Austria 2026, How Businesses Must Comply with the EU Data Act and the New Austrian Data Protection Act (DSG)

Austrian businesses now face a dual compliance challenge unlike anything since the GDPR took effect in 2018. The Austrian Data Protection Act (Datenschutzgesetz, or DSG), the national law that supplements and localises the GDPR, continues to impose Austria-specific obligations on controllers and processors, while the EU Data Act (Regulation (EU) 2023/2854), which became directly applicable across all Member States on 12 September 2025, has introduced an entirely new layer of data-access and data-sharing rules. For in-house counsel, DPOs and compliance officers operating in Austria, the practical question is no longer whether these rules apply but how to reconcile them in day-to-day operations.

This guide sets out the step-by-step obligations, key deadlines and an actionable checklist designed for Austrian and cross-border companies seeking data protection compliance in Austria during 2026.

Last reviewed: 12 May 2026.

Executive Summary, What Austrian Businesses Must Do Now

The following six priority actions capture the most urgent compliance tasks arising from the interplay between the DSG, GDPR and the EU Data Act. Each is expanded in detail later in this guide.

• Complete a data inventory. Map every category of personal and non-personal data your organisation holds, generates or receives, including IoT device telemetry, SaaS usage data and employee records.
• Classify your role. Determine whether you are a “data holder,” “data user” or “data recipient” under the EU Data Act, and whether you are a controller or processor under the GDPR/DSG.
• Audit and update contracts. Review vendor, customer, OEM and platform agreements for Data Act fairness requirements and GDPR-compliant data processing clauses.
• Evaluate DPO obligations. Assess whether your organisation must appoint a DPO under DSG Austria thresholds or GDPR Article 37 criteria.
• Implement Access-by-Design. Build technical interfaces (APIs, data export functions) that enable lawful data access and sharing under the Data Act without breaching GDPR or trade-secret protections.
• Prepare for enforcement. Establish incident-response and audit-readiness protocols for the Austrian Data Protection Authority (Datenschutzbehörde, DSB) and any competent authority designated to enforce the Data Act in Austria.

Quick Timeline, Key Legislative Dates and Deadlines for the Austrian Data Protection Act and EU Data Act

Understanding the regulatory calendar is essential for resource planning. The table below consolidates the dates that matter most for businesses operating under the Austrian data protection act framework in 2026.

Businesses should monitor the Austrian Federal Legal Information System (RIS) and the DSB for any further DSG amendments or implementing guidance published during 2026.

The DSG (Austrian Data Protection Act), Scope and Key National Differences vs GDPR

The DSG is Austria’s national data protection law. It supplements the GDPR by exercising the “opening clauses” that allow Member States to introduce country-specific rules. Any organisation that processes personal data of individuals in Austria, whether the organisation is established in Austria or not, must comply with both the GDPR and the DSG Austria provisions simultaneously.

Scope and Relationship with the GDPR

The DSG does not replace the GDPR; it operates alongside it. Where the GDPR permits national variation, for example, in the areas of employment data processing, public-sector obligations and certain administrative penalties, the DSG fills the gap. The Austrian Data Protection Authority (DSB) supervises compliance with both instruments. According to the Federal Ministry of Finance (BMF), all European and Austrian statutory provisions on data protection must be observed in parallel.

Notable National Provisions

Several DSG provisions create obligations that go beyond or differ from the general GDPR framework. Compliance teams must be aware of these Austria-specific rules:

• Employee data processing (§ 11 DSG). The DSG includes specific conditions for processing employee personal data, requiring a proportionality assessment and, in many cases, works-council involvement (Betriebsrat). Employers must document the legal basis for each category of employee data they handle.
• Video surveillance (§ 12 DSG). Austria imposes dedicated rules on image-processing (Bildverarbeitung). CCTV operators must demonstrate that surveillance is proportionate, mark monitored areas with clear signage, and delete footage within defined retention periods unless a longer period is justified for specific security purposes.
• Administrative fines under the DSG. In addition to GDPR fines (up to €20 million or 4 % of annual global turnover), the DSB may issue administrative fines of up to €50,000 for breaches of national DSG provisions. These national penalties apply to areas such as unlawful video surveillance, failure to cooperate with the DSB and certain registration obligations.
• Right to secrecy (§ 1 DSG). The DSG enshrines a constitutional right to data secrecy (Grundrecht auf Datenschutz), providing a level of protection rooted in Austrian constitutional law that goes beyond the GDPR’s rights catalogue.

