Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
According to the Austrian General Civil Code (ABGB), a person under the age of 18 is considered a ‘minor’, a person under the age of 14 is considered an ‘underage’, and a person under the age of 7 is considered a ‘child’ under Austrian law.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
No.
The UNCRC has not been directly incorporated into Austrian law, i.e. it is not directly applicable. Rather, it is fulfilled through a variety of national laws.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
- The Austrian Ombudsman Board (‘Volksanwaltschaft’) generally acts as an ombudsman in Austria according to the Federal Constitution and the Ombudsman Act.
- For children and minors, there is the Ombuds Office for Schools in the Ministry of Education, Science and Research.
- In Addition, there is a Federal Advocacy for Children and Youth as well as an Office of the Attorney for Children and Youth in every federal state in Austria.
- The Association for Consumer Information (‘Verein für Konsumenteninformation – VKI’) is “an independent, non-profit consumer organization for the promotion of consumer interests
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
No.
- The Austrian Ombudsman Board ‘Volksanwaltschaft’ investigates suspected abuses (e.g. human rights violations) in the public administration. Its competence extends only to investigations of complaints taken against public bodies insofar as such complaints relate to adverse treatment of a child. As such, it does not have competence as regards the investigation of such complaints against private entities.
- Pupils can turn to the Ombuds Office for Schools in Austria if they have questions or problems that cannot be resolved at school. It is therefore not responsible for enforcing the rights of children and young people on the Internet.
- The Offices of the Attorney for Children and Youth was established based on the UNCRC to specifically protect the interests of children and young people. They offer advice and support for children and young people and campaign for children's rights in general (including on the internet). This is done primarily through legislative proposals, public relations work and regular contact with politicians.
- However, the Association for Consumer Information (‘Verein für Konsumenteninformation – VKI’) conducts tests to promote the enforcement of consumer rights, consumer information cases and organizes class actions. Companies that use unlawful clauses or attract negative attention due to unfair business practices (which can also jeopardize the interests of children on the Internet) are formally warned and, if necessary, VKI also takes legal action in such cases. The VKI is legally entitled to take legal action against such activities.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
No.
There are no national-specific laws in this regard.
Please note that apart from consent to data processing other age limits apply for the valid conclusion of a contract or for the permitted use of an offered good or service.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
Section 4(4) of the Austrian Data Protection Act (DSG) states that the age of digital consent is 14 years.
The prevailing doctrine in Austria is of the opinion that for minors aged above 14, additional consent must nevertheless be obtained from the legal guardian if special categories of personal data are being processed.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
There are no national-specific-laws in this regard; see more information on the GDPR-level requirements here.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
There are no national-specific-laws in this regard; see more information on the GDPR-level requirements here.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
No.
All children (i.e. persons below the age of 18) require the consent of their legal guardians in order to exercise their rights in relation to their personal data in proceedings before the Austrian Data Protection Authority or administrative courts.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
No.
All children (i.e. persons below the age of 18) require the consent of their legal guardians in order to make complaints to the Austrian Data Protection Authority.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
a) processing specific types of children’s personal data;
If consent is relied upon for the processing of data of special categories of personal data, the consent of the minor’s legal representative must also be obtained.
b) carrying out specific processing activities involving children’s personal data; and/ or
According to the Austrian Regulation of the Data Protection Authority on processing operations for which a Data Protection Impact Assessment must be carried out (DPIA-V), a data protection impact assessment (‘DPIA’) must be carried out if personal data of minors is processed and at least one of the following conditions is also met:
- extensive processing of special categories of personal data pursuant to Article 9 GDPR or of personal data relating to criminal convictions and offences pursuant to Article 10 GDPR;
- collection of location data;
- the merging and/or comparison of data sets from two or more processing operations carried out for different purposes and/or by different controllers in the context of data processing that goes beyond the processing operations normally expected of a data subject, provided that these are carried out for purposes for which not all of the data to be processed were collected directly from the data subject.
c) using children’s personal data for specific purposes.
There are no national specific regulations in this regard. However, according to the Austrian Children's Rights Act (‘BVG Kinderrechte’), the best interests of the child are a fundamental principle of all data processing. In practice, this means that higher standards of protection apply to the processing of minors' data (e.g. profiling, dark patterns, etc.). In addition, digital service providers who rely on their legitimate interests to process certain children's data for commercial purposes must ensure that these interests do not conflict with, run counter to, or in any way adversely affect the best interests of the child.
See more information on the GDPR-level requirements here.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
No.
To date, there have been no relevant enforcement actions that have resulted in sanctions for the processing of children's personal data.
However, please note the following decisions of the Austrian Data Protection Authority (DSB) regarding the data processing of children’s personal data:
- Minors above 14 years can effectively submit declarations of consent within the meaning of the Austrian Data Protection Act and the GDPR, but in proceedings before the Austrian Data Protection Authority or the administrative courts they still require the consent of their legal guardians. The legal representative cannot effectively authorise the procedural actions of a minor complainant. Instead, each individual procedural act must be carried out on behalf of the minor complainant.
- When assessing the lawfulness of data processing on the basis of legitimate interests, the provisions of the Austrian Civil Code (ABGB) can be used, according to which minors are subject to the special protection of the law.
