Austrian data protection authority cuts operations amid budget constraints

The Austrian Data Protection Authority (DSB) has implemented significant operational restrictions that began in July 2025, according to its newsletter published in 2025. The measures stem from budget constraints that prevented the authority from maintaining current staffing levels despite facing an expanding workload.

Budget figures reveal the financial pressures confronting the authority. According to the DSB newsletter, the organization received 5.7 million euros in 2024. The 2025 budget allocates 6.1 million euros, with 2026 funding set at 5.9 million euros. While the core staff of 51 full-time equivalents remains unchanged, rising operational costs effectively reduce the authority's real purchasing power, particularly affecting material expenses.

The budget constraints forced the authority to eliminate most of its administrative internship positions starting in July 2025. The DSB employed approximately 20 administrative interns on full-time and part-time basis. These positions are classified as material expenses under Austrian administrative law and must be terminated after 12-month periods. The loss of these positions created a personnel reduction despite unchanged permanent staffing numbers.

This staffing reduction came as the authority faces expanding responsibilities. New obligations include information freedom legislation, artificial intelligence oversight, political advertising targeting regulations, and platform work directive implementation. The workload increase conflicts directly with reduced capacity.

The authority implemented a contingency planning approach to address these limitations. Priority has shifted toward complaint processing, where legal obligations require response to individual grievances. "Delays in processing are inevitable," the DSB stated in its newsletter.

Investigative procedures now face significant restrictions. Ex officio investigations will only commence when submissions present "sufficiently concrete suspicion of serious GDPR or DSG violations." The authority prioritizes vulnerable groups including children and employees. The DSB increasingly uses awareness letters rather than formal investigations.

Annual focus inspections continue with modified procedures. The authority announces yearly inspection themes in January without revealing specific sectors. Actual inspection launches are announced separately, typically around May.

Data breach notifications under Article 33 GDPR receive content review, but the authority now only contacts data controllers when follow-up measures are necessary or notifications remain incomplete. The DSB previously provided more comprehensive guidance on breach responses.

Telephone accessibility has been limited. New hours restrict calls to Monday through Wednesday and Friday from 09:00 to 12:00, plus Thursday from 13:00 to 15:30. Written legal guidance requests now receive responses directing inquiries to the authority's website information rather than personalized responses.

Staff participation in external events faces restrictions, even for speaking engagements. The authority limits attendance at European Data Protection Board subcommittee meetings to topics of essential Austrian interest. Business travel has been reduced to absolutely necessary levels.

Legislative consultation responses now occur only for proposals addressing fundamental data protection questions. This reduction in policy input comes as digitalization creates increasing regulatory needs across government sectors.

These measures represent a mathematical reality, according to DSB leadership. "The number of available staff stands in direct relation to the number of tasks to be completed," stated Dr. Matthias Schmidl, head of the DSB.

The restrictions highlight Austria's enforcement challenges compared to European peers. GDPR enforcement data shows significant disparities across authorities, with only 1.3% of cases resulting in fines between 2018 and 2023.

Germany's standardization of fine procedures demonstrates alternative approaches to enforcement consistency. German authorities established unified guidelines in June 2025 to harmonize GDPR penalties across federal and state levels.

Marketing industry implications extend beyond Austrian borders. Cross-border processing mechanisms under GDPR Articles 60 and 65 rely on cooperation between national authorities. Austrian capacity limitations have delayed multinational marketing compliance reviews and created bottlenecks for companies with Austrian operations.

The DSB maintains its commitment to fundamental obligations despite operational constraints. Complaint processing remains the primary focus due to individual rights protections under European law. However, processing delays appear unavoidable given resource limitations.

Other notable developments include DSB leadership appointments to European bodies. On May 5, 2025, the European Data Protection Board elected the Austrian authority's head among five representatives to the Digital Markets Act High Level Group. This European role occurs alongside domestic capacity reductions.

The authority has published comprehensive guidance on Austria's Information Freedom Act, which took effect in September 2025. Thirteen full-day training sessions occurred across federal states and administrative academies. The DSB processed extensive stakeholder feedback during the legislation's consultation phase.

Technology compliance issues continue generating enforcement actions. The authority addressed Meta's data usage for AI training through public notifications. These technology oversight responsibilities expand as artificial intelligence regulation develops across European jurisdictions.

Recent enforcement decisions demonstrate the authority's analytical capacity. Several cases from early 2025 addressed citizen journalism privacy rights, municipal authority video surveillance, employee data transparency, and dashcam usage in private disputes. The February 24, 2025 decision marked the first interpretation of new media privilege provisions under Section 9(1a) DSG.

Court developments affect Austrian enforcement patterns. The Federal Administrative Court confirmed DSB approaches to Schengen Information System deletion rights in July 2025. The Supreme Administrative Court established precedents for excessive complaint procedures, requiring demonstrated abuse intent for case rejection under Article 57(4) GDPR.

Timeline

• 2024: DSB budget totaled 5.7 million euros
• January 2025: Budget adopted for 2025-2026 period with 6.1 million euros allocated for 2025
• February 24, 2025: DSB issued first decision interpreting new media privilege provisions under Section 9(1a) DSG
• May 5, 2025: DSB head elected to Digital Markets Act High Level Group at European Data Protection Board plenary session
• June 17-18, 2025: Sixth annual public data protection officers conference held in Innsbruck
• July 2025: Operational restrictions begin with administrative intern position eliminations
• July 22, 2025:Federal Administrative Court confirmed DSB position on Schengen Information System deletion rights
• September 2025: Information Freedom Act takes effect with comprehensive DSB guidance
• 2026: DSB budget reduces to 5.9 million euros with continued operational limitations

Summary

Who: The Austrian Data Protection Authority (DSB) led by Dr. Matthias Schmidl, affecting 9 million Austrian residents and organizations processing personal data within Austrian jurisdiction.

What: Major operational restrictions including elimination of approximately 20 administrative intern positions, reduced investigation capacity, limited legislative consultation, and restricted staff participation in external activities.

When: Restrictions begin July 2025 and continue through 2026, following budget adoption for the 2025-2026 period and implementation of the Information Freedom Act in September 2025.

Where: Austria, with implications for cross-border GDPR enforcement affecting the European Economic Area through cooperation mechanisms and multinational company compliance procedures.

Why: Budget constraints despite rising costs and expanding responsibilities including information freedom, artificial intelligence oversight, political advertising regulation, and platform work directives create mathematical impossibility between available staff and required tasks.