Practical Implications for Austrian Controllers and Processors

For day-to-day data protection compliance in Austria, organisations should treat the DSG as a binding overlay. Where it imposes stricter requirements, such as the video-surveillance rules or the employment-data regime, those stricter rules prevail over more general GDPR provisions. Internal privacy policies, records of processing activities and data protection impact assessments should all reference both the GDPR articles and the corresponding DSG sections.

EU Data Act Austria, What It Requires of Businesses

The EU Data Act (Regulation (EU) 2023/2854) became directly applicable across the EU on 12 September 2025. It regulates who can access and use data generated by connected products and related services, and it introduces fairness controls for data-sharing contracts. For Austrian businesses, this creates new obligations that sit alongside, but do not replace, GDPR and DSG duties.

Who Is a Data Holder vs a Data User?

Under the Data Act, a data holder is any natural or legal person that has the right or obligation to make data available, typically the manufacturer of a connected product or the provider of a related service. A data user is the person or entity that is entitled to access and use that data. Businesses must classify their role accurately because obligations differ significantly between the two categories.

Core Obligations, Access, Fairness, Model Terms and Trade-Secret Protection

The Data Act imposes several interconnected obligations reflecting EU data sharing rules:

• Data access by design. Products must be designed and manufactured so that data generated by their use is easily accessible to the user, directly or via the data holder.
• Fair, reasonable and non-discriminatory (FRAND) terms. Data holders must make data available to data users on terms that are fair, transparent and non-discriminatory. Model contractual terms recommended by the European Commission serve as a baseline.
• Trade-secret protection. Where shared data includes trade secrets, the data holder may impose proportionate confidentiality measures but cannot use trade-secret claims as a blanket refusal to share.
• Prohibition of unfair contract terms. The Data Act lists specific contractual clauses that are deemed unfair in B2B data-sharing agreements, for example, clauses that unilaterally exclude liability for intentional or grossly negligent conduct.
• Public-sector access. In cases of exceptional need (such as public emergencies), public bodies may request data from data holders on specific terms.

Sectoral Highlights, IoT, Telecoms, Connected Vehicles and SaaS

Certain industries face heightened exposure under the EU Data Act in Austria. Manufacturers of IoT devices and connected vehicles must ensure that telemetry data is made accessible to users and, upon request, to third parties nominated by those users. Telecoms providers generating large volumes of network and usage data should review whether they qualify as data holders. SaaS and cloud providers face specific switching and portability obligations (with full applicability from September 2027) and must begin preparing interoperability roadmaps now.

GDPR vs Data Act vs DSG, Comparison and Where Conflicts Arise

One of the most common questions for Austrian compliance teams is how these three instruments interact, and which takes precedence when they overlap. The comparison below maps the key areas where obligations may differ or create tension.

Conflict resolution in practice: The Data Act explicitly states that it is without prejudice to the GDPR. Where a Data Act access request would require the disclosure of personal data, the data holder must still verify that a valid GDPR legal basis exists. Industry observers expect that Austrian businesses will need to implement a two-step verification process: first confirm Data Act entitlement, then confirm GDPR-compliant legal basis and safeguards before releasing any personal data.

Practical Compliance Roadmap for Data Protection Compliance in Austria, Step by Step

Turning legal obligations into operational reality requires a phased approach. The roadmap below is structured around 30-, 90- and 180-day milestones, enabling Austrian businesses to prioritise and resource their compliance programmes effectively.

First 30 Days, Quick Triage

1. Conduct a comprehensive data inventory. Catalogue all personal and non-personal data your organisation collects, generates, stores or shares. Include IoT telemetry, device logs, SaaS usage analytics and employee records. Map data flows between internal systems, external partners and cloud providers.
2. Classify your regulatory role. For each data category, determine whether you are a controller, processor, data holder, data user or data recipient. Document these classifications in a central register.
3. Identify high-risk contracts. Flag vendor, customer and OEM agreements that involve data sharing, device data access or cloud-service switching. Prioritise contracts expiring or renewing in the next six months.
4. Brief leadership and assign ownership. Ensure the C-suite, legal team and IT leadership understand the dual compliance landscape. Assign a project owner for Data Act readiness alongside your existing DPO or privacy lead.

