Publication 13 May 2025 · International

GDPR Enforcement in Austria

Deep dive into relevant data protection enforcement cases and insights from Austria


Main takeaways
€16 Million Fine Upheld Against Austrian Post: The highest fine to date – €16 million – was upheld against Österreichische Post AG after the ECJ clarified that GDPR fines can be imposed directly on legal entities (however, this decision is not final).
Class Actions on the Rise: GDPR-related class actions are gaining traction in Austria. The consumer association VKI and NGO noyb (officially recognized as a ‘Qualified Entity’ under the EU Representative Actions Directive) are actively pursuing collective redress actions for data protection violations.
Fines Outweigh Civil Damages – But Litigation is Growing: Fines imposed by the DPA generally exceed civil damages awarded by courts. However, litigation before civil courts is increasing and expected to grow further, especially in light of recent ECJ case law clarifying non-material damages.
Focus on Telecom, Media & Public Authorities: The DPA has recently targeted telecom companies (especially regarding DPO roles and third-country data transfers), imposed fines on media companies for lack of cooperation, and plans to audit regional police directorates in 2025 with a focus on the right to erasure and on the modalities for exercising data subject rights in general.
Managing Directors Cannot Be DPOs: The Austrian DPA has clarified that managing directors cannot simultaneously act as Data Protection Officers, as it undermines independence – resulting in fines for companies breaching this rule.
Public Entities Cannot Be Fined – But Can Face Civil Liability: While public authorities are exempt from administrative fines, they can be liable for civil damages. In 2024, the City of Baden was ordered to pay €500 per affected individual after a data breach exposed 33,000 records – significant liability potential even without proven misuse.
Internal Fine Calculation, Guided by EDPB Model: Austria lacks a publicly available fine calculation model, but the DPA uses an internal framework now aligned with EDPB guidelines. Nevertheless, fine amounts remain discretionary and often face reductions by the Federal Administrative Court.
Increasing Procedural Volume & Fining Activity: After years of legal uncertainty due to ECJ referrals, fining activity has surged again – 214 procedures were completed in 2024, with 62 resulting in fines totaling around €1.7 million.

Fining practice

Trend: Have the national data protection authorities in Austria focused on certain types of non-compliance with data protection law so far or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees - possibly also due to - Covid related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?

The Austrian data protection authority (“Datenschutzbehörde” – “DPA”) conducted in-depth audits of corporations in the telecom sector last year. The authority focused in particular on compliance with the general obligations for the processing of personal data, the security of data processing and the transfer of personal data to third countries. The DPA also examined the position of the Data Protection Officer (“DPO”) within the telecommunications industry.

One of the highest fines in 2024, EUR 15,200.00, was imposed on a media company that did not respond to repeated requests from the DPA to comment on complaints, thereby violating the obligation to cooperate under Art. 31 GDPR. The media company lodged an appeal before the Federal Administrative Court. That decision is still pending, but the Federal Administrative Court has already confirmed criminal liability under Art. 31 GDPR for a lack of cooperation on multiple occasions (see DSB 02.01.2024, 2023-0.849.065).

The Austrian Data Protection Authority (DPA) regularly conducts annual audits targeting specific sectors such as banks, hospitals, or insurance companies, each year focusing on selected GDPR provisions — for example, in 2024, the right of access. For 2025, the DPA announced that its focus will be on the regional police directorates, reviewing compliance with the GDPR and Chapter 3 of the Austrian Data Protection Act, which implements Directive (EU) 2016/680. The investigations begin with requests for records of processing activities and detailed questionnaires addressing both general and law enforcement–specific data protection practices. These procedures may include oral hearings and on-site inspections. A particular emphasis is placed on the right to deletion under Article 17 GDPR and on the modalities for exercising data subject rights, guided by a coordinated questionnaire developed within the framework of the European Data Protection Board’s Coordinated Enforcement Framework (CEF).

Another examination by the DPA in 2024 concerned a company that appointed a managing director as data protection officer at the same time. The authority found that this meant that the data protection officer was unable to carry out independent monitoring. The company had therefore appointed an unsuitable person as data protection officer and thus violated Art. 38 (6) GDPR. A fine of EUR 5,000 was imposed.

Overall, what was the most significant fine in Austria to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?

As reported last year, the DPA imposed a fine of EUR 18 million on the Austrian Postal Service (“Österreichische Post AG”) in October 2019. This penalty did not become final: the Austrian Postal Service appealed the decision, and the Austrian Federal Administrative Court overturned the penalty due to a formal error. The DPA lodged an official appeal against this decision (case number Ra 2020/04/0187) with the Austrian Supreme Administrative Court (“VwGH”). The VwGH paused these proceedings to await the decision of the ECJ in the Deutsche Wohnen SE case on the liability of legal persons under the GDPR. The ECJ has since held that legal entities are liable for infringements even where no management body or managing director is responsible for the infringement but “any” employee is; culpable conduct by that person is, however, still required.

Based on this ECJ decision, the VwGH found that the Federal Administrative Court should not have quashed the penalty simply because the DPA could not name the natural person responsible for the damage. The decision of the Federal Administrative Court was therefore unlawful and was annulled by the VwGH. On 27 December 2024, the Federal Administrative Court decided again on this appeal and imposed a fine of EUR 16 million on the Austrian Postal Service. This decision is not final, as the Austrian Postal Service has already lodged an official appeal against it with the VwGH and a complaint with the Constitutional Court (“VfGH”).

Organisation of authorities and course of fine proceedings in Austria


How is the data protection authority organised in Austria? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

There is only one DPA responsible for enforcing the GDPR and the Austrian Data Protection Act (“Datenschutzgesetz” – “DSG”) in Austria.

The DPA is a federal authority assigned to the Ministry of Justice. With some 70 employees, it may be considered a small to medium-sized authority compared to other authorities in Austria. The DPA has an annual budget of around EUR 5.7 million.

How does a fine procedure work in Austria? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

The DPA may directly impose fines as part of administrative criminal proceedings. Administrative criminal proceedings are governed by the Austrian Administrative Penal Act (“Verwaltungsstrafgesetz" – “VStG”).

The procedure usually starts with a formal notification issued to the party concerning the opening of penal proceedings (often as a result of ongoing general administrative proceedings in which the data protection authority has requested and received information from the controller/processor). The affected party has the right to comment on factual and legal aspects of the case before the data protection authority issues the penalty notice (“Strafbescheid”).

When the authority has completed the necessary investigations, the proceedings conclude either with a penalty notice, a discontinuation or an admonition. The proceedings are not open to the public.

The party concerned can lodge an appeal against the penalty notice; the appeal must be submitted to the DPA itself. The DPA may issue a preliminary appeal decision within two months of receiving the appeal, i.e. it may amend the decision it has issued or reject or dismiss the appeal. If the DPA does not issue a preliminary decision, it submits the appeal together with the case files to the Austrian Federal Administrative Court.

If the data protection authority issues a preliminary decision on the appeal, the party may, within two weeks of receiving the decision, request that the appeal be submitted to the Austrian Federal Administrative Court.

A party may lodge an appeal against decisions made by the Federal Administrative Court with the VwGH or with the Constitutional Court (“Verfassungsgerichtshof”), with the latter court only if the party believes that the decision violates constitutional rights.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?

The fines are transferred to the federal treasury.

Is there a common, official calculation methodology for fines in Austria (such as the fining models in the Netherlands or Germany)?

No, there is no official calculation method for fines in Austria that is publicly available. However, the DPA has internal guidelines for calculating fines. This internal guideline will now also be based on the European guidelines of the European Data Protection Board (“EDPB”).

On 16 May 2022 the EDPB published for consultation its guidelines on the calculation of fines under the GDPR. The guidelines include five steps for the calculation of fines: (1) Identifying the processing operations in the case and evaluating the application of Art 83 para 3 GDPR; (2) Finding the starting point for further calculation; (3) Evaluating aggravating and mitigating circumstances related to past or present behaviour of the data controller/processor and increasing or decreasing the fine accordingly; (4) Identifying the relevant legal maximums for the different processing operations, whereby increases applied in previous or next steps cannot exceed this amount; (5) Analysing whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness, and proportionality, as required by Art 83 para 1 GDPR, and increasing or decreasing the fine accordingly.

