National Data Protection Law

Supplements the GDPR and ensures the proper implementation of the Regulation in Austria. It was published on 31 July 2017 and went into effect on 25 May 2018. This law provides comprehensive data protection rights to individuals in line with the without diverting much from the GDPR strict rules. It lowers the consenting age of minors to 14 years of age in the context of the offering of information society services and includes specific provisions on the processing of information revealing criminal records.

Overview

In Austria, there is a general requirement under the General Data Protection Regulation for data controllers to notify personal data breaches to their regulator and in cases of likely high risk to the rights and freedoms of natural persons, also to them.

Is it Mandatory to Notify Individuals?

Yes, if the personal data breach is likely to result in a high risk to their rights and freedoms.

Is it Mandatory to Notify Regulator?

Yes, if the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.

Notification Deadline

72 hours

Responsible Regulator

Austrian Data Protection Authority
Österreichische Datenschutzbehörde
Hohenstaufengasse 3
1010 Wien

Tel. +43 1 531 15 202525
Fax +43 1 531 15 202690
E-mail: [email protected]
Website: https://www.dsb.gv.at/

Breach Notification Format

Minimum requirements: nature of the breach, categories and approx. number of data subjects concerned, name and contact details of the DPO, likely consequences, measures taken/proposed to be taken. Austrian regulator provides a non-binding PDF notification form that covers a broader range of questions.