Austrian legislators have made use of the opportunity to establish derogating regulations from the GDPR (‘opening clauses’). Thus, in the Austrian Data Protection Act (DSG), a child’s consent to an offer from information society services is lawful if the child has already reached the age of fourteen (§ 4 (4) DSG). Under the broad concept of ‘image recordings’, legislators have made regulations on video surveillance in § 12 f DSG. Likewise, data processing standards for specific purposes (e.g. processing in the public interest for archiving, scientific or historical research purposes as well as for statistical purposes and in case of emergency) are included in the DSG.

A substantial difference to the GDPR is found in § 4 (4) DSG. According to this regulation, immediate erasure is not necessary if, for economic or technical reasons, it is only possible at certain times. In this case, processing of the personal data concerned shall be restricted by that time, with the effect as stipulated in Art. 18 (2) GDPR. It remains to be seen how the ECJ will assess this provision and whether it is compatible with the GDPR.

In the following, you will find the additions and derogations from the GDPR on the most important topics of personal data protection that companies need to know. If topics are not linked, there are no derogating or specifying provisions in the national data-protection law.

  1. Specific data protection law and official guidelines
  2. Material and territorial scope
  3. Definitions
  4. Legal principles
  5. Legal basis
  6. Sensitive data
  7. Information requirements
  8. E-marketing (new regulation by ePrivacy Regulation remains to be seen)
  9. Online data protection (new regulation by ePrivacy Regulation remains to be seen)
  10. Automated decision-making
  11. Rights of data subjects
  12. Processing on behalf of a controller
  13. Records of processing activities
  14. Data security
  15. Data breaches
  16. Data protection impact assessment (DPIA)
  17. Data protection officer
  18. Certification
  19. Data transfer
  20. Supervisory authorities
  21. Sanctions and penalties
  22. Data protection for employees
  23. Archiving, scientific and historical research