GDPR Complete Package Austria: What AT Companies Need Differently
TL;DR
- AT companies need GDPR + DSG (Austrian Data Protection Act) instead of the German BDSG — references and supervisory authority differ
- DPO obligation in AT follows Art. 37 GDPR with NO employee threshold — unlike Germany (Section 38 BDSG triggers at 20 employees)
- Supervisory authority: centralized ODSB (Austrian Data Protection Authority) in Vienna — more cooperative than German state authorities
- AT-specific topics: Image recording (Section 12 DSG), employee data protection (Section 11 DSG), research (Section 7 DSG)
- Average ODSB fine 2024: EUR 8,000 — significantly lower than DE supervisory practice, but EU max (EUR 20m) still applies
1. AT-Specific Particularities
The GDPR applies directly throughout the EU. However, each Member State retains national opening clauses. In Austria, the DSG (Datenschutzgesetz, Federal Law Gazette I No. 165/1999) governs:
- Section 5 DSG: Duties and position of the Data Protection Officer (supplements Art. 37 GDPR)
- Section 7 DSG: Processing for scientific or statistical purposes
- Section 11 DSG: Employee data protection
- Section 12 DSG: Image recording (video surveillance) — separate regime with mandatory signage
- Section 13 DSG: Privacy notice — additional AT-specific mandatory disclosures
- Section 49 DSG: Restrictions on the right of access in criminal matters
2. DPO Requirement in Austria
Under Art. 37 GDPR plus Section 5 DSG, a DPO is mandatory for:
- Public authorities and bodies
- Companies whose core activity involves systematic profiling or large-scale monitoring
- Companies processing special categories of data (Art. 9 GDPR) on a large scale
Important: Austria has NO employee headcount threshold like Germany (Section 38 BDSG, 20-employee trigger). The DPO obligation can therefore apply to smaller companies in Austria than it would in Germany. External DPOs are common practice.
3. The Austrian Data Protection Authority (ODSB)
Address: Barichgasse 40-42, 1030 Vienna. Website: dsb.gv.at. Online complaint form available.
2024 enforcement snapshot:
- Approx. 4,500 complaints, around 60% resolved within six months
- 15% of proceedings end in a fine; average around EUR 8,000
- Highest fine in 2024: EUR 480,000 (tracking on a vendor platform)
- All-time record: EUR 9 million (Austrian Post 2019)
4. Typical GDPR Cases in AT
| Case | AT-specific rule |
|---|---|
| Warehouse video surveillance | Section 12 DSG: signage mandatory, 72h retention default |
| Employee GPS tracking | Section 11 DSG: stronger employee data protection, works council co-determination |
| Newsletter dispatch | Art. 6 GDPR + Section 174 GewO (Austrian Trade Act): double opt-in mandatory |
| Cookie banner | TKG 2021 Section 165 (analogous to the German TDDDG): opt-in for tracking cookies |
| Processing by a German service provider | Art. 28 GDPR + Section 5 DSG group rules where applicable |
5. AT Adaptations for a GDPR Kit
A GDPR kit suitable for an Austrian organization should cover:
- Privacy notice with AT-specific disclosures and ODSB complaint reference
- DPO appointment under Section 5 DSG (template plus contract)
- Record of processing activities (RoPA) with AT-typical processing activities (social insurance reporting, ÖGK)
- Video surveillance concept under Section 12 DSG (signage and 72h default)
- Employee data protection agreement under Section 11 DSG
- ODSB complaint-handling workflow
- Research and statistics clauses under Section 7 DSG (universities, R&D departments)
Summary
Austrian companies cannot simply adopt a German GDPR kit. The DSG diverges materially on DPO triggers, employee data protection, and video surveillance. A combined DACH approach must include AT-specific modules covering ODSB practice, DSG sections, and Austrian retention rules. The cooperative ODSB stance is an opportunity for early-mover compliance — but EU fine maxima still apply.
Sources
- Regulation (EU) 2016/679 (GDPR) — full text, EUR-Lex (As of: 02.05.2026, in force since 25.05.2018)
- European Commission — data protection main page (As of: ongoing)
- EDPB annual report 2023 (executive summary) (As of: 08.2024)
- European Commission — Digital Omnibus press release (As of: 02.05.2026, trilogue ongoing)