Days 31–90, Contracts, Technical Controls and DPO Evaluation

1. Audit and amend contracts. Review all data-sharing agreements for compliance with the Data Act’s fairness requirements. Remove or renegotiate clauses that may now be classified as unfair. Insert model contractual terms where data-access obligations apply.
2. Evaluate technical readiness. Assess whether your products and services support data-access requirements. If APIs or data-export functions are missing, initiate development sprints with engineering teams.
3. Assess DPO obligations. Determine whether your organisation must appoint a DPO under GDPR Article 37 and the Austrian DSG. If your processing activities cross the threshold (see Section 7 below), begin recruiting or designating an internal or external DPO.
4. Update privacy notices and records of processing. Ensure that data-subject information notices reflect any new data-sharing activities triggered by Data Act obligations. Update your GDPR records of processing activities (ROPA) to include Data Act-related flows.

Days 91–180, Operationalise Access-by-Design, Logging and Training

1. Implement Access-by-Design principles. Ensure that new products and services are designed with built-in data-access mechanisms. Existing products should be retrofitted with export capabilities where feasible.
2. Establish fair-compensation models. Where the Data Act permits reasonable compensation for data access, develop transparent pricing methodologies. Document how fees are calculated to demonstrate FRAND compliance.
3. Deploy logging and audit trails. Implement technical controls that record every data-access request, response, refusal and justification. These logs will be essential for demonstrating compliance during DSB inspections or Data Act enforcement actions.
4. Train staff across all relevant functions. Run targeted training sessions for legal, commercial, product, engineering and customer-facing teams. Focus on recognising Data Act access requests, applying GDPR safeguards and escalating trade-secret conflicts.

Contractual Updates, Vendors, Customers and Device OEMs

Businesses should review and, where necessary, update three categories of agreement:

• Vendor and supplier contracts. Ensure that upstream data-processing agreements include Data Act-compliant access clauses and confirm GDPR controller-processor arrangements remain intact. Sample language: “Supplier shall make available to Customer, without undue delay and in a structured, commonly used and machine-readable format, all data generated by the use of the Product, in accordance with Regulation (EU) 2023/2854.”
• Customer and end-user agreements. Update terms of service to inform users of their right to access data generated by connected products. Sample language: “User is entitled to access data generated by their use of the Product and to request that such data be shared with a nominated third party, subject to applicable data-protection safeguards.”
• OEM and device-manufacturer agreements. Where your business embeds third-party components, ensure contractual obligations cascade to component suppliers. Sample language: “OEM shall ensure that all connected components generate data in interoperable formats and support the data-access interfaces required under Regulation (EU) 2023/2854.”

These sample clauses are illustrative starting points and should be adapted to the specific commercial context with qualified legal advice.

When to Appoint a DPO Under Austria’s DSG, Thresholds and Template Role Description

One of the most frequently asked questions from Austrian businesses concerns whether they must appoint a DPO. The answer depends on the combined criteria of the GDPR and the national Austrian data protection act provisions.

Threshold Decision Flowchart

You must appoint a DPO in Austria if any of the following conditions apply:

• Your organisation is a public authority or body (regardless of size).
• Your core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale.
• Your core activities consist of processing special categories of data (e.g., health data, biometric data) or data relating to criminal convictions on a large scale.
• Austrian sector-specific legislation (e.g., telecoms, financial services) requires a designated data-protection function.

Even where appointment is not strictly mandatory, industry observers recommend designating a DPO as best practice, particularly for organisations that are data holders under the Data Act, as the additional compliance burden makes centralised oversight highly advisable.

Template DPO Role Description and Reporting Lines

• Title: Data Protection Officer (Datenschutzbeauftragter)
• Reports to: Directly to the highest management level (Geschäftsführung / Vorstand); operates independently in DPO function
• Key responsibilities: Monitor compliance with GDPR, DSG and the EU Data Act; advise on DPIAs; serve as contact point for the DSB; manage data-subject requests; oversee training programmes; coordinate with IT on Access-by-Design controls
• Qualifications: Expert knowledge of European and Austrian data protection law; familiarity with the organisation’s IT systems and data-processing operations
• Protection: Must not be dismissed or penalised for performing DPO duties; no conflicts of interest with other roles

Cross-Border Data Transfers and Data Sharing from Austria, Legal Steps

Data transfers from Austria remain subject to GDPR Chapter V rules, even when triggered by Data Act access obligations. Businesses must not assume that a valid Data Act request automatically authorises a cross-border transfer of personal data.

Data Act-Specific Issues, B2B Access, Trade Secrets and APIs

When a data user requests access to data that may include personal data and the data user is located outside the EEA, the data holder must verify transfer legality under the GDPR before complying. Trade-secret protections under the Data Act permit the data holder to require confidentiality agreements and technical safeguards (such as restricted API access or data-room environments) as conditions of sharing.

