DSB (Austria)

From GDPRhub
Name: Datenschutzbehörde
Abbreviation : DSB
Jurisdiction: Austria
Head: Mag. Dr. Andrea Jelinek
Deputy: Mag. Dr. Matthias Schmidl
Adress: Barichgasse 40-42, 1030 Wien, Austria
Webpage: www.dsb.gv.at
Email: dsb@dsb.gv.at
Phone: +43 1 52 152-0
Twitter: n/a
Procedural Law: AVG (in DE) / AVG (in EN)

DSG (in DE) / DSG (in EN)

Decision Database: RIS (only in DE)
Translated Decisions: Category:DSB (Austria)
Head Count: 37
Budget: n/a

The Datenschutzbehörde is the federal Data Protection Authority for Austria. It resides in Vienna and is in charge of enforcing GDPR for Austria.

Structure[edit | edit source]

The DSB is a monolithic authority. All decisions are taken on behalf of the head of the DSB. Cases are usually assigned to an employee that is named on all documents. The individual employee decided on behalf of the head of the DSB. There is no information about individual sections within the DSB.

Procedural Information[edit | edit source]

Applicable Procedural Law[edit | edit source]

The Austrian DSB operates under the Austrian Administrative Procedural Act (Allgemeines Verwaltungsverfahrensgesetz - AVG) unless the GDPR or the national Data Protection Act (Datenschutzgesetz) has more specific rules.

The AVG defines the form of the procedure and the rights of the parties before the DSB in general. For example, § 73 AVG stipulates a duty to decide over each complaint as soon as possible, but always within 6 months or § 17 AVG ensures a right of the parties to access to all documents. Under § 13 AVG applications can be submitted in person, in writing, via email or via phone. Each party (data subject and controller) have all procedural rights under the AVG.

The national Data Protection Act (Datenschutzgesetz - DSG) regulates certain procedural elements as a lex specialis for the DSB, like the details of the complaints procedure in § 24 DSG (see below).

Complaints Procedure under Art 77 GDPR[edit | edit source]

Under § 24(2) DSG any complaint needs to name (1) the violated right, (2) as far as possible the controller, (3) the facts of the case, (4) the reasons why the complainant feels his rights are violated, (5) the request to find a violation of the law and (6) any information that allows to determine if the complaint was filed on time. In addition all relevant documents (like the correspondence with the controller) need to be attached. Under § 24(4) DSG complaints need to be filed one year from the time the complainant has learned about the violation and three years from the incident.

Ex Officio Procedures under Article 57 GDPR[edit | edit source]

The DSB can run ex officio procedures out of its own motion. Cases were so far triggered by media reports or larger public debates about controllers.

Appeals[edit | edit source]

Appeals against decisions by the Austrian DSB can be taken by the parties concerned to the Federal Administrative Court (Bundesverwaltungsgericht - BVwG), which has three dedicated chambers for data protection cases.

Practical Information[edit | edit source]

For most data protection claims against a controller and for complaints to the DSB standard forms (in German) are provided at dsb.gv.at.

The DSB (and previously the DSK) has published more than 1.600 of their decisions in the Austrian decision database RIS.bka.gv.at since 1994. Not all decisions are published, only decisions that are novel or important usually get published.

Statistics[edit | edit source]

You can help us filling this section!

EU/EEA Data Protection Authorities
Austria · Belgium · Bulgaria · Croatia · Cyprus · Czech Republic · Denmark · Estonia · Finland · France · Germany (Baden-Württemberg · Bavaria, private sector · Bavaria, public sector · Berlin · Brandenburg · Bremen · Hamburg · Hesse · Lower Saxony · Mecklenburg-Vorpommern · North Rhine-Westphalia · Rhineland-Palatinate · Saarland · Saxony · Saxony-Anhalt · Schleswig-Holstein · Thuringia ) · Greece · Hungary · Ireland · Italy · Latvia · Lithuania · Luxembourg · Malta · Netherlands · Poland · Portugal · Romania · Slovakia · Slovenia · Spain · Sweden
Iceland · Liechtenstein · Norway EDPS · EDPB
Non-EU/EEA Data Protection Authorities
United Kingdom