Data protection law

With the General Data Protection Regulation 2018 (GDPR) a new EU regulation became effective in May 2018, which is also applicable directly in the member states. The national legislator was given the possibility to nationally regulate certain areas in greater detail.

In parts this was made use of which is why the Data Protection Act 2018 (DSG 2018) became effective in May 2018 too. The substantial differences of the current legal situation especially affect the increased responsibility of the entrepreneur as the one in charge of data processing. There are no more DPR-notifications to the data protection authorities – the ball was passed to the entrepreneur. He/she is now responsible for the correctness of data processing in his/her company him/herself.

In the event of non-compliance with the regulations, sanctions up to 4% of the world-wide turnover must be expected. In order to ensure a correct implementation of the GDPR and the compliance with the regulations of the DSG 2018, it is advisable to consult an experienced lawyer. Our lawyers will gladly assist you in making your company “GDPR”-conform.

Our lawyers are happy to support you in:

  • Review of compliance with Data Protection Act
  • Review of data protection act-conform service provider contracts
  • Review of data protection act-conform information duties
  • Advice on data protection issues in the work environment

The first interview

Every situation requires an individual approach. We are happy to take the necessary time to discuss your specific situation in detail. Therefore, please make an appointment for a non-binding initial consultation. For this we allow ourselves to charge a flat fee of € 216,- gross for each hour.

By telephone: +43 1 533 70 36, Monday to Friday, 8.00 a.m. to 4.00 p.m.
By e-mail:

We will get back to you immediately.

Legal topics & focus areas

Data protection within the company

The regulations of the General Data Protection Act (DSGVO) and the Austrian Data Protection Act (DSG) in the version of the data protection amendment act 2018 are effective as from May 25th, 2018. Up to this point all data applications must be adapted to the new legal situation. What is essential is that companies make sure to implement these measures in time. Violations can result in large fines.

Elimination of the DVR notification – Keeping of registers

Due to the DSGVO (GDPR) the data processing register (DVR) must no longer be notified. If the data management is outsourced to another service provider, the new regulations state that both the person in charge as well as the processors must keep registers regarding the data processing. The extent of duty of documentation is less for the processor than for the person in charge. Data applications which have already been registered in the DVR can serve as a reference points for documentation. Registers regarding all processing activities must be kept.

Data protection

Data protection regarding the processing of person-related data should be ensured even more effectively in future thanks to specific measures. Measures of pseudonymisation and encryption of the collected data should serve this purpose. In order to ensure safety in data processing, procedures for regular review and evaluation of the effectivity of technical and organisational measures should be applied.

In order to protect person-related data, the people in charge and the processors must – amongst other things – also consider the principles of data protection by technology (privacy by design) and in the form of data protection friendly pre-settings (privacy by default). In this connection also suitable internal strategies must be determined, and the according measures must be taken.


Data protection law

According to the GDPR, notifying the data processing register (DVR) is no longer necessary. However, for the compliance with the regulation this now stipulates keeping a register regarding data processing for companies with more than 250 employees. For companies with less than 250 members, the documentation obligation only applies if

  • The data processing represents a risk for the rights and liberties of the affected people.
  • The processing does not only occur occasionally
  • The processing contains sensitive data resp. data on criminal convictions

Violations of the documentation obligations can result in penalties of up to 10 million EUR or 2% of last year´s world-wide annual turnover.

As of May 2018, the responsible person has to carry out a data protection impact assessment in advance, if a form of processing of person-related data causes an anticipated high risk for the affected person due to type, scope, circumstances and purpose of the processing. Here, an assessment of the consequences for the protection of person-related data must be carried out already in advance. This will especially be the case when new technologies in data protection are implemented. The data protection impact assessment must at least contain the following contents:

  • A systematic description of the processing procedures and their purpose including the employers´ interests
  • A purpose-related assessment of the necessity and reasonability of the processing procedures
  • An assessment of the risks and liberties of the affected people, which can result from the type of processing
  • Planned measures of risk minimisation, such as guarantees, safety precautions and procedures to protect person-related data