
Austria: An overview of Vendor Privacy Contracts


1. Governing Texts

1.1. Legislation

1.2. Regulatory authority guidance

The European Data Protection Board ('EDPB') has released:

The Austrian data protection authority ('DSB') has issued a general guideline document on the GDPR (only available in German here), as well as a general Q&A document covering a wide range of topics (only available in German here).

Further, the DSB has also published the following guidance:

The Austrian Chamber of Commerce ('WKO') has issued the following guidance:

  • Obligations of the processors (only available in German here) ('the Processor Guidelines');
  • Overview of data protection in Austria (only available in German here) ('the General GDPR Guidance'); and
  • The Data Protection Officer guide (only available in German here) ('the DPO Guidance').

1.3. Regulatory authority templates

The European Commission has released the following decisions on standard contractual clauses ('SCC') for transfers of personal data to jurisdictions outside of the EU/EEA:

The Article 29 Working Party ('WP29') released the following documents, which have been endorsed by the EDPB:

The WKO has issued the following guidance:

  • EU General Data Protection Regulation (GDPR): Sample contract for order processing (only available in German here)

2. Definitions

Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Article 4(7) of the GDPR).

Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

Section 48(3) of the DSG provides that processing by a processor takes place on the basis of a contract or another legal instrument under Union law, or on the basis of an express legal authorisation, which binds the processor with regard to the controller (the 'person responsible' in the DSG's terminology) and which defines the subject matter and duration of the processing, the type and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller. This contract or other legal instrument provides in particular that the processor:

  • processes the personal data only on the documented instructions of the controller, including with regard to the transfer of personal data to a third country or an international organisation, unless it is obliged to do so by Union law or by the law to which the processor is subject; in such a case, the processor informs the controller of these legal requirements prior to processing, unless the relevant law prohibits such communication on grounds of an important public interest;
  • ensures that the persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality;
  • takes all measures required in accordance with Section 54 of the DSG;
  • complies with the conditions specified in Paragraphs 2 and 4 for using the services of another processor;
  • in view of the nature of the processing, where possible, supports the controller by suitable technical and organisational measures in fulfilling its obligation to respond to requests to exercise the rights of the data subject referred to in this main section;
  • taking into account the type of processing and the information available to it, supports the controller in complying with the obligations specified in Sections 52 to 56 of the DSG;
  • after completion of the processing services, at the discretion of the controller, either deletes or returns all personal data, unless there is an obligation to store the personal data under Union law or statutes; and
  • provides the controller with all necessary information to demonstrate compliance with the obligations set out in Paragraphs 1 to 6, and enables and contributes to verifications, including inspections, carried out by the controller or another auditor commissioned by it.

With regard to the last item above, the processor informs the person responsible immediately if it is of the opinion that an instruction violates this main section or other data protection provisions of Union law or of national law.

3.2. What content should be included?

The Processor Guidelines outline that, per Articles 28 and 30 to 31 of the GDPR as well as Section 48(3) and (5) of the DSG, the contract must be concluded in writing (electronic form also counts as writing) and must contain the following information:

  • commitment to the person responsible;
  • subject and duration of the processing;
  • type and purpose of processing;
  • the type of personal data;
  • the categories of data subjects; and
  • the duties and rights of the person responsible.

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

There are no national variations. For further information on data subject rights see Austria – Data Subject Rights.

For further information on data subject rights under the GDPR see EU-GDPR Data Subjects Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

For companies with fewer than 250 employees, the obligation to keep a record of processing activities does not apply if the processing carried out by them bears no risk to the rights and freedoms of the data subjects, takes place only occasionally, and does not include the processing of special categories of data or of data on criminal convictions and offences (the General GDPR Guidance).

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

The Processor Guidelines state, per Articles 28 and 30 to 31 of the GDPR as well as Section 48(4) of the DSG, that the contract must provide that the processor:

  • implements data security measures;
  • ensures that the persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality;
  • takes all necessary security measures; and
  • supports the controller in complying with security measures and reporting obligations (taking into account the type of processing and the information available to it).

Moreover, the Processor Guidelines state that if the processor uses a sub-processor, the same data protection obligations are also imposed on the sub-processor (Section 48(4) of the DSG and the Processor Guidelines).

