Notification

General Information

Please note that this page is provided in English for information. The actual notification must be made in German (this is laid down in Art. 8 of the Austrian Federal Constitutional Law).

Section 17 para. 1 DSG 2000 imposes an obligation to notify the data protection authority [Datenschutzbehörde] for the purpose of registration in the data processing register [Datenverarbeitungsregister]. The duty to notify also applies to all circumstances that subsequently render an earlier notification incorrect or incomplete.

Who has to Notify?

Every controller [Auftraggeber] shall notify before commencing a data application [Datenanwendung]. The controller [Auftraggeber] is, simply put, whoever decides to process data. You can look up the definition in section 4 sub-para. 4 DSG 2000.

What is to be Notified?

All data applications [Datenanwendungen] are subject to notification, unless an exception applies (see below). A data application [Datenanwendung] encompasses all categories of data [Datenarten] (e.g. name, address, salary) processed about certain categories of data subjects [Betroffenenkreise] (e.g. employees, customers). The notification has to state the categories of recipients [Empfängerkreise] - including possible recipient states abroad - as well as the legal basis for the transmission.

How do I Notify?

There is a web application, as well as instructions on the procedure. The notification must be made in German (this is laid down in Art. 8 of the Austrian Federal Constitutional Law). You will absolutely need a German-speaking person to fill out the online forms and submit your notification.

What Exceptions Exist?

Data applications are not subject to notification if the data application contains solely published data (such as information made public by a company); or concerns the management of registers and catalogues that are by law open to access by the public; or contains only indirectly personal data (a special case where the identity of the data subject is not known to this particular controller, but the person is not really anonymous); or is carried out by natural persons for entirely personal reasons or concerns just the person's family life; or is carried out for journalistic purposes.

If a large number of data controllers [Auftraggeber] carry out the same data applications in a similar fashion which, due to the purpose of the use and the processed categories of data, is unlikely to be a risk to the data subjects' interest in secrecy, these applications can be declared Standard Applications [Standardanwendungen]. These are not subject to notification either. The current Standard Applications [Standardanwendungen] can be found in the Standard- und Muster-Verordnung 2004 (StMV 2004), Federal Law Gazette II No. 312/2004.

Certain data applications concerning state security and crime prevention are also exempt from the duty to notify. All the exceptions are regulated in section 17 para. 2 and 3 DSG 2000.

How Much Does it Cost?

Nothing. Under section 53 DSG 2000, all applications for notification and for statements of the notified entry on the register are exempt from fees.

When can I Start to Process?

Certain data applications can only be initiated after prior checking of the notification by the data protection authority [Datenschutzbehörde] has led to a positive result. The applications which require a prior checking by the authority are detailed in section 18 para. 2 and include especially applications which involve sensitive data or data concerning data subjects' creditworthiness.

All other data applications may be initiated immediately after the notification has been submitted to the Data Processing Register [Datenverarbeitungsregister].

What is a DVR Number?

Read more on our page about the DVR number.

Do I have to Appoint a Personal Data Protection Official?

No. The EC Data Protection Directive 95/46/EC presents in Art. 18 (2) several options for the member states for simplification of or exemption from notification. The personal data protection official is an option Austria did not use. Instead, we have Standard Applications [Standardanwendungen] and other simplifications and exemptions (see above).

Germany adopted the personal data protection official (Datenschutzbeauftragter in German) as the standard rule.

Do I need a Lawyer?

No. You can make your notification without a lawyer.

What can happen if I fail to notify?

Failure to notify is punishable with a fine of up to 9 445 Euro pursuant to section 52 para. 2 sub-para. 1 DSG 2000.