Data & Privacy · Austria
Data protection & privacy laws in Austria (2026)
Austria shaded by its data & privacy status
As an EU member state, Austria applies the GDPR directly, complemented by the national Datenschutzgesetz (DSG), which entered into force on 25 May 2018 and fills the opening clauses the GDPR leaves to national law. The independent Austrian Data Protection Authority (Datenschutzbehörde, DSB) in Vienna is the single competent supervisory authority. Section 1 of the DSG carries constitutional rank and guarantees a fundamental right to data secrecy, notably extending protection to legal persons as well as natural persons.
Key points
Austria's data-protection regime combines the directly-applicable GDPR with the national Datenschutzgesetz (DSG), which has been in force since 25 May 2018 and replaced the earlier DSG 2000. The DSG operates in tandem with the GDPR, addressing matters left to member-state law.
The independent Datenschutzbehörde (DSB), seated in Vienna, is the national supervisory authority under Art. 51 GDPR. It has a monocratic structure (its head is appointed by the Federal President for a five-year term on government nomination), handles complaints and investigations, and issues administrative fines.
Section 1 of the DSG has constitutional rank (amendable only by a two-thirds parliamentary majority) and guarantees everyone a fundamental right to secrecy of personal data where a legitimate interest exists. Unlike the GDPR, this Austrian right also protects legal persons, not only natural persons.
Data subjects enjoy the full set of GDPR rights — access, rectification, erasure, restriction, data portability, and objection — as administered and explained by the DSB; these can be enforced by complaint to the authority or before the courts.
The DSG was amended in June 2024 (BGBl I 2024/62), adding a provision on processing for journalistic purposes following a Constitutional Court decision, and in July 2024 (BGBl I 2024/70), which—responding to a CJEU ruling of 16 January 2024—created a Parliamentary Data Protection Committee that began exercising oversight of legislative bodies on 1 January 2025.
Beyond the DSG, sector-specific rules apply (e.g., the Telekommunikationsgesetz 2021 implementing the ePrivacy regime for cookies and electronic communications), operating alongside the comprehensive GDPR/DSG framework.
Timeline - major decisions & events
In case 6 Ob 189/24y (announced 18 Dec 2025), the OGH ended an 11-year Schrems case, finding Meta's targeted-ad processing required specific consent and ordering Meta to disclose all of a user's personal data including sources and purposes. It set a binding GDPR precedent on consent and access rights across the EU.
noyb ↗The Austrian Data Protection Authority ruled that KSV1870's fully automated scoring used to deny consumers energy contracts constituted prohibited automated individual decision-making under Article 22 GDPR. It reinforced limits on algorithmic decisioning in Austria.
E+H Rechtsanwälte ↗Facing a 769% rise in complaints since 2017 (3,813 in 2024) but flat funding, the Austrian Data Protection Authority imposed operational restrictions from July 2025. It signaled a growing gap between enforcement demand and regulator capacity.
PPC Land ↗After awaiting the CJEU's Deutsche Wohnen ruling, the Federal Administrative Court confirmed a EUR 16 million fine against the Austrian Postal Service for GDPR violations tied to profiling. It is among the largest GDPR penalties ever issued in Austria.
CMS GDPR Enforcement Tracker ↗In the first decision on noyb's 101 post-Schrems II model complaints, the DSB held that exporting Google Analytics data to the US breached GDPR Chapter V because standard contractual clauses could not protect against US FISA 702 surveillance. It triggered a wave of similar rulings across EU regulators.
noyb ↗In Case C-311/18, originating from Austrian activist Max Schrems's complaint, the Court of Justice struck down the Privacy Shield and tightened conditions for using standard contractual clauses. It reshaped the legal basis for all EU-US data transfers, including for Austrian organisations.
Court of Justice of the EU ↗The revised Data Protection Act entered into force alongside the EU GDPR, restructuring the national framework while retaining the constitutional Section 1 right to data secrecy. It is the central national statute supplementing the GDPR today.
RIS (Federal Legal Information System) ↗Published as BGBl I No. 120/2017, the Data Protection Amendment Act 2018 exercised the GDPR's national discretionary powers and overhauled the DSG ahead of 25 May 2018. A government attempt to abolish the constitutional data-protection right failed for lack of a two-thirds majority.
Parlament Österreich ↗In Case C-362/14, brought by Max Schrems against the Irish DPA, the Court ruled Safe Harbor inadequate and affirmed national authorities' power to scrutinise transfers. It was the first of the landmark Austrian-originated cases to reshape global data-transfer rules.
Court of Justice of the EU ↗Austria's original Data Protection Act (BGBl No. 565/1978) enshrined a constitutional right to data secrecy in Section 1 and created the Data Protection Commission, one of the earliest such authorities worldwide. This constitutional anchor still underpins the modern framework.
GDPRhub ↗Austria - other topics
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →