- The following actions done deliberately and without authorization with regard to the personal data of a large number of people which are not publicly accessible shall be punishable with imprisonment of up to three years or a fine:
- transferring the data to a third party or
- otherwise making them accessible
for commercial purposes.
- The following actions done with regard to personal data which are not publicly accessible shall be punishable with imprisonment of up to two years or a fine:
- processing without authorization, or
- fraudulently acquiring
and doing so in return for payment or with the intention of enriching oneself or someone else or harming someone.
- 1 Such offences shall be prosecuted only if a complaint is filed. 2 The data subject, the controller, the Federal Commissioner and the supervisory authority shall be entitled to file complaints.
- A notification pursuant to Article 33 of Regulation (EU) 2016/679 or a communication pursuant to Article 34 (1) of Regulation (EU) 2016/679 may be used in criminal proceedings against the person required to provide a notification or a communication or relatives as referred to in Section 52 (1) of the Code of Criminal Procedure only with the consent of the person required to provide a notification or a communication.