Furthermore, Section 48(1) of the DSG states that where processing is carried out on behalf of a person responsible, the person responsible only works with processors who offer sufficient guarantees that suitable technical and organisational measures are implemented in such a way that the processing takes place in accordance with the requirements of this federal law and the protection of the rights of the data subject is guaranteed.

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

The Processor Guidelines note that the contract must contain provisions on the processor's commitment to support the controller in complying with the security measures and reporting obligations (taking into account the type of processing and the information available to it) (the Processor Guidelines).

Moreover, the obligations regarding data breach notifications have not been varied by the DSG. Notably, there are sector-specific breach reporting obligations in Austria.

For further information on data breach notification see Austria – Data Breach.

For further information on breach notifications under the GDPR, see EU – GDPR – Data Breach.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

According to the Processor Guidelines, the processor may not commission any other processor (subcontractor) without the prior written consent of the controller. If there is no general written approval, the processor must always inform the controller of any intended change in relation to the involvement or replacement of other processors. The controller has the opportunity to object to such changes. Furthermore, like the data controller, the sub-processor has to cooperate with the supervisory authority in the performance of its tasks upon request. In addition, the Processor Guidelines highlight that the same obligations that apply to processors will apply to sub-processors (the Processor Guidelines and Section 48(4) of the DSG).

The processor and any person subordinate to the controller or the processor who has access to personal data may only process this data on the instructions of the controller unless they are obliged to process it due to a statutory provision.

Furthermore, Section 48(2) of the DSG outlines that the processor is not permitted to use any other processor without the prior separate written approval of the person responsible.

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

There are no restrictions on the transfer of personal data within Austria; however, the DSG outlines limited restrictions on transfers outside of Austria in the context of law enforcement (Chapter 3 of the DSG). In addition, there are sector-specific obligations with regard to data transfers.

For further information see Austria – Data Transfers.

Following the publication of the CJEU's judgment C-311/18 Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems ('Schrems II') on 16 July 2020, which generally validated the SCCs while invalidating the EU-US Privacy Shield data transfer certification mechanism, the EDPB has released its Recommendations on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data, as well as complementary Recommendations on the European Essential Guarantees for Surveillance Measures, aimed to assist controllers and processors to 'verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses'.

For further information on data transfers under the GDPR, see: EU – GDPR – Data Transfers.

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

The Processor Guidelines outline that the processor is obliged to cooperate with the supervisory authority on request, to support the controller in complying with the security measures and reporting obligations, and to provide the person responsible with all necessary information to demonstrate compliance with these obligations and to enable and contribute to inspections by the person responsible (the Processor Guidelines).

Furthermore, the Processor Guidelines state that these obligations also extend to sub-processors.

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

Data protection officer ('DPO')

Companies are only required to appoint a data protection officer in the following cases (the DPO Guidance):

  • the core activity consists of processing operations which, due to their nature, scope and/or purpose, require extensive regular and systematic monitoring of data subjects (e.g. banks, insurance companies, credit agencies and professional detectives); or
  • the company's core activity is the extensive processing of sensitive data or of data on criminal convictions or offences (e.g. hospitals).

Additionally, the DPO Guidance states that these requirements apply equally to controllers and processors. Both controllers and processors can therefore be obliged to appoint a data protection officer; the existence of the prerequisite must be checked independently of the other.

For further information see Austria – Data Protection Officer Appointment.

For further information on DPOs under the GDPR, see: EU - GDPR - Data Protection Officer Appointment.

Representative

At the national level, the Processor Guidelines state that processors whose headquarters are outside the EU, but who are still within the scope of the GDPR, must designate a representative in writing. This representative must be established in one of the Member States in which the data subjects whose personal data is processed in connection with the goods or services offered, or whose behaviour is monitored, are located. The representative acts in addition to, or instead of, the processor as a point of contact, in particular for supervisory authorities and data subjects.

Exceptions to the obligation to appoint a representative only exist for:

  • processing that takes place only occasionally, does not include extensive processing of special categories of data (sensitive data) or extensive processing of personal data on criminal convictions and offences and, taking into account the type, circumstances, scope and purposes of the processing, is not expected to result in any risk to the rights and freedoms of natural persons; or
  • authorities or public bodies.

The processor is still liable.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

There are no national variations.


Authored by OneTrust DataGuidance

DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.