Are there specific rules concerning electronic direct marketing to children?
Yes.
The following e-mail marketing requirements are not specifically directed at communications made to children, but apply regardless of whether the communication is sent to an adult or a child:
- Sec 174 of the Austrian Telecommunications Act (TKG) requires upfront consent for e-mail marketing.
- In theory, Sec 174 Para 4 TKG allows for a "soft-opt-in" mechanism. Nevertheless, this is rarely used in practice and carries a high level of risk as the formal requirements are to be met cumulatively and strictly.
However, the consent to receive direct messages is not the same as consent to data processing according to Section 4(4) of the Austrian Data Protection Act (DSG). There are no explicit rules or case law regarding the age of consent for receiving direct messages. However, generally speaking, the standard rules for determining capacity to understand apply for effective consent:
- For minors who lack the capacity to understand and make decisions, only a legal representative can give legal consent. Therefore, for children under 7, the consent of their legal representative only is required.
- Minors who have the capacity to understand and to make decisions can give their consent. The capacity to understand and make decisions is presumed to exist at the age of 14 (see Section 4(4) of the DSG). However, this presumption is applied on a case-by-case basis and may be deemed to apply at a younger age in some cases.
Further, under Section 36 Austrian Federal Act on Audiovisual Media Services (Audiovisuelle Mediendienste-Gesetz – AMD-G) commercial audiovisual communication must not lead to minors' physical, mental or moral impairment. Thus, such communication must not
- contain a direct call to buy or rent a certain product or to pressure parents to purchase advertised goods;
- abuse minors' trust in their confidants; or
- showcase minors in dangerous situations without legitimate reason.
In any case, the best interests of the child must be a fundamental principle, according to the Austrian Children's Rights Act (BVG Kinderrechte).
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
Yes.
There are no national-specific laws in this regard. In any case, the best interests of the child must be a fundamental principle. according to the Austrian Children's Rights Act (BVG Kinderrechte). In practice, this means that higher standards of protection apply to the processing of minors' data (e.g. profiling, dark patterns, etc.). In addition, digital service providers who rely on their legitimate interests to process certain children's data for commercial purposes must ensure that these interests do not conflict with, run counter to, or in any way adversely affect the best interests of the child. Additionally, see more information on the EU-level requirements here.
Are there specific rules concerning online contextual advertising to children?
No.
From a data protection perspective, there are no national specific laws regarding online contextual advertising, unless it is based on the processing of personal data of minors.
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
No.
To date, there have been no relevant enforcement actions that have resulted in sanctions for the processing of children's personal data.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
Austrian law distinguishes between several levels of legal capacity:
- Children under the age of 7 are generally completely legally incapable and may not enter into any transactions apart from typical purchases for their age group (e.g. buying, sweets, cinema tickets).
- Persons between the ages of 7 and 14 have limited legal capacity and may make typical purchases for this age group without parental consent – so-called pocket money transactions (e.g. buying books or CDs) and accept gifts.
- Persons between the ages of 14 and 18 have limited legal capacity and may freely dispose of income from their own earnings (e.g. apprenticeship income) and freely dispose of items that have been given to them for their free disposal (e.g. pocket money).
- Persons aged 18 and over have full legal capacity and can conclude transactions independently.
Do consumer protection rules apply to children?
Yes.
A consumer is anyone who enters into a transaction that is not part of their business. The regulations regarding consumer protection therefore apply to children. The provisions of the Austrian Consumer Protection Act (KSchG) regulate the conclusion of contracts, warranties and combats unfair business practices.
In addition, consumers are subject to comprehensive information obligations and cancellation rights in accordance with the Austrian Federal Act on Distance and Off-Premises Contracts (Fern- und Auswärtsgeschäfte-Gesetz - FAGG).
Additionally, see more information on the EU-level requirements here.
Are there any consumer protection rules which are specific to children only?
Yes.
A direct invitation to children to buy a product or a direct invitation to children to persuade their parents or other adults to buy a product for them is not permitted in any case.
The Austrian Supreme Court assumes that all children up to the age of 14 are protected by this provision. In any case, any direct invitation formulated in the imperative (e.g. ‘Come and buy’, ‘Get your sticker book now’) is unlawful.
Advertising must also not directly encourage minors to ask their parents or third parties to buy the advertised products (goods or services) and must not exploit the special trust that minors have in parents, teachers and other trusted persons.
Note that in the case of an infringement of Article 14 of the Digital Services Act, an administrative penalty of up to 6% of the worldwide turn-over may apply (Section 5 and 6 DSA Accompanying Act).
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
The Supreme Court (4Ob110/12y) ruled on the inadmissibility of direct sales solicitations to children. It ruled that the entrepreneur should refrain from this behaviour and on the publication of the judgment. No compensation or penalty was imposed.
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
Under Austrian law, there are various laws that make access to certain goods and services subject to a certain age limit. This applies regardless of whether the products or services are offered physically or online:
- Gambling
- Computer Games and Social Media
- Adult content
- Tobacco, cigarettes, vaping and alcohol
Are there any specific requirements relating to online/ digital safety for children?
