Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


III. Privacy topics

Internet and consumer privacy


The Trade and Commerce Act (Gewerbeordnung 1994 or GewO1) contains the prototype of direct marketing regulation in Austria. The use of sensitive data2 by direct marketing ventures and list brokers in principle depends on the data subject's consent. The data subject can demand the erasure or barring of data stored for marketing purposes free of charge. Also, persons can enrol in a so-called "Robinson-list", administered by a sub-division of the Austrian Economic Chamber (Wirtschaftskammer Österreich), which bars them from receiving advertising material and prevents their data from being used.

The Telecommunications Act3 and the E-commerce Act (E-Commerce-Gesetz or ECG4) contain rules on unsolicited commercial communications. Calls and facsimile transmissions for marketing purposes are not permitted without prior consent of the subscriber or a person authorised to use his line. The sending of electronic mail – including SMS messages – to customers for purposes of direct marketing or addressed to more than 50 recipients is in principle not permitted without the recipients' prior consent. Exceptions exist where the sender has received the contact details in the context of a sale or service to his customers, as long as they had the opportunity to object, free of charge and in an easy manner, to the use of these contact details and are not registered with a list according to section 7 ECG.

If the identity of the sender on whose behalf the communication is transmitted is disguised or concealed or if there is no valid address to which the recipient may send a request that such communications cease, the sending of electronic communications is prohibited.

Any person violating the rules outlined above commits an administrative offence punishable by a fine of up to €37,000.5 The 2007 Supervision of Securities Act (Wertpapieraufsichtsgesetz or WAG6) extends the TKG-regime to the unsolicited advertising of financial instruments and investments.


No specific information has been provided under this section.

Online behavioural marketing and search engine privacy

No specific information has been provided under this section.

Online social networks and virtual communities

No specific information has been provided under this section

Online youth safety

No specific information has been provided under this section.

Workplace privacy

In 2006 the Supreme Court issued an injunction proscribing the use of a biometric time reading system using fingerprint scanners in a hospital. The Court held that even the use of templates (and not the biometric raw data), created a connection with specific employees and fell within the ambit of human dignity. As measures touching upon human dignity can only be introduced by an employer/works council agreement. The decision virtually put an end to the use of biometric time recording systems.7

Another issue is the use of the Internet for private purposes at work. Even though employers can prohibit the private use of the Internet, introducing a permanent control system constitutes a measure interfering; upon human dignity and therefore requires an employers/works council (or contractual) agreement. Whether a total prohibition of private use would be enforceable (justifying a dismissal etc.) is more than doubtful.

A far more delicate problem concerns employers' control of the content of employees' private e-mails. In principle, under no circumstances is the employer authorised to read private communications, not even if the private use of the Internet is entirely forbidden. However, the employer has a right to exercise (a certain amount of) control over professional communications, hence private e-mails – in order not to be read – must be clearly labelled as such. With a view to the fact that evidence gathered illegally can be produced in court, even the labelling does not reliably grant privacy.8 E-mails with critical content should therefore not be sent via an employer’s server.

The 2010 amendment to the Data Protection Act (DSG) explicitly prohibits purposeful monitoring of employees by video surveillance at their workplace.9 The surveillance of objects at the workplace for reasons other than efficiency control is not covered by this prohibition.

Health and genetic privacy

Medical records

Like most other countries, Austria has laws requiring that carriers of certain dangerous infections be reported to health authorities.10 Exceptions to the general rule of medical confidentiality can be found where serious injuries have obviously been caused by criminal activity or in cases of child abuse. Another challenge results from the exchange of health data through electronic systems. The Gesundheitstelematikgesetz (GTelG11) regulates the use of telematics in the health service sector, including data security and information management. It deviates from the DSG insofar as only direct personal data fall within the scope of this law. The DSG in particular requires identity and legitimate authority of the data recipient to be sufficiently established. In contrast, the GTelG establishes minimum identity requirements as well as mechanisms trying to prevent misuse.

