Privireal: Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Austria - Data Protection

History of Data Protection in Austria

Prior to the implementation of Directive 95/46/EC, the Austrian Data Protection Act dated from 1978. Following the implementation of the Directive, there was a debate as to whether this ageing law complied with the new requirements laid down in the Directive.

After an extensive examination of this question, it was decided to introduce new national legislation. As a result, the Austrian Data Protection Act 2000 (Datenschutzgesetz 2000 or the DSG) was passed in 1999 in order to ensure that Austria complied with the Directive. It came into force on 1 January 2000.

Summary of Data Protection in Austria

Title of Data Protection Legislation: Federal Act concerning the Protection of Personal Data (Datenschutzgesetz 2000 - DSG 2000) - unofficial English translation
Name of supervisory authority: Austrian Data Protection Commission [Datenschutzkommission]
General Powers of supervisory authority:

The Data Protection Commission's role is to safeguard data protection in accordance with the regulations of the Datenschutzgesetz 2000. The Austrian Data Protection Council shares this role (DSG 2000, Part 7, s35 (1)).

The Commission has the power to make rulings on matters of data protection (s41). The Commission rules on all requests for information.

Who has standing to notify the supervisory authority of breaches? Anybody whose rights under the Act have been breached by either a controller or a processor (s30(1)).
What are the penalties for data controllers if they breach the law? If the Commission issues recommendations to a data controller and they fail to comply, it can:
  1. initiate an administrative inquiry to check the registration;
  2. bring a criminal charge with the authorisation of the injured party;
  3. in case of severe transgressions by a private sector controller, file a lawsuit before the competent court of law pursuant to sect. 32 para. 5;
  4. in case of a transgression by a state body, the competent highest authority can take measures to ensure that the recommendation of the Commission is complied with, or inform the Commission why the recommendation has not been complied with.

See s30(6).

Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? No
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it.
Does the Data Protection Legislation cover the deceased? The legislation uses the term "natural person" (s4(3)), but it is unlikely that this will be interpreted to include the deceased. In Austrian law, the legal capacity of a natural person ends with death.
Who is able to indirectly identify the data subject? Anybody