The guidelines are meant to harmonise the methodology for calculating fines for GDPR breaches and to increase transparency across the European Economic Area. As to their legal nature, EDPB guidelines are considered “soft law” and accordingly have no legally binding effect. However, national data protection authorities are expected to decide in compliance with the guidelines adopted at EDPB level, since the considerations set out in them were developed and adopted in cooperation with all members of the EDPB (thus including all European data protection authorities). In Austria, the DPA refers in its decisions to the EDPB guidelines when calculating the fines it imposes. Nevertheless, the authority points out that the exact determination of the amount of the penalty remains a discretionary decision under the Austrian Administrative Penal Act. Although the DPA's fine calculations are based on the EDPB guidelines, many of the fines it imposed were significantly reduced by the Austrian Federal Administrative Court in 2024. To protect the general preventive effect of fines, the DPA refers selected cases to the VwGH by way of official appeal.

Can public authorities be fined in Austria? If they can: Where does this money go?

According to Sec 30 para 5 Austrian Data Protection Act, administrative fines cannot be imposed on authorities and public entities, such as, in particular, entities established in a manner set out under public law as well as private law, entities acting on the basis of a statutory mandate, and public-law corporations.

However, civil liability for damages remains a possibility. In a notable case, the Regional Court of Wiener Neustadt ordered the City of Baden to pay damages for a data breach in March 2022. This ruling was recently confirmed by the Higher Regional Court of Vienna. The incident involved the early release of new Baden-Card features, despite incomplete IT configuration, which resulted in 33,000 data records — including personal and payment information — being accessible online for several days. Although no actual misuse or theft was proven, the court found that the fear and stress experienced by affected individuals justified compensation.

The Higher Regional Court reaffirmed that under the GDPR, liability for non-material damage does not require proof of actual harm — the mere risk of exposure and resulting emotional distress is sufficient. The court also clarified that the City of Baden could not transfer responsibility to its IT contractor, as it had knowingly launched a system with security gaps. This position aligns with the 2023 ECJ decision in case C-340/21, which confirmed that public bodies and companies can be held liable for data breaches even without concrete harm. While individual damages were set at €500, the financial impact could be substantial if all 33,000 affected individuals pursued claims — totaling up to €16.5 million.

In Austria, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

The DPA does not publish all fines imposed, nor the related procedural steps. A selection of the decisions made by the DPA can be accessed via the Federal Legal Information System (“Rechtsinformationssystem” – “RIS”), a database covering federal and state law as well as case law. The decisions are anonymised.

In addition, the DPA publishes a newsletter which addresses landmark cases and trends, on an anonymised basis.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?

The DPA publishes a "Data Protection Report" every year. In this report, the DPA provides information on the number of different proceedings conducted by it (i.e., individual complaint handling procedures (national/cross-border), data breach notification proceedings, approval of code of conducts, etc.). In addition, the DPA provides executive summaries of the, in its own view, most important decisions.

In 2021, 267 fining procedures were completed, with proceedings against natural persons constituting the majority of cases. 36 proceedings resulted in fines (11 against legal entities, 25 against natural persons) and 7 proceedings resulted in warnings. In total, the DPA imposed approximately EUR 24.7 million in fines for the year 2021.

In 2022, 122 fining procedures were completed, all of them against natural persons. In total, 28 fines and 7 warnings were issued, and the DPA imposed around EUR 50,000 in fines for 2022. This low figure is due to the preliminary ruling proceedings pending before the ECJ since 21 December 2021 (C-807/21, Deutsche Wohnen SE), which dealt with the question of the liability of legal entities; administrative procedures against legal entities were postponed until the ECJ ruled on this matter.

On 5 December 2023, the ECJ stated in its decision that it is possible to impose the administrative fines provided for in Art. 83 GDPR directly on legal entities (ECJ of 5 December 2023, C-807/21 Rs Deutsche Wohnen SE, para. 44). Therefore, many of the postponed procedures of legal entities were continued and decided in 2024. The figures from 2023 regarding imposed fines are therefore not truly indicative, as they are distorted by the high number of postponed proceedings.

In 2024, a total of 214 fining procedures were completed. 62 proceedings ended in fines. In total, the DPA imposed fines of around €1.7 million in 2024.

Other legal consequences of non-compliance in Austria

Does Austria have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

Austrian data protection law does not provide for any model declaratory proceedings/class actions. However, consumer protection associations are able to assert the rights held by consumers in court. It is unclear whether these consumer protection associations are also able to take on data protection law issues. The ECJ was due to rule in preliminary ruling proceedings (C-701/20, Avis Autovermietung Gesellschaft mbH) further to a request from the Austrian Supreme Court of Justice (“OGH”) (OGH 25 November 2020, 6 Ob77/20x) as to whether such consumer protection associations may litigate cases on the basis of the GDPR and national data protection laws.

