Austria: Data Protection in the Financial Sector

1. Governing Texts

1.1. Legislation

The privacy law in Austria is based on the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Federal Act on the Protection of Individuals With Regard to the Processing of Personal Data (Data Protection Act (DSG) BGBI. I No. 165/1999) (last amended in 2019) ('DSG'). Supplementary to these data protection laws, financial market regulations provide for certain mandatory processing activities (e.g. Know Your Customer ('KYC') processes). As a national peculiarity, Austrian law contains strict banking secrecy provisions. Exceptions to the banking secrecy are only permissible in certain defined cases and violations constitute a criminal offence.

The following EU legislation, among others, is applicable:

The European Data Protection Board ('EDPB') has issued the following relevant Opinions:

The Article 29 Working Party ('WP29') has issued the following relevant guidance:

The European Banking Authority ('EBA') has issued, among others, the following relevant guidance:

Austrian legislation

The following national legislation among others is applicable:

  • the DSG;
  • the Banking Industry Act 1993 (as amended) ('the Banking Industry Act' or 'BWG');
  • the Financial Markets Anti-Money Laundering Act (only available to download here) ('FM-GwG');
  • the Common Reporting Standard Law (only available in German here) ('GMSG');
  • the Payment Services Act 2018 ('ZaDiG');
  • the Securities Supervision Act 2018 (only available in German here) ('WAG');
  • the Corporate Code (only available in German here) ('UGB');
  • the Federal Tax Code (only available in German here) ('BAO');
  • the Remote Financial Services Act (only available in German here) (consumer protection law);
  • the Telecommunications Act 2021 (only available in German here) ('TKG'), which implements the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive');
  • the Financial Market Authority Act (only available in German here) ('FMABG');
  • the Network and Information System Security Act (only available in German here) ('NISG') and the Network and Information System Security Ordinance (only available in German here) ('NISV');
  • the Signature and Trust Services Act (only available in German here) ('SVG'); and
  • the Insurance Supervision Act (only available to download here) ('VAG').

The Financial Market Authority ('FMA') has issued the following guidance:

  • 01/2020 FMA minimum standards for internal auditing (only available to download in German here);
  • 04/2018 FMA guidelines for IT security in WPDLU and WPF (only available to download in German here);
  • 02/2020 FMA guidelines IT security in management companies (only available to download in German here); and
  • the Ordinance of the Financial Market Authority (FMA) on the video-supported online identification of customers (only available in German here).

The Austrian data protection authority ('DSB') has issued the following guidance and landmark decisions:

  • a general guideline document on the GDPR (only available to download in German here), as well as a general Q&A document covering a wide range of topics (only available in German here), which includes a question regarding credit bureaus and banks;
  • decisions regarding the deletion of credit defaults and warnings, such as:
    • DSB-D124.567/0005-DSB/2019 (only available in German here); 
    • DSB-D123.319/0002-DSB/2019 (only available in German here); and
  • DSB-D122.844/0006-DSB/2018 (only available in German here) confirmed by the Federal Administrative Court ('BVwG') in W258 2205602-1/8E (only available in German here), regarding the right to access according to Article 15 of the GDPR regarding bank statements.

1.2. Supervisory authorities

The GDPR requires every Member State to establish a supervisory authority (Article 54 of the GDPR). In addition, the GDPR provides for a system of cooperation and transparency among all Member States' supervisory authorities in order to ensure consistent application of the GDPR throughout the EU.

The DSB is established as supervisory authority within the meaning of Article 54 of the GDPR.

The FMA is responsible for enforcing financial market regulations.

2. Personal and Financial Data Management

2.1. Legal basis for processing

According to the GDPR, personal data must be processed in accordance with the principles of fairness, lawfulness and transparency (Article 5(1)(a) of the GDPR). In addition, processing shall only be lawful if (Article 6(1) of the GDPR):

  • the data subject has given consent to the processing for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of a data subject prior to entering a contract;
  • the processing is necessary for the compliance with a legal obligation to which the controller is subject;
  • the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Moreover, under Article 9 of the GDPR, processing of special categories of personal data is prohibited unless one of the conditions in Article 9(2) applies.

