GDPR: Uniform Law – Different Implementation

Since May 2018, the General Data Protection Regulation (GDPR) has applied directly across Europe – in Austria as well as in Germany. This means that the core obligations for companies are identical in both countries. Nevertheless, there are national particularities that make a significant difference in practice: Austria has made use of national opening clauses through the Data Protection Act (DSG), Germany through the Federal Data Protection Act (BDSG).

Anyone operating in both countries – or employing staff in both countries – must keep both sets of rules in mind. This article gives you a practical overview.

The 7 GDPR Principles: The Foundation for Everything

Every processing operation involving personal data must comply with the seven principles of the GDPR. These apply equally in Austria and Germany:

  • Lawfulness, fairness and transparency: Data may only be processed on a legal basis and in a comprehensible manner.
  • Purpose limitation: Data may only be used for the purpose for which it was collected.
  • Data minimisation: Only as much data may be collected as is necessary for the purpose.
  • Accuracy: Data must be kept up to date and correct.
  • Storage limitation: Data may not be stored for longer than necessary.
  • Integrity and confidentiality: Data must be protected by appropriate measures.
  • Accountability: The controller must be able to demonstrate compliance.

Legal Bases: When Am I Allowed to Process Data?

Without a legal basis, any data processing is unlawful. The GDPR recognises six possible legal bases (Art. 6 GDPR). In practice, three are particularly relevant for companies:

1. Consent (Art. 6(1)(a) GDPR)

The data subject gives their consent freely, in an informed manner and unambiguously. In the employment relationship, consent must be viewed critically – due to the power imbalance between employer and employee, voluntary consent is often called into question. Strict standards apply in both Austria and Germany.

2. Performance of a contract (Art. 6(1)(b) GDPR)

Processing is necessary for the performance of a contract – for example, processing bank details for payroll or address data for delivery.

3. Legitimate interests (Art. 6(1)(f) GDPR)

The controller has a legitimate interest that overrides the interests of the data subject. This balancing exercise must always be documented on a case-by-case basis and is particularly relevant in the context of employee monitoring (GPS, email monitoring, video surveillance).

Employee Data Protection: Special Obligations in the Employment Relationship

The processing of employee data is one of the most sensitive areas of the GDPR – and at the same time one in which violations are especially frequent. What employers must bear in mind:

Austria: § 11 DSG

The Austrian Data Protection Act contains a specific provision in § 11 for the processing of employee data. Under this provision, processing is permissible if it is necessary for the fulfilment of the employment contract, is based on a works agreement, or if interests worthy of protection do not prevail. Works agreements under the ArbVG can serve as a legal basis for data processing – an important instrument that does not exist in this form in Germany.

Germany: §§ 26, 87 BDSG / BetrVG

In Germany, § 26 BDSG governs the processing of employee data. Particularly noteworthy: data may only be processed for the purpose of detecting criminal offences if there are actual indications and proportionality is maintained. Under § 87 BetrVG, the works council has extensive co-determination rights regarding technical monitoring equipment – including time-tracking systems, GPS tracking and video cameras.

GPS Tracking of Employees: What Is Permitted?

GPS tracking in field operations, on company vehicles or for delivery services is widespread – but is only legally permissible under strict conditions. The following principles apply in Austria and Germany:

  • GPS tracking exclusively during working hours – not during leisure time
  • Transparent information for employees about the type, scope and purpose
  • Proportionality: The purpose must justify the tracking (e.g. route planning, proof of deployment times)
  • In Austria: works agreement required (§ 96(1)(3) ArbVG)
  • In Germany: works council approval under § 87(1)(6) BetrVG
  • Continuous monitoring without specific cause is impermissible in both countries

Practical tip: Document the purpose of GPS tracking in writing, specify who has access to the location data and define deletion periods. A missing works agreement can render the entire system unlawful – even if the technology is already in use.

Video Surveillance in the Workplace

Cameras on business premises are only permitted under strict conditions. In both countries, the following applies: open video surveillance (i.e. cameras visible to employees) for legitimate purposes such as protection against break-ins or cash register monitoring can be permissible – covert surveillance is fundamentally prohibited.

In Austria, the DSG in conjunction with the ArbVG governs the video surveillance of employees. A works agreement is mandatory if the surveillance affects human dignity (§ 96(1)(3) ArbVG). In Germany, the works council must be involved under § 87(1)(6) BetrVG. Without its consent, the recorded data may under certain circumstances be inadmissible as evidence in proceedings.

GDPR in the Home Office: Data Protection Does Not End at the Office Door

Those who work from home often process data just as sensitive as in the office – but without the physical security infrastructure of the company. Employers remain responsible for the home workplace as well. The most important measures:

  • VPN requirement for access to company systems
  • Only company-issued or MDM-secured devices for processing business data
  • Screen locks and secure passwords mandatory
  • No private cloud services (Google Drive, Dropbox, etc.) for work documents
  • Store physical documents securely – no third-party access to sensitive materials
  • Issue a data protection policy for the home office in writing and have it confirmed by the employee

The Records of Processing Activities: Mandatory for Every Business

Every company with more than 250 employees is required under Art. 30 GDPR to maintain a record of all processing activities. Smaller businesses are only exempt if their processing activities pose no risk to data subjects and do not take place on a regular basis – in practice, this exemption hardly applies to any business.

The record must contain for each processing activity: the purpose, categories of data subjects and data, recipients, third-country transfers, deletion periods as well as technical and organisational measures (TOMs).

Data Protection Officer: When Is One Mandatory?

In Germany, a Data Protection Officer (DPO) is mandatory when at least 20 persons are permanently engaged in the automated processing of personal data (§ 38 BDSG). In Austria, the DSG does not recognise a comparable national threshold – the GDPR obligation (Art. 37) applies in cases of large-scale processing of sensitive data or systematic monitoring. In practice, the supervisory authorities of both countries recommend that small and medium-sized businesses voluntarily appoint a DPO.

Fines: What Penalties Are at Stake for Violations?

The GDPR provides for substantial penalties. Depending on the severity of the violation, fines of up to €10 million or 2% of global annual turnover (for less serious violations) or up to €20 million or 4% of turnover (for serious violations such as unlawful data processing or infringement of data subjects' rights) may be imposed.

The competent supervisory authorities are the Data Protection Authority (DSB) in Austria and the respective state data protection authorities in Germany (e.g. BayLDA, LfDI Baden-Württemberg, DSK at federal level). Both authorities have significantly intensified their supervisory activities in recent years.

Conclusion: Data Protection Is Not a Project – It Is an Ongoing Operation

GDPR compliance is not a one-off task that can simply be ticked off. Data processing activities change, new tools are added, employees come and go, home office arrangements expand. Those who understand data protection as an ongoing process – with a well-maintained record of processing activities, regular training and clear policies – protect not only their customers and employees, but also the company itself from costly consequences.

Invest in data protection before an incident occurs. The cost of a sound GDPR structure is a fraction of what a single violation can cost.