Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Austria · Republik Österreich

WEB ANALYTICS · COOKIE COMPLIANCE · WESTERN EUROPE · AT

Austria — analytics & cookie compliance reference

First EU DPA to rule Google Analytics 4 unlawful (DSB D155.027, Dec 2021). Single federal regulator — strict TIA enforcement, German-language privacy notices, lower child-consent age (14).

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Austria. Sectoral rules (healthcare, banking, employment) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National add-ons

Country-specific statutes layered on the EU baseline.

DSG · Stricter
Datenschutzgesetz
Federal implementation of GDPR opening clauses + employee data + image processing + criminal-investigation derogations + child-consent age. Article 1 retains constitutional rank (Bundesverfassungsgesetz) — fundamental right to data protection independent of GDPR.
  • § 4(4) Child consent — age lowered to 14 (vs GDPR default 16)
  • § 11 Employee data — purpose limitation to employment relationship
  • § 12 Image processing (Bildverarbeitung) — CCTV / video surveillance specific regime
  • § 24 Right to lodge a complaint with the DSB — single federal authority
  • § 30 DPO appointment — follows GDPR Art 37 thresholds (no national lower bar)
DSG 2018 (BGBl. I Nr. 165/1999, recast for GDPR by BGBl. I Nr. 24/2018), latest amendment BGBl. I Nr. 2/2024
TKG § 165 · Stricter
Telekommunikationsgesetz 2021
Cookies + terminal-equipment access + electronic communications privacy. § 165(3) transposes ePrivacy Art 5(3) — prior informed consent required for any non-strictly-necessary storage or read access.
  • § 165(3) Storage/access on terminal equipment requires prior informed consent — analytics, marketing, A/B testing all in scope
  • § 165(4) Strictly-necessary exception — narrowly construed; user-requested service delivery only
  • § 107 Direct electronic marketing — prior express opt-in (double-opt-in standard) for email/SMS
BGBl. I Nr. 190/2021 (in force 1 Nov 2021) — replaces TKG 2003 § 96
ArbVG § 96
Arbeitsverfassungsgesetz
Works-council co-determination — any technical device suitable to monitor employee behaviour requires a Betriebsvereinbarung (works-council agreement). Touches most analytics, HR, and IT-monitoring tools that can observe staff.
  • § 96(1) Z 3 Mandatory co-determination — monitoring devices affecting human dignity require works-council consent
  • § 96a Personnel data systems — works-council co-determination on automated personal-data processing
BGBl. Nr. 22/1974 as amended

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
DSB · Österreichische Datenschutzbehörde
Single federal regulator — supervises all controllers and processors in Austria across public and private sectors. No state-level DPAs.

Coordination body

DSB Newsletter & Anlassberichte · Datenschutzbehörde (ongoing statements)
DSB issues Newsletter and Anlassberichte (case-driven positions). Austria participates in EDPB at EU level but has no domestic federal-state coordination body (no Bundesländer DPAs to coordinate with).
  • 2021-12-22 · Google Analytics — DSB D155.027/2021 — first EU DPA to rule Google Analytics unlawful. IP truncation + standard SCCs deemed insufficient given FISA 702 / EO 12333 access risk. Triggered the EDPB taskforce that propagated the position EU-wide in 2022.
  • 2022-04-22 · Google Analytics — implementation guidance — Follow-up DSB clarification: server-side / hashed deployments do not cure the underlying transfer defect absent Schrems II supplementary measures.
  • 2024-03 · Cookie consent + dark patterns — DSB sweep of consent banners — equal-prominence reject button required, pre-ticked boxes invalid, 'reject all' must be one click from accept.

Notable enforcement

Austria has a single federal regulator (DSB) with national jurisdiction — there are no state DPAs. DSB punches above its weight in EU jurisprudence: the December 2021 GA4 ruling (D155.027) was the first of its kind in Europe and seeded the EDPB taskforce that propagated the position to France, Italy, the Netherlands, and beyond. Headline fines are smaller than in Germany or France in absolute terms, but DSB is consistently among the most active EU DPAs per capita and willing to publish strict legal positions ahead of EDPB consensus.

  1. 2019-10 · €18.0M · Österreichische Post AG · DSB · Art 5, 6, 9 · reduced on appeal

    Sale of voter-affinity profiles (party-preference inference from address data) without legal basis. Largest Austrian GDPR fine. Reduced on appeal, but the underlying reasoning was reinstated by subsequent rulings.

GA4 status

Austria was the first EU member state to rule Google Analytics unlawful (DSB D155.027, Dec 2021). Post EU-US DPF (Jul 2023) the DSB accepts adequacy for DPF-certified US importers in principle, but the practical posture remains: opt-in consent is required under TKG § 165 regardless, and a documented Transfer Impact Assessment is expected even with DPF. Loss of DPF certification reverts the recipient to the pre-DPF strict posture established by D155.027.

DPA · Stance
DSB · Single federal regulator — first-mover on GA4 unlawfulness in 2021. Post-DPF practical posture: opt-in still required under TKG § 165, TIA documentation still expected, German-language consent layer.

Cross-border transfers + Schrems II

Austria carries the most skeptical national track record on US transfers — DSB D155.027/2021 was the first EU GA4 ruling and seeded the broader EDPB taskforce position. Post-DPF (10 Jul 2023) DSB accepts adequacy for DPF-certified US importers, but still expects controllers to document a Transfer Impact Assessment, particularly for FISA 702 / EO 12333 risk. Loss of DPF certification immediately reverts the recipient to the pre-DPF strict posture.

EU 2021/914 SCCs are the fallback when DPF certification is absent or revoked. DSB scrutinizes Module 2 onward-transfer clauses heavily and looks for documented supplementary measures (encryption, pseudonymization, contractual).

Employee data

Key thresholds

Child consent age · 14 years
Article 27 representative · Required
Marketing consent · Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 12 · 6 green · 5 yellow · 1 red
Vendor · Status · Rationale
GREEN · Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII).
GREEN · Self-hosted on your infrastructure. Full data control, configurable IP anonymisation. Meets every jurisdiction with cookieless config.
GREEN · EU-hosted with cookieless mode available. With cookies disabled, qualifies for the § 25(2) exception in Germany.
GREEN · German-hosted, cookieless, GDPR-aligned by design.
GREEN · EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required.
GREEN · Open-source, cookieless, fully self-hostable. Default-green when self-hosted.
YELLOW · Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
YELLOW · EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
YELLOW · Default config sends data to US infrastructure. Needs Consent Mode v2 + IP anonymisation + DPF active + signed DPA + reject-all banner. Server-side EU proxy moves to green.
YELLOW · EU residency available on paid plans; default cloud is US. Identifies users by default — needs config.
YELLOW · EU cloud helps, but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
RED · Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimisation.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
GREEN · Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify that your manual scripts also gate.
GREEN · Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
GREEN · Open-source, self-hosted. No managed updates — site owner maintains the vendor list.
GREEN · GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
GREEN · German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Tag managers · 1 · 0 green · 1 yellow · 0 red
Vendor · Status · Rationale
YELLOW · Container only — verdict depends on which tags fire and when. Block until consent. Server-side GTM in the EU recommended.
Session replay · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
RED · Full session capture — highest-risk category. Explicit consent + DPIA + strict retention.
RED · Session replay — high-risk processing per EDPB Guidelines 3/2019. DPIA + explicit consent required. Cannot run pre-consent.
RED · Session replay + Microsoft tracking. DPIA + explicit consent required.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
RED · Loads pre-consent if naively placed; cross-device matching is broad. Block until consent + IAB TCF string set.
RED · Schrems II concerns persist; advanced matching hashes PII but does not fix the EU→US transfer problem.
RED · PRC-parent ownership flagged by the Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
GREEN · EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
GREEN · EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
YELLOW · "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party routing.
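The recurring point in the tables above ("block until consent", "CMP must still gate browser-side pings") and in the TKG § 165(3) rule is that no non-strictly-necessary tag may touch terminal equipment before an explicit decision, and that a stale, implied or pre-ticked decision is no decision. The following consent gate is an added example written for this page, not code from the page, the DSB, or any CMP or tag-manager vendor. The category names, the tag registry, the consent-record shape and the 13-month re-prompt interval are assumptions for the example; the Consent Mode v2 key names are Google's documented parameters, but the mapping from the example's categories onto them is an assumption.

```javascript
// Consent-gated tag loading under an opt-in regime such as TKG § 165(3).
// Added example; categories, registry, record shape and MAX_AGE_MS are assumptions.

const CATEGORIES = ["necessary", "analytics", "marketing", "session_replay"];
const MAX_AGE_MS = 13 * 30 * 24 * 60 * 60 * 1000; // assumed re-prompt interval (~13 months)

// Constructed registry: each tag declares the consent category it needs.
// Only "necessary" tags may run before a decision (strictly-necessary exception).
const TAG_REGISTRY = [
  { id: "csrf-token-cookie", category: "necessary" },
  { id: "analytics-pageview", category: "analytics" },
  { id: "ad-pixel", category: "marketing" },
  { id: "session-replay", category: "session_replay" },
];

// Turn a stored consent record into the set of granted categories.
// Anything short of an explicit, current decision yields "necessary" only:
// no record, a record not produced by an explicit click, or a stale record.
function grantedCategories(record, now = Date.now()) {
  const granted = new Set(["necessary"]);
  if (!record || record.method !== "explicit") return granted;
  if (typeof record.ts !== "number" || now - record.ts > MAX_AGE_MS) return granted;
  for (const c of CATEGORIES) {
    if (c !== "necessary" && record.choices && record.choices[c] === true) granted.add(c);
  }
  return granted;
}

// Map the decision onto Consent Mode v2 signals; everything defaults to "denied".
function toConsentModeState(record, now) {
  const g = grantedCategories(record, now);
  const s = (ok) => (ok ? "granted" : "denied");
  return {
    analytics_storage: s(g.has("analytics")),
    ad_storage: s(g.has("marketing")),
    ad_user_data: s(g.has("marketing")),
    ad_personalization: s(g.has("marketing")),
  };
}

// Decide which registered tags may run; nothing is loaded here.
function allowedTags(record, now) {
  const g = grantedCategories(record, now);
  return TAG_REGISTRY.filter((t) => g.has(t.category)).map((t) => t.id);
}

// Gate a loader: fire allowed tags and report blocked ones so the decision is auditable.
function fireTags(record, load, now) {
  const allowed = new Set(allowedTags(record, now));
  const fired = [];
  const blocked = [];
  for (const t of TAG_REGISTRY) {
    if (allowed.has(t.id)) {
      load(t.id);
      fired.push(t.id);
    } else {
      blocked.push(t.id);
    }
  }
  return { fired, blocked };
}

// Structural check of a banner configuration against two defects named in the DSB sweep:
// reject-all must take no more clicks than accept-all, and no non-necessary category may
// be pre-ticked. Visual prominence cannot be checked in code and needs manual review.
function bannerIssues(cfg) {
  const issues = [];
  if (cfg.rejectAllClicks > cfg.acceptAllClicks) {
    issues.push("reject-all requires more clicks than accept-all");
  }
  for (const c of CATEGORIES) {
    if (c !== "necessary" && cfg.defaults && cfg.defaults[c] === true) {
      issues.push(`category ${c} is pre-ticked`);
    }
  }
  return issues;
}

// Constructed sample run: first visit with no decision, then an explicit analytics-only opt-in.
const loaded = [];
console.log(fireTags(null, (id) => loaded.push(id)));
const sampleRecord = { method: "explicit", ts: Date.now(), choices: { analytics: true, marketing: false } };
console.log(fireTags(sampleRecord, (id) => loaded.push(id)));
console.log(toConsentModeState(sampleRecord));
console.log(bannerIssues({ acceptAllClicks: 1, rejectAllClicks: 2, defaults: { analytics: true } }));
```

The gate treats the absence of a decision, an implied decision and an expired decision identically, which is what makes it safe to wire in front of a tag container: the default state is "necessary only", and a misconfigured or missing CMP fails closed rather than open. Server-side routing does not change this; the gate still has to run in the browser before any ping leaves the device.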


Common questions

Is Google Analytics legal in Austria in 2026?
Yes, conditionally. The DSB ruled GA unlawful in Dec 2021 (D155.027) — the first such ruling in the EU. After EU-US DPF (10 Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. In practice, GA4 still requires prior, explicit, granular opt-in consent under TKG § 165, plus a documented Transfer Impact Assessment. Loss of DPF certification reverts to the strict pre-DPF posture immediately.
Do I need a DPO in Austria?
DSG follows GDPR Art 37 thresholds — no national lower bar (unlike Germany's BDSG § 38 ≥20-employee rule). Mandatory only when (a) a public authority, (b) core activities require regular and systematic monitoring of data subjects on a large scale, or (c) core activities involve large-scale processing of special-category or criminal data. Austrian SMBs typically do not need a DPO unless they fit these triggers.
Which DPA is competent for my company?
There is only one — the Datenschutzbehörde (DSB) at federal level. Unlike Germany, Austria has no Bundesländer DPAs. The DSB supervises all public and private controllers and processors in Austria. Cross-border processors with multiple EEA establishments use the GDPR One-Stop-Shop lead-DPA mechanism — DSB serves as Austria's representative.
What's the difference between DSG and GDPR?
GDPR is the EU regulation; DSG (Datenschutzgesetz) is Austria's national implementation. Austria-specific rules: DSG § 4(4) lowers child consent age to 14 (GDPR default 16), DSG §§ 11–12 govern employee and image processing, DSG Article 1 keeps the constitutional fundamental right to data protection (Bundesverfassungsgesetz status — independent of GDPR). DSG does NOT impose a sub-GDPR DPO threshold.
What changed with the TKG 2021?
Effective 1 November 2021, TKG 2021 (BGBl. I Nr. 190/2021) replaced TKG 2003 § 96. The cookie/tracking rule moved to § 165(3): prior informed consent for any non-strictly-necessary storage or read access on terminal equipment. Substantively aligned with ePrivacy Art 5(3); DSB enforcement intensified post-2021. § 107 retains the prior-express-opt-in rule for direct electronic marketing (double-opt-in standard).
Is 'legitimate interest' a valid basis for analytics in Austria?
No, for non-essential analytics that store or read on terminal equipment. TKG § 165(3) is independent of GDPR Art 6 — it requires opt-in consent for any non-strictly-necessary cookie or device-storage technology, regardless of GDPR lawful basis. § 165 governs the cookie/tracking layer; GDPR governs subsequent processing of the resulting data.
What about the Betriebsrat (works council) and analytics tools?
ArbVG § 96(1) Z 3 (Arbeitsverfassungsgesetz) gives works councils mandatory co-determination over any 'technical device suitable to monitor' employee behaviour — covering most analytics, productivity, HR, and IT-monitoring tools. Deployment requires a Betriebsvereinbarung (works-council agreement). This is independent of GDPR consent and frequently overlooked in Austrian rollouts touching staff dashboards or internal tools.
Do I need an Austrian Article 27 representative?
Yes if you are a non-EU controller offering goods/services to or monitoring behaviour of people in Austria (or any EEA state), unless the small-business exception in Art 27(2) applies. The DSB has actively pursued non-designation cases. A representative may be appointed in any EEA state where data subjects whose data you process are located — Austria is a valid choice.
What language must my privacy notice be in?
DSB position: notices in German for Austrian-targeted sites — English-only is insufficient. The targeting test mirrors GDPR Art 3(2) — German-language website, .at domain, EUR pricing, German-language marketing, etc. all signal targeting. Austrian German is acceptable; standard German (de-DE) is also accepted.
At what age can a child consent in Austria?
14, under DSG § 4(4) — Austria lowered the GDPR default from 16. Below 14, parental authorization is required for information-society services. This is one of the lowest digital-consent ages in the EU and matters for ed-tech, gaming, and social platforms targeting Austrian minors.

// EDITORIAL · NOT LEGAL ADVICE This page summarises Austria's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.