Austria does not materially amend the application of the legal grounds under Article 6 of the GDPR. Where consent is to be obtained for offers of information society services to children, the processing will be lawful where the child is at least 14 years old (Section 4(4) of the DSG in conjunction with Article 8(1) of the GDPR). Criminal data, including data on suspected criminal activities, may be processed where: (i) an explicit legal authorisation or obligation exists; or (ii) legal due diligence obligations or legitimate interests require such processing (Section 4(3) of the DSG in conjunction with Article 10 of the GDPR). The latter exception is particularly relevant where financial institutions process data on suspected fraud or money laundering. Legal obligations and the performance of a contract therefore form the main legal grounds for processing customer data (e.g. KYC processes, anti-money laundering ('AML') notifications).

The consent of customers and interested parties will regularly be necessary for marketing activities (in case of electronic communication in conjunction with Section 174 of the TKG). In accordance with Article 7(4) of the GDPR, the provision of a service must not be made conditional on a non-essential consent. Nonetheless, some marketing activities or customer analysis may be based on the legitimate interests of the controller (e.g. postal ads, or where the exception of Section 174(4) of the TKG applies).

2.2. Privacy notices and policies

Pursuant to Article 5(1)(a) of the GDPR and the principle of transparency, concerned data subjects must be provided with certain information (typically referred to as a privacy notice or privacy policy). According to Articles 13 and 14 of the GDPR, such information must include, for example, the controller's identity and the contact details of the controller, the categories of personal data processed and the purposes of the processing, the recipients of the data, retention periods, and information concerning the existence of the data subject's rights. There are no additional sector-specific requirements for financial entities to provide customers with corresponding information.

2.3. Data security and risk management

Taking into account the costs of implementation, nature, scope, context and purposes of processing, as well as the level of risk to the rights and freedoms of natural persons, data controllers and processors in the financial sector must implement technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 of the GDPR).

The requirements for data security and risk management are further detailed in the EBA Guidelines on ICT and Security Risk Management and the EBA's Guidelines on Outsourcing.

Financial institutions providing critical infrastructure services within the meaning of the NISG are required to implement additional security measures and incident response processes.

2.4. Data retention/record keeping

Personal data must not be retained in a form which permits the identification of the data subject for longer than what is necessary (Article 5(1)(e) of the GDPR). The period for which the personal data is stored should be limited to a minimum and time limits should be established by the controller for erasure or a periodic review (Recital 39 of the GDPR).

Personal data obtained for the provision of financial services shall be processed for the duration of the performance of the contract. Additionally, financial institutions are required to store certain data based on legal retention obligations (regularly for at least seven years as from the end of the respective tax/reporting year) or as required by AML law (see section on financial reporting and money laundering below).

3. Financial Reporting and Money Laundering

Financial institutions are required to collect and store certain customer identification data to prevent money laundering and the financing of terrorism (KYC processes). The FM-GwG further obliges financial institutions to record, and in some cases notify, the FMA of suspicious transactions. Such identification and transaction data must be retained for 10 years after the end of the business relationship with the customer (Section 21 of the FM-GwG).

Furthermore, the Austrian GMSG introduced the common reporting standards ('CRS') which oblige financial institutions to provide certain information to the responsible financial authority. In addition, Austria signed, based on the Foreign Account Tax Compliance Act ('FATCA'), the Agreement between the United States of America and the Republic of Austria for Cooperation to Facilitate the Implementation of FATCA, which imposes further reporting obligations.

4. Banking Secrecy and Confidentiality

Austrian banking secrecy obligations are very strict and apply to all information that has been entrusted or made accessible to the financial institution based on the (prospective) business relationship with the business or individual customers (Section 38 of the BWG). Banking secrecy covers all facts, transactions, and even the relationship itself. The banking secrecy obligations are unlimited in terms of time and bind any employee or other persons acting for the financial institution even beyond their employment or contractor relationship. Information covered by the banking secrecy may only be shared with other 'secret carriers' bound by the same banking secrecy obligation (e.g. when acting 'for' the financial institution).

Exceptions apply inter alia in the following cases:

  • for disclosures in connection with pending criminal court proceedings, and in connection with pending criminal proceedings for intentional fiscal offences, with the exception of fiscal misdemeanours;
  • for disclosure based on AML law or certain other reporting duties; and
  • for the extent the disclosure is necessary for the resolution of legal claims arising from the customer relationship with the financial institution.

A waiver of the banking secrecy requires the prior written and specific consent of the customer for the respective disclosure.

Violations of the banking secrecy may result in administrative and criminal fines and civil liability of the financial institution. Most prominently, whoever discloses or exploits information subject to the banking secrecy for the purpose of making a profit for themselves or a third party, or in order to cause a disadvantage to a third party, may be punished by the criminal court with imprisonment of up to one year or with a fine of up to 360 daily rates (Section 101 of the BWG). Furthermore, the FMA can sanction the financial institution and, ultimately, revoke its bank licence.

5. Insurance

The VAG addresses processing in the insurance industry by imposing strict secrecy obligations on insurance institutions (Section 321 of the VAG). However, this regulation does not specifically address data protection matters. Likewise, there is currently no code of conduct for insurance providers.

6. Payment Services

The PSD2 is implemented in the ZaDiG. In order to obtain a license, the applicant is required to inter alia develop and provide a security strategy, including measures to address fraudulent and illegal use of personal data (Section 9(1) fig 10 and (3) of the ZaDiG). In certain cases, payment service providers are legally obliged to use 'strong' authentication measures (e.g. multi-factor-authentication).

Payment service providers may only access, process, and store the personal data required for the services with the explicit consent of the users and must provide information according to Articles 13 and 14 of the GDPR (Section 90(4) of the ZaDiG). In addition to this reference, the GDPR is applicable in parallel and users have, inter alia, a right of access according to Article 15 of the GDPR.

7. Data Transfers and Outsourcing

See Chapter V of the GDPR for the general requirements regarding transfers of personal data to third countries or international organisations.

Outsourcing is primarily addressed in the EBA Outsourcing Guidelines. Furthermore, national provisions set out requirements for outsourcing (Section 25 of the BWG and its annex) and limit the outsourcing of 'material' duties (Section 25(3) of the BWG).

These regulatory requirements do not address data protection matters but usually indicate the data protection roles (e.g. controller to processor transfers). Therefore, a data processing agreement according to Article 28 of the GDPR is necessary.

Any data transfer must also consider the specifics of the Austrian banking secrecy and may require the recipient to inform and oblige their employees and agents to the banking secrecy.

8. Breach Notification

As a general rule, it is mandatory for a data controller to notify the competent supervisory authority of any suffered personal data breach (Article 33(1) of the GDPR). For further information on general data breach requirements, see EU – GDPR – Data Breach.

There are no sector-specific requirements for financial institutions to notify regulators, clients, or consumers of a data breach. The general breach notification requirements of the GDPR apply. The DSB provides a voluntary template (available to download in German here) for notifications of personal data breaches. Furthermore, providers of critical infrastructure may be required to notify certain substantial incidents according to the NIS Directive (implemented in the NISG).

9. Fintech

At the EU level, there is currently no harmonised framework for FinTech regulation. In March 2018 the European Commission adopted an action plan on FinTech in addition to publishing discussion papers on the same. Further to this, in September 2020 the European Commission followed up on this with a 2020 Action plan on FinTech including a strategy on an integrated EU payments market. The plan and strategy were included in the European Commission's digital finance package. Moreover, many EU financial regulators have signalled support for the development of a more comprehensive regulatory FinTech framework.

Austria has not implemented FinTech-specific laws yet. Providers of FinTech services must assess whether a bank licence will be required, or whether the respective service can be provided e.g. as 'alternative investment' according to the Alternative Financing Act (only available in German here) ('AltFG'). Services regulated by the AltFG are under the supervision of the regional administrative authorities (Bezirksverwaltungsbehörde), while services with obligations to hold a bank licence are supervised by the FMA.

For new and innovative projects, the Austrian FMA offers a regulatory sandbox and dedicated contact points (available to access here).

10. Enforcement

The GDPR provides for administrative fines of up to (Article 83 of the GDPR):

  • €10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringing provisions on the obligations of a controller, processor, certification body or monitoring body; and
  • €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover for the preceding financial year, whichever is higher, for infringing provisions on the basic principles for processing, data subjects’ rights, transfer of personal data to a recipient in a third country or international organisation, or non-compliance with an order or a limitation on processing by the supervisory authority.

Violations of the right to privacy are supervised by the DSB. Data subjects may file civil claims for material and non-material damages with national courts. Violations of the banking secrecy may (additionally) lead to criminal court proceedings.

Financial regulatory provisions are supervised by the FMA.

11. Additional Areas of Interest

The DSG provides for special secrecy obligations of employees (Section 6 of the DSG) and of data protection officers (Section 5 of the DSG).

Furthermore, the DSG formally also establishes a right to privacy for legal entities (which are not covered by the GDPR). However, the scope of application is still rather unclear and highly disputed, even though it is generally accepted that GDPR fines must not be applied by analogy.

Roland Marko, Partner
Johannes Sekanina, Associate
Wolf Theiss, Vienna