Data Protection Enforcement in Austria

Administrative Remedies

The Austrian Data Protection Authority (DPA) has the power to investigate complaints and cases, and to order the suspension of processing and/or transfer of data, as well as destruction of data; these orders can be appealed to the Federal Administrative Court. Administrative penalties for infringement of Austrian Data Protection Act amount to fines of up to €10,000 (for negligent violations) or up to €25,000 (for willful violations).

Civil Remedies

Individuals can file complaints with the DPA, and can seek a judicial remedy, including an injunction, for violations of the law. In case of employee data protection violations, the works councils, if one exists, can obtain a preliminary injunction from the Employment Court. Furthermore, damages can be sought according to general civil law.

Criminal Remedies

The Austrian Data Protection Act provides a criminal sanction of up to 1 year imprisonment in case of intentional misuse or intentional unauthorized transfer of such data to third parties. In addition, the Austrian Criminal Code envisages criminal sanctions for illegal access to computer systems (hacking), abusive interception of data, data damaging (illegally changing, deleting or making data unusable), misuse of computer programs or fraudulent misuse of data processing.

Other Remedies

Infringement of the provisions of the Austrian Data Protection Act may allow consumer protection organizations as well as competitors to obtain an injunction under the Austrian Act against Unfair Competition. Furthermore, press coverage of infringements of data protection law may lead to serious damage to reputation.

Selected Enforcement Actions / General Comments

Administrative sanctions are not imposed by the DPA but by local authorities. In the city of Vienna, there are approx. 40 proceedings per year in which sanctions are imposed. As regards criminal sanctions, there has, so far, only been a single case that was publicly reported. Private enforcement has recently received significantly more attention. In July 2014, Max Schrems filed a quasi-class action a social media company in the Commercial Court Vienna. More than 25,000 users of the social media platform from all around the world had assigned him their rights to claim damages from the social media company for various alleged privacy violations. Currently, the Commercial Court Vienna is still considering social media company’s arguments against Austria’s international jurisdiction. This case illustrates that private enforcement can be a very significant risk for high-profile corporations.