Austria - Data Breach Guide

Published on Oct 26, 2019

  1. AUSTRIA (1)

    1. In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

      1.1 Pursuant to Article 34 (1) General Data Protection Regulation (GDPR) the controller must immediately notify natural persons (data subjects) in an appropriate manner if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. There are three exemptions from the obligation to notify individuals:
        • if the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
        • if the controller has taken subsequent measures which ensure that the high risk is no longer likely to materialize;
        • if notifying individuals would involve a disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

      1.2 Pursuant to Article 33 (1) GDPR the controller must notify the competent DPA within 72 hours after having become aware of a personal data breach.

    2. Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

      2.1 The controller must notify the DPA and/or individuals according to Article 33 (1) and Article 34 (1) GDPR (see clause 1.1 above). Personal data is any data relating to an identified or identifiable data subject.

      2.2 The obligation to notify a data breach according to Articles 33 and 34 GDPR only applies to the controller. However, the processor must notify the controller without undue delay after becoming aware of a personal data breach (Article 33 (2) GDPR).

    3. For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?

      3.1 The notification to the DPA must include at least:
        • the nature of the personal data breach, including (where possible) the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
        • the name and contact details of the data protection officer or other contact point where more information can be obtained;
        • a description of the likely consequences of the personal data breach;
        • a description of the measures taken or proposed to be taken by the controller to address the personal data breach.

      The communication to the data subjects concerned in case of a high risk must include at least:
        • the name and contact details of the data protection officer or other contact point where more information can be obtained;
        • a description of the likely consequences of the personal data breach;
        • a description of the measures taken or proposed to be taken by the controller to address the personal data breach.

      3.2 The notification to the DPA must be made within 72 hours after having become aware of the personal data breach. The communication to the data subjects concerned in case of a high risk must be made without undue delay.

      3.3 The Austrian DPA provides a template for notifying personal data breaches to the DPA. However, there is no obligation to use this template, so the controller can also send the relevant information by email.

    4. What are the penalties, fines, or risks in failing to notify, either by the DPA or in litigation?

      Pursuant to Article 83 (4) lit a) GDPR, a fine of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year can be imposed on the controller.

    5. Even if there is no current legal obligation to do so, or if there is no data controller or data processor in your country, is notification to individuals recommended in the event of a data breach of residents in your country (such as in credit card data breaches)?

      Not applicable.

    6. What are the applicable data protection laws or guidelines within your country?
        • General Data Protection Regulation
        • Austrian Data Protection Act

    7. Contact information for Data Protection Authority:

Name: Österreichische Datenschutzbehörde
Address: Barichgasse 40-42, 1010 Vienna, Austria
Telephone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at

For more information, contact:

Name: Johannes Juranek
Firm: CMS Austria
Address: Gauermanngasse 2, 1010 Vienna, Austria
Telephone: +43 1 40443/2450
Fax: +43 1 40443 92450
Email: johannes.juranek@cms-rrh.com
Website: www.cms-rrh.com

(1) Austria is a member state of the European Union. Please also refer to the section on the European Union for the general requirements according to the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR).