Skip to content
GDPR by Law

European Union · updated 2026-06-15

Austria

Conditional

Austria is the home of Max Schrems and noyb — the DSB's Google Analytics ruling triggered the EU-wide transfer crisis. Expect sophisticated, activist-driven complaints here, especially about US tools and consent dark patterns.

Law:
GDPR + DSG (Datenschutzgesetz) + TKG 2021
Regulator:
DSB (Datenschutzbehörde)

Cookie consent

Opt-in required

Breach deadline

72 hours

DPA with vendors

Required

Max fine

€20,000,000 or 4% of global annual revenue, whichever is higher

What Austria requires

Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.

  1. Privacy policy (Datenschutzerklärung)

    Art. 13–14 GDPR

    German-language privacy notice for consumer services, naming the DSB as complaint authority.

    How to implement Austrian e-commerce law (ECG §5) also requires an imprint like Germany's — add an /impressum page to avoid the same cease-and-desist exposure.

    Required
  2. Cookie consent banner

    §165 TKG 2021

    Opt-in with first-layer rejection and prior blocking; noyb has filed hundreds of complaints against Austrian and EU sites with non-compliant banners.

    How to implement Assume your banner will be tested by privacy activists: equal-prominence reject, no colour nudging, working withdrawal link. noyb's complaint templates are effectively the audit checklist.

    Required
  3. Records of processing (ROPA)

    Art. 30 GDPR

    Standard register of processing activities in German or English.

    How to implement First document the DSB requests; keep transfer entries current given Austria's transfer-litigation history.

    Required
  4. Data protection officer

    Art. 37 GDPR

    GDPR-baseline thresholds only.

    How to implement If appointed, publish contact details and notify the DSB.

    Conditional
  5. Breach notification process

    Art. 33–34 GDPR

    72-hour DSB notification plus individual notification for high-risk breaches.

    How to implement Use the DSB's German-language web form; a preliminary report inside 72 hours with follow-up is accepted.

    Required
  6. Transfer impact assessment for US vendors

    Ch. V GDPR

    Austria produced the first Google Analytics transfer ruling. Post-DPF the position has eased, but transfer mapping remains the expected baseline.

    How to implement List every non-EEA vendor, record its DPF certification or SCCs, and reassess when frameworks change — Schrems III challenges are widely expected.

    Recommended

The details

Cookie consent
§165 TKG 2021 requires opt-in consent for non-essential cookies. Austrian courts and the DSB scrutinise 'Pur-Abo' models (pay or consent) and dark patterns — reject must be a genuine first-layer option.
Data Protection Officer
GDPR baseline thresholds; no lower national threshold. Publish contact details and inform the DSB when appointed.
Processing agreements
Art. 28 GDPR agreements required with all processors. Post-Schrems II, Austrian counterparties commonly demand transfer-impact assessments alongside the DPA.
Breach notification
Notify the DSB within 72 hours via its web form; document all breaches internally regardless of notification.
Enforcement in practice
Österreichische Post was fined €18M (2019, later reduced on appeal) for profiling citizens' political affinities and selling the data — and the DSB's 2022 Google Analytics decision reshaped EU-US transfer practice.

Data subject rights

What users can demand from you in Austria, and the engineering that satisfies each right.

Right to access

Art. 15 GDPR

Copy of personal data and processing details within one month.

Austrian complainants are unusually well-drafted (noyb publishes templates); answer completely the first time to avoid escalation.

Right to erasure

Art. 17 GDPR

Deletion when data is no longer necessary or consent withdrawn.

Austrian corporate law requires 7-year retention of business records (§212 UGB) — cite it for financial data.

Right to data portability

Art. 20 GDPR

Machine-readable export of user-provided data.

JSON/CSV export for consent- and contract-based processing.

Right to rectification

Art. 16 GDPR

Correction of inaccurate personal data.

Self-service edits plus a support path.

Right to restrict processing & to object

Art. 18, 21 GDPR

Freeze during disputes; absolute objection to direct marketing.

Austria's Robinson list covers postal marketing; telemarketing requires prior consent under TKG.

Automated decision-making

Art. 22 GDPR

Protection against solely automated significant decisions.

The Post profiling case shows inferred attributes (like political affinity) are personal data — disclose profiling and provide objection routes.

Tools that cover Austria

Services we'd shortlist for this jurisdiction. Links may be affiliate links.

  • cookie consent

    Usercentrics

    DACH-market CMP with German-language banners tuned to TKG and activist-proof configurations.

    Visit Usercentrics →
  • privacy policy

    iubenda

    German-language Datenschutzerklärung and imprint generation for the Austrian market.

    Visit iubenda →
  • dpa template

    Termly

    DPA templates with SCC modules for the transfer paperwork Austrian counterparties expect.

    Visit Termly →

Frequently asked questions

Why does Austria punch above its weight in GDPR enforcement?

noyb — Max Schrems' Vienna-based NGO — files strategic complaints that become landmark rulings (Schrems I and II invalidated two EU-US transfer frameworks; the DSB's Google Analytics decision followed a noyb complaint). Compliance gaps in Austria attract expert adversaries, not just regulators.

Are 'pay or consent' subscription models legal in Austria?

Austrian decisions accepted newspaper 'Pur-Abo' models under conditions (reasonable price, genuine choice), and the question is now contested EU-wide after the EDPB's 2024 opinion on Meta. If you offer one, price it credibly and document the equivalence of the tracking-free option.

Can I use Google Analytics in Austria?

The DSB's 2022 ruling found GA3's US transfers unlawful pre-DPF. With the Data Privacy Framework in force, GA4 behind opt-in consent with EU data settings is defensible — but Austria is where the next legal challenge will likely originate, so keep an exit option.

Does Austria require an Impressum like Germany?

Yes — §5 ECG requires commercial sites to identify the operator. Same fix as Germany: one imprint page linked from the footer.

Similar jurisdictions

Free download

Get GDPR updates for Austria

A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.

No spam. Unsubscribe anytime — we practice what we document.