European Union · updated 2026-06-15
Austria
Austria is the home of Max Schrems and noyb — the DSB's Google Analytics ruling triggered the EU-wide transfer crisis. Expect sophisticated, activist-driven complaints here, especially about US tools and consent dark patterns.
- Law:
- GDPR + DSG (Datenschutzgesetz) + TKG 2021
- Regulator:
- DSB (Datenschutzbehörde)
Cookie consent
Opt-in required
Breach deadline
72 hours
DPA with vendors
Required
Max fine
€20,000,000 or 4% of global annual revenue, whichever is higher
What Austria requires
Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.
-
Privacy policy (Datenschutzerklärung)
Art. 13–14 GDPRGerman-language privacy notice for consumer services, naming the DSB as complaint authority.
How to implement Austrian e-commerce law (ECG §5) also requires an imprint like Germany's — add an /impressum page to avoid the same cease-and-desist exposure.
Required -
Cookie consent banner
§165 TKG 2021Opt-in with first-layer rejection and prior blocking; noyb has filed hundreds of complaints against Austrian and EU sites with non-compliant banners.
How to implement Assume your banner will be tested by privacy activists: equal-prominence reject, no colour nudging, working withdrawal link. noyb's complaint templates are effectively the audit checklist.
Required -
Records of processing (ROPA)
Art. 30 GDPRStandard register of processing activities in German or English.
How to implement First document the DSB requests; keep transfer entries current given Austria's transfer-litigation history.
Required -
Data protection officer
Art. 37 GDPRGDPR-baseline thresholds only.
How to implement If appointed, publish contact details and notify the DSB.
Conditional -
Breach notification process
Art. 33–34 GDPR72-hour DSB notification plus individual notification for high-risk breaches.
How to implement Use the DSB's German-language web form; a preliminary report inside 72 hours with follow-up is accepted.
Required -
Transfer impact assessment for US vendors
Ch. V GDPRAustria produced the first Google Analytics transfer ruling. Post-DPF the position has eased, but transfer mapping remains the expected baseline.
How to implement List every non-EEA vendor, record its DPF certification or SCCs, and reassess when frameworks change — Schrems III challenges are widely expected.
Recommended
The details
- Cookie consent
- §165 TKG 2021 requires opt-in consent for non-essential cookies. Austrian courts and the DSB scrutinise 'Pur-Abo' models (pay or consent) and dark patterns — reject must be a genuine first-layer option.
- Data Protection Officer
- GDPR baseline thresholds; no lower national threshold. Publish contact details and inform the DSB when appointed.
- Processing agreements
- Art. 28 GDPR agreements required with all processors. Post-Schrems II, Austrian counterparties commonly demand transfer-impact assessments alongside the DPA.
- Breach notification
- Notify the DSB within 72 hours via its web form; document all breaches internally regardless of notification.
- Enforcement in practice
- Österreichische Post was fined €18M (2019, later reduced on appeal) for profiling citizens' political affinities and selling the data — and the DSB's 2022 Google Analytics decision reshaped EU-US transfer practice.
Data subject rights
What users can demand from you in Austria, and the engineering that satisfies each right.
Right to access
Art. 15 GDPRCopy of personal data and processing details within one month.
Austrian complainants are unusually well-drafted (noyb publishes templates); answer completely the first time to avoid escalation.
Right to erasure
Art. 17 GDPRDeletion when data is no longer necessary or consent withdrawn.
Austrian corporate law requires 7-year retention of business records (§212 UGB) — cite it for financial data.
Right to data portability
Art. 20 GDPRMachine-readable export of user-provided data.
JSON/CSV export for consent- and contract-based processing.
Right to rectification
Art. 16 GDPRCorrection of inaccurate personal data.
Self-service edits plus a support path.
Right to restrict processing & to object
Art. 18, 21 GDPRFreeze during disputes; absolute objection to direct marketing.
Austria's Robinson list covers postal marketing; telemarketing requires prior consent under TKG.
Automated decision-making
Art. 22 GDPRProtection against solely automated significant decisions.
The Post profiling case shows inferred attributes (like political affinity) are personal data — disclose profiling and provide objection routes.
Tools that cover Austria
Services we'd shortlist for this jurisdiction. Links may be affiliate links.
-
cookie consent
Usercentrics
DACH-market CMP with German-language banners tuned to TKG and activist-proof configurations.
Visit Usercentrics → -
privacy policy
iubenda
German-language Datenschutzerklärung and imprint generation for the Austrian market.
Visit iubenda → -
dpa template
Termly
DPA templates with SCC modules for the transfer paperwork Austrian counterparties expect.
Visit Termly →
Frequently asked questions
Why does Austria punch above its weight in GDPR enforcement?
noyb — Max Schrems' Vienna-based NGO — files strategic complaints that become landmark rulings (Schrems I and II invalidated two EU-US transfer frameworks; the DSB's Google Analytics decision followed a noyb complaint). Compliance gaps in Austria attract expert adversaries, not just regulators.
Are 'pay or consent' subscription models legal in Austria?
Austrian decisions accepted newspaper 'Pur-Abo' models under conditions (reasonable price, genuine choice), and the question is now contested EU-wide after the EDPB's 2024 opinion on Meta. If you offer one, price it credibly and document the equivalence of the tracking-free option.
Can I use Google Analytics in Austria?
The DSB's 2022 ruling found GA3's US transfers unlawful pre-DPF. With the Data Privacy Framework in force, GA4 behind opt-in consent with EU data settings is defensible — but Austria is where the next legal challenge will likely originate, so keep an exit option.
Does Austria require an Impressum like Germany?
Yes — §5 ECG requires commercial sites to identify the operator. Same fix as Germany: one imprint page linked from the footer.
Similar jurisdictions
Free download
Get GDPR updates for Austria
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.