Data protection impact assessment (DPIA) under Autrian law

DPIA list of the Austrian supervisory authority

In May 2018, according to Art. 35 para. 5 GDPR, the DSB issued a ‘Data protection impact assessment exception ordinance (DPIA-EO), a so-called ‘white-list’, which came into force on 25 May 2018.

The so-called ‘black-list’ was published on 9 November 2018 with the ‘Data protection authority ordinance on processing operations for which a data protection impact assessment is to be conducted (DPIA-P)’ and entered into force on 10 November 2018.

The regulations for the DPIA and corresponding explanations are available (in German) on the DSB website at the following link:


A derogation from the Austrian blacklist does not stipulate the need of a DPIA for certain types of processing in connection with employment if there is a company agreement or valid approval from the personnel representatives.

Processing operations according to the 3rd main section of the DSG (§§ 36 ff; Processing of personal data for security police purposes, including state protection by the police, military self-defence, the investigation and prosecution of criminal offenses, the enforcement of sentences and of precautionary measures) are not covered by the DPIA-P.

Contact us!

Secure the knowledge of our experts!

Subscribe to our free newsletter: