Data Protection in Austria
|Data Protection in Austria|
|Data Protection Authority:||DSB (Austria)|
|National Implementation Law (Original):||Datenschutzgesetz (DSG)|
|English Translation of National Implementation Law:||Datenschutzgesetz (DSG)|
|National Legislation Database(s):||RIS.bka.gv.at|
|English Legislation Database(s):||RIS.bka.gv.at/en|
|National Decision Database(s):||RIS.bka.gv.at|
Legislation[edit | edit source]
History[edit | edit source]
Austria has passed the first data protection law in 1979 (BGBl I Nr. 565/1978). Directive 95/46/EC was implemented by the Data Protection Act 2000 (Datenschutzgsetz - DSG 2000). Austria has traditionally not structurally differentiated between public and private data processing. Traditionally Austrian law has not only covered natural personal but also legal entities as data subjects.
National Constitutional protections[edit | edit source]
The DSG 1978 introduced the Constitutional Right to Data Protection in § 1 DSG. Austria also gave the ECHR constitutional status, whereby the Right to Privacy in Article 8 ECHR was established in Austria.
National GDPR implementation law[edit | edit source]
GDPR was mainly implemented by the new Data Protection Act (Datenschutzgesetz - DSG), passed through (BGBl. I Nr. 120/2017).
The Austrian government has passed numerous laws to update data protection rules and terminology in many other national provisions, which are not listed here in detail.
Age of Consent[edit | edit source]
Under § 4(4) DSG the age of consent in Austria is 14, in line with Austrian civil law provisions.
Freedom of Speech[edit | edit source]
Austria has exempt any processing of personal data by media for journalistic purposes from the GDPR in § 9(1) DSG. It is questionable if this broad exception is violating the Austrian Constitution, GDPR and/or the CFR.
Employment context[edit | edit source]
Data protection matters in the work context are regulated in §§ 91, 96 and 96a ArbVG. Forms of electronic control (Kontrollmaßnahme) requires the agreement of the workers' council for certain processing of employee data. If no worker' council is installed, each employee must consent to forms of electronic control under § 10 ARVRAG.
Research, Arts and Literature[edit | edit source]
§ 9(2) DSG further that processing for purposes of research, artistic and literary purposes must be balances with the right to freedom of expression and the right to information.
Austria has amended the Research Organisational Act (Forschungsorganisationsgesetz – FOG) to include many waivers from GDPR for research purposes under Article 89 GDPR. It is questionable of the law is constitutional and in line with GDPR.
Other relevant national provisions and laws[edit | edit source]
§ 151 of the Austrian Business Act (Gewerbeordnung - GewO) traditionally allows data collections and sharing for direct marking purposes. § 152 GewO mentions credit agencies. Both seem to be overridden by GDPR.
§§ 12 and 13 of the Data Protection Act (DSG) regulate CCTV cameras. The law allows CCTV based on a "legitimate interest" only (1) on privately used property, (2) in case of previous violations of rights or special dangers or (3) in the interest of private documentation if an identification of persons is not intended. It is unclear if this national determination of Article 6(1)(f) GDPR is compatible with the GDPR.
Many other GDPR provisions were introduced in the sector-specific laws throughout the relevant acts.
National ePrivacy Law[edit | edit source]
Austria has implemented the ePrivacy Directive mainly in §§ 92 to 197 of the Telecoms Act (Telekommunikationsgesetz 2013, TKG).
Cookies are regulated in § 96(3) TKG.
Spam Emails are regulated in § 107(3) TKG.
Data Protection Authority[edit | edit source]
The Datenschutzbehörde (DSB) is the national data protection authority for Austria. It has replace the Datenschutzkommission (DSK) on 1 January 2014. It resides in Vienna and is in charge of all public and private entities in Austria.
→ Details see DSB (Austria)
Judicial protection[edit | edit source]
Civil Courts[edit | edit source]
In Austria the ordinary civil courts are in charge of data protection lawsuits. § 28 DSG requires that civil lawsuits in data protection matters have to be filed with one of the 16 Regional Court (Landesgericht - LG) instead of the district courts (Bezirksgericht - BG). Under national procedural law this requires that all parties are represented by a lawyer.
Appeals can be brought to one of the four Higher Regional Courts (Oberlandesgericht - OLG) and further to the Austrian Supreme Court (Obererster Gerichtshof - OGH). The 6th chamber of the Austrian Supreme Court his the dedicated chamber for data protection matters.
Administrative Courts[edit | edit source]
Appeals from the Austrian DPA are brought before the Federal Administrative Court (Bundesverwaltungsgericht - BVwG) and can be further brought to the Austrian Supreme Administrative Court (Verwaltungsgerichtshof - VwGH) or (in certain cases) to the Austrian Constitutional Court (Verfassungsgerichtshof - VfGH).
Constitutional Court[edit | edit source]
The Austrian Constitutional Court (Verfassungsgerichtshof - VfGH) is in charge of deciding over any violation of the Constitutional Right to Data Protection in § 1 DSG, the Rights to Privacy and Data Protection in Article 7 and 8 CFR and the Right to Privacy in Article 8 ECHR. Applications can be made direly by a citizen, by members of parliament or one of the Austrian states. Austrian law also allows referrals by Civil courts. The Constitutional Court has by now a long body of case law on data protection matters.