GDPR/DSG Transfer Mechanisms Still Needed

For personal data leaving Austria, controllers and processors must rely on established GDPR mechanisms: adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) or, in narrow circumstances, Article 49 derogations. The DSG does not add transfer mechanisms beyond the GDPR framework, but the DSB has indicated that it will scrutinise transfers closely, particularly those involving supplementary measures.

Sector Notes, Telecoms, Connected Devices, Finance and Public Authorities

The combined effect of the Austrian data protection act and the EU Data Act creates sector-specific risks that warrant dedicated attention:

• Telecoms and connected devices. Operators generating network telemetry and device-usage data are likely classified as data holders. They must enable user access to this data while protecting network-security trade secrets. Early indications suggest that the telecoms regulator (RTR) may coordinate with the DSB on enforcement in this sector.
• Financial services. Banks and insurers processing sensitive customer data must reconcile Data Act access requests with banking-secrecy obligations and the Austrian Banking Act (BWG). A layered approach, verifying the requester’s identity, the scope of the request and the applicable GDPR legal basis, is essential.
• Research and public authorities. Public-sector bodies may both request data under the Data Act’s exceptional-need provisions and hold data subject to DSG rules. Research institutions processing personal data must ensure ethics-committee approvals align with both GDPR Article 89 and DSG supplementary rules on scientific research.

Enforcement, Penalties and Preparing for Audits and Complaints

The DSB handles complaints and enforcement under the GDPR and the Austrian data protection act. Individuals may file complaints directly with the DSB, which has the power to order cessation of unlawful processing, impose GDPR fines (up to €20 million or 4 % of global turnover) and levy additional DSG fines of up to €50,000 for breaches of national provisions. For Data Act enforcement, Austria is expected to designate a competent authority, businesses should monitor official publications for this designation throughout 2026.

To prepare for enforcement actions, organisations should:

• Maintain complete, up-to-date records of processing activities and Data Act access logs.
• Designate an internal point of contact for DSB inquiries and audit requests.
• Run annual mock-audit exercises covering both GDPR/DSG and Data Act scenarios.
• Develop an incident-response plan that addresses data breaches, unlawful-access complaints and trade-secret disputes simultaneously.

Templates, Checklists and Further Reading

The following resources support implementation of the obligations discussed in this guide. Businesses should adapt all templates to their specific circumstances with the assistance of qualified Austrian data protection counsel.

• Data Protection Compliance Austria Checklist. A consolidated 30/90/180-day action plan covering GDPR, DSG and Data Act obligations (available for download, contact a qualified data protection lawyer through the Global Law Experts lawyer directory).
• DPO Role Template. A sample role description, reporting-line diagram and qualification checklist aligned with GDPR Article 37–39 and DSG requirements.
• Sample Data Act Contract Clauses. Three model clauses for vendor, customer and OEM agreements (see Section 6 above for illustrative language).
• Further reading. The European Commission’s official Data Act policy page, the Austrian DSB’s page on relevant data protection laws, and the Austrian RIS legal database for the full text of the DSG and its amendments.

Conclusion, What to Do Now Under the Austrian Data Protection Act

Austrian businesses operating in 2026 face a regulatory landscape where the GDPR, the Austrian data protection act (DSG) and the EU Data Act must be managed as an integrated compliance programme. The practical effect is that siloed privacy teams can no longer operate effectively, legal, technical and commercial functions must coordinate.

Your priority checklist:

1. Complete a data inventory covering personal and non-personal data.
2. Classify your role under each regulation (controller, processor, data holder, data user).
3. Audit and update contracts for Data Act fairness and GDPR compliance.
4. Evaluate and, if necessary, appoint a DPO under DSG Austria thresholds.
5. Implement Access-by-Design technical controls.
6. Prepare for DSB and Data Act enforcement with logging, documentation and mock-audit exercises.

For tailored guidance on your specific compliance obligations, find a qualified Austrian data protection lawyer through the Global Law Experts directory.

Sources

1. European Commission, Data Act Policy Page
2. Austrian Data Protection Authority (DSB), Relevant Data Protection Laws
3. Federal Ministry of Finance (BMF), Data Protection Austria
4. RIS, Austrian Legal Information System (DSG full text)
5. Orrick, The EU Data Act is in Force: What Should Businesses Do?</li