Page 1

1 of 31

FEDERAL LEGISLATION
FOR THE REPUBLIC OF AUSTRIA
Vintage 2017

Issued July 31, 2017

120th Federal Law:

part One

Data Protection Amendment Act 2018
(NR: GP XXV RV 1664 AB 1761 p. 190. BR: 9824 AB 9856 p. 871.)
[CELEX No .: 32016L0680]

120th Federal Act amending the Data Protection Act 2000 (data protection
Amendment Act 2018)
The National Council decided:
The Federal
Acttext
on the Protection of Personal Data (Data Protection Act 2000 Original
DSG 2000), Federal Law Gazette I No. 165/1999, last amended by the Federal Law, Federal Law Gazette I No. 83/2013 and the
Anpassungsgesetz
2018)
Announcement
in Federal Law Gazette
I No. 132/2015 is changed as follows:
Contribute a better translation
1. The title is:

"Federal law for the protection of natural persons when processing personal
Data (Data Protection Act - DSG) "
2. The entries for Art. 2 in the table of contents read:
"Article 2
1st main piece
Implementation of the General Data Protection Regulation and supplementary regulations
1st section
General provisions
§ 4.
§ 5.
§ 6.

Scope and implementation regulation
Data protection officer
Data secrecy
2nd section
Data processing for specific purposes

§ 7.

Processing for archival purposes in the public interest, scientific
or historical research purposes or statistical purposes
Provision of addresses for notification and questioning of
affected persons
Freedom of expression and information
Processing of personal data in the event of a disaster
Processing of personal data in the employment context

§ 8th.
§ 9.
§ 10.
§ 11.

3rd section
Image processing
§ 12.
§ 13.

Admissibility of the image acquisition
Special data security measures and labeling

www.ris.bka.gv.at

Page 2
BGBl. I - Issued on July 31, 2017 - No. 120

2 of 31

2nd main piece
organs
1st section
Data Protection Council
§ 14.
§ 15.
§ 16.
§ 17.

Establishment and duties
composition
Chair and management
Meetings and resolutions
2nd section
Data protection authority

§ 18.
§ 19.
§ 20.
§ 21.
§ 22.
§ 23.

Facility
independence
Head of the data protection authority
tasks
Powers
Activity report and publication of decisions
3rd section
Remedies, liability and penalties

§ 24.
§ 25.
§ 26.
§ 27.
§ 28.
§ 29.
§ 30.

Complaint to the data protection authority
Accompanying measures in the complaint procedure
Public and private managers
Complaint to the Federal Administrative Court
Representation of data subjects
Liability and right to compensation
General conditions for the imposition of fines
4th section
Supervisory authority according to Directive (EU) 2016/680

§ 31.
§ 32.
Section 33.
§ 34.

Data protection authority
Tasks of the data protection authority
Powers of the data protection authority
General provisions
5th section
Special powers of the data protection authority

§ 35.
3rd main piece
Processing of personal data for the purposes of the security police including the
police state protection, military self-protection, reconnaissance and persecution
of criminal offenses, the execution of sentences and the execution of measures
1st section
General provisions
§ 36.
§ 37.
§ 38.
§ 39.
§ 40.
§ 41.

Scope and definitions
Principles for data processing, categorization and data quality
Lawfulness of processing
Processing of special categories of personal data
Processing for other purposes and transmission
Automated decision-making in individual cases
2nd section
Rights of the data subject

§ 42.
§ 43.
§ 44.
§ 45.

Principles
Informing the data subject
Right of the data subject to be informed
Right to correct or delete personal data and to
Restriction of processing

www.ris.bka.gv.at

Page 3
BGBl. I - Issued on July 31, 2017 - No. 120

3 of 31

3rd section
Controller and processor
Section 46.
Section 47.
Section 48.
Section 49.
Section 50.
§ 51.
§ 52.
Section 53.
Section 54.
§ 55.
Section 56.
Section 57.

Responsible Person's Responsibilities
Jointly responsible
Processors and supervision of processing
Directory of processing activities
Logging
Cooperation with the data protection authority
Data protection impact assessment
Prior consultation with the data protection authority
Data security measures
Reporting violations to the data protection authority
Notifying the data subject of injuries
Appointment, position and tasks of the data protection officer

4th section
Transfer of personal data to third countries or international organizations
§ 58.
§ 59.
Section 60.
Section 61.

General principles for the transfer of personal data
Data transfer to third countries or international organizations
Come into effect
Transitional provisions
4th main piece
Special criminal provisions

§ 62.
Section 63.

Administrative penal provision
Data processing with the intention of profit or loss
5th main piece
Final provisions

Section 64.
Section 65.
Section 66.
Section 67.
Section 68.
Section 69.
Section 70.

Implementation and implementation of EU legal acts
Linguistic equality
Issuing ordinances
References
Completion
Transitional provisions
Come into effect"

3. In Art. 2, the 1st, 2nd, 3rd, 4th, 5th and 6th section, the designation and the heading of the are omitted
7th section, the heading to § 35, §§ 36 to 44 including headings, the 8th, 9th, 9a. and
10th section, the designation and the heading of the 11th section, §§ 53 to 59 including
Headings, § 61 Paragraphs 1 to 3 and 5 to 10 as well as §§ 62 to 64 including the headings.
4. After the designation "Article 2" , the following 1st main part, the following designation and
Heading of the 2nd main part, the following 1st, 2nd, 3rd and 4th section as well as the following heading and
Name of the 5th section inserted:

"1. Main piece
Implementation of the General Data Protection Regulation and supplementary regulations
1st section
General provisions
Scope and implementation regulation
§ 4. (1) The provisions of Regulation (EU) 2016/679 for the protection of natural persons in the
Processing of personal data, for the free movement of data and for the cancellation of the
Directive 95/46 / EC (General Data Protection Regulation), OJ No. L 119 of 4.5.2016 p. 1, (hereinafter:
GDPR) and this federal law apply to fully or partially automated processing
personal data as well as for the non-automated processing of personal data that
are or are to be stored in a file system, unless the more specific ones
The provisions of Chapter 3 of this federal law.
www.ris.bka.gv.at

Page 4
BGBl. I - Issued on July 31, 2017 - No. 120

4 of 31

(2) Can the correction or deletion of automatically processed
personal data are not provided immediately because they are for economic or technical reasons
Reasons can only be carried out at certain times, the processing is the
relevant personal data with the effect according to Art. 18 Para. 2 GDPR up to this
Time to restrict.
(3) The processing of personal data via judicial or administrative authorities
criminal acts or omissions, in particular on suspicion of the commission of
Criminal offenses, as well as criminal convictions or preventive measures is in compliance
of the requirements of the GDPR, if
1. an express legal authorization or obligation to process such data
exists or
2. Otherwise the permissibility of the processing of this data is based on legal duties of care
results or the processing to safeguard the legitimate interests of the person responsible or
of a third party is required in accordance with Art. 6 Para. 1 lit.f GDPR, and the manner in which the
Data processing is carried out in order to safeguard the interests of the data subject
guaranteed by the GDPR and this federal law.
(4) In the case of an offer of information society services made directly to a child
is the consent in accordance with Art. 6 Para. 1 lit. a GDPR for the processing of personal data
Data of the child lawful when the child has reached the age of fourteen.
(5) As far as manual, ie. Files managed without automation support for the purposes of such
Matters exist in which the competence to legislate is a federal matter, they are considered as
Data processing within the meaning of the GDPR and this federal law.
Data protection officer
§ 5. (1) The data protection officer and the persons working for him are without prejudice to others
Confidentiality obligations in the fulfillment of the tasks to secrecy. this applies
in particular with regard to the identity of data subjects who contact the data protection officer
have applied, as well as circumstances that allow conclusions to be drawn about these persons, unless it
there was an express release from secrecy by the person concerned. The
Data protection officers and the persons working for them may use the information made available
exclusively for the fulfillment of the tasks and are to be used even after the end of their work
Committed to secrecy.
(2) If a data protection officer becomes aware of data during his work for which one of the
Control of the data protection officer subject employed person a legal
If you have the right to refuse to give evidence, this right is also available to the data protection officer and the for
persons working on it insofar as the person who is entitled to the statutory right to refuse to testify,
has made use of it. To the extent of the data protection officer’s right to refuse to testify
his files and other documents are subject to a ban on freezing and seizure.
(3) The data protection officer in the public sector is responsible for the exercise of his duties
free of instructions. The supreme body has the right to inquire about the objects of management at
To instruct data protection officers in the public sector. This is from the data protection officer
only to the extent that this does not reflect the independence of the data protection officer within the meaning of
Art. 38 para. 3 GDPR contradicts.
(4) Within the sphere of activity of each Federal Ministry, taking into account the type and scope
of the data processing as well as one or more depending on the institution of the Federal Ministry
Provide data protection officers. These must be submitted to the respective Federal Ministry or the
belong to the respective subordinate agency or other institution.
(5) The data protection officers in the public sector in accordance with Paragraph 3 maintain a regular
Exchange of experience, especially with a view to ensuring a uniform
Data protection standards.
Data secrecy
§ 6. (1) The person responsible, the processor and their employees - these are employees
(Employees) and persons in an employee-like (employee-like) relationship have personal data from data processing that is solely based on their
have been entrusted to professional employment or have become accessible, without prejudice to other
statutory confidentiality obligations to keep secret, unless there is a legally permissible reason for

www.ris.bka.gv.at

Page 5
BGBl. I - Issued on July 31, 2017 - No. 120

5 of 31

there is a transfer of the entrusted or accessible personal data
(Data secrecy).
(2) Employees are only allowed to provide personal data on the basis of an express order of theirs
Of the employer (employer). The controller and the processor have, if
such an obligation of their employees does not already exist by law to contractually
oblige to give personal data from data processing only on the basis of orders
and the data secrecy even after termination of the employment relationship
(Employment relationship) to the controller or processor.
(3) The controller and the processor have those affected by the order
Employees about the transfer orders that apply to them and about the consequences of a violation
to instruct the data secrecy.
(4) Without prejudice to the constitutional right to issue instructions, an employee from the
Refusal to comply with an order for inadmissible data transmission is not a disadvantage
grown up.
(5) A statutory right to refuse to testify in favor of a person responsible may
not through the use of a processor working for this, in particular not through
the seizure or confiscation of documents processed with automated support is circumvented
become.

