Data & Privacy - Austria

Austria's data-protection regime combines the directly-applicable GDPR with the national Datenschutzgesetz (DSG), which has been in force since 25 May 2018 and replaced the earlier DSG 2000. The DSG operates in tandem with the GDPR, addressing matters left to member-state law.

The independent Datenschutzbehörde (DSB), seated in Vienna, is the national supervisory authority under Art. 51 GDPR. It has a monocratic structure (its head is appointed by the Federal President for a five-year term on government nomination), handles complaints and investigations, and issues administrative fines.

Section 1 of the DSG has constitutional rank (amendable only by a two-thirds parliamentary majority) and guarantees everyone a fundamental right to secrecy of personal data where a legitimate interest exists. Unlike the GDPR, this Austrian right also protects legal persons, not only natural persons.

Data subjects enjoy the full set of GDPR rights — access, rectification, erasure, restriction, data portability, and objection — as administered and explained by the DSB; these can be enforced by complaint to the authority or before the courts.

The DSG was amended in June 2024 (BGBl I 2024/62), adding a provision on processing for journalistic purposes following a Constitutional Court decision, and in July 2024 (BGBl I 2024/70), which—responding to a CJEU ruling of 16 January 2024—created a Parliamentary Data Protection Committee that began exercising oversight of legislative bodies on 1 January 2025.

Beyond the DSG, sector-specific rules apply (e.g., the Telekommunikationsgesetz 2021 implementing the ePrivacy regime for cookies and electronic communications), operating alongside the comprehensive GDPR/DSG framework.