Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last reviewed: 27 December 2024

Data Privacy

The Austrian Data Protection Authority (https://www.dsb.gv.at/) ("Austrian DPA").

Cybersecurity

The Federal Chancellor, the Federal Minister of the Interior, the Federal Minister of Defence and the Federal Minister for Europe, Integration and Foreign Affairs share the regulator's competences within their respective spheres of responsibility (https://www.nis.gv.at/kontakt.html). Currently, enforcement of cybersecurity laws lies with the Austrian regional administrative authorities (together the "Austrian NIS-Authorities").

How active is each of the regulator(s)?

Last reviewed: 27 December 2024

Austrian DPA

  • Very active

Austrian NIS-Authorities

  • Not very active

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last reviewed: 27 December 2024

Austrian DPA

We expect the Austrian DPA to focus its rather limited resources on large players in the Austrian market, in particular on companies using personal data for marketing purposes. However, since NOYB, the NGO founded by the data protection activist Max Schrems, is based in Austria, proceedings initiated by this NGO have recently also been brought increasingly against smaller players in the Austrian market.

Further, we anticipate that the Austrian DPA will focus its enforcement activities in the coming year on automated decision-making within the meaning of Art. 22 GDPR and on artificial intelligence.

Austrian NIS-Authorities

Since the Austrian NIS-Authorities have shown little enforcement activity in recent years, and since we anticipate a change of competence through the transposition of NIS2 into Austrian national law, we do not anticipate any particular enforcement priorities of the current Austrian NIS-Authorities for the next year.

What trends are you seeing in regulatory investigations relating to data & cyber?

Last reviewed: 27 December 2024

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

  • Increasing

Class actions/group actions under data or cyber regulation are:

  • Increasing

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last reviewed: 27 December 2024

There are:

  • administrative remedies/civil penalties imposed by regulators and law enforcement
    • Data protection: Administrative fines under the GDPR can amount to up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
    • NIS2: Fines for essential entities can amount to up to EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (for important entities, up to EUR 7 million or 1.4%, whichever is higher).
    • DORA provides for various administrative sanctions and remedial measures (e.g. an obligation to terminate the contract with an ICT third-party service provider). There is no separate catalogue of fines; however, the Lead Overseer may impose on critical ICT third-party service providers a periodic penalty payment of up to 1% of their average daily worldwide turnover in the preceding business year, applied for each day of non-compliance.
  • criminal penalties from regulators and law enforcement
    • Pursuant to Sec. 63 of the Austrian Data Protection Act, using, disclosing or publishing personal data with the intention of making a profit or causing harm, where the data subject has an interest in confidentiality deserving protection, is a criminal offense if the data:
      • has been entrusted to or has become accessible to the offender solely because of their professional occupation; or
      • has been acquired unlawfully.
      Such acts are punishable by imprisonment of up to one year or by a fine of up to 720 daily rates.
    • In addition, other criminal offenses may also be relevant, e.g., the abuse of access data: Sec. 126c of the Austrian Criminal Code stipulates that whosoever manufactures, imports, distributes, sells, otherwise makes accessible, procures or possesses a computer password, access code or comparable data with the intent that it be used to commit unlawful access to a computer system or part thereof shall be punished with imprisonment of up to six months or with a fine of up to 360 daily rates.
  • private remedies

    Individuals may, for example:
    • file complaints with the data protection authorities
    • claim damages for material or non-material damages
    Competitors may issue cease-and-desist letters and seek injunctive relief if the violating party does not sign a cease-and-desist declaration.
  • other
    Works councils can apply for preliminary injunctions preventing employers from putting data processing systems into operation.
If data subjects have private remedies, what form can these remedies take?

Last reviewed: 27 December 2024

  • individual personal actions
  • representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)
  • class actions