Legislation

In order to implement the opening clauses of the GDPR, two amendments to the Data Protection Act (the ‘Data Protection Adjustment Act 2018’ and the ‘Data Protection Deregulation Act 2018’) were passed in Austria. The Data Protection Adjustment Act also serves to implement the data protection directive for police and the judiciary (DSRL-PJ).

The Data Protection Adjustment Act 2018 and the Data Protection Deregulation Act 2018 were published respectively in Federal Law Gazette I No. 120/2017 and Federal Law Gazette I No. 24/2018.

The legislative proposal of the Data Protection Adjustment Act 2018 was adopted on 29 June 2017 in the 190th session of the National Council. On 6 July 2017, the Federal Council decided not to appeal the federal law.

On 31 July 2017, the law was announced in the Bundesgesetzblatt (BGBl), Federal Law Gazette I No. 120/2017.

Already in March 2018, the Data Protection Act was amended by the Data Protection Deregulation Act 2018. This law was passed on 20 April 2018 in a third reading by the National Council. On 26 April 2018, the Federal Council did not object to the law. On 15 May 2018, the federal Law was published in the Federal Law Gazette I No. 24/2018.

Both laws came into force on 25 May 2018. This was followed by an amendment in Federal Law Gazette I No. 14/2019.

Therefore, since 25 May 2018, both the regulations of the General Data Protection Regulation and the Austrian Data Protection Act, as amended by the Data Protection Adjustment Act 2018 and the Data Protection Act 2018, are to be observed.

At the core of the new regulations is the Federal Act concerning the Protection of Personal Data of natural person (Data Protection Act – DSG).

As a result, the previously applicable DSG 2000 was stripped of the simple legislative provisions; the constitutional provisions (in particular the fundamental right to data protection in accordance with § 1 DSG) remain in force.

The DSG is divided into five main sections:

  • 1st main section – Implementation of the General Data Protection Regulation and supplementary regulations
  • 2nd main section – Institutions (of data protection),
  • 3rd main section – Implementation of the DSRL-PJ,
  • 4th main piece – Special penal provisions
  • 5th main section – Final provisions

The Austrian Data Protection Act (DSG) in its current version is available (in English) on the homepage of the federal Legal Information System (RIS) at the following link.

  • § 1 ff DSG are constitutional provisions.

The original ministerial draft (322/ME XXV. GP) of the Data Protection Adjustment Act 2018 intended to abolish the fundamental right to data protection, which has been a cornerstone in Austria since the Data Protection Act 1978 as a constitutional provision in § 1 DSG and was previously valid for everyone.

In the future, this should only apply to natural persons.

The necessary 2/3 majority in the National Council was not reached to make this change. Consequently, in accordance with § 1 DSG, the fundamental right to data protection still applies to everyone, and thus also to legal persons.

Guidelines of the supervisory authority

The website of the Austrian Data Protection Authority provides an overview of regulations, national laws, decisions of the supervisory authority as well as a supervisory authority guideline, which is available at the following link:

https://www.data-protection-authority.gv.at/

The guideline is a summary of the GDPR and should also serve as an aid to answer specific questions.