2nd section
Data processing for specific purposes
Processing for archival purposes in the public interest, scientific or
historical research purposes or statistical purposes
§ 7. (1) For archiving purposes in the public interest, scientific or historical
Research purposes or statistical purposes that are not aimed at personal results,
the controller may process all personal data that
1. are publicly accessible,
2. it has legitimately determined for other investigations or other purposes or
3. Personal data pseudonymised for him are and the person responsible is the identity of the
cannot determine the data subject with legally permissible means.
(2) In the case of data processing for archiving purposes in the public interest, scientific
or historical research purposes or statistical purposes that do not fall under Paragraph 1
personal data only
1. in accordance with special statutory provisions,
2. with the consent of the data subject or
3. with the approval of the data protection authority in accordance with Paragraph 3
are processed.
(3) Approval from the data protection authority for the processing of personal data
for archival purposes in the public interest, scientific or historical
Research purposes or statistical purposes is at the request of the person responsible for the investigation
grant if
1. Obtaining the consent of the person concerned is impossible due to the fact that they cannot be reached
or otherwise means a disproportionate effort,
2. there is a public interest in the requested processing and
3. the professional suitability of the person responsible is made credible.
If special categories of personal data (Art. 9 GDPR) are to be determined, a
there is an important public interest in the investigation; Furthermore, it must be guaranteed that the
personal data is only processed by the person responsible for the investigation
that are subject to a statutory obligation of confidentiality with regard to the subject of the investigation
or whose reliability in this regard is otherwise plausible. The data protection authority has the
To link approval to the fulfillment of conditions and requirements, insofar as this is to maintain the
legitimate interests of the data subject is necessary.
(4) An application according to Paragraph 3 is in any case a request from the authorized person regarding the data stocks,
from which the personal data are to be determined, to attach a signed declaration,
www.ris.bka.gv.at

Page 6
BGBl. I - Issued on July 31, 2017 - No. 120

6 of 31

that he makes the data for the investigation available to the person responsible. Instead of
This declaration can also be replaced by an enforcement title (Section 367 (1) of the
Execution order - EO, RGBl. No. 79/1896).
(5) Also in those cases in which the processing of personal data for purposes of
Scientific research or statistics in personal form is permitted is the
Encrypt personal reference immediately if in individual phases of the scientific or
statistical work with personal data in accordance with Paragraph 1 No. 3 is sufficient
can. Unless otherwise expressly provided by law, the data is personal
to be completely eliminated as soon as it is no longer necessary for scientific or statistical work
is.
(6) Legal restrictions on the permissibility of the use of personal data
other, in particular copyright reasons, remain unaffected.
Provision of addresses for notification and questioning of those affected
people
§ 8. (1) Unless otherwise expressly stipulated by law, the transmission of
Address data of a certain group of data subjects for the purpose of their notification or
Survey of the consent of the data subjects.
(2) If, however, an impairment of the confidentiality interests of the persons concerned
in view of the selection criteria for the group of affected persons and the subject of the notification
or questioning is unlikely, no consent is required if
1. data of the same person responsible are processed or
2. if the address data is intended to be transmitted to third parties
a) there is also a public interest in the notification or questioning, or
b) none of the data subjects after having been informed about the occasion and content of the
Has objected to the transmission within a reasonable period of time.
(3) If the prerequisites of Paragraph 2 are not met and the consent of the
data subjects require a disproportionate effort in accordance with Paragraph 1, is the transmission
of the address data is permitted with the approval of the data protection authority in accordance with Paragraph 4, if the transmission
to third parties
1. for the purpose of notification or questioning out of an important interest of the person concerned
self,
2. from an important public notification or questioning interest or
3. to interview the persons concerned for scientific or statistical purposes
should take place.
(4) At the request of a person responsible who processes address data, the data protection authority has the
To grant approval for transmission if the applicant confirms the existence of the conditions specified in Paragraph 3
makes credible the above-mentioned conditions and overriding confidentiality interests worthy of protection
of the persons concerned do not oppose the transmission. The data protection authority has the
To link approval to the fulfillment of conditions and requirements, insofar as this is to maintain the
legitimate interests of the data subjects.
(5) The transmitted address data may only be processed for the approved purpose
are and are to be deleted as soon as they are no longer required for the notification or survey
become.
(6) Insofar as it is permitted in accordance with the above provisions, the name and address of
People who belong to a certain group of affected persons may also transfer the for the purpose
The processing necessary for the selection of the address data to be transmitted is carried out.
Freedom of expression and information
§ 9. As far as this is necessary for the right to protection of personal data with the
To reconcile freedom of expression and information, especially in the
With regard to the processing of personal data by media companies, media services
or their employees directly for their journalistic activities within the meaning of the Media Act MedienG, Federal Law Gazette No. 314/1981, Chapter II (Principles) of the GDPR, with the exception of
Art. 5, Chapter III (rights of the data subject), Chapter IV (controller and
Processors), with the exception of Articles 28, 29 and 32, Chapter V (transfer of personal
Data to third countries or international organizations), Chapter VI (Independent
www.ris.bka.gv.at

Page 7
BGBl. I - Issued on July 31, 2017 - No. 120

7 of 31

Supervisory Authorities), Chapter VII (Cooperation and Consistency) and Chapter IX (Regulations for
special processing situations) to the processing, which for journalistic purposes or to
scientific, artistic or literary purposes, no application. Of the
Provisions of this federal law apply in such cases to Section 6 (data secrecy).
Processing of personal data in the event of a disaster
§ 10. (1) Those responsible for the public sector and aid organizations are im
Authorized in the event of a disaster to jointly process personal data, insofar as this is
Assistance for the people directly affected by the disaster, to locate and
Identification of the departed and deceased and for the information of relatives is necessary.
(2) Anyone who legally has personal data may transfer them to those responsible for the
to the public sector and aid organizations, provided that they provide the personal data for
Need to deal with the disaster for the purposes stated in Paragraph 1.
(3) A transfer of personal data abroad is permitted, provided this is for the
Fulfillment of the purposes mentioned in paragraph 1 is absolutely necessary. Data that is the
Criminal charges against the person concerned may not be transmitted, unless this is for
Identification is absolutely necessary in individual cases. The data protection authority is initiated by the
Transmissions and the more detailed circumstances of the circumstances giving rise to immediately
communicate. The data protection authority has additional rights to protect data subjects
To prohibit data transmissions if the interference in the
The basic right to data protection due to the special circumstances of the disaster situation is not
is justified.
(4) Based on a specific request from a close relative of an actual or presumed
persons directly affected by the disaster are authorized to inform the inquirer
personal data on the whereabouts of the person concerned and the status of the research
submit if the relative can credibly demonstrate their identity and the close relationship. Special
Categories of personal data (Art. 9 GDPR) may only be transmitted to close relatives
if they can prove their identity and the status of a family member and the transfer to the
Protection of their rights or those of the data subject is necessary. The social security agencies
and authorities are obliged to those in charge of the public sector and aid agencies
to support, insofar as this is necessary to check the information provided by the inquirer.
(5) Parents, children and spouses are registered as close relatives within the meaning of this provision
Understand partners and domestic partners of the persons concerned. Other relatives are allowed to
are given the information mentioned under the same conditions as close relatives if they
a particularly close relationship to that of the catastrophe, either actually or presumably immediately
make the person concerned credible.
(6) The personal data processed for the purpose of dealing with the disaster
are to be deleted immediately if they are no longer required for the fulfillment of the specific purpose
become.
Processing of personal data in the employment context
§ 11. The Labor Constitution Act - ArbVG, Federal Law Gazette No. 22/1974, is, as far as it is processing
regulates personal data, a regulation within the meaning of Art. 88 GDPR. According to the works council
the powers to which the ArbVG is entitled remain unaffected.

3rd section
Image processing
Admissibility of the image acquisition
§ 12. (1) An image recording within the meaning of this section refers to the use
technical equipment for image processing made determination of events in
public or non-public space for private purposes. Taking pictures is also part of it
processed acoustic information. This section applies to such an image recording insofar
is not specifically determined by other laws.
(2) Taking into account the requirements of Section 13, taking a picture is permitted if
1. it is necessary in the vital interests of a person,
2. the data subject has consented to the processing of their personal data,

www.ris.bka.gv.at

Page 8
BGBl. I - Issued on July 31, 2017 - No. 120

8 of 31

3. it is ordered or permitted by special legal provisions, or
4. In individual cases, overriding legitimate interests of the person responsible or a third party
exist and the proportionality is given.
(3) In accordance with para. 2 no. 4, taking a picture is particularly permissible if
1. They provide preventive protection for people or property on private property, which
used exclusively by the person responsible, and not spatially via the
Property extends beyond, with the exception of one that is possibly unavoidable to achieve the purpose
Inclusion of public traffic areas,
2. They for the preventive protection of persons or property in publicly accessible places, which
are subject to the house rules of the person responsible, due to legal violations that have already occurred
or a special hazard potential inherent in the nature of the location is required
and no less suitable remedy is available, or
3. It pursues a private interest in documentation that does not apply to the identifying recording
uninvolved persons or the targeted detection of objects that are indirect
Identification of such persons is directed.
(4) Is inadmissible
1. an image recording without the express consent of the person concerned in their
highly personal area of ​life,
2. a picture taken for the purpose of checking employees,
3. the automated comparison of images obtained by means of image recordings
personal data with other personal data or
4. the evaluation of personal data obtained by means of image recordings on the basis of
special categories of personal data (Art. 9 GDPR) as selection criteria.
(5) Personal data determined by means of a permissible image recording may be im
required extent if one of the requirements of the
Paragraph 2 nos. 1 to 4 is given. Paragraph 4 applies accordingly.
Special data security measures and labeling
§ 13. (1) The person responsible has the risk of the intervention adapted
Take data security measures and ensure that there is access to image acquisition and
a subsequent change of the same by unauthorized persons is excluded.
(2) Except in the case of real-time monitoring, the person responsible has everyone
To log the processing operation.
(3) Recorded personal data are to be deleted by the person responsible if they are for
The purpose for which they were determined is no longer required and no other legal requirement
provided retention obligation exists. It must be stored for longer than 72 hours
be proportionate and must be recorded and justified separately.
(4) Paragraphs 1 to 3 do not apply to image recordings in accordance with Section 12 (3) no.3.
(5) The person responsible for an image recording must appropriately mark it. From the
In any case, the person responsible must clearly identify the label, unless this is the person responsible
affected persons already known after the circumstances of the case.
(6) The labeling requirement does not apply in the cases of Section 12 (3) no.3 and for strictly timed
Limiting processing in individual cases, the purpose of which is exclusively by means of a concealed
Identification can be achieved on condition that the person responsible has adequate guarantees
to protect the interests of those affected, in particular by subsequently informing the
affected persons.
(7) If, contrary to Paragraph 5, insufficient information is provided, anyone can ask one of them
Processing of potentially affected persons by the owner or authorized user of a property or
of a building or other object from which such processing apparently originates,
Request information about the identity of the person responsible. The unfounded failure to issue a
Such information is equivalent to a refusal to provide information in accordance with Art. 15 GDPR.

www.ris.bka.gv.at

Page 9
BGBl. I - Issued on July 31, 2017 - No. 120

9 of 31

2nd main piece
organs
1st section
Data Protection Council
Establishment and duties
§ 14. (1) A data protection council has been set up at the Federal Chancellery. This takes questions from
of fundamental importance for data protection position, promotes the uniform further development of the
Data protection and advises the federal government on legal policy matters on data protection law
relevant project.
(2) In order to fulfill its tasks according to Paragraph 1
1. The Data Protection Council can make recommendations in terms of data protection law to the
Judge the federal government and the federal ministers;
2. The Data Protection Council can prepare or commission reports;
3. The Data Protection Council has the opportunity to comment on draft laws
Federal Ministries, insofar as these are of importance under data protection law, as well as to
Ordinances in the enforcement area of ​the federal government, the essential questions of data protection
concern to give;
4. the data protection council has the right to obtain information and
To request reports, insofar as this is necessary for the assessment of projects under data protection law
essential impact on data protection in Austria is necessary;
5. The Data Protection Council can publish its observations, concerns and suggestions and
bring to the attention of those responsible for the public sector.
(3) Paragraph 2 subparagraphs 3 and 4 do not apply insofar as internal affairs of the recognized churches and
Religious societies are affected.
composition
§ 15. (1) The data protection council includes:
1. Representatives of the political parties: Twelve members send the political parties to the
D'Hondt's system in relation to their mandate in the main committee of the National Council.
Every political party represented in the main committee of the National Council has the right to
Data Protection Council to be represented. A party represented in the main committee of the National Council, the
According to the above calculation, there is no member, a member can name;
2. One representative each from the Federal Chamber for Workers and Salaried Employees and the Chamber of Commerce
Austria;
3. two representatives of the countries;
4. One representative each from the association of municipalities and the association of towns;
5. a federal representative to be sent by the Federal Chancellor;
6. a representative to be sent by the Federal Government from among the
Data protection officer of the federal ministries;
7. two national or international to be named by the data protection council after its constitution
Experts in the field of data protection.
(2) The representatives named in Paragraph 1 should have knowledge and experience in the areas of
Data protection law, Union law and fundamental rights.
(3) A substitute member is to be sent for each member according to Paragraph 1 Z 1 to 6, who is to be assigned to
Prevention of the member takes his place. The posting of members and substitute members
must be reported to the Federal Chancellery in writing.
(4) Members of the Federal Government or a member of the Data Protection Council may not belong to the Data Protection Council
State government as well as state secretaries and also persons who are not eligible for election to the National Council.
(5) The term of office of the members and substitute members according to Paragraph 1 Z 1 to 6 begins with
whose posting to the Data Protection Council and ends
1. With the dismissal by the sending office (Paragraph 1) by means of a written notification
to the Federal Chancellery with the simultaneous naming of a new member or
Substitute member,

www.ris.bka.gv.at

Page 10
BGBl. I - Issued on July 31, 2017 - No. 120

10 of 31

2. with the announcement of the departure by the member or substitute member by way of a
written notification to the Federal Chancellery or
3. at the latest with the new election of the main committee of the National Council according to §§ 29 and 30 of the
Rules of Procedure Act 1975, Federal Law Gazette No. 410/1975.
Item 3 applies to members of the Data Protection Council named in accordance with Paragraph 1 Item 7.
(6) After the new election of the main committee of the National Council (para. 5 subparagraph 3), the previous one takes the lead
Presidium according to § 17 para. 4 the business until the constituent meeting of the newly appointed members
and substitute members. Within a period of two weeks from the new election of the
In the main committee of the National Council, the sending bodies have an office corresponding to Paragraph 1
To announce the number of members and substitute members to the Federal Chancellery in writing. The
Re-appointment of members and substitute members is permitted.
(7) The constituent meeting of the Data Protection Council takes place no later than six weeks after the election
of the main committee of the National Council and is to be convened by the Federal Chancellery.
(8) The activities of the members and substitute members of the Data Protection Council are honorary.
Members and substitute members of the Data Protection Council who live outside of Vienna have in the case of
Participation in meetings of the data protection council entitled to reimbursement of reasonable travel expenses
In accordance with the federal travel fee regulations. The remuneration and reimbursements are in
Subsequently to be instructed quarterly by the Federal Chancellery.
Chair and management
§ 16. (1) With a resolution, the data protection council issues rules of procedure.
(2) In the constituent meeting, the Data Protection Council made the available nominations
with a simple majority from among its members, a chairman and two deputy chairmen
choose. Runoff elections are permitted. The election proposals are to the members and substitute members
to be announced at the same time as the invitation to the constituent meeting. The re-election is
permissible.
(3) The term of office of the chairman and the deputy chairman ends
1. when one of the requirements of Section 15 (5) 1 to 3 is met,
2. with the announcement of the resignation of the function by the chairman or one of the
Deputy Chair by means of a declaration at the meeting of the Data Protection Council
or a written notification to the Federal Chancellery or
3. after being voted out by the Data Protection Council with a simple majority of the votes cast and
Presence of more than two thirds of its members or substitute members.
After the end of the term of office of the chairman or a deputy chairman is
to elect a new chairman or a new deputy chairman immediately.
(4) The chairman elected in accordance with Paragraph 2 represents the data protection council externally.
(5) The Federal Chancellery is responsible for managing the Data Protection Council. The Chancellor
has to provide the necessary personnel for this. In her work for the Data Protection Council
the employees of the Federal Chancellery are subject to the instructions of the chairman of the
Data Protection Council bound.
Meetings and resolutions
§ 17. (1) The meetings of the data protection council are convened by the chairman as required.
Each member of the data protection council can call the data protection council in writing, stating
covet the desired subject of negotiation. If there is such a request, he has
The chairman to schedule the meeting in such a way that it can take place no later than four weeks after receipt of the
Desire takes place.
(2) Each member of the Data Protection Council is - except in the case of justified prevention obliged to attend the meetings of the data protection council. Only if the member is unable to attend
the substitute member takes part in the meeting.
(3) For deliberations and resolutions in the data protection council, the presence of more than
Half of its members or substitutes required. The simple one is sufficient to pass a resolution
Majority of the votes cast. In the event of a tie, the chairman has the vote
Rash. Abstention is not permitted. Minority votes are allowed.

www.ris.bka.gv.at

Page 11
BGBl. I - Issued on July 31, 2017 - No. 120

11 of 31

(4) In urgent matters, the chairman can appoint the deputy chairman and each
a representative of the political parties (Section 15, Paragraph 1, Item 1) for an extraordinary meeting (Presidium)
invite.
(5) The Data Protection Council may form permanent or temporary working committees from among its members,
to whom he can delegate the preparation, assessment and processing of individual matters. He
is also entitled to the management, preliminary assessment and the processing of individual
To delegate matters to a single member (rapporteur).
(6) The head of the data protection authority is entitled to participate in the meetings of the data protection council or
to participate in its working committees. He is not entitled to vote.
(7) If necessary, the chairman may attend the meetings of the Data Protection Council or to
Involve working committees. Also to prepare for meetings of the Data Protection Council or
The Chairman of the Data Protection Council can appoint working committees experts in the respective specialist field
consult if this is necessary to clarify questions of particular importance for data protection
is required.
(8) The deliberations in the meetings of the Data Protection Council are, unless it is otherwise
decides not to be public. The members and substitute members of the Data Protection Council, the head of the
The data protection authority as well as his deputy and the experts consulted for the meeting are to be used
Confidentiality about all of them exclusively from their work in the data protection council
committed to facts that have become known.

2nd section
Data protection authority
Facility
§ 18. (1) The data protection authority is the national supervisory authority according to Art. 51 GDPR
set up.
(2) The data protection authority is headed by a head. In his absence, his deputy heads the
Data protection authority. The regulations regarding the head of the data protection authority can be found on him
Application.
independence
§ 19. (1) The data protection authority is a service authority and a personnel office.
(2) For the duration of his office, the director may not exercise any activity which
1. Create doubts about the independent performance of his office or his impartiality
could,
2. hinders him in the performance of his official duties or
3. essential business interests endangered.
He is obliged to carry out activities that he carries out in addition to his work as head of the data protection authority,
to bring it to the attention of the Federal Chancellor immediately.
(3) The Federal Chancellor can contact the head of the data protection authority about the objects of
Teach management. The head of the data protection authority only has to comply with this to the extent that
than this is not the complete independence of the supervisory authority within the meaning of Art. 52 GDPR
contradicts.
Head of the data protection authority
§ 20. (1) The head of the data protection authority is appointed by the Federal President on the proposal of the
Federal government appointed for a period of five years; reappointment is permitted. The
Proposal has to precede an advertisement for general application.
(2) The head of the data protection authority has
1. to have completed a law degree,
2. personal and professional aptitude through appropriate previous training and relevant
Professional experience in matters of concern to the data protection authority
to have
3. have excellent knowledge of Austrian data protection law, Union law and
of fundamental rights and
4. have at least five years of legal professional experience.

www.ris.bka.gv.at

Page 12
BGBl. I - Issued on July 31, 2017 - No. 120

(3) The following may not be appointed as head of the data protection authority:
1. Members of the federal government, state secretaries, members of a state government, members
of the National Council, the Federal Council or any other general representative body or the
European Parliament, also ombudsmen and the President of the Court of Auditors,
2. Persons who have exercised a function named in item 1 within the last two years, and
3. Persons who are excluded from eligibility for membership in the National Council.
(4) The dismissal of the head is at the suggestion of the Federal Government by the Federal President
to undertake.
(5) The deputy of the head of the data protection authority is appointed by the Federal President
Proposal appointed by the Federal Government in accordance with Paragraphs 1 to 3. On the removal of the
Paragraph 4 applies to the deputy.

12 of 31

tasks
§ 21. (1) The data protection authority advises the committees of the National Council and the Federal Council which
The federal government and the state governments at their request via legislative and administrative
Activities. The data protection authority is prior to the enactment of federal laws and ordinances in
To hear federal enforcement areas that directly affect data protection issues.
(2) The data protection authority has the lists according to Art. 35 Para. 4 and 5 GDPR by way of a
To announce the regulation in the Federal Law Gazette.
(3) The data protection authority has the criteria to be determined in accordance with Art. 57 Paragraph 1 lit.
To announce ways of a regulation. It also acts as the only national accreditation body
according to Art. 43 Para. 1 lit. a GDPR.
Powers
§ 22. (1) The data protection authority can contact the person responsible or the processor of the
Checked data processing, in particular, request all necessary clarifications and inspect
Desire data processing and related documents. The person in charge or
The processor has to provide the necessary support. The control activity is under
The greatest possible protection of the rights of the person responsible or the processor and third parties
exercise.
(2) For the purpose of inspection, the data protection authority, after notifying the owner, is the
Premises and the person responsible or the processor is entitled to use rooms in which
Data processing is carried out, to enter, to put data processing systems into operation,
to carry out the processing to be checked as well as copies of data carriers in the for the
Exercise of control powers to establish the extent absolutely necessary.
(3) Information that the data protection authority or its agents at the
Control activity may only be used for control in the context of execution
data protection regulations are used. In addition, there is an obligation to
Confidentiality also towards courts and administrative authorities, in particular tax authorities;
This, however, with the proviso that if the inspection raises the suspicion of a criminal act
according to Section 63 of this Federal Act or according to Sections 118a, 119, 119a, 126a to 126c, 148a or Section 278a of the
Criminal Code - StGB, Federal Law Gazette No. 60/1974, or a crime with a prison sentence, whose
Exceeds a maximum of five years, results, is to be reported and with regard to such crimes and
Also violate requests according to Section 76 of the Code of Criminal Procedure - StPO, Federal Law Gazette No. 631/1975
is.
(4) If the operation of data processing poses a significant direct hazard
confidential interests of the data subjects worthy of protection (imminent danger), the
Data protection authority to continue the data processing with notification according to § 57 para. 1 of
General Administrative Procedure Act 1991 - AVG, Federal Law Gazette No. 51/1991. If this
technically possible, sensible with regard to the purpose of data processing and to eliminate the
If the threat seems sufficient, the continuation can only be partially prohibited. As well
the data protection authority can restrict processing at the request of a data subject
order according to Art. 18 GDPR with notification according to § 57 Para. 1 AVG, if the person responsible is a
does not comply with the obligation in this regard in a timely manner. A prohibition will not be issued immediately
If this has been done, the data protection authority must proceed in accordance with Art. 83 (5) GDPR.
(5) The data protection authority is responsible for the imposition of fines within the scope of its competence
towards natural and legal persons.

www.ris.bka.gv.at

Page 13
BGBl. I - Issued on July 31, 2017 - No. 120

13 of 31

(6) Existence in the course of a lawsuit based on Section 29 by a data subject who has moved from a
Institution, organization or association within the meaning of Art. 80 Para. 1 GDPR has doubts
on the existence of the relevant criteria, the data protection authority meets at the request of the
Relevant findings of the collection court with notification. This establishment, organization or
Association has party status in the proceedings. You are against a negative notification of assessment
Complaint to the Federal Administrative Court open.
Activity report and publication of decisions
§ 23. (1) The data protection authority shall have until March 31 of each year one to Art. 59
To create a GDPR activity report and submit it to the Federal Chancellor. The report
must be submitted by the Federal Chancellor to the Federal Government, the National Council and the Federal Council. The
Data Protection Authority published the report to the public, the European Commission, the
European Data Protection Committee (Art. 68 GDPR) and the Data Protection Council.
(2) Decisions of the data protection authority of fundamental importance for the general public
are by the data protection authority in compliance with the requirements of official secrecy in
to publish in a suitable manner.

3rd section
Remedies, liability and penalties
Complaint to the data protection authority
§ 24. (1) Every data subject has the right to lodge a complaint with the data protection authority if they
is of the opinion that the processing of personal data relating to her is contrary to the GDPR
or violates Section 1 or Article 2, 1st main part.
(2) The complaint must contain:
1. the designation of the law deemed to have been infringed,
2. Insofar as this is reasonable, the designation of the legal entity or body to which the claim was made
Infringement is attributed (respondent),
3. the facts from which the infringement is derived,
4. the reasons on which the allegation of illegality is based,
5. the request to establish the alleged infringement and
6. the information necessary to assess whether the complaint was filed in a timely manner
is.
(3) A complaint may include the underlying application and a possible one
To join the respondent's response. The data protection authority has in the event of a complaint
to provide further assistance at the request of the person concerned.
(4) The right to a complaint being dealt with expires if the person intervening does not answer it within
one year after becoming aware of the complaining event, but no later than within
three years after the event allegedly took place. Late
Complaints are to be rejected.
(5) If a complaint proves to be justified, it must be followed up. Is an injury
to be attributed to a person responsible in the private sector, this is to be instructed to respond to the applications of
Complainant to information, correction, deletion, restriction or data transfer in
to the extent necessary to remedy the established legal violation.
If the complaint proves to be unjustified, it must be dismissed.
(6) A respondent can until the conclusion of the procedure before the data protection authority the
Eliminate alleged infringement retrospectively by responding to the complainant's motions
corresponds to. If the data protection authority considers the complaint to be irrelevant, it has the
To hear complainants about this. At the same time he is to be made aware that the
The data protection authority will informally terminate the procedure if it does not respond within a reasonable time
Deadline justifies why he continues at least partially to the originally alleged infringement
deemed not to have been eliminated. If the complainant makes such a statement, the matter becomes theirs
Essentially changed (Section 13 (8) AVG), the original complaint is withdrawn
and the simultaneous filing of a new complaint. This is also the case in this case
to discontinue the original complaint procedure informally and the complainant acknowledges it
communicate. Late statements are not to be taken into account.

www.ris.bka.gv.at

Page 14
BGBl. I - Issued on July 31, 2017 - No. 120

14 of 31

(7) The complainant will be removed from the data protection authority within three months
Submission of the complaint informed of the status and the result of the investigation.
(8) Any person concerned can appeal to the Federal Administrative Court if the
Data protection authority does not deal with the complaint or the data subject not within
has informed about the status or the result of the complaint lodged for three months.
(9) The data protection authority can - if necessary - official experts in the procedure
call in.
(10) The decision period according to § 73 AVG does not include:
1. the time during which the procedure is up to the final decision on a preliminary question
is exposed;
2. the time during a procedure according to Art. 56, 60 and 63 GDPR.
Accompanying measures in the complaint procedure
Section 25. (1) If the complainant makes a substantial complaint
Impairment of his confidential interests worthy of protection through the processing of his
credible personal data, the data protection authority can proceed according to § 22 para. 4.
(2) If the correctness of personal data is disputed in a proceeding, then from
To attach a notice of objection to the respondent until the end of the proceedings.
If necessary, the data protection authority has this with a notice at the request of the complainant
to be ordered in accordance with Section 57 (1) AVG.
(3) If a person responsible appeals to the data protection authority on a restriction in
Within the meaning of Art. 23 GDPR, this has the legality of the application of the restrictions
check. If she comes to the conclusion that the confidentiality of processed personal
Data to the data subject was not justified, the disclosure of the
to apply personal data with notification. Will be within the notification of the data protection authority
eight weeks have not been met, the data protection authority has to disclose the personal
To provide data to the data subject himself and to provide him with the requested information
or to inform her which personal data has already been corrected or deleted.
(4) Notices with which the transfer of personal data abroad is authorized
are to be revoked if the legal or factual requirements for the grant
approval no longer exist.
Public and private managers
Section 26. (1) Those responsible for the public sector are all those responsible
1. which are set up in forms of public law, in particular also as an organ of a
Local authority, or
2. Insofar as it is active in the enforcement of laws despite its establishment in forms of private law
are.
(2) Those responsible in the public sector are parties to proceedings before the data protection authority.
(3) Those responsible in the public sector can lodge a complaint with the Federal Administrative Court
and appeal to the Administrative Court.
(4) Those responsible not subject to paragraph 1 are deemed to be responsible for the private
Area within the meaning of this federal law.
Complaint to the Federal Administrative Court
Section 27. (1) The Federal Administrative Court decides through the Senate on complaints against
Notices because of the violation of the duty to inform according to § 24 Paragraph 7 and the
Duty of the data protection authority to make decisions.
(2) The Senate consists of a chairman and an expert lay judge each from the
Employers and employees. The knowledgeable lay judges are on
Proposal by the Austrian Chamber of Commerce and the Federal Chamber for Workers and Salaried Employees
ordered. Appropriate precautions must be taken to ensure that a sufficient number of
knowledgeable lay judges.
(3) The competent lay judges must have at least five years of relevant professional experience
and have special knowledge of data protection law.

www.ris.bka.gv.at

Page 15
BGBl. I - Issued on July 31, 2017 - No. 120

15 of 31

(4) The chairman has all the documents relevant to the decision to the competent lay judges
to be transmitted immediately or, if this is impractical or to protect the confidentiality of
Documents is absolutely necessary to be made available.
(5) If there is a procedure against the decision of the data protection authority, the one
Opinion or decision of the European Committee under the consistency mechanism
has preceded, the data protection authority shall forward this opinion or this decision to the
Federal Administrative Court to.
Representation of data subjects
§ 28. The person concerned has the right to set up an institution, organization or association without
Profit-making intent that is properly established, its statutory objectives in the public
Interests and those in the area of ​protecting the rights and freedoms of data subjects
With regard to the protection of your personal data, to commission, on their behalf, a
To lodge a complaint, to exercise the rights mentioned in §§ 24 to 27 on your behalf and
to claim the right to compensation according to § 29.
Liability and right to compensation
Section 29. (1) Any person who, because of a violation of the GDPR or Section 1 or Article 2
1. Main item has suffered material or immaterial damage, is entitled to compensation
against the person responsible or against the processor according to Art. 82 GDPR. In detail
The general provisions of civil law apply to this claim for damages.
(2) For actions for damages, the first instance is the exercise of jurisdiction in
civil legal matters entrusted regional court, in whose district the plaintiff
(Applicant) has his / her habitual residence or registered office. Lawsuits (motions) can also be filed with
the regional court in whose district the defendant has his habitual residence
or has its registered office or branch.
General conditions for the imposition of fines
§ 30. (1) The data protection authority can impose fines on a legal person if
Violations of the provisions of the GDPR and § 1 or Article 2 1st main part by persons
committed acting either alone or as part of an organ of the legal person
and a leadership position within the legal entity
1. the power to represent the legal person,
2. the power to make decisions on behalf of the legal person, or
3. A control authority within the legal person
hold.
(2) Legal persons can, because of violations of the provisions of the GDPR and § 1
or Article 2 1st main part also be held responsible if insufficient supervision or
Control by a person named in paragraph 1 of the commission of these violations by a for the
legal person, provided that the act does not constitute an offense in the
The jurisdiction of the courts for the criminal offense.
(3) The data protection authority has of the punishment of a responsible person according to § 9 of
Administrative Penal Act 1991 - VStG, Federal Law Gazette No. 52/1991, to be waived if for the same violation
an administrative penalty is already imposed on the legal person and no special one
Circumstances exist that prevent the punishment from being waived.
(4) The fines imposed in accordance with Section 22 (5) flow to the federal government and are subject to the
Introduce provisions on the collection of judicial fines. Legally binding
Notices from the data protection authority are enforcement titles. The approval and execution of the execution
is on the basis of the enforcement title of the data protection authority at the district court, in its district
the obligated party has his general place of jurisdiction in disputes (§§ 66, 75 of the jurisdiction norm JN, RGBl. No. 111/1895), or at the execution court designated in §§ 18 and 19 EO
apply for.
(5) No fines may be imposed on authorities or public bodies.

www.ris.bka.gv.at

Page 16
BGBl. I - Issued on July 31, 2017 - No. 120

16 of 31

4th section
Supervisory authority according to Directive (EU) 2016/680
Data protection authority
Section 31. (1) The data protection authority is the national supervisory authority for the data set out in Section 36 (1)
mentioned area of ​application. The data protection authority is not responsible for supervision
on the processing carried out by courts in the context of their judicial activity.
(2) With regard to the independence, the general conditions and the establishment of the
Art. 52, 53 and 54 GDPR as well as § 18 para. 2, §§ 19 and 20 apply accordingly
Application.
Tasks of the data protection authority
Section 32. (1) In the scope of Section 36 (1)
1. the application of § 1 and the regulations enacted in Chapter 3 as well as
Implementing regulations for Directive (EU) 2016/680 of the protection of natural persons
in the processing of personal data by the competent authorities for the purpose of
Preventing, investigating, detecting or prosecuting criminal offenses or the execution of sentences
as well as on the free movement of data and the repeal of the framework decision 2008/977 / JHA des
Councils, OJ No. L 119, 4.5.2016 p. 89, to monitor and enforce;
2. the public for the risks, regulations, guarantees and rights related to the
To raise awareness of processing and to educate them about it;
3. the tasks set out in Art. 57 Para. 1 lit. c to e, g, h and t GDPR with regard to the
3. main piece to meet;
4. deal with complaints from a data subject or a body, an organization or a
Association pursuant to Section 28 to deal with the subject of the complaint in an appropriate manner
To investigate the scope and to inform the complainant within a period of three months
to inform about the progress and the result of the investigation, especially if a
further investigation or coordination with another supervisory authority is necessary;
5. to check the lawfulness of the processing in accordance with Section 42 (8) and the data subject
within a reasonable period of time about the result of the review in accordance with Section 42 (9)
inform or inform her of the reasons why the review was not carried out
has been;
6. Follow relevant developments, insofar as they relate to the protection of personal
Data
affect
especially
the
development
Communication technology,

the

Information

and

7. To provide advice in relation to the processing operations referred to in Section 53, and
8. the rights of the data subject in the cases of Sections 43 (4), 44 (3) and 45 (4)
exercise.
(2) The data protection authority facilitates the submission of complaints mentioned in Paragraph 1 No. 4
through measures such as the provision of a complaint form, which can also be electronically
can be filled in without excluding other means of communication.
(3) Art. 57 Para. 3 and 4 GDPR apply accordingly.
Powers of the data protection authority
Section 33. (1) In the scope of Section 36 (1), the data protection authority has the to
Effective investigative powers required to carry out their area of ​responsibility. These
include in particular the powers specified in Section 22 (2).
(2) In the area of ​application of Section 36 (1), the data protection authority has the to
Effective remedial powers required to carry out their duties. At least that counts
the powers which permit it
1. to warn a controller or a processor that intended
Processing operations are likely to violate those within the scope of the directive
(EU) 2016/680 violate regulations;
2. to instruct the controller or the processor to carry out processing operations
certain way and within a certain period of time, with those within the scope of the
Directive (EU) 2016/680 to bring the regulations into line, in particular through the

www.ris.bka.gv.at

Page 17
BGBl. I - Issued on July 31, 2017 - No. 120

17 of 31

Ordering the correction or deletion of personal data or restriction of the
Processing according to § 45;
3. any temporary or permanent restriction on processing, including one
Prohibition to impose.
(3) In the area of ​application of Section 36 (1), the data protection authority has the to
Enforcement required effective advisory powers that permit it, according to the procedure
the prior consultation according to § 53 to advise the person responsible and to answer any questions that may arise in the
Are related to the protection of personal data, of their own accord or upon request
Statements to the National Council or the Federal Council, the federal or state government or to
to address other institutions and bodies as well as to the public.
(4) The exercise of the powers conferred on the supervisory authority is based on
Scope of application Section 36 (1) in accordance with Article 58 (4) GDPR.
(5) Section 22 (3) second sentence applies mutatis mutandis to violations within the scope of Section 36 (1).
General provisions
Section 34. (1) Those responsible have to take effective precautions within the scope of Section 36 (1)
Meet to encourage confidential reports of violations. With this in mind, those responsible have
in particular to put in place appropriate procedures to enable violations of the
To report the provisions of Chapter 3 to a suitable body.
(2) The precautions listed in Paragraph 1 include at least
1. specific procedures for receiving reports of infringements and following up on them;
2. The protection of personal data for both the person reporting the violations and
for the natural person who is allegedly responsible for a violation;
3. clear rules that ensure the confidentiality of the identity of the person reporting the violations,
guarantee, unless the disclosure of the identity in the context of a
public prosecutor's office, judicial or administrative proceedings
has taken place.
(3) In the context of the activity report according to § 23, the data protection authority has to deal with the activities
to report after the 4th and 5th section. The requirements of Art. 59 GDPR and Section 23 for the
Activity reports and the publication of decisions apply mutatis mutandis.
(4) Mutual administrative assistance within the scope of § 36 Paragraph 1 applies to Art. 61 Paragraph 1 bis
7 GDPR will apply accordingly.
(5) The provisions of Section 3 of the
2nd main part - with the exception of § 30 - apply accordingly.

5th section
Special powers of the data protection authority "
5. Section 35 (1) reads:
"(1) The data protection authority is in accordance with the more detailed provisions of the GDPR and this
Federal law to safeguard data protection. "

www.ris.bka.gv.at

Page 18
BGBl. I - Issued on July 31, 2017 - No. 120

18 of 31

6. According to § 35 the following designation and heading of the 3rd main part, the following 1st, 2nd and
3rd section, the following heading and designation of the 4th section as well as the following §§ 58 and 59 together
Headings inserted:

"3. Main piece
Processing of personal data for security police purposes including
police state protection, military self-protection, reconnaissance and
Prosecution of criminal offenses, the execution of sentences and the execution of measures
1st section
General provisions
Scope and definitions
Section 36. (1) The provisions of this main part apply to the processing of personal data
Data held by competent authorities for the purpose of prevention, investigation, detection or tracking
of criminal offenses or the execution of sentences, including protection against and averting danger
for public security, as well as for the purpose of national security, intelligence and
the military self-protection.
(2) For the purposes of this main part, the term means:
1. "Personal data" any information that relates to an identified or
refer to an identifiable natural person (hereinafter "data subject"); as
A natural person is considered identifiable, directly or indirectly, in particular
by means of assignment to an identifier such as a name, to an identification number
Location data, an online identifier or one or more special features,
the expression of physical, physiological, genetic, psychological, economic,
cultural or social identity of this natural person can be identified;
2. "Processing" means any operation carried out with or without the aid of automated processes or
any such series of operations in connection with personal data such as the collection,
recording, organizing, arranging, storing, adapting or changing,
reading, querying, use, disclosure through transmission, dissemination
or any other form of provision, comparison or linking that
Restriction, deletion or destruction;
3. "Restriction of processing" the marking of stored personal data with
the aim of limiting their future processing;
4. "Profiling" any type of automated processing of personal data contained therein
insists that this personal data is used to identify certain personal
To evaluate aspects that relate to a natural person, in particular aspects
regarding work performance, economic situation, health, personal preferences, interests,
Reliability, behavior, whereabouts or change of location of this natural person
analyze or predict;
5. “Pseudonymization” the processing of personal data in such a way that the
personal data without the use of additional information is no longer one
specific data subjects can be assigned, provided that these additional
Information is kept separately and technical and organizational measures
subject to ensuring that the personal data is not an identified or
be assigned to an identifiable natural person;
6. "File system" means any structured collection of personal data, which according to certain
Criteria are accessible, regardless of whether this collection is centralized, decentralized or according to
is managed according to functional or geographical aspects;
7. "Competent Authority"
a) a government agency responsible for the prevention, investigation, detection or prosecution of
Criminal offenses or the execution of sentences, including protection against and defense against
Public Safety Hazards, Responsible, or
b) any other body or body that is exercised by the law of the Member States
public authority and sovereign powers to prevent, investigate, or detect
Prosecution of criminal offenses or for the execution of sentences, including protection against and
the defense against threats to public safety has been entrusted;

www.ris.bka.gv.at

Page 19
BGBl. I - Issued on July 31, 2017 - No. 120

19 of 31

8. “Responsible” the competent authority which alone or jointly with others over the
Decides the purposes and means of processing personal data;
9. "Processor" means a natural or legal person, authority, agency or other
Body that processes personal data on behalf of the controller;
10. "Recipient" a natural or legal person, authority, institution or other body,
to which personal data is disclosed, regardless of whether it is
acts a third party or not. Authorities in the context of a specific
Investigation order due to laws may contain personal data
received, but not counted as a recipient; the processing of this data by the named
Authorities takes place in accordance with the applicable data protection regulations in accordance with the purposes
processing;
11. "Personal data breach" means a security breach leading to
Destruction, loss or alteration, whether unintentional or unlawful, or for
unauthorized disclosure of or unauthorized access to personal
Holds data that has been transmitted, stored or otherwise processed;
12. “genetic data” personal data relating to the inherited or acquired genetic
Characteristics of a natural person who have unique information about the physiology or
provide the health of this natural person and in particular from the analysis of a
biological samples of the natural person concerned have been obtained;
13. “Biometric data” personal data obtained using special technical processes
to the physical, physiological or behavioral characteristics of a natural one
Person who enables or confirms the unique identification of this natural person,
such as facial images or dactyloscopic data;
14. "Health data" personal data that relate to the physical or mental
Health of a natural person, including the provision of
Health services, obtain and from which information about their
State of health;
15. "supervisory authority" is the data protection authority;
16. “international organization” an organization under international law and its subordinate bodies
or any other body established by one between two or more states
Agreement or was created on the basis of such an agreement.
Principles for data processing, categorization and data quality
Section 37. (1) Personal data
1. must be processed lawfully and in good faith,
2. Must be collected for specified, explicit and legitimate purposes and not in a with
are processed in a manner that cannot be agreed for these purposes,
3. must correspond to the processing purpose and must be relevant and may relate to it
not be excessive on the purposes for which they are processed,
4. must be factually correct and, if necessary, up to date; everyone is there
take reasonable steps to ensure that personal data that is processed with regard to the
Purposes of their processing are incorrect, deleted or corrected immediately,
5. may not be longer than is necessary for the purposes for which they are processed in a
Stored in a form that enables the identification of the data subjects,
6. Must be processed in a manner that provides reasonable security for the
personal data, including protection from unauthorized or
unlawful processing and accidental loss, accidental destruction
or unintentional damage through suitable technical and organizational measures.
(2) For processing for archiving purposes in the public interest, for scientific purposes
or historical research purposes or for statistical purposes within the scope of Section 36 (1)
§ 38 applies.
(3) The person responsible is responsible for compliance with paragraphs 1 and 2 and must comply with them
Can demonstrate compliance.
(4) As far as possible and reasonable, between the personal data is in particular
distinguish between the following categories of data subjects:
1. Persons who are specifically suspicious on the basis of certain facts, a criminal act
having committed
www.ris.bka.gv.at

