Data Protection Authority
The Austrian Data Protection Authority (DSB) is the central supervisory authority for the protection of personal data in Austria. It monitors compliance with the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG), decides on complaints, initiates review proceedings, imposes sanctions, and represents Austria on the European Data Protection Board. Its task is to safeguard fundamental rights, prevent abuse, and oblige companies and authorities to comply with data protection obligations.
The Data Protection Authority is the state supervisory authority for the protection of personal data in Austria.
Tasks and Responsibilities
The Data Protection Authority undertakes a broad range of activities, all of which serve to protect personal data:
- Processing of complaints from data subjects
- Conducting ex officio review proceedings
- Decision in administrative penal proceedings and imposition of fines
- Receipt and control of notifications of data breaches
- Approval procedures, for example for codes of conduct or certification bodies
- Opinions on draft laws
This makes it the central point of contact for data subjects, companies, and data protection officers alike.
Definition of Data Protection
Data protection is the fundamental right to decide for oneself who may process which information about oneself. Personal data is any information that relates to a specific person or makes a person identifiable, such as name, address, telephone number, or email address, but also photos, IP addresses, or health data.
Data protection does not mean that no data may be processed. It means that processing is only permitted under clear legal conditions and that data subjects have extensive rights. These rights protect against abuse and give the possibility to exercise control over one’s own data.
Rights of Data Subjects
Every person can demand that their fundamental right to data protection be respected and, if necessary, call on the Data Protection Authority to enforce it. The GDPR provides a clear set of rights for this purpose:
- Right to information: Before any data processing, data subjects must be clearly and fully informed.
- Right to access: Every data subject may find out what data is stored and for what purpose.
- Right to rectification and erasure: Incorrect data must be corrected, and unlawfully processed data must be deleted.
- Right to restriction of processing: Under certain conditions, processing may only be continued in a restricted manner.
- Right to object: An objection can be raised at any time against certain data processing.
- Right to data portability: Data subjects may request that their data be transferred to themselves or to another company in a common format.
- Right to protection against automated decisions: No one should be subject to a decision with legal or similarly significant effects that is based solely on automated processing.
These rights are not only theoretical in nature, but can be enforced – if necessary, in complaint proceedings before the Data Protection Authority.
Obligations of Companies
Companies and authorities are obliged to implement data protection not only on paper, but in practice. The essential obligations include:
- Legal basis of processing: Every data processing must be based on a legal basis, such as consent or a contract.
- Transparency obligations: Data subjects must be clearly informed what happens to their data.
- Technical and organizational measures (TOMs): IT security and organizational processes must be designed in such a way that data is protected against loss, misuse, or unauthorized access.
- Records of processing activities: Companies must document in a comprehensible manner which data they process.
- Notification of data breaches: Security incidents must be reported to the Data Protection Authority without undue delay and, where feasible, within 72 hours of the company becoming aware of them.
- Carrying out data protection impact assessments: A detailed analysis must be carried out for high-risk processing.
Violation of the Protection of Personal Data
Under the GDPR, a violation of the protection of personal data (a personal data breach) is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data. This can occur through:
- Destruction, loss, or alteration of personal data
- Unauthorized access or disclosure – for example, through hacker attacks, sending data carriers to the wrong recipients, or insecure storage
- Accidental data release – e.g. through insecure storage or transmission
A breach exists regardless of whether the incident occurred intentionally or unintentionally.
Examples that can constitute such a violation:
- Data loss due to unencrypted files or USB sticks
- Hacker attack on customer databases
- Misdirected emails containing personal data
- Personal documents that are accidentally publicly accessible
Such incidents can lead directly to risks for data subjects, including identity theft, damage to reputation, or financial loss.
Proceedings before the Data Protection Authority
The procedure before the Data Protection Authority is formalized and can have various forms:
Complaint Procedure
Data subjects may lodge a complaint with the Data Protection Authority if they believe that someone is unlawfully processing their personal data. This procedure is comparatively low-threshold.
The process:
- The data subject submits a written complaint – either by form, email, or post.
- The Data Protection Authority checks whether the complaint is formally admissible.
- The respondent – usually a company or an authority – is asked to comment.
- This is followed by the investigation of the facts, if necessary with supplementary questions or hearings.
- At the end, there is a decision by the Data Protection Authority, with which it either rejects the complaint or grants it and orders remedial measures.
For data subjects, this procedure is the most important way to enforce their rights under the GDPR.
Ex Officio Reviews
The Data Protection Authority is not only dependent on complaints, but can also act ex officio. This happens in particular when there is evidence of systematic violations or security gaps.
Special features:
- The procedure begins without an application from a data subject.
- Reporting persons have no party status and are not informed about the result.
- The Data Protection Authority independently checks whether violations exist and orders measures if necessary.
Ex officio reviews have a strong preventive effect, as they increase the pressure on companies and authorities to ensure data protection not only reactively, but continuously.
Administrative Penal Proceedings
If the Data Protection Authority determines a violation, it can initiate administrative penal proceedings. The aim is to oblige companies and public bodies to remedy violations and impose noticeable sanctions.
Possible sanctions are:
- Fines of up to 20 million euros or 4% of the worldwide annual turnover, whichever is higher,
- Orders to stop or adjust data processing,
- Warnings and conditions.
The amount of a fine depends on the severity and duration of the violation and on whether it was committed intentionally or negligently. Previous violations or cooperative behavior in the proceedings also play a role.
Peter Harlander, Harlander & Partner Rechtsanwälte: "Anyone who takes proceedings before the Data Protection Authority lightly risks not only high fines, but also the loss of trust and reputation."
Legal Remedies
Decisions of the Data Protection Authority are issued as formal administrative rulings (Bescheide). Those affected can appeal against these rulings to the Federal Administrative Court (BVwG).
- The BVwG reviews the decision in legal and factual terms.
- Under certain circumstances, an appeal against its decision to the Administrative Court (VwGH) or a complaint to the Constitutional Court (VfGH) is possible.
This ensures that decisions of the Data Protection Authority are subject to multi-stage judicial control.
International Dimension
Data protection is no longer a national issue. The Data Protection Authority works with other European supervisory authorities and is part of the
Freedom of Information
In addition to data protection, freedom of information is also gaining in importance. With the new Freedom of Information Act (IFG), the Data Protection Authority will in future take on the role of a contact partner for questions of transparency and for access to official information.
These obligations are not optional. Failure to comply with them regularly leads to investigations and, in extreme cases, to heavy fines.
Your Benefits with Legal Assistance
Proceedings before the Data Protection Authority involve considerable challenges for both data subjects and companies. Data subjects risk not being able to fully enforce their rights without professional support. Companies, in turn, are faced not only with high fines, but also with damage to their image and costly adjustments to their processes. In addition, the procedures are highly formalized and contain complex legal requirements that are difficult to manage without professional support.
Legal support from a specialized law firm provides security and ensures that your interests are professionally represented from the outset. You benefit from sound experience in data protection law and consistent representation before the authority.
- checks whether the respective legal topic is applicable in your case
- accompanies you through the entire proceedings
- ensures legally compliant design and implementation of all necessary steps
- supports in the calculation, enforcement or defense of claims
- protects your rights and interests against all parties involved
Sebastian Riedlmair, Harlander & Partner Attorneys: "Data protection is often underestimated, yet the right strategy in dealing with the Data Protection Authority decides between success and failure."