their regular residence or domicile, or at the claimant's option, in the district where the defendant (the data controller or data processor) has their regular residence or principal place of business or establishment.

If, in the course of a claim for compensation as per Article 82 of the GDPR, a data subject is represented by an institution, organization, or association within the meaning of Article 80(1) of the GDPR, and it is unclear whether the relevant criteria are fulfilled, the DSB shall, at the request of the respective court, issue a binding decision on this issue. The respective institution, organization, or association is a party to the proceedings before the DSB and, thus, would have the right to appeal such decision of the DSB.

9. Penalties

Administrative sanctions

Subject to the provisions of Article 83 of the GDPR, the DSB may impose administrative fines. Pursuant to Section 11 of the DSG, however, in the case of primary infringements, the DSB shall make use of its remedial powers (in particular, by issuing warnings) instead of imposing fines. Section 30 of the DSG contains a specific rule on fines to be imposed on legal persons and in particular states that legal persons may also be held liable for infringements of the provisions of the GDPR if a lack of supervision or control by the management of the legal person enabled such infringements to be committed by a person acting for the legal person.

Unless the conduct constitutes an offense under Article 83 of the GDPR or is punishable by a more severe penalty under other administrative penal provisions, an administrative offense punishable by a fine of up to €50,000 is committed by anyone who:

  • intentionally obtains unlawful access to data processing or intentionally maintains recognizably unlawful access;
  • deliberately transmits data in violation of the obligation to data secrecy;
  • deliberately obtains personal data in the event of a disaster under false pretenses;
  • operates an image processing system that is not in line with the specific requirements set out in the DSG; or
  • refuses an inspection by the DSB.

Administrative fines may not be imposed on public authorities, bodies governed by public law, other public bodies, or private bodies insofar as they exercise public authority.

Criminal sanctions

Pursuant to Section 63 of the DSG, anyone who, with the intention to unlawfully enrich themselves or a third party, or with the intention to thereby harm another person in their own interests in the fundamental right to data protection, uses, makes accessible to another person, or publishes personal data which have been entrusted with or made accessible to them exclusively on the basis of their professional activity or which they have illegally obtained for themselves, although the data subject has a legitimate interest in keeping such data confidential, shall be punished by the court with imprisonment for up to one year, or with a monetary fine calculated up to 720 daily rates (depending on actual income), unless the offense is punishable by a more severe penalty under another provision.

9.1. Enforcement decisions

Only a handful of enforcement decisions by the DSB pursuant to Article 83 of the GDPR have been officially published, most of them dealing with video surveillance activities. Final and binding enforcement decisions have, so far, mostly been in the range of a few hundred to several thousand euros. The DSB has, however, on several occasions already issued fines for GDPR violations in the range of several million euros.