Page 20
BGBl. I - Issued on July 31, 2017 - No. 120

20 of 31

2. Persons against whom there is reasonable suspicion based on certain facts that they are in
will commit a criminal offense in the near future,
3. convicted offenders,
4. Victims of a crime or persons for whom certain facts justify the assumption,
that they are victims of a crime, and
5. other persons in connection with a criminal offense, in particular persons who
as witnesses come into consideration, persons who can give evidence of the crime, or
Persons who are in contact or connected with the persons named in Nos. 1 to 3.
(5) As far as possible, a choice is made between fact-based and personal assessments
differentiate between personal data. Based on personal judgment
Personal data are to be marked accordingly and can be provided with a reason
which enables the assessment to be traceable.
(6) Inaccurate, incomplete, outdated or deleted personal data
may not be transmitted or made available for automated retrieval from file systems. The
For this purpose, the authority must, as far as possible, approve the data quality accordingly before transmission
check. Personal data held ready for automated retrieval are accordingly
to be kept complete and up-to-date at all times.
(7) Whenever personal data is transmitted, the data used to assess the
Up-to-dateness, correctness, completeness and reliability of the personal data by the
Enclose the recipient with the required information.
(8) If it is established ex officio or as a result of a notification from a person concerned that
personal data have been transmitted that do not meet the requirements of Paragraph 6,
the transmitting or file system managing agency and authority informs the receiving agency of this
or authority immediately. The latter immediately deleted the unlawfully transmitted
Data, the correction of incorrect data, the addition of incomplete data or a restriction
the processing.
(9) Does the receiving department or authority have reason to believe that the
personal data is incorrect or not up-to-date or has to be deleted or is being processed
should be restricted, it shall inform the transmitting service or authority immediately
about this. The latter immediately takes the necessary measures.
Lawfulness of processing
§ 38. The processing of personal data is, as far as it is not for the preservation of vital
Interests of a person is required only lawfully insofar as they are legally or directly
applicable legal provisions, which have the rank of statute within the country, provided for and for
the fulfillment of a task is necessary and proportionate to the responsibility of the competent authority
the purposes mentioned in Section 36 (1) are fulfilled.
Processing of special categories of personal data
Section 39. The processing of personal data from which the racial or ethnic origin,
political
Opinions,
religious
or
ideological
Beliefs
Union membership, as well as the processing of genetic data, biometric
Data for the unique identification of a natural person, health data or data on the
Sex life or the sexual orientation of a natural person for those named in Section 36 (1)
Purposes is only permitted if the processing is absolutely necessary and effective measures
are taken to protect the rights and freedoms of the data subjects and

or

the

1. the processing according to § 38 is permissible or
2. It relates to data that the data subject has obviously made public himself.
Processing for other purposes and transmission
§ 40. (1) Processing of personal data in accordance with the provisions of this
Mainly by the same person or someone else responsible for someone else
Processing purpose other than that for which it was collected is only permitted if this other purpose
is covered by the scope of Section 36 (1) and meets the requirements of Sections 38 and 39
are.
(2) The transmission of processed according to the provisions of this chapter
Personal data for a purpose not mentioned in Section 36 (1) is only permitted if this
by law or in directly applicable legislation that ranks nationally as a

www.ris.bka.gv.at

Page 21
BGBl. I - Issued on July 31, 2017 - No. 120

21 of 31

Law, is expressly provided and the recipient to process this
personal data is authorized for this other purpose.
(3) If the processing of personal data is subject to special conditions, the
The responsible authority transmitting the information to the recipient of the personal data
that these conditions apply and must be observed. The transmission to recipients in others
Member States or bodies and other bodies set up under Title V, Chapters 4 and 5 TFEU
may not be subject to any conditions that are not also applicable to corresponding data transfers in
Apply domestically.
Automated decision-making in individual cases
§ 41. (1) Decisions based exclusively on automatic processing
including profiling, which have adverse legal consequences for the data subject or which are significant
are only permissible to the extent that they are legally or directly applicable
Legislation that has the status of statute within the country is expressly provided for.
(2) Decisions according to Paragraph 1 may only be based on special categories of personal data
according to § 39, if and to the extent that effective measures to protect rights and freedoms and
the legitimate interests of the data subject were met.
(3) Decisions according to Paragraph 1, which have the consequence that natural persons on the basis of
personal data from which the racial or ethnic origin, political opinions,
religious or ideological beliefs or trade union membership,
genetic data, biometric data for unique identification, health data or data
Being discriminated against in terms of sex life or sexual orientation is prohibited.

2nd section
Rights of the data subject
Principles
§ 42. (1) The person responsible has all information and notifications according to the data subject
Sections 43 to 45, which relate to the processing, in the most precise, understandable and easy way possible
in an accessible form in clear and simple language. The information is in
appropriate form, in the case of an application, if possible in the same form as the application
to transfer.
(2) The person responsible has to give the data subjects the exercise of their duties in accordance with Sections 43 to 45
to facilitate the rights to which they are entitled.
(3) The person responsible shall immediately notify the data subject in writing
set how your application was dealt with.
(4) The person responsible provides the data subject with information about the data based on an application
Measures taken pursuant to Sections 44 to 45 immediately, but in any case within one month
available after receipt of the application. This period can be extended by a further two months,
if this is necessary taking into account the complexity and the number of applications. The
The person responsible will inform the data subject within one month of receipt of the application
an extension of the deadline, along with the reasons for the delay. If the person concerned provides the
If the application is made electronically, it must be informed electronically if possible, provided that it does not do anything
indicates otherwise.
(5) If the person responsible does not act at the request of the person concerned, he shall inform
the data subject without delay, but at the latest within one month after receipt of the
Request about the reasons for this and about the possibility of complaining to a supervisory authority
to appeal or to appeal to a court.
(6) Information according to § 43 as well as all notifications and measures according to §§ 44 and 45
are made available free of charge. In the case of manifestly unfounded or - especially in
Case of frequent repetition - excessive requests from a data subject can
Responsible either
1. Demand a reasonable fee that includes the administrative costs for the instruction or
the notification or the implementation of the requested measure are taken into account, or
2. refuse to act on the request.
The person responsible has evidence of the manifestly unfounded or excessive character of the
To provide the application.

www.ris.bka.gv.at

Page 22
BGBl. I - Issued on July 31, 2017 - No. 120

22 of 31

(7) The person responsible can confirm the identity of the person who submitted an application in accordance with
Sections 44 or 45, require additional information.
(8) In the cases of Sections 43 (4), 44 (3) and 45 (4), the person concerned is entitled to a
Review of the legality of the related restriction of their rights by the
To request the data protection authority. The person responsible has the data subject to this right
teaching.
(9) If the right mentioned in paragraph 8 is exercised, the data protection authority has the data subject
to at least inform that any necessary tests or a review by the
Data protection authority have taken place. The data protection authority also has the data subject over their rights
to inform the Federal Administrative Court to lodge a complaint.
Informing the data subject
Section 43. (1) The person responsible has at least the following information for the data subject
To make available:
1. the name and contact details of the person responsible,
2. if applicable, the contact details of the data protection officer,
3. the purposes for which the personal data are processed,
4. the existence of a right of appeal to the supervisory authority and their contact details,
5. the existence of a right to information and correction or deletion of personal data
Data and restriction of the processing of the personal data of the data subject
by the person responsible.
(2) In addition to the information specified in Paragraph 1, the person responsible for the data subject
Person in special cases to provide the following additional information in order to exercise the
To enable the data subject's rights:
1. the legal basis of the processing,
2. the duration for which the personal data will be stored or, if this is not the case
it is possible to set the criteria for determining this duration,
3. If applicable, the categories of recipients of the personal data, including the
Recipients in third countries or in international organizations,
4. If necessary, further information, in particular if the personal data
collected without the knowledge of the data subject.
(3) In the event that personal data are collected from the data subject, the
the data subject receives the information in accordance with the requirements of Paragraphs 1 and 2 at the time of collection
are present. In all other cases, Art. 14 Para. 3 GDPR applies. The information according to
Paragraphs 1 and 2 can be omitted if the data is not provided by questioning the person concerned, but by
Transmission of data from other areas of responsibility of the same person responsible or from
Applications of other responsible parties are determined and data processing is provided for by law.
(4) Informing the data subject in accordance with Paragraph 2 can be postponed to the extent and for as long as
restricted or omitted, as this is absolutely necessary and proportionate in individual cases
is
1. To ensure that the prevention, detection, investigation or prosecution of
Criminal offenses or the execution of sentences are not impaired, in particular by the
Obstruction of official or judicial investigations, investigations or proceedings,
2. to protect public safety,
3. to protect national security,
4. to protect the constitutional institutions of the Republic of Austria,
5. to protect the military's own safety or
6. to protect the rights and freedoms of others.
Right of the data subject to be informed
Section 44. (1) Every person concerned has the right to obtain confirmation from the person responsible
Obtain whether personal data concerning you are being processed; if this is the case, it has
Right to receive information about personal data and the following information:
1. the purposes of the processing and their legal basis,
2. the categories of personal data that are processed,

www.ris.bka.gv.at

Page 23
BGBl. I - Issued on July 31, 2017 - No. 120

23 of 31

3. the recipients or categories of recipients to whom the personal
Data have been disclosed, in particular to recipients in third countries or to
international organizations,
4. if possible, the planned duration for which the personal data will be stored or,
if this is not possible, the criteria for determining this duration,
5. the existence of a right to correction or deletion of personal data or
Restriction of the processing of personal data of the data subject by the
Responsible person,
6. the right to lodge a complaint with the data protection authority and their contact details and
7. Communication on the personal data that are the subject of the processing, as well as all
available information about the origin of the data.
(2) The periods in accordance with Art. 12 GDPR apply to the information in accordance with Paragraph 1. Limitations of the
The right to information is only permitted under the conditions set out in Section 43 (4).
(3) In the event that the information pursuant to Paragraph 2 is not provided, the person responsible has the data subject
Person immediately in writing of the refusal or restriction of the information and the
Reasons to inform. This does not apply if the provision of this information is one of the reasons listed in § 43
Paragraph 4 would run counter to the purposes mentioned. The person responsible has the data subject via the
Possibility to inform, to lodge a complaint with the data protection authority.
(4) The person responsible has the reasons for the decision not to provide the information
to be documented in accordance with Paragraph 2. This information must be made available to the data protection authority.
(5) To the extent that data processing is carried out for a data subject with regard to their
processed data can be viewed by law, this has the right to information in accordance with the stipulations
the provisions providing for the right of inspection. For the inspection procedure (including
their refusal), the more detailed regulations of the law, which provides for the right of inspection, apply. In
Paragraph 1 of a piece of information that is not covered by the right of inspection can nevertheless
be asserted according to this federal law.
Right to correct or delete personal data and to restrict the
processing
§ 45. (1) Every data subject has the right to request the controller to rectify the data without delay
incorrect personal data concerning them as well as the completion of incomplete
to request personal data. The correction or completion can
if necessary, by means of a supplementary declaration, provided that a subsequent change is included
is incompatible with the purpose of the documentation. The proof of the correctness of the data is incumbent on
Responsible parties, insofar as the personal data is not based solely on information provided by
data subject have been identified.
(2) The person responsible has personal data of his own or at the request of those concerned
Delete person immediately if
1. the personal data for the purposes for which they were collected or otherwise
have been processed, are no longer necessary,
2. the personal data has been processed unlawfully or

3. the deletion of personal data to fulfill a legal obligation
is required.
(3) Instead of deleting the personal data, the person responsible can process them
restrict if
1. the data subject disputes the correctness of the personal data and the correctness
or inaccuracy cannot be determined, or
2. the personal data for evidential purposes in the context of the perception of a him
legally assigned task must be kept.
In the case of a restriction according to item 1, the person responsible has the data subject in front of a
To notify the lifting of the restriction.
(4) The person responsible must inform the data subject in writing of a refusal by
Correction or deletion of personal data or restriction of processing and
to provide information on the reasons for the refusal. The person responsible has the data subject
to inform about the possibility to lodge a complaint with the data protection authority.

www.ris.bka.gv.at

Page 24
BGBl. I - Issued on July 31, 2017 - No. 120

24 of 31

(5) The person responsible has the correction of incorrect personal data of the
to notify the competent authority from which the incorrect personal data originate.
(6) In cases of correction, deletion or restriction of processing according to Paragraphs 1 to 3
the person responsible must inform all recipients of the personal data concerned.
The recipients are obliged to provide the personal data for which they are responsible
to correct, delete or restrict their processing immediately.
(7) Art. 12 GDPR applies accordingly.