Since first steps to implement the Health Reform Act 2005 (Gesundheitsreformgesetz 200512) were taken in 2006, the Electronic Health File (Elektronische Gesundheitsakte or ELGA) has been a most controversial issue. Proponents describe ELGA as a key instrument in Austrian e-health ambitions that electronically administers all relevant health data while sufficiently protecting patients' rights, especially with a view to data protection.13 It enables authorised persons to access all available health data regardless of time or location of treatment. Opponents fear the abolishment of medical confidentiality and criticise the imprecise definition of health care service providers who are granted access to ELGA. Patients have no access to the health care service provider index.14 Finally, the term "health data" is defined extremely broadly, comprising personal data on the physical and psychological well-being as well as data gathered in the course of determining that status, including accounting for health services and patients' health-related habits and environmental influences.15 ELGA is about to be introduced and implemented by the "ELGA limited" (ELGA GmbH), which was founded in 2009 and took over the agenda of "Arge ELGA" as of 1 January 2010.16

Genetic identification

The Genetic Engineering Act (Gentechnikgesetz or GTG17) requires confidentiality of personal data gathered through genetic analysis and gives the person examined a right to access as well as a right to information. The use of non-anonymous data for any other than the original purpose requires the written consent of the data subject. The GTG also contains an explicit prohibition on the use of genetic data by employers and insurance companies.18 The DSG includes specific provisions on scientific research.19 Apart from that it deals with medical data in a very general way, considering it "sensitive data", consequently benefitting from a more rigid protection.

Financial privacy

The Banking Act (Bankwesengesetz or BWG20) deals with special requirements and restrictions concerning the use of client data. The central provision concerning privacy, Section 38, which has quasi-constitutional status, guarantees bank client confidentiality. Section 38 contains a set of exceptions, covering court orders in criminal proceedings or administrative proceedings for certain fiscal offences. Austria has adopted a new anti money laundering law according to the standards of the Organisation for Economic Cooperation and Development (OECD). Banks now have to establish the identity of customers wishing to open an account or of non-customers wishing to conduct financial transactions exceeding the limit of €15, 000.21 Due to critics’ claims that Austria was creating a tax haven a 2009 law loosened the requirements for interstate cooperation.22 Banking institutions are now obliged to transmit all foreseeably relevant data (via the Austrian Ministry of Finance) upon a foreign public authority's request proving at least a reasonable suspicion of tax evasion.23 Banking institutions must also comply with the DSG. They are not allowed to use personal data obtained through client accounts for other purposes. Section 18 DSG requires the prior registration of data applications whose purpose is to give information on the data subject's creditworthiness.24

As a rule, creditworthiness ratings by private agencies are data applications open to inspection by the public.25 The service provider (i.e. the controller) has a duty to inform the data subject about the purposes for which the data is collected and the name and address of the controller. However, violating the principle of fair and lawful use26, this duty is often ignored, which makes the entry unlawful27 and is in itself sufficient to have the data erased.28 Once per year a data subject has the right – free of charge – to ask for information about the processed data, its origin, recipients, transmissions, purpose, and legal basis. If law does not mandate the inclusion of data in a data application open to inspection by the public, such as a creditworthiness database, the data subject can object at any time and without any need to give reasons. As a consequence the data must be erased within eight weeks.29 According to the Supreme Court (OGH) data subjects also have the option to object partially and demand corresponding erasure.30 Erasure means the physical (not just logical) erasure. Reorganising data is not sufficient for controllers to comply with their duty.31

The Consumer Credit Act 2010 (Verbraucherkreditgesetz or VKrG32) introduces an exception to the right to objection for joint information systems of crediting institutions registered with the Data Protection Commission (DSK), such as the "Consumer Credit Evidence" or the banking institutions' "Warning List". In these cases erasure of data is subject to considerably stricter requirements.33