Data breaches under Austrian law

Notification of data breaches to the Austrian supervisory authorities

A data protection breach must be reported to the supervisory authority immediately and, if possible, within 72 hours after the controller has become aware of the breach. If the notification is made after 72 hours, the delay must be justified.

  • § 55 DSG refers to Art. 33 GDPR concerning the processing of personal data by competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or carrying out sentences, including the protection and prevention of threats to public security as well as for the purpose of national security, intelligence and the protection of military facilities by the armed forces.

The DSB provides an online form on its website for reporting data breaches.

Exceptions to notifying data subjects about data breaches

In accordance with Art. 34 GDPR, the controller must notify data subjects of breaches concerning their personal data.

Restrictions to the obligation of notifying data subjects of breaches

A provision on notification restrictions is included in § 56 para 2 DSG with regard to personal data processing by competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or the enforcement of sentences, including the protection and prevention of threats to public security, and for the purpose of national security, intelligence and military self-defence.

Accordingly, informing the data subject may be postponed, restricted or omitted if strictly necessary and proportionate in a specific case; in particular, this is the case for the prevention, detection or prosecution of criminal offenses and for the protection of public and national security.