3rd section
Controller and processor
Responsible Person's Responsibilities
§ 46. The person responsible has the requirements set out in Art. 24 Paragraphs 1 and 2 as well as Art. 25 Paragraphs 1 and 2 GDPR
cited obligations in relation to the compliance of the processing with the provisions
to adhere to this main part.
Jointly responsible
Section 47. Two or more controllers who share the purposes and means of processing
are jointly responsible. They have theirs in an agreement in a transparent form
to determine the respective tasks according to this federal law, in particular what the performance of the
Concerns the rights of the data subject and who fulfills which information obligations pursuant to Section 43,
if and insofar as the respective tasks of the person responsible are not legally stipulated. In the
Agreement, a contact point for the persons concerned must be specified.
Processors and supervision of processing
§ 48. (1) If processing is carried out on behalf of a person responsible, the person responsible only cooperates
Processors who offer sufficient guarantees that suitable technical and
organizational measures are carried out so that the processing is in accordance with the
Requirements of this federal law takes place and the protection of the rights of the data subject
guaranteed.
(2) The processor does not take any further processor without prior separate one
written approval from the person responsible.
(3) The processing by a processor takes place on the basis of a contract or
of another legal instrument under Union law or on the basis of express legal
Authorization that binds the processor with regard to the controller and in
the subject and duration of the processing, the type and purpose of the processing, the type of
personal data, the categories of data subjects and the obligations and rights of the
Responsible persons are determined. This contract or this other legal instrument provides in particular
before that the processor
1. the personal data only on the documented instruction of the person responsible - also in
Regarding the transfer of personal data to a third country or an international one
Organization - processed unless it is subject to Union law or laws to which the
Processor is subject to, is obliged to do so; in such a case the
Processors provide the controller with these legal requirements prior to processing
with, provided that the law in question does not require such a notification because of an important
prohibits public interest;
2. ensures that the persons authorized to process the personal data are available
have committed to confidentiality or an appropriate statutory
Are subject to confidentiality;
3. takes all measures required in accordance with Section 54;
4. the conditions specified in paragraphs 2 and 4 for the use of the services of a
other processor complies;
5. In view of the type of processing, provide the person responsible with appropriate data if possible
technical and organizational measures are supported in fulfilling his duty
Answering requests to exercise the rights mentioned in this chapter
to comply with the data subject;

www.ris.bka.gv.at

Page 25
BGBl. I - Issued on July 31, 2017 - No. 120

25 of 31

6. Taking into account the type of processing and what is available to him
Provide information to those responsible for compliance with the provisions set out in Sections 52 to 56
Duties supported;
7. after completion of the processing services, all personal data after
Choice of the person responsible either deletes or returns, unless under Union law
or an obligation to store personal data due to laws
consists;
8. all information necessary to prove compliance with the in
Paragraphs 1 to 6 provides and reviews - including
Inspections - carried out by the person in charge or another inspector appointed by them
carried out, enables and contributes to it.
With regard to item 8, the processor informs the person responsible immediately if he is the
Considers that an instruction is against this main part or against others
Data protection regulations of the Union or legal data protection regulations violates.
(4) If the processor uses the services of another processor to complete
to carry out certain processing activities on behalf of the person responsible, this
further processors by way of a contract or another legal instrument according to the
Union law or by law imposes the same data protection obligations as in the contract
or other legal instrument between the controller and the processor in accordance with
Paragraph 3 are specified, whereby in particular sufficient guarantees must be given that
the appropriate technical and organizational measures are carried out in such a way that the
Processing is carried out according to the requirements of this main part. The next one comes
If the processor does not comply with its data protection obligations, the first processor is liable
to the person responsible for compliance with the obligations of that other processor.
(5) The contract or other legal instrument within the meaning of Paragraphs 3 and 4 is in writing
to be drafted, which can also be done in an electronic format.
(6) The processor and each person responsible or the processor
Subordinate person who has access to personal data may only access this data
Process instructions from the person responsible, unless they are based on Union law or on the basis of
Laws are obliged to process.
(7) A processor who, in violation of this main part, uses the purposes and means of
Processing is deemed to be the controller in relation to this processing.
Directory of processing activities
Section 49. (1) Each person responsible has, in accordance with Art. 30 Para. 1 to 4 GDPR, a
To keep a list of processing activities, whereby the references in Art. 30 Para. 1 lit. g and
Para. 2 lit.c GDPR refer to Section 54 and the reference to a representative of the person responsible
or the processor is irrelevant.
(2) The list according to Paragraph 1 must also contain information about
1. the use of profiling, when such use is made, and
2. the legal basis of the processing, including the transfers for which the
personal data are intended.
Logging
Section 50. (1) Each processing operation is to be recorded in a suitable manner in such a way that the
The admissibility of the processing can be traced and checked.
(2) In automated processing systems, all processing operations are automated
Log form. At least the purpose, the processed data,
the date and time of processing, identification of the person who received the personal
Has processed data, as well as the identity of any recipient of such personal data
emerge.
(3) In non-automated processing systems there are at least queries and disclosures
including transmissions, changes and deletions to be recorded. For this
Log data applies to Paragraph 2, second sentence.
(4) The logs may only be used to check the legality of the data processing
including self-monitoring, ensuring the integrity and security of the
personal data as well as in judicial criminal proceedings.

www.ris.bka.gv.at

Page 26
BGBl. I - Issued on July 31, 2017 - No. 120

26 of 31

(5) The controller and the processor have the data protection authority on their
Request to make the minutes available.
Cooperation with the data protection authority
§ 51. The person responsible and the processor are obliged to contact the
To cooperate with the data protection authority in the performance of its tasks.
Data protection impact assessment
§ 52. The person responsible has to protect the rights and legitimate interests of the
Data processing affected persons and other data subjects a data protection impact assessment
according to Art. 35 Para. 1, 2, 3, 7 and 11 GDPR, whereby the proof according to Art. 35
Paragraph 7 lit.d GDPR relates to compliance with the requirements of this main section.
Prior consultation with the data protection authority
§ 53. In accordance with Art. 36 GDPR, the person responsible has prior to processing
to consult the data protection authority of personal data in new file systems to be created,
whereby the references in Art. 36 Paragraph 1 and Paragraph 3 lit. e GDPR refer to Section 52 and the reference to the
Provisions regarding the powers of the data protection authority in Art. 36 Paragraph 2 GDPR on Section 33
and take the measures listed in Art. 36 (2) GDPR within six weeks
the possibility of an extension for a further month are to be met.
Data security measures
Section 54. (1) The person responsible and the processor, taking into account the status
the technology, implementation costs and the nature, scope, circumstances and purposes of the
Processing as well as the different probability of occurrence and severity of the risk for the
Rights and freedoms of natural persons, taking into account the different categories
according to § 37, to take suitable technical and organizational measures to avoid the risk
to ensure an appropriate level of protection, in particular with regard to the processing of special
Categories of personal data according to § 39.
(2) The controller and the processor have with regard to the automated
Processing after a risk assessment to take measures to achieve the following purposes:
1. Denial of access to processing equipment with which the processing is carried out
will, for unauthorized persons (access control);
2. Prevention of unauthorized reading, copying, modification or removal of data carriers
(Disk control);
3. Prevention of the unauthorized entry of personal data as well as unauthorized
Acknowledgment, modification and deletion of stored personal data
(Memory control);
4. Prevention of the use of automated processing systems with the help of facilities
for data transmission by unauthorized persons (user control);
5. Ensure that the use of an automated processing system
Authorized persons exclusively to those subject to their access authorization
have access to personal data (access control);
6. Ensuring that it can be checked and determined at which points
personal data transmitted with the help of devices for data transmission or for
Have been or can be made available (transmission control);
7. Guarantee that it can be subsequently checked and determined which
personal data at what time and by whom in automated processing systems
have been entered (input control);
8. Prevention of the transmission of personal data and the transport of
Data carriers the data can be read, copied, changed or deleted without authorization
(Transport control);
9. Guarantee that the systems used can be restored in the event of a fault
(Restoration);
10. Ensuring that all functions of the system are available, occurring
Malfunctions are reported (reliability) and stored personal data
cannot be damaged by system malfunctions (data integrity).

www.ris.bka.gv.at

Page 27
BGBl. I - Issued on July 31, 2017 - No. 120

27 of 31

Reporting violations to the data protection authority
§ 55. (1) The person responsible has breaches of protection in accordance with Art. 33 GDPR
to report personal data to the data protection authority.
(2) Insofar as personal data are affected by the breach of protection, which is affected by the
or have been transmitted to the person responsible in another member state of the European Union,
the information referred to in Art. 33 Para. 3 GDPR is the person responsible in that Member State
to be transmitted to the European Union immediately.
Notifying the data subject of injuries
Section 56. (1) In accordance with Art. 34 GDPR, the person responsible has the
To notify breaches of the protection of your personal data. For notification
Section 42 (4) applies.
(2) The notification according to Paragraph 1 can be given under the conditions set out in Section 43 Paragraph 4
postponed, restricted or omitted.
Appointment, position and tasks of the data protection officer
Section 57. (1) In accordance with Art. 37 Para. 5 and 7 GDPR, each person responsible has a
Appoint data protection officer. Courts are in the context of their judicial activity of the
The obligation to appoint a data protection officer is excluded. § 5 applies with regard to the
Provisions of this main part accordingly.
(2) Art. 38 GDPR applies to the appointment of the data protection officer.
(3) The data protection officer is responsible for the tasks specified in Art. 39 GDPR in relation to
compliance with the provisions of this Chapter.
(4) The person responsible must publish the contact details of the data protection officer and
to notify the data protection authority.