In May 2022, the OGH withdrew its request for a preliminary ruling after the ECJ ruled in favour of a right of action for consumer protection associations in a similar case originating in Germany (C-319/20, Meta Platforms Ireland Limited). According to the ECJ, authorising such associations to litigate cases in order to protect consumer interests contributes to strengthening the rights of data subjects and ensures a high level of protection. Additionally, class actions filed by these associations are likely to prove more effective than numerous individual lawsuits filed by individual data subjects.

In line with the above ruling, the OGH has consistently held in recent decisions that consumer protection associations are entitled to bring actions to enforce consumers' rights in relation to alleged breaches of the GDPR, for example in relation to General Terms and Conditions.

Class actions under the GDPR are thus gaining traction, meaning individuals are increasingly joining forces to assert their data protection rights collectively. In Austria, the consumer association VKI (Verein für Konsumenteninformation) has become active in pursuing representative actions, particularly in cases involving data breaches or unlawful data processing. These actions aim to simplify and strengthen consumer enforcement of GDPR rights. Further, the NGO noyb (None of Your Business), founded by privacy advocate Max Schrems, has been officially recognized as a ‘Qualified Entity’ under the EU Representative Actions Directive (EU) 2020/1828. This status empowers noyb to bring collective redress actions—effectively class actions—on behalf of consumers. As a result, both VKI and noyb are now using their legal standing to initiate GDPR enforcement on a broader, more impactful scale, posing increased legal risks for companies that fail to comply with data protection obligations.

What is more relevant in Austria: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

Under Austrian tort law, any damage must be adequately caused and proven. Austrian law does not provide for punitive damages. Civil courts may impose injunctions and rule on damage compensation claims. Such damage compensation claims may involve immaterial damages as well. Immaterial damages are not related to an actual calculable damage. To date, the civil courts have imposed rather low compensation for immaterial damage.

To date, the fines imposed by the DPA seem to exceed the damage compensations awarded by civil courts, as these only assess the actual damages caused by the violation. Nevertheless, we expect the number of lawsuits brought before civil courts to continue to increase in coming years.

In January 2022, a claimant was awarded EUR 100.00 in damages by the Munich Regional Court after visiting a website using Google Fonts. The court based its decision on the fact that, by dynamically embedding Google Fonts on a website, personal data (namely the IP address) of website users is transferred to the USA, which is considered a third country with an inadequate level of data protection under the GDPR. An Austrian lawyer took this decision as an opportunity to send thousands of threatening legal letters with similar demands to website operators in Austria that had integrated Google Fonts on their websites. The letters stated that a lawsuit and further legal action would be waived if the website operator paid EUR 100.00 to the data subject who claimed compensation for the alleged breach of the GDPR, as a settlement. Two court proceedings concerning this matter were pending in Austria, one of which was interrupted due to a case before the ECJ (C-300/21, Österreichische Post AG). In October 2023, a court of first instance in Vienna decided that these warning letters regarding the use of Google Fonts on websites were an abuse of rights and did not award the amount demanded. However, these proceedings are not yet over, as the opposing party has filed an appeal and the proceedings are currently pending before the court of second instance.

Moreover, in January 2023, a private lawsuit was filed against the Austrian organization responsible for collecting the national broadcasting fee ("Gebühren Info Service GmbH" – “GIS"), for a data leak that occurred in 2020 and was not sanctioned by the DPA because it is considered a public entity against which the Austrian DPA by law cannot impose fines. This procedure is still ongoing.

As already mentioned above, in September 2024 the city of Baden was ordered to pay damages in the amount of EUR 500.00 per person due to a data leak that occurred in 2022. 33,000 people were affected by the data breach. If they all claimed damages in the amount of EUR 500.00, the total would be 16.5 million euros. The Higher Regional Court stated that proof of actual misuse of the data is not required. This decision is in line with a ruling by the ECJ on 14 December 2023 (CJEU C-340/21), according to which companies and authorities can be held liable for data leaks even without demonstrable material damage.

Irrespective of the outcome of these cases, there is undoubtedly a trend towards data protection based litigation before civil courts in Austria. The recent case law of the European Court of Justice providing clarity on damages is also expected to further increase the number of data protection cases before civil courts.
