
Global Data Privacy Guide

Austria

(Europe) Firm CERHA HEMPEL Rechtsanwälte GmbH

Contributors Hans Kristoferitsch

Updated 05 Sep 2025
1. What is the key legislation?

Since May 25, 2018, radical changes to data privacy laws in the European Union have been in effect. The General Data Protection Regulation ("GDPR") affects businesses regardless of whether they have a corporate presence in the EU or use EU-based equipment to process data (establishment or use of EU-based equipment was the test under the previous Directive 95/46/EC). If a business offers goods or services to EU-based customers or monitors their behavior, it is potentially within the scope of the GDPR (please see below for more details).

The extra-territorial reach means that, in practice, many businesses operating internationally need to adopt European data privacy standards, which are becoming the default global standards. The increased sanctions under the GDPR (up to 4% of total worldwide annual turnover of the preceding financial year or EUR 20 million, whichever is higher), together with general public expectations about data privacy, mean that compliance with data privacy laws cannot be treated as a minor regulatory issue. Potential fines and other penalties under the GDPR put data privacy and cybersecurity at the same level as antitrust or anti-bribery and corruption programs on the corporate compliance agenda. This requires board-level awareness and leadership and the combined input of a range of professionals, including legal, IT, finance, procurement and vendor management, and HR.

The GDPR is directly effective in all EU Member States without the need for further national legislation. However, the GDPR has specific areas in which the Member States are either permitted or required to enact national legislation to give effect to its provisions, for example, in relation to the procedure for imposing an administrative fine; the processing of special categories of personal data; the age of consent for processing personal data in the context of online services; and the restrictions and limitations on the application and exercise of data subject rights. 

Moreover, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (“e-Privacy directive”) contains provisions regarding the protection of privacy on the Internet.

In Austria, the GDPR is complemented by the Datenschutzgesetz (Data Protection Act, “DSG”), published in the Federal Law Gazette I 1999/165 and last amended by Federal Law Gazette I 2025/50.

2. What are the key decisions applying that legislation?
  • Court of Justice of the European Union ("CJEU"), No. C-311/18, Judgment of the Court, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, July 16, 2020
    • The CJEU upheld the validity of the European Commission's standard contractual clauses ("SCCs"), while indicating that, in order to use them, it is up to the data controller, where applicable in cooperation with the recipient of the transferred data, to assess whether, in practice and for the transfer envisaged, these SCCs ensure that the transferred data enjoy a level of protection essentially equivalent to that ensured in the European Union. If the effect of these clauses is limited or completely excluded by the legislation of the third country applicable to the transfer of such data, the data controller must implement additional measures to ensure the required level of data protection or notify the competent data protection authority of its intention to continue transferring data without these safeguards.
    • The CJEU analyzed U.S. legislation on access by U.S. intelligence services to data held by internet service providers and telecommunications companies (Section 702 FISA and Executive Order 12333). It concluded that the interference with the privacy of individuals whose data is processed by U.S. companies and operators subject to this legislation is disproportionate in relation to the requirements of the Charter of Fundamental Rights. In particular, the Court ruled that the collection of data by intelligence services is not limited to what is strictly necessary and that the remedies, including judicial remedies, available to individuals with regard to the processing of their data are insufficient. The CJEU therefore invalidated the European Commission's adequacy decision on the EU-U.S. Privacy Shield (Decision (EU) 2016/1250).
  • CJEU, No. C-131/12, Judgment of the Court, Google Spain SL and Google Inc. v. Spanish Data Protection Agency (AEPD) and Mario Costeja González, May 13, 2014
    • The CJEU clarified that the operator of an internet search engine is a controller in respect of the processing of personal data appearing on web pages published by third parties, because it collects, indexes and makes that data available in its search results.
    • A data subject may require the operator of a search engine to remove, from the list of results displayed following a search made on the basis of the person's name, links to web pages published by third parties containing information relating to that person, where that information is inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing, unless there is a preponderant public interest in having access to the information (e.g. because of the role played by the data subject in public life).
  • CJEU, No. C-673/17, Judgment of the Court, Federal Association of Consumer Organizations and Consumer Associations – Verbraucherzentrale Bundesverband eV v Planet49 GmbH, October 1, 2019
    • In the European Economic Area ("EEA"), users of websites and apps cannot be tracked using cookies or similar technologies without their specific consent through active behavior. Pre-ticked checkboxes are not sufficient to constitute consent. Users must also be informed of the possibility of third-party access to cookies and the lifetime of cookies. 
  • CJEU, No. C-40/17, Judgment of the Court, Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV, July 29, 2019 
    • The manager of a website that inserts the Facebook “Like” button on said website becomes jointly responsible (with Facebook) for the processing of personal data of visitors to its website regarding the collection and transmission of such data to Facebook. If the manager wishes to rely on consent as a legal basis for processing, they must obtain it and inform visitors of their rights prior to the collection of data.
  • CJEU, No. C-300/21, Judgment of the Court, UI v Österreichische Post AG, May 4, 2023 
    • In the event of a breach of the GDPR, the right to compensation under Article 82 is subject to three cumulative conditions: (i) a breach of the GDPR, (ii) material or non-material damage resulting from that breach, and (iii) a causal link between the breach and the damage. Accordingly, a mere breach does not in itself give rise to a right to compensation. Furthermore, the GDPR does not define the concept of "damage." It merely states explicitly that both "material" and "non-material" damage may give rise to a right to compensation, without any threshold of seriousness being required (para. 45 of the judgment).
  • CJEU, No. C-807/21, Judgment of the Court, Deutsche Wohnen SE v Staatsanwaltschaft Berlin, December 5, 2023
    • In this matter, the CJEU ruled that Member States cannot require that a GDPR infringement must be attributed to an identified natural person before imposing a fine on a legal person acting as a controller. Therefore, companies as data controllers are liable for infringements committed by employees, managers, directors or others, if the act of infringement occurred during operational activities for the company. It is not necessary to establish that an offence was committed by an identified natural person in order to impose a fine pursuant to Art 83 of the GDPR. Furthermore, the CJEU states that an administrative fine may only be imposed where it is established that the controller intentionally or negligently committed a GDPR infringement pursuant to Art 83 of the GDPR, meaning that the imposition of a fine requires fault.

In Austria, the Austrian Federal Administrative Court imposed a fine of EUR 16 million on Österreichische Post AG for unlawfully processing data on individuals’ political affinities without a valid legal basis under Article 9.1 of the GDPR. The case originated in 2019 after reports that the company calculated, stored, and sold information on the political leanings of millions of individuals from its customer database to third parties for targeted advertising. No valid exception under Article 9.2 of the GDPR applied, as no explicit consent had been obtained and no other legal justification was available. Earlier proceedings had annulled the initial fine due to the lack of attribution to a specific natural person, but following the CJEU’s Deutsche Wohnen (C-807/21) ruling, this reasoning was overturned, confirming that companies themselves can be fined directly. In assessing the penalty, the court considered both mitigating factors (reduced number of affected individuals, settlements with data subjects, undertakings not to repeat the practice, long duration of proceedings, and the dropping of certain charges) and aggravating factors. Ultimately, the fine was reduced but set at EUR 16 million, deemed effective, proportionate, and dissuasive given the company’s group-wide turnover. The decision is not yet final.

Furthermore, the Austrian Federal Administrative Court upheld a fine against Österreichische Post AG for violating Article 12(2) GDPR by requiring data subjects to use a mandatory online form, which covered only three rights and required copies of ID documents, instead of allowing alternative communication channels such as email. Following the CJEU's Deutsche Wohnen judgment (C-807/21), the court confirmed that legal persons can be directly fined under Article 83 GDPR, dismissing the company's arguments of legal error and lack of culpability. Given the seriousness of the infringement, but also some mitigating factors, the BVwG reduced the penalty from EUR 9.5 million to EUR 500,000 (plus EUR 50,000 costs).

In its judgment of 7 June 2024 (W256 2246230-1/00), the Austrian Federal Administrative Court addressed the lawfulness of consent-based profiling practices for marketing purposes. The company had argued that it obtained customer consent to process personal data, but the court held that the declarations did not satisfy the requirements of the GDPR. The consents were neither sufficiently informed, specific, nor freely given, and therefore could not serve as a valid legal basis under Articles 6 and 9 of the GDPR. Despite the lack of valid consent, the company carried out extensive profiling activities, generating detailed customer profiles that included sensitive data and went far beyond what was necessary for legitimate business purposes. The court regarded this profiling as a serious infringement of data protection law. Taking into account both mitigating and aggravating factors, including the duration of the proceedings and the company’s cooperation, the court imposed a reduced administrative fine. The final penalty was set at EUR 500,000, which the court considered effective, proportionate and dissuasive within the meaning of Article 83 of the GDPR.

3. How are "personal data" and "sensitive data" defined?

Personal Data

The GDPR regulates the processing of personal data within the meaning of Article 4.1 of the GDPR, i.e. any information relating to an individual who can be identified, either directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The GDPR does not apply, however, to fully anonymized or aggregated data where a living individual cannot be identified.

Sensitive Data

Sensitive data is a special category of personal data that is subject to a higher level of protection under Article 9.1 of the GDPR.

This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation. The processing of such data is prohibited unless one of the exceptions in Article 9.2 of the GDPR applies (see below).

Data relating to criminal convictions or offenses are subject to specific protection under the GDPR and may only be processed under the control of official authority or where authorized by Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.

In Austria, according to Article 4 (3) of the Austrian Data Protection Act, the processing of personal data relating to conduct or omissions subject to court or administrative sanctions is permitted in accordance with the GDPR if: 

  • there is an explicit authorization or obligation to process such data or 
  • the lawfulness of the processing of such data otherwise follows from statutory duties of care, or the processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party in accordance with Article 6 (1) (f) of the GDPR.

Note that it remains disputed whether § 4(3) DSG is compatible with Article 10 of the GDPR, which permits processing of criminal-conviction data outside official authority only where authorized by Member State law providing appropriate safeguards.

Data protection rights of legal persons

Furthermore, the fundamental right to data protection pursuant to § 1 of the Austrian Data Protection Act, which has constitutional status, protects not only natural persons but also legal persons.

4. How is the defined data protected?

Personal data and sensitive data are protected by the GDPR through a set of principles and technical obligations designed to ensure their confidentiality, integrity, and availability throughout their lifecycle.

Under GDPR, processing of personal data is subject to:

  • the main principles set forth in Article 5.1 of the GDPR: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality;
  • existence of a valid legal basis for the processing (GDPR, Article 6);
  • enhanced protection of sensitive data (GDPR, Article 9);
  • provision of complete and transparent information to data subjects (GDPR, Articles 12 to 14);
  • possibility given to data subjects to exercise their rights;
  • data protection by design and by default (GDPR, Article 25);
  • documenting relations with data processors (GDPR, Article 28);
  • inclusion of the processing in a record of processing activities (as a data controller or processor) (GDPR, Article 30);
  • security obligations (GDPR, Article 32); and
  • notification of personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects (GDPR, Article 33), and communication to the data subjects when the risk is high (GDPR, Article 34).

Together, these obligations are intended to ensure that personal data is protected throughout its lifecycle, from collection to erasure.

Furthermore, Part 2 of the Austrian Data Protection Act further sets out detailed requirements regarding data processing for the following purposes: (i) processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, (ii) providing addresses to inform and interview data subjects, (iii) freedom of expression and information and (iv) processing of personal data in case of emergency.

For detailed information on how this aspect of GDPR is enacted in Austria, please contact CERHA HEMPEL Rechtsanwälte GmbH directly.

5. Who is subject to privacy obligations?

The GDPR’s obligations primarily apply to data controllers, defined as any natural person, corporate entity or other legal person, public authority, agency or other body that determines the purposes and means of data processing (alone or together with others). It also provides for certain direct obligations on data processors, which are any natural person, corporate entity or other legal person, public authority, agency or other body that processes personal data on behalf of the data controller. 

The GDPR applies to:

  • The processing of personal data in the context of the activities of a data controller's or data processor's establishment in the EU (i.e., implying the effective and real exercise of activity through stable arrangements), regardless of whether the processing itself takes place in the EU and regardless of whether the data relates to EU residents.
  • The processing of personal data of persons within the EU by data controllers or data processors who are established outside the EU, where the processing is related to:
    • the offering of goods or services to such data subjects in the EU (irrespective of whether payment is required); or
    • the monitoring of the behavior of such data subjects as far as the behavior takes place in the EU.

6. How is "data processing" defined?

In accordance with Article 4.2 of the GDPR, data processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The processing of personal data is not necessarily computerized: paper files are also concerned and must be protected under the same conditions.

Data processing must have a purpose, a specific aim determined prior to the collection and use of the data.

7. What are the principles applicable to personal data processing?

Under the GDPR, a data controller must comply with the following principles under Article 5:

  • Lawfulness, Fairness and Transparency – the data shall be processed lawfully (i.e., based on one of the six specified legal bases), fairly and in a transparent manner (e.g., pursuant to a privacy policy that meets the requirements of the GDPR) in relation to the data subject;
  • Purpose Limitation – the data
    • shall be collected for specified, explicit and legitimate purposes; 
    • shall not be further processed in a manner incompatible with those purposes.
  • Data Minimization – the data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Accuracy – the data shall be accurate and, where necessary, kept up to date;
  • Storage Limitation – the data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed; 
  • Integrity and Confidentiality – the data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures; and 
  • Accountability – The data controller shall be responsible for and be able to demonstrate compliance with the above principles.

8. How is the processing of personal data regulated?

To be lawful, the GDPR requires that personal data processing is based on one of the specified legal bases set out in Article 6, which are the following:

  1. Consent

Personal data may be processed based on the data subject’s specific, freely given and informed consent.

  • such consent must be provided by way of "a statement or by a clear affirmative action" (pre-ticked boxes and implied consent fall short of the standard);
  • Data subjects have the right to withdraw their consent at any time and in an easy manner.

The controller is under an obligation to demonstrate the data subject’s consent where the processing is based on consent.  

Where information society services (online services) are offered directly to a child, the child's consent is valid only if the child is at least 16 years old; below that age, consent is valid only if it is given or authorized by the holder of parental responsibility (Article 8 of the GDPR). Member States may provide for a lower age, provided it is not below 13 years.

In this context, Austria has reduced the age of consent to 14 years old.

  2. Legitimate Interests

A data controller may process personal data based on its legitimate interests or those of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.  

The data controller must, however, inform the data subject of the particular legitimate interest pursued, and the data subject has the right to object to the legitimate interest-based processing on grounds relating to his or her particular situation (see Right to Object below).

Public authorities may not rely on this legal basis in the performance of their tasks.

  3. Contractual Necessity

Personal data may be processed where it is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering a contract. The processing must, however, be necessary to contract performance rather than merely facilitative. 

  4. Legal Obligation

A data controller may process personal data where it is necessary to comply with a legal obligation to which it is subject. 

  5. Vital Interest of the Data Subject

The data controller may process personal data where it is necessary to protect the vital interests of the data subject or another natural person. 

  6. Public Interest or in the exercise of Official Authority

The data controller may process personal data where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 

Special Categories of Personal Data

The processing of special categories of personal data is prohibited, except where it relies on one of the exceptions set out in Article 9:

  1. The data subject has given explicit consent;

  2. Processing is necessary for compliance with obligations or exercising rights under employment and social security and social protection laws, as set out in EU or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the rights and freedoms of data subjects;

  3. Processing is necessary to protect the vital interest of the data subject or another natural person where the data subject is physically or legally incapable of giving consent;

  4. Processing is carried out in the course of its legitimate activities, with appropriate safeguards, by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, and relates to the personal data of its members, former members or persons who have regular contact with it, provided that the data are not disclosed outside that body without the consent of the data subjects;

  5. The personal data processed are manifestly made public by the data subject;

  6. Processing is necessary for the establishment, exercise or defense of a legal claim or whenever courts are acting in their judicial capacity;

  7. Processing is necessary for reasons of substantial public interest on the basis of EU or Member State law, which is proportionate, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the rights and interests of the data subjects;

  8. Processing is necessary for the purposes of preventative or occupational medicine, medical diagnosis, provision of health or social care or treatment or management of health or social care systems and services on the basis of EU or Member State law or pursuant to a contract with a health professional;

  9. Processing is necessary for reasons of public interest in the area of public health on the basis of EU or Member State law;

  10. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes on the basis of EU or Member State law.

Member States may have further conditions with regard to the processing of genetic data, biometric data or data concerning health.

In Austria, the electronic transfer of personal genetic and health data is, under certain circumstances, subject to specific data security measures, which are set out in the Austrian Gesundheitstelematikgesetz (Health Telematics Act, "GTelG"). In addition, other specific rules regulate particular use cases of genetic, biometric or health data, e.g., the prohibition of the use of genetic data in specific circumstances.

In addition to these special categories of data mentioned in Article 9, Member States may also further determine the specific conditions for the processing of a national identification number or any other identifier of general application.

In Austria, the processing of the social security number is only permitted in the context of social security purposes. According to the ruling practice of the Austrian data protection authority, the social security number may not be used as a “general identifier” because, in such a case, this data is not related to a social security matter. Any processing of the social security number for other purposes requires statutory authorization.

For detailed information on how this aspect of GDPR is enacted in Austria, please contact CERHA HEMPEL Rechtsanwälte GmbH directly.

Risk-Based Approach 

Data controllers must also have “appropriate technical and organizational measures” in place to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR, taking a risk-based approach (Article 24). This requires that the controller takes account of the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. The measures must be reviewed and updated where necessary and shall include the implementation of appropriate data protection policies.  

Privacy by Design and Privacy by Default

The GDPR also introduces new concepts of ‘privacy by design’ and ‘privacy by default’ under Article 25. This requires that a controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed. That obligation applies to:

  • the amount of personal data collected;
  • the extent of their processing; and 
  • the period of their storage and their accessibility. 

9. How are storage, security and retention of personal data regulated?

The GDPR requires that “appropriate technical and organizational measures” are in place to protect the security of personal data and that personal data not be retained for longer than is necessary for the purpose or purposes for which the data are processed.

Article 32 provides some detail on the factors that controllers and processors must take into account in determining appropriate security measures against unauthorized or unlawful processing and against accidental loss, destruction or damage of data. The controller and the processor must take into account:

  • the state of the art; 
  • the cost of implementing the measures; 
  • the nature, scope, context and purposes of processing; and
  • the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Article 32(1) names, as measures to be considered where appropriate, the pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the measures.

Data controllers and data processors must ensure all of their employees comply with the security measures in place and not process personal data other than on the instructions of the controller.

Personal data may not be kept for longer than is necessary for the specified purpose or purposes for which it was collected and a data retention procedure or policy should be implemented in this respect. 
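As an added illustration that is not part of the guide, the following Python sketch shows two of the Article 32 and Article 5 obligations described above in working code: keyed pseudonymization of identifiers (a secret key, held separately from the data, is needed to link a pseudonym back to a person, which is what distinguishes pseudonymization under Article 4(5) GDPR from a plain hash that could be brute-forced from a short customer number) and a storage-limitation sweep that decides per record whether it is kept, erased or flagged for human review. The purposes, retention periods and record layout are assumptions for the example, not anything prescribed by the GDPR or the DSG; a controller must take them from its own documented retention schedule.

```python
"""Keyed pseudonymization and a retention sweep (added example, not from the guide)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule: maximum storage period per documented purpose.
# These figures are assumptions for the example only.
RETENTION_POLICY = {
    "contract": timedelta(days=7 * 365),   # e.g. bookkeeping duties after contract end
    "marketing": timedelta(days=2 * 365),
}


def pseudonymize(identifier: str, key: bytes, namespace: str) -> str:
    """Return an HMAC-SHA256 pseudonym for `identifier`.

    The key is the "additional information" of Art. 4(5) GDPR and must be stored
    separately from the pseudonymized data set. `namespace` binds the pseudonym
    to one purpose, so the same person gets unlinkable pseudonyms in different
    data sets (e.g. analytics vs. support)."""
    message = f"{namespace}:{identifier}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def matches(identifier: str, pseudonym: str, key: bytes, namespace: str) -> bool:
    """Constant-time check whether `pseudonym` belongs to `identifier`; needs the key."""
    return hmac.compare_digest(pseudonymize(identifier, key, namespace), pseudonym)


@dataclass
class Record:
    subject_id: str
    purpose: str
    collected_at: datetime
    restricted: bool = False   # processing restricted under Art. 18 GDPR


def retention_decision(record: Record, now: datetime) -> str:
    """Return "keep", "erase" or "review" for one record.

    Restricted records are not erased automatically: under Art. 18(2) they may
    only be stored, and the data subject may need them for legal claims, so a
    human decides. A record with no purpose in the schedule has no documented
    basis for retention and is also escalated rather than silently kept."""
    if record.restricted:
        return "review"
    limit = RETENTION_POLICY.get(record.purpose)
    if limit is None:
        return "review"
    if now - record.collected_at > limit:
        return "erase"
    return "keep"


def apply_retention(records: list, now: datetime) -> dict:
    """Group records into keep / erase / review buckets for a retention run."""
    buckets = {"keep": [], "erase": [], "review": []}
    for record in records:
        buckets[retention_decision(record, now)].append(record)
    return buckets


# Constructed sample data for the example.
SAMPLE_NOW = datetime(2025, 9, 5, tzinfo=timezone.utc)


def sample_records() -> list:
    return [
        Record("4711", "marketing", SAMPLE_NOW - timedelta(days=800)),          # past 2 years
        Record("4712", "marketing", SAMPLE_NOW - timedelta(days=10)),           # still current
        Record("4713", "", SAMPLE_NOW - timedelta(days=1)),                     # no documented purpose
        Record("4714", "marketing", SAMPLE_NOW - timedelta(days=800), True),    # restricted, Art. 18
    ]


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in production: generated and held in a separate key store
    print("analytics pseudonym:", pseudonymize("4711", key, "analytics"))
    print("support pseudonym:  ", pseudonymize("4711", key, "support"))
    for bucket, items in apply_retention(sample_records(), SAMPLE_NOW).items():
        print(bucket, [r.subject_id for r in items])
```

Rotating or destroying the key is the usual way to turn the pseudonymized data set into effectively anonymous data once the retention period for the linking purpose has expired; the sweep above handles the records themselves, not the key lifecycle.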

10. What are the data subjects' rights under the data legislation?

Under the GDPR, data subjects have enhanced rights in relation to their personal data, most of which only apply in specific circumstances. 

The data controller shall provide information on action taken on a request within one month of receipt, which period may be extended by two further months where necessary, taking account of the complexity and number of requests and provided that the controller informs the data subject of such extension within one month of the request. 

Where requests are manifestly unfounded or excessive, in particular, because of their repetitive character, the data controller may charge a “reasonable fee based on administrative costs” or refuse the request.

Right of Access 

The data subject can obtain from the data controller confirmation as to whether his or her personal data is being processed and, if so, a copy of that data together with information such as the purposes of the processing, the categories of data, the recipients, the envisaged retention period and the source of the data where it was not collected from the data subject (Article 15 of the GDPR).

Right of Rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and to have incomplete personal data completed.

Right of Erasure

In certain circumstances, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.

Right of Restriction of Processing

The data subject has the right to obtain from the controller restriction (i.e. suspension) of the processing in certain circumstances, such as where the accuracy of the data is being contested, the processing is unlawful or the data subject has objected to the processing. 

Right to Data Portability

The right to data portability is the right to receive the personal data that the data subject has provided to the controller, where the processing is based on consent or contractual necessity and is carried out by automated means, in a structured, commonly used and machine-readable format, and to transmit that data to another controller; where technically feasible, the data subject may require the data to be transmitted directly from one controller to the other.

Right to Object

The data subject has the right to object, on grounds relating to his or her particular situation, to the processing of the personal data based on the performance of a task carried out in the public interest or for the legitimate interests of the controller or a third party.

The controller must no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. 

Where personal data is processed for direct marketing purposes, the data subject has the right to object to the processing of his personal data at any time.

Automated Decisions with Legal or Significant Effects

Data subjects have a right not to be subject to automated decision-making in respect of the personal data, including profiling, with no human intervention where such a decision produces legal effects concerning the data subject or similarly significantly affects him or her (e.g., creditworthiness check or e-recruitment). This does not apply where explicit consent is provided, the processing is authorized by EU or Member State law or the processing is necessary for the purposes of entering into or performing a contract with the data subject. 

In Austria, if personal data processed by automated means cannot be rectified or erased immediately for technical or economic reasons, the processing must be restricted until such action is possible pursuant to Article 4 (2) of the Austrian Data Protection Act. During this restriction, the effects set out in Article 18(2) GDPR apply.

In Austria, Article 4 (5) and (6) of the Austrian Data Protection Act restrict the right of access of the data subject. According to Article 4 (5) of the Austrian Data Protection Act, data subjects have no right of access against a controller acting with public authority and powers if granting access would jeopardize the performance of the tasks assigned to the controller. Article 4 (6) of the Austrian Data Protection Act restricts the right of access if granting access would prejudice a trade or business secret of the controller or a third party.

In addition, restrictions on various data subject rights can be found in other laws, e.g., the Ärztegesetz (Austrian law regarding the exercise of the medical profession, "ÄrzteG").

For detailed information on how this aspect of GDPR is enacted in Austria, please contact CERHA HEMPEL Rechtsanwälte GmbH directly.

9. What are the consent requirements for data subjects?

Consent is one of the legal bases provided for by the GDPR on which the processing of personal data may be based. It is defined in Article 4.11 of the GDPR as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The consent of the individual is always required for certain types of processing that are governed by specific legal provisions, for example commercial prospecting (direct marketing) by email.

Under Article 7 of the GDPR, four cumulative criteria must be met for consent to be valid. Consent must be:

  1. Free: consent must not be coerced or influenced. The individual must be offered a genuine choice, without suffering any negative consequences if they refuse;
  2. Specific: consent must correspond to a single processing operation for a specific purpose;
  3. Informed: to be valid, consent must be accompanied by a certain amount of information communicated to the person before they consent (the identity of the data controller, the purposes pursued, the categories of data collected, the existence of a right to withdraw consent, where applicable: the fact that the data will be used in the context of automated individual decisions or that it will be transferred to a country outside the European Union);
  4. Unambiguous: consent must be given by a clear statement or other affirmative act. There must be no ambiguity as to the expression of consent.

    For example, the following methods of obtaining consent cannot be considered unambiguous: pre-ticked or pre-activated boxes, “bundled” consent (where a single consent is requested for several separate processing operations), or inaction (e.g., failure to respond to an email requesting consent).

The data subject has the right to withdraw consent, and as such, they must be able to withdraw their consent at any time, using a method that is as simple as the method used to obtain consent (for example, if consent was obtained online, it must also be possible to withdraw consent online).

In addition, the data controller must be able to demonstrate at any time that the individual has given valid consent. To do so, the data controller must document the conditions under which consent was obtained.

Where a child is under 16 years of age, processing is only lawful if consent is given or authorized by the holder of parental responsibility over the child. The GDPR allows Member States to set the age below which parental consent is required anywhere between 13 and 16 years.

In Austria, the age is 14.

For detailed information on how this aspect of GDPR is enacted in Austria, please contact CERHA HEMPEL Rechtsanwälte GmbH directly.

10. How is authorization for use of data handled?

Authorization to use personal data is managed through the selection and justification of a legal basis for each processing operation and, in certain cases, through the collection of explicit consent.

The GDPR requires that all processing of personal data be based on at least one of the six legal bases provided for in Article 6.

Authorization to use data does not therefore necessarily imply consent from the data subject, provided that the use is based on another legal basis provided for in Article 6.

In the case that an entity that has collected data wishes to reuse it for purposes other than those initially specified, the consent of the data subject must be obtained again.

The use of consent boxes that are checked by default is prohibited. Furthermore, silence on the part of the person concerned (e.g., the person visits the website without accepting or refusing cookies) does not constitute consent.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

The GDPR also restricts the transfer of personal data to a country outside the European Economic Area ("EEA") unless certain conditions or safeguards are in place. 

Transfer to Adequate Countries Outside the EEA

Transfers of data to a third country or international organization are permitted where the European Commission has taken an adequacy decision under Article 45 of the GDPR that there is an adequate level of protection of personal data in that country or organization.

The existing list of countries that have been approved by the EU Commission will remain in force. Transfers of personal data to the following countries can take place without too much concern:

  • Andorra
  • Argentina
  • Canada (partial adequacy decision for personal data transferred to recipients subject to the Canadian Personal Information Protection and Electronic Documents Act 2000)
  • Faroe Islands
  • Guernsey
  • Israel
  • Japan
  • Jersey
  • New Zealand
  • Republic of Korea
  • Switzerland
  • The Isle of Man
  • United Kingdom
  • Uruguay

While the Privacy Shield was a partial adequacy decision covering transfers to organizations that complied with the Privacy Shield Principles in the United States, it has been invalidated by the decision of the European Court of Justice in case C-311/18 dated 16 July 2020 ("Schrems II decision") and is not applicable anymore.

In the wake of the invalidation of the Privacy Shield, the European Commission issued an adequacy decision for the EU–US Data Privacy Framework (“DPF”). Transfers to U.S. companies that are certified under the DPF can take place freely, without additional safeguards. However, concerns have been raised about the consequences of U.S. surveillance laws, and there is a belief that the DPF might be invalidated by the European Court of Justice.

Transfer to Non-Adequate Countries

Where the country to which the personal data will be transferred does not appear on an approved list of countries (such as the transfer to U.S. companies not certified under the DPF), the transfer of personal data can still take place only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies are available. 

The appropriate safeguards may be provided by:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • binding corporate rules in accordance with Article 47;
  • so-called standard contractual clauses adopted by the European Commission or the supervisory authority, which incorporate the EU standards into the contract;
  • an approved code of conduct pursuant to Article 40, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards; or
  • an approved certification mechanism pursuant to Article 42, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards.

The standard contractual clauses are the most commonly used appropriate safeguard mechanism. However, according to the Schrems II decision, controllers relying on standard contractual clauses or BCRs are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the European Economic Area. Where necessary, supplementary measures (i.e., legal, technical or organizational measures) have to be implemented to ensure such an essentially equivalent level of protection.

The GDPR also provides for derogations to the prohibition of personal data transfers, for instance, where the data subject has explicitly consented to the transfer, after having been informed of the possible risks due to the absence of an adequacy decision. 

12. How are data "incidents" and "breaches" defined?

The GDPR does not refer to “incidents” involving personal data, but to “breaches”, i.e., any security incident, whether malicious or not and whether caused intentionally or unintentionally, that compromises the integrity, confidentiality or availability of personal data.

In accordance with Article 4.12 of the GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. 

13. Are there any notification requirements for incidents and/or data breaches?

The GDPR introduces a compulsory requirement for controllers to report data breaches to the competent national supervisory authority(ies) (please see below) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects.

A risk assessment will, therefore, need to be undertaken by the controller to evaluate whether the obligation to report arises. Where a breach poses a high risk to data subjects, the GDPR also requires that the controller communicate the breach to the affected data subjects without undue delay. Regardless of whether notification to the regulator is made or not, controllers must document all personal data breaches, including the facts, their effects and the remedial action taken.

Where a processor has suffered a personal data breach, the processor must notify the controller “without undue delay” after becoming aware of the breach.

Providers of publicly available electronic communications services in public communications networks in the EU are subject to a mandatory reporting obligation in accordance with EU Regulation No 611/2013.

14. Who is/are the privacy regulator(s)?

Supervisory Authority

Article 55 GDPR provides that each national supervisory authority has the competence to act in relation to matters in its territory. In Austria, the supervisory authority is the Datenschutzbehörde (Austrian Data Protection Authority, “DSB”): https://www.dsb.gv.at/

In France, the National Oversight Commission for Intelligence-Gathering Techniques ("CNCTR") monitors the surveillance techniques used by French intelligence services and verifies that any infringement of the right to privacy is proportionate.

Lead Supervisory Authority

In circumstances where a controller or a processor is engaged in “cross-border processing” (being the processing of personal data which takes place in the context of activities of establishments of that controller or processor in more than one Member State or processing which substantially affects or is likely to substantially affect data subjects in more than one Member State), then the supervisory authority of the main or single establishment of the controller or processor shall have the competence to act in respect of such cross-border processing.

Tasks and Powers of a Supervisory Authority

The GDPR provides for enhanced, wide-ranging powers of enforcement to supervisory authorities, who may impose substantial fines for breaches of the GDPR.

The tasks of a supervisory authority are set out in Article 57 of the GDPR and include, among others:

  • monitoring and enforcing the application of the GDPR;
  • promoting awareness;
  • handling complaints;
  • conducting investigations;
  • cooperating with other supervisory authorities;
  • administrative tasks such as drawing up codes of conduct, reviewing certifications and approving standard contractual clauses for transfers of personal data outside the EEA.

The powers of a supervisory authority are set out in Article 58 and include, among others:

  • ordering the production of information from controllers and processors;
  • conducting investigations in the form of audits, including onsite investigations;
  • issuing warnings, reprimands, and enforcement orders;
  • ordering the suspension or ban of non-compliant processing activities;
  • the imposition of administrative fines; and
  • advising, for example, in relation to high-risk processing or issuing opinions.

The European Data Protection Board ensures that EU rules designed to protect data are applied consistently across all EU countries, so that all citizens have the same rights, regardless of where they live.

Finally, the European Commission and the CJEU contribute to the interpretation and enforcement of the GDPR.

15. What are the consequences of a data breach?

Administrative Fines

The imposition of administrative fines by a supervisory authority is subject to appropriate procedural safeguards in accordance with Union or Member State law and therefore, the mechanism and procedure for imposing a fine may vary from Member State to Member State.

For detailed information on how this aspect of GDPR is enacted in Austria, please contact CERHA HEMPEL Rechtsanwälte GmbH directly.

The level of administrative fines is set out in Article 83, together with examples of aggravating and mitigating factors in determining whether to impose a fine and, if so, the level of such fine. In each case, the supervisory authority is to ensure that the imposition of fines is effective, proportionate and dissuasive. The amount of a fine depends on the nature of the infringement in question, with the applicable thresholds being up to:

  • 2% of the total global annual turnover of an undertaking for the preceding financial year or EUR 10,000,000, whichever is higher; or
  • 4% of the total global annual turnover of an undertaking for the preceding financial year or EUR 20,000,000, whichever is higher.

Article 30 (5) of the Austrian Data Protection Act excludes the imposition of administrative fines on authorities and public entities.

16. How is electronic marketing regulated?

Direct marketing to individuals is currently regulated at a Member State level under national legislation that gives effect to the e-Privacy Directive ("Directive 2002/58/EC"). 

The use of publicly available electronic communications services to send unsolicited communications or to make unsolicited calls for the purpose of direct marketing is restricted. Generally, such communications by electronic means require consent or are subject to a right to opt out.

In Austria, Article 174 of the Austrian Telekommunikationsgesetz (Telecommunications Act, “TKG”) requires consent to send electronic direct marketing communications (i.e., emails and texts). However, consent (“opt-in”) is not required if (1) the electronic mail is not sent for direct marketing purposes, or if (2) the sender has received the contact details in the context of a sale or a service to its customers and the communication concerns products or services similar to those already supplied by the same legal entity, provided that the customer was given the explicit opportunity to refuse such marketing communications, free of charge, upon the collection of the electronic contact information and upon each transmission, and that the customer has not already refused such communications.

Article 174 (5) TKG lists cases in which the sending of electronic mail for purposes of direct marketing is prohibited in any case.

In January 2017, the European Commission published its proposal for an e-Privacy Regulation, which was to replace and modernize the existing e-Privacy Directive and to particularize and complement the GDPR as its lex specialis on the protection of privacy and confidentiality of electronic communications. On February 10, 2021, the Council of the European Union finally agreed on a draft text of the e-Privacy Regulation, along with a mandate for its Presidency to start negotiations with the European Parliament in order to reach a consensus thereon. The first political trilogue concerning the e-Privacy Regulation took place on May 20, 2021, under the Portuguese Presidency. The scope of application of the e-Privacy Regulation was set to be broader than that of the GDPR, as it covered, inter alia, EU end-users to whom electronic communications data (including both content and metadata) refer, regardless of whether they are natural or legal persons. On February 11, 2025, the European Commission disclosed in its “2025 Work Programme” that it will withdraw the proposal for a new e-Privacy Regulation (replacing the current e-Privacy Directive). The current e-Privacy Directive and its national transposition laws therefore remain in force.

For detailed information on how this aspect of GDPR is enacted in Austria, please contact CERHA HEMPEL Rechtsanwälte GmbH directly.

17. Are there sector-specific or industry-specific privacy requirements?

Healthcare sector

In accordance with Article 9.1 of the GDPR, the processing of health data is prohibited in principle, except in the specific cases provided for in Article 9.2.

In Austria, the electronic transfer of personal genetic and health data is, under certain circumstances, subject to specific data security measures set out in the Austrian Health Telematics Act. In addition, other specific rules regulate particular use cases of genetic, biometric or health data, e.g., the prohibition of the use of genetic data in specific circumstances.

Judicial sector

Chapter 3 of the Austrian Data Protection Act sets out specific provisions to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, and for the purposes of national security, intelligence, and the protection of military facilities by the armed forces.

Codes of conduct

In accordance with Article 40 of the GDPR, the Austrian Data Protection Authority has approved the following codes of conduct for specific industries:

  • Code of Conduct for Internet Service Providers,
  • Code of Conduct for Network Operators When Processing Personal Data with Smart Meters from Final Consumers,
  • Code of Conduct of the Professional Association of Employers in Private Education,
  • Code of Conduct for the Practice of Address Publishing and Direct Marketing Companies,
  • Code of Conduct for the Practice of Accounting Professions (accountants, bookkeepers, payroll accountants),
  • Code of Conduct for Insurance Brokers and Advisors in Insurance Matters.

Telecommunications sector

Section 14 of the Telecommunications Act sets out specific provisions regarding the processing and transmission of personal data or of data relating to a legal person which are not publicly accessible, in connection with the provision of public communications services in public communication networks, including those public communications networks which support data collection and identification equipment.

For detailed information on how this aspect of GDPR is enacted in Austria, please contact CERHA HEMPEL Rechtsanwälte GmbH directly.

18. What are the requirements for appointing Data Protection Officers or similar roles?

Article 37 of the GDPR sets out the procedures for appointing a Data Protection Officer ("DPO").

This appointment is mandatory when:

  • The processing is carried out by a public authority or body, except for courts acting in their judicial capacity; 
  • The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or 
  • The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

The DPO must have legal and technical expertise in personal data protection and a good understanding of the business sector, internal organization, particularly processing operations, information systems, and data protection and security requirements.

In addition, the DPO must have sufficient resources to perform their duties (Article 38.2, GDPR), which means that they must:

  • be involved in all matters relating to personal data protection;
  • have sufficient time to perform their duties;
  • have adequate material and human resources;
  • have access to relevant information;
  • be able to maintain their specialized knowledge;
  • be easily accessible to the persons concerned.

Finally, the DPO must be able to act independently (Article 38.3, GDPR), which means:

  • not be in a conflict of interest where the DPO role is combined with another role;
  • be able to report on their actions to the highest level of the organization's management;
  • not be penalized for performing their duties as DPO;
  • not receive instructions in the performance of their duties as DPO.

The tasks assigned to the DPO are detailed in Article 39 of the GDPR and mainly involve advising, informing, monitoring, and managing relations with supervisory authorities.

19. What are the record-keeping and documentation obligations?

Under the GDPR, archiving and documentation obligations are part of the principle of accountability, which means that every organization must be able to demonstrate its compliance with the GDPR at any time, imposing specific requirements for document retention and maintenance.

Any entity that processes data must document and regularly update its records demonstrating compliance with the GDPR.

It is necessary to document the processing of personal data in the following documents:

  • Records of data processing activities (both for data controllers and data processors) (Article 30, GDPR);
  • DPIAs, where applicable, for processing operations likely to result in high risks to the rights and freedoms of individuals (Article 35, GDPR);
  • Where there are data transfers outside the European Union, appropriate documentation, depending on the context of such transfer, e.g., standard contractual clauses, BCRs, and certifications (Articles 28 and 42, GDPR).

It is also necessary to keep the information provided to data subjects, the templates used to obtain consent from data subjects, and the procedures put in place for data subjects to exercise their rights.

Finally, contracts that define the roles and responsibilities of those involved in processing must also be archived, including contracts with processors, internal procedures in the event of data breaches (Article 33, GDPR), and evidence that data subjects have given their consent where the processing of their data relies on consent as its legal basis.

With regard to the archiving of personal data, Article 5.1(e) GDPR imposes a limited retention period for data, i.e., a period not exceeding that necessary for the purposes for which they are processed. These retention periods must be documented in the processing records, internal document management policies, and information notices to data subjects.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

Article 35 of the GDPR requires that a Data Protection Impact Assessment ("DPIA") be carried out when a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.

The DPIA is carried out by the data controller, in collaboration with the DPO (if a DPO has been appointed). If a data processor is involved in the processing, they must provide assistance and the information necessary to carry out the DPIA.

The DPIA shall be required in particular in the following cases:

  • a systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; 
  • processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or 
  • a systematic monitoring of a publicly accessible area on a large scale. 

In addition, if the processing meets at least two of the nine criteria set out in the G29 Guidelines, a DPIA is mandatory:

  • evaluation/scoring (including profiling);
  • automated decision-making with legal or similar effects;
  • systematic monitoring;
  • collection of sensitive or highly personal data;
  • large-scale collection of personal data;
  • cross-referencing of data;
  • vulnerable individuals (patients, elderly people, children, etc.);
  • innovative use (use of new technology);
  • exclusion from the enjoyment of a right or contract.

In Austria, the Austrian Data Protection Authority has adopted a regulation on processing operations requiring a data protection impact assessment and an exemption regulation with a list of types of processing operations for which no data protection impact assessment is required.

For detailed information on how this aspect of GDPR is enacted in Austria, please contact CERHA HEMPEL Rechtsanwälte GmbH directly.

The DPIA shall contain at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes; 
  • an assessment of the risks to the rights and freedoms of data subjects referred to in Article 35(1); and
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.

The DPIA must be conducted before processing operations begin. It should be started as early as possible and updated throughout the lifecycle of the processing.

It is also necessary to review the DPIA regularly to ensure that the level of risk remains acceptable throughout the processing, as the environment, particularly the technical environment, will evolve, requiring adjustments to the measures implemented.

If a DPIA indicates that data processing would entail a high risk (unless the controller takes measures to mitigate the risk), the controller must consult the data protection authority in accordance with Article 36 of the GDPR. In this case, a consultation procedure may follow.

For detailed information on how this aspect of GDPR is enacted in Austria, please contact CERHA HEMPEL Rechtsanwälte GmbH directly.

21. What are the requirements for third-party vendor management and data sharing?

In the context of the GDPR, a third-party vendor refers to any external entity that processes personal data on behalf of another organisation. This may include cloud service providers, marketing agencies, payment processors, and IT support companies, among others. As these vendors handle personal data, they become an extension of the organisation and must adhere to the same compliance requirements.

Cases where the third-party vendor is considered a data processor:

  • The third-party vendor may be considered a data processor if it processes personal data solely in accordance with the instructions of the data controller and does not use the data for its own purposes (hosting, customer support, emailing, data analysis).
  • A third-party vendor may only reuse personal data for its own purposes if such reuse is compatible with the initial processing and the data controller has given its written authorization.
  • Such an entity is a processor as defined in Article 4(8) of the GDPR, i.e., a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Cases where a third-party vendor cannot be considered a data processor:

  • The third-party vendor may be considered an independent data controller if it decides on the purposes and means of the processing itself or if it is jointly responsible for the processing with the data controller (advertising service provider that collects data for its own targeting purposes).
  • In this case, the third-party vendor must obtain the consent of the data subjects in order to legally use their data for a purpose other than that initially intended.

In all cases, before entering into a contract with the third-party vendor, you must:

  • assess its level of security and compliance (certifications);
  • ensure that appropriate technical and organizational measures are in place;
  • analyze the risks associated with the processing (nature and sensitivity of the data, purposes, transfers abroad);
  • in the event of international transfers, ensure that guarantees equivalent to those of the GDPR are in place;
  • ensure that an effective data breach management policy is in place (rapid notification, obligation to cooperate, security tools).

22. What are the penalties and enforcement mechanisms for non-compliance?

Article 83 of the GDPR sets out the general conditions for supervisory authorities to impose administrative fines on controllers or processors of up to EUR 20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In Austria, the Austrian Data Protection Authority shall apply Article 83 of the GDPR in a manner so as to observe proportionality. In the case of first-time infringements, in particular, the Austrian Data Protection Authority shall use its corrective powers in accordance with Article 58 of the GDPR, in particular by issuing reprimands. 

Furthermore, where an offence does not meet the elements of Article 83 of the GDPR, it can still constitute an administrative offence punishable by a fine of up to EUR 50,000 pursuant to § 62 Austrian Data Protection Act, committed by anyone who:

  • intentionally and illegally gains access to data processing or maintains an obviously illegal means of access,
  • transmits data intentionally in violation of the rules on confidentiality (§ 6 Austrian Data Protection Act), in particular intentionally uses data entrusted to him or her according to § 7 or 8 Austrian Data Protection Act for other prohibited purposes,
  • by giving incorrect information, intentionally obtains personal data pursuant to § 10 Austrian Data Protection Act,
  • processes images contrary to the provisions of Chapter 1, Part 3 of the Austrian Data Protection Act, or
  • refuses inspection pursuant to § 22 para. 2 Austrian Data Protection Act.

Additionally, certain breaches of Data Protection Laws may also be punished by imprisonment up to one year or a criminal fine pursuant to § 63 Austrian Data Protection Act.

For detailed information on how this aspect of GDPR is enacted in Austria, please contact CERHA HEMPEL Rechtsanwälte GmbH directly.

23. What are the ongoing compliance and audit requirements?

The GDPR does not impose any obligation to carry out a compliance audit, unlike a DPIA, which may be mandatory in certain situations.

However, Articles 5 and 24 of the GDPR impose a principle of accountability on data controllers. As such, they must implement appropriate technical and organizational measures and must be able to demonstrate compliance with the processing at any time.

Thus, the implementation of regular internal audits ensures that the obligations imposed by the GDPR are being met and identifies any unauthorized practices so that they can be stopped.

In the event that the data controller uses a subcontractor (processor), the latter must make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and must allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller (Article 28(3)(h) GDPR).

Finally, data protection authorities have a right similar to an audit right, allowing them to monitor an entity's compliance and request the provision of documents to prove it (Article 58 of the GDPR).

24. Are there any recent developments or expected reforms?

The Austrian Data Protection Authority provides basic information as well as FAQs on a wide range of data protection topics, such as:

  • Rights of the data subject,
  • Proceedings before the Austrian Data Protection Authority,
  • Data breach procedure,
  • Pictures & videos,
  • Data protection and the internet,
  • Creditor protection & credit agencies,
  • Data Protection & Cookies.

The Austrian Data Protection Authority stated in a recent newsletter that data breach notifications pursuant to Article 33 of the GDPR are reviewed as to their content. However, due to budget restrictions, the controller will only be contacted if the Austrian Data Protection Authority is of the opinion that follow-up measures are necessary or the notification is incomplete.

The European Commission published a proposal to reform the GDPR on 21 May 2025, which would notably exempt some data processors from the obligation to keep a record of processing activities. This would apply to data processors with fewer than 750 employees, provided that the processing is not likely to result in a high risk to the rights and freedoms of data subjects.

For detailed information on how this aspect of GDPR is enacted in Austria, please contact CERHA HEMPEL Rechtsanwälte GmbH directly.