4th section
Transfer of personal data to third countries or international
Organizations
General principles for the transfer of personal data
§ 58. (1) A transmission of personal data that is already being processed or after
their transmission to a third country or an international organization are to be processed by
competent authorities are only permitted if the provisions of this main part are complied with
and
1. the transmission is necessary for the purposes stated in Section 36 (1),
2. the personal data to a person responsible in a third country or a
international organization that has one responsible for the purposes specified in Section 36 (1)
Authority is to be transmitted,
3. in cases in which personal data is transferred from another EU member state
or made available if that Member State has previously authorized the transfer,
4. The European Commission passed an adequacy decision in accordance with Section 59 Paragraphs 1 and 2
has or, if there is no such resolution, suitable guarantees within the meaning of Section 59 Paragraph 3 bis
5 have been provided or exist or, if there is no adequacy decision pursuant to Section 59 (1)
and 2 is available and there are no suitable guarantees within the meaning of Section 59 Paragraphs 3 to 5,
Exceptions for certain cases according to § 59 Paragraph 6 and 7 are applicable and
5. It is ensured that a transfer to another third country or another
international organization only with the prior approval of the competent authority
Authority that made the original transfer and due
Consideration of all relevant factors, including the seriousness of the crime, of the
For the purpose of the initial transfer of personal data and the level of protection for
personal data in the third country or international organization to which
personal data are passed on is permissible.
(2) Transmission without prior approval in accordance with Paragraph 1 No. 3 is only permitted if the
Transmission is required to pose an imminent and serious threat to public safety
of a Member State or a third country or for the essential interests of a Member State

www.ris.bka.gv.at

Page 28
BGBl. I - Issued on July 31, 2017 - No. 120

28 of 31

and the prior approval cannot be obtained in time. The for the
The competent authority is to be informed immediately if the prior approval is granted.
(3) Requests a competent authority in another EU member state for approval to
Transmission of personal data that was originally transmitted from within Germany to a
Third country or an international organization according to para. 1 no.3, this is to be granted
Approval of the competent authority that originally provided the personal data
has transmitted, unless otherwise stipulated by law.
Data transfer to third countries or international organizations
§ 59. (1) The transfer of personal data to a third country or an international one
Organization is permitted if the European Commission pursuant to Art. 36 Para. 3 of
Directive (EU) 2016/680 decided by means of an implementing act that the relevant
Third country, area or one or more specific sectors in that third country or the relevant one
international organization offers an adequate level of protection. Such a data transfer is necessary
no special permit. The licensing requirement according to Section 58 (1) no.3 remains
untouched.
(2) Transfers of personal data to a third country, to an area or to or
several specific sectors in a third country or to an international organization according to the
Paragraphs 3 to 8 are adopted by a resolution pursuant to Art. 36 Paragraph 5 of Directive (EU) 2016/680
the European Commission to revoke, amend or suspend a decision
Article 36 (3) of Directive (EU) 2016/680 remains unaffected.
(3) If there is no resolution pursuant to Paragraph 1, personal data is to be transmitted to a
Third country or an international organization permitted if
1. Appropriate safeguards for the protection of individuals in a legally binding instrument
Data are provided or
2. The person responsible on the basis of an assessment of the transfer of personal data
Data relevant circumstances has come to the conclusion that appropriate safeguards for
Protection of personal data exist.
(4) If there are suitable guarantees in accordance with Paragraph 3 No. 2 for categories of transmissions, the
To inform the data protection authority about these categories.
(5) Transmissions in accordance with Paragraph 3 Z 2 must be documented and the documentation included
Date and time of transmission, information about the receiving competent authority,
Justification of the transfer and transferred personal data to the data protection authority
Requirement to provide.
(6) If there is neither an adequacy decision pursuant to Paragraphs 1 to 2 nor a suitable one
There are guarantees in accordance with Paragraphs 3 to 5, a transfer is required in accordance with Paragraph 5
Personal data to a third country or to an international organization is only permitted if the
Submission is required
1. to protect a person's vital interests,
2. if this is provided by law to safeguard the legitimate interests of the data subject,
3. to avert an immediate and serious danger to the public safety of a
Member state of the EU or a third country,
4. in individual cases for the purposes stated in Section 36 (1), or
5. in individual cases for the establishment, exercise or defense of legal claims in
In connection with the purposes mentioned in Section 36 (1).
(7) In the cases of para. 6 nos. 4 and 5, transmission is only permitted if none is public
Interest in the transmission of predominant fundamental rights and freedoms of the data subject
oppose the transmission. "

www.ris.bka.gv.at

Page 29
BGBl. I - Issued on July 31, 2017 - No. 120

29 of 31

7. After § 61 the following 4th and 5th main chapters are added:

"4. Main piece
Special criminal provisions
Administrative penal provision
§ 62. (1) If the act does not realize an offense according to Art. 83 GDPR or according to others
Is threatened with more severe penalties, commits an administrative offense that
Whoever is punished with a fine of up to 50,000 euros
1. intentionally gaining unlawful access to data processing or a
intentionally maintains recognizable unlawful access,
2. Data transmitted intentionally in violation of data secrecy (§ 6), in particular data,
which were entrusted to him in accordance with §§ 7 or 8, willfully for other inadmissible purposes
processed,
3. Deliberately procuring personal data in accordance with § 10 under false pretenses
procures,
4. Image processing contrary to the provisions of Section 3 of Main Part 1
operates or
5. refused to inspect in accordance with Section 22 (2).
(2) The attempt is punishable.
(3) Legal persons can be fined for administrative offenses according to Paragraphs 1 and 2
be imposed in accordance with Section 30.
(4) The penalty of expiry of data carriers and programs as well as image transmission and
Image recording devices can be pronounced (§§ 10, 17 and 18 VStG) if this
Objects are related to an administrative offense according to Paragraph 1.
(5) The data protection authority is responsible for decisions according to Paragraphs 1 to 4.
Data processing with the intention of profit or loss
§ 63. Anyone who intends to unlawfully enrich himself or a third party, or with
the intention to thereby damage another person's claim guaranteed by Section 1 (1),
personal data that is provided to him solely on the basis of his professional activity
entrusted or become accessible or which he has illegally obtained himself, uses,
makes it available to another person or publishes it, although the data subject has entered this data
has a legitimate interest in secrecy is if the act is not subject to another provision
A more severe sentence is threatened by the court with imprisonment for up to one year or with a fine of up to
To punish 720 daily rates.

5th main piece
Final provisions
Implementation and implementation of EU legal acts
Section 64. (1) This federal law is used to implement Regulation (EU) 2016/679 for protection
of natural persons in the processing of personal data, for the free flow of data and for
Repeal of Directive 95/46 / EC (General Data Protection Regulation), OJ No. L 119 of 4.5.2016 p. 1.
(2) This federal law also serves to implement Directive (EU) 2016/680 for protection
of natural persons in the processing of personal data by the competent authorities for
Purposes of preventing, investigating, detecting or prosecuting criminal offenses or the
Enforcement of sentences as well as the free movement of data and the repeal of the framework decision
2008/977 / JHA of the Council, OJ No. L 119, 4.5.2016 p. 89.
Linguistic equality
Section 65. To the extent that designations referring to natural persons in this Federal Act are only used in
male form, they refer to women and men in the same way. In the
The application of the terms to certain natural persons is gender-specific
Shape to use.

www.ris.bka.gv.at

Page 30
BGBl. I - Issued on July 31, 2017 - No. 120

30 of 31

Issuing ordinances
Section 66. Ordinances on the basis of this Federal Act in its current version may already
be issued from the day of the announcement of the legal provisions to be implemented
follows; however, they may not come into force before the statutory provisions to be implemented.
References
Section 67. To the extent that this federal act refers to provisions of other federal acts,
these are to be applied in their currently valid version.
Completion
Section 68. With the implementation of this Federal Act, insofar as it is not incumbent on the Federal Government,
entrusts the Federal Chancellor and the other Federal Ministers within their sphere of activity.
Transitional provisions
Section 69. (1) The period of office of
Head of the data protection authority will continue until it expires. This also applies to his
Deputy.
(2) The data processing register kept by the data protection authority is from
Data Protection Authority to continue until December 31, 2019 for archival purposes. There are no
Entries and changes in content are made in the data processing register.
Registrations in the data processing register become irrelevant. Anyone can enter the register
Take a look. In the registration act including any contained therein
Notices of approval are to be granted inspection if the inspection applicant can credibly demonstrate that he
is a data subject, and unless there are overriding legitimate confidentiality interests of
Oppose responsible persons (client) or other persons.
(3) According to §§ 17 and 18 Paragraph 2 DSG 2000 at the time this comes into force
Registration procedures pending under federal law are deemed to have been discontinued. At the time of entry into force
Proceedings pending under this Federal Act pursuant to Sections 13, 46 and 47 DSG 2000 must be continued,
if approval is required under this federal law or the GDPR. Otherwise
they are deemed to have been discontinued.
(4) At the time this federal law comes into force at the data protection authority or at
Proceedings pending in the ordinary courts of the Data Protection Act 2000 are according to the
To continue provisions of this federal law and the GDPR, with the proviso that the
The jurisdiction of the ordinary courts remains intact.
(5) Violations of the Data Protection Act 2000 at the time this came into force
Federal law has not yet been made pending, according to the legal situation after this has come into force
To judge federal law.
(6) The entries of the persons concerned according to § 24 are from the federal administrative charges
freed.
(7) The sending offices have a number of
Members and substitute members of the Data Protection Council to the Federal Chancellery within two
Weeks from May 25, 2018 to be announced in writing. The inaugural session of the
Data protection advice must be given within six weeks from May 25, 2018. Until the election of the
The previous chairman remains the new chairman and the two deputy chairmen
as well as the two previous deputy chairmen in their function.
(8) Special provisions on the processing of personal data in others
Federal or state laws remain unaffected.
(9) Before the entry into force of this federal law according to §§ 13, 46 and 47 DSG 2000 legally issued
Approvals from the data protection authority remain unaffected. Issued under the Data Protection Act 2000
Consents remain in place, provided they comply with the requirements of the GDPR.
Come into effect
§ 70. (1) The title, the table of contents, the 1st main part, the designation and heading of the
2nd main piece, the 1st, 2nd, 3rd and 4th section, the heading and designation of the 5th section, § 35
Paragraph 1, the name and heading of the 3rd main part, the 1st, 2nd and 3rd section, the heading
and designation of the 4th section, §§ 58 and 59 including headings as well as the 4th and 5th main chapters
in the version of the Federal Law Gazette I No. 120/2017 come into force on May 25, 2018. In Art. 2
the 1st, 2nd, 3rd, 4th, 5 and 6th section, the designation and the heading of the 7th section, the

www.ris.bka.gv.at

Page 31
BGBl. I - Issued on July 31, 2017 - No. 120

31 of 31

Heading to § 35, §§ 36 to 44 including headings, the 8th, 9th, 9a. and 10th section that
Name and heading of Section 11, Sections 53 to 59 including the headings, Section 61, Paragraph 1
to 3 and 5 to 10 as well as §§ 62 to 64 including headings in the version before the amendment in Federal Law Gazette I
No. 120/2017 expires on May 24, 2018.
(2) The Standard and Model Ordinance 2004 - StMV 2004, Federal Law Gazette II No. 312/2004, the
Data Processing Register Ordinance 2012 - DVRV 2012, Federal Law Gazette II No. 257/2012, and the
Data Protection Appropriateness Ordinance - DSAV, Federal Law Gazette II No. 521/1999, come into effect at the end of May 24th
Out of force in 2018. "
Van der Bellen
core

www.ris.bka.gv.at

Page 32

Signatory

serialNumber = 1026761, CN = Federal Chancellery, C = AT

Date Time

2017-11-28T11: 18: 17 + 01: 00

Test information

Information on checking the electronic seal or the electronic
You can find the signature at: https://www.signaturpruefung.gv.at
Information on checking the printout can be found at:
https://www.bka.gv.at/verification

Note

This document was officially signed.