Yes.
In Austria, youth protection laws – including setting age limits and options for age verification – are enacted by the individual Federal States (Burgenland, Carinthia, Lower Austria, Upper Austria, Salzburg, Styria, Tyrol, Vorarlberg, Vienna). Thus, there are no uniform regulations:
- Computer Games and Social Media
The youth protection provisions regarding computer games are regulated in the respective youth protection laws of the federal states. The content of media or data carriers as well as objects and services that could jeopardize the physical, mental, moral, spiritual character or social development of children or young people may not be offered, shown, passed on or made accessible. The PEGI (Pan-European Game Information) labelling is used here for the age limit. The respective service provider must take suitable precautions (e.g. technical restrictions) to ensure that young people are excluded. What is meant by suitable precautions is not explicitly regulated.
- Gambling
The Federal Act of 28 November 1989 on the Regulation of Gambling (Gambling Act - GSpG) applies to the offering of online gambling.
Licensed online gambling providers are obliged to verify the identity of players, primarily for the purpose of preventing money laundering. According to the Financial Markets Anti-Money Laundering Act (FM-GwG), proof of identity is possible by means of an electronic ID card (i.e. a procedure provided for by law that ensures the presentation of an official photo ID). The GSpG also prohibits licensed providers of online games of chance from admitting players under the age of eighteen. How proof of age must be provided is not expressly regulated by law.
- Adult content
The Austrian Federal Act on Audiovisual Media Services (Audiovisuelle Mediendienste-Gesetz – AMD-G) obliges providers of audiovisual media content to ensure that minors are usually unable to follow harmful content (i.e. the unreflected depiction of sexual acts). The law explicitly refers to measures such as the installation of age verification systems or comparable measures.
- Tobacco and alcohol
The age limits and the requirements for the protection of minors are regulated in the respective youth protection laws.
Finally, note that as regards gambling, Austria is currently currently awaiting a first Supreme Court decision on whether loot boxes in online games are to be qualified as a game of chance (and thus forbidden under the age of 18).
Additionally, see more information on the EU-level requirements here.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
While there is currently no specific legislation in Austria that regulates the provision of specific age verification/ age assurance requirements. See more information on the EU-level requirements here. Separately, in Austria, youth protection laws – including setting age limits and options for age verification – are enacted by the individual Federal States (Burgenland, Carinthia, Lower Austria, Upper Austria, Salzburg, Styria, Tyrol, Vorarlberg, Vienna). Thus, there are no uniform regulations. Instead, the respective youth protection laws of the federal states provide for the type and presentation of a photo ID or another "suitable method". What is meant by “suitable means” is not specified. Upper Austria is so far the only federal state to have expressly granted the option of providing proof of age digitally.
Due to the nature of e-commerce transactions and the inability to physically present a photo ID, proof of age can be provided online in a "suitable manner". There is no relevant case law in Austria as to which type of digital age verification is sufficient. An effective control system for the proof of age must be provided to the service provider in such a way that he could reasonably expect compliance with the legal requirements. In our opinion, German case law can be used here to assess the appropriateness: Sending a copy of an ID card is not sufficient as someone else's ID could be used. Concepts that use the "Post-Ident procedure" or the "Schufa identity check" for identification were deemed sufficient. In the "Post-Ident procedure", age verification is carried out by Deutsche Post AG employees. During the "Schufa identity check" Schufa compares the address and date of birth entered during the ordering process with its databases and uses previous face-to-face identifications (e.g. when opening an account). The recent Government Program foresees use of the nation digital identification method ("ID Austria") for all persons including children starting from their birth. The ID will be used in the future including for identification in the private sector.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
No.
There are no national-specific laws in this regard. See more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any existing requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific laws in this regard; the AI Act (Regulation 2024/1689) applies in this context. See EU-level response here.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific requirements in this regard; see EU-level response here.
However, note in the presentation of Austria's Government Program: • According to the recently published government program, the Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR) shall become the single point of contact regarding AI Act compliance. This would also include children's rights. • Moreover, according to the Program, the government will invest in R&D in the area of use of AI to combat violence against women and girls.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
Note that the recent Government Program contains some indications of upcoming measures which the government plans to implement and which are relevant to children’s use of digital services:
- Ratification of the third additional protocol to the UNCRC.
- Measures are to be taken to enhance protection of (i) women and girls from online sexual harassment and (ii) children and youth from online violence.
- Measures to functionally restrict social media in a transparent manner to protect children and youth. This includes filters to prevent access to pornographic or violent content.
- Plans to lobby on an EU level for (i) youth protection in online games containing a gambling element, in particular loot boxes; (ii) labelling requirement of beauty filters; (iii) stricter requirements for online platforms.
- Amendments to the Children and Youth Employment Act to include requirements for online remuneration (e.g. influencers).
- Development of a national strategy for digital sovereignty for youth.
Additionally, see information on the upcoming EU-level requirements here.
Contributors
Nino Tlapak
Dorda
Axel Anderl
Dorda
Stefanie Dimbauer
Dorda
Miriam Mayer
Dorda
Feliz Zopf
Dorda
