Privacy Laws

Austrian data protection compared to the GDPR

The flag of Austria with a blue sky, a lake and mountains in the background. — © mdworschak / stock.adobe.com | #372658970

General overview

Austria has utilized the option to enact regulations that deviate from the GDPR (so-called “opening clauses”). The Austrian Data Protection Act (DSG) contains specific provisions that differ from the GDPR.

GDPR opening clauses

Austria has availed of the GDPR's opening clauses to establish specific regulations for data processing in the public sector, data processing for scientific purposes, and data processing in the healthcare sector.

Key differences and national specifics

Consent of children

According to § 4 (4) DSG, a child's consent to an offer of information society services is lawful if the child has reached the age of fourteen. This differs from the GDPR, which sets a minimum age of sixteen.

Image recordings and video surveillance

Under the broad concept of “image recordings,” the legislator has introduced regulations for video surveillance in § 12 f DSG. This demonstrates Austria's particular emphasis on privacy protection concerning image and video recordings.

Data processing for specific purposes

The DSG contains specific standards for data processing for certain purposes, such as processing in the public interest for archiving, scientific, or historical research purposes, as well as for statistical purposes and in emergencies.

Immediate deletion of data

A significant difference from the GDPR can be found in § 4 (4) DSG. According to this provision, immediate deletion is not required if it is only possible at certain times for economic or technical reasons.

Compatibility with the GDPR

It remains to be seen how the European Court of Justice (ECJ) will assess this provision and whether it is compatible with the GDPR. Companies should be aware of these differences and ensure compliance with all relevant data protection provisions.

Conclusion

Austria has specific regulations in its Data Protection Act that differ from the GDPR. Companies operating in Austria or engaging in business with Austrian citizens should ensure that they fully understand and comply with both the GDPR and Austrian data protection law.

Write email

Group	external media
Name	Calendly
Technical name	_cf_bm,__cfruid,OptanonConsent
Provider	Calendly LLC
Expire in days	365
Privacy policy	https://calendly.com/privacy
Use	To arrange appointments via the provider Calendly.
Allowed
Group	essential
Name	Contao CSRF Token
Technical name	csrf_contao_csrf_token
Provider	Contao
Expire in days	0
Privacy policy
Use	Serves to protect the website from being falsified by cross-site requests. The cookie is deleted again after the browser is closed.
Allowed
Name	Contao HTTPS CSRF Token
Technical name	csrf_https_contao_csrf_token
Provider	Contao
Expire in days	0
Privacy policy
Use	Used to protect the encrypted website (HTTPS) from being falsified by cross-site requests. The cookie is deleted again after the browser is closed.
Allowed
Name	PHP SESSION ID
Technical name	PHPSESSID
Provider	Contao
Expire in days	0
Privacy policy
Use	Cookie from PHP (programming language), PHP data identifier. Contains only a reference to the current session. No information is stored in the user's browser and this cookie can only be used by the current website. This cookie is mainly used in forms to increase user-friendliness. Data entered in forms is stored for a short time, for example, if the user makes an input error and receives an error message. Otherwise, all data would have to be entered again.
Allowed
Name	FE USER AUTH
Technical name	FE_USER_AUTH
Provider	Contao
Expire in days	0
Privacy policy
Use	Saves a visitor's information as soon as they log in to the frontend.
Allowed