GDPR compliance, data protection, cybersecurity, IT contracts and technology law.
GDPR applies to any organisation that processes personal data of EU residents, regardless of where the organisation is based. A data protection lawyer can advise on compliance.
Fines can reach €20 million or 4% of global annual turnover (whichever is higher). A data protection lawyer can help implement compliant processes to minimise risk.
Austria implements the EU General Data Protection Regulation (DSGVO/GDPR, Regulation 2016/679) through the Datenschutzgesetz 2018 (DSG 2018). The supervisory authority is the Datenschutzbehörde (DSB), an independent authority with investigation, enforcement, and fining powers. Austria has a comparatively high rate of GDPR complaints per capita in the EU.
| Obligation | Deadline/Threshold | Legal Basis |
|---|---|---|
| Data breach notification to DSB | 72 hours of becoming aware | DSGVO Art. 33 |
| Notification to affected data subjects | Without undue delay (if high risk) | DSGVO Art. 34 |
| Data Protection Officer (Datenschutzbeauftragter) mandatory | Public authorities; large-scale special category processing; large-scale monitoring | DSGVO Art. 37 |
| Data Protection Impact Assessment (DSFA) | Prior to high-risk processing | DSGVO Art. 35 |
| Records of processing (Verarbeitungsverzeichnis) | Ongoing (min 250 employees or high-risk processing) | DSGVO Art. 30 |

| Case | Fine | Year | Violation |
|---|---|---|---|
| Austrian Post AG | EUR 18,000,000 (reduced on appeal to EUR 9.5M) | 2019 | Unlawful processing of political affinity data of ~2.2 million Austrians; sold to advertisers without consent (DSGVO Art. 6, Art. 9) |
| Austrian Post (Google Analytics) | EUR 10,000 | 2022 | First EU ruling that Google Analytics transfers to the US violated DSGVO Art. 44; landmark Schrems II application, DSB ruling widely cited across the EU |
| Austrian bank (unnamed) | EUR 5,000 | 2023 | Failure to respond to a data subject access request (DSGVO Art. 15) within 1 month |
| Austrian municipality CCTV | EUR 4,800 | 2023 | Excessive CCTV coverage capturing a public street without an adequate legal basis |
Key national rules:

- Employee monitoring requires a Betriebsvereinbarung (works agreement) or individual consent for covert monitoring; DSG 12 prohibits performance-related covert monitoring.
- Video surveillance in workplaces is covered by DSG 12 and ArbVG 96 Abs 1 Z 3 (mandatory works council approval).
- Age of consent for online services: 14 years (DSG 4, lower than the DSGVO default of 16).
An Austrian online retailer with 180,000 customers implemented a pre-ticked cookie consent banner using a dark pattern. The DSB received 14 complaints. The investigation found that consent was not freely given (DSGVO Art. 7), that consent records were inadequate, and that analytics data had been transferred to a US provider without valid SCCs post-Schrems II. The DSB issued a Bescheid ordering remediation within 30 days and imposed a EUR 45,000 fine calculated as 2% of Austrian-market revenue. The company switched to a compliant CMP (Consent Management Platform) and signed updated SCCs within the deadline.