Twitter Logo Youtube Circle Icon LinkedIn Icon

The Legal 500 Hall of Fame Icon The Legal 500 Hall of Fame highlights individuals who have received constant praise by their clients for continued excellence. The Hall of Fame highlights, to clients, the law firm partners who are at the pinnacle of the profession. In Europe, Middle East and Africa, the criteria for entry is to have been recognised by The Legal 500 as one of the elite leading lawyers for seven consecutive years. These partners are highlighted below and throughout the editorial.
Click here for more details

Austria > Legal Developments > Law firm and leading lawyer rankings


Austrian "White List"

Exceptions from the OBLIGATION TO CARRY OUT A data protection impact assessment

Immediately on 25 May, the GDPR-day, the Austrian Data Protection Authority published its White List brining some clarity concerning the obligation to carry out a data protection impact assessment. As expected, especially standardized data processing activities and already registered processing operations that have to be approved by the authority in advance do not require an impact assessment.

 for Austria and we can only hope that it will be issued soon as well.

On 25 May, the Austrian Data Protection Authority issued a regulation containing a list of processing operations for which no data protection impact assessment is required ("White List"; full text available in German language here). This list determines processing activities that are usually not deemed of resulting in a high risk for data subjects. Therefore, records of processing activities have to be maintained and other obligations of the GDPR and the Austrian Data Protection Act must be fulfilled but no additional data protection impact assessment has to be carried out.

In summary, the White List of the Austrian Data Protection Authority is rather extensive and particularly covers standardized data processing activities. Thus, especially the following basic processing operations do not require an impact assessment:

Customer administration (CRM tools)


·HR administration

·Access control management

·CCTV (limited to own property and a maximum storage time of 72 hours)

·Scientific research and statistics

·Records management

·Event management

Overall, the catalogue of exceptions covers 22 data processing activities.

Besides these precisely defined standardized data operations, all data applications that were already approved by the Austrian Data Protection Authority before 25.5.2018 as well as the former standard applications of the Austrian Standard and Model Decree do not require an impact assessment.

The Austrian White List now also has to be submitted to the European Data Protection Board. Through that coordination mechanism, a Europe-wide standardisation of the obligation to carry out data protection impact assessments shall be obtained. Thus, the catalogue of exceptions might be changed in one way or another.

However, for the time being, Austrian companies have a certain legal security and don't have to carry out data protection impact assessments for the processing activities stated in the regulation of exceptions.


Additionally to the White List the data protection authorities shall also establish a list of data processing operations which are definitely subject to the requirement for a data protection impact assessment ("Black List"). As of now, there is no information available on when such list will follow

Interview with...

Law firm partners and practice heads explain how their firms are adapting to clients' changing needs

International Law Firm Networks

International comparative guides

Giving the in-house community greater insight to the law and regulations in different jurisdictions.

Select Practice Area

GC Powerlist -

International Law Firm Networks