Data Protection
The protection of personal data is a high priority for the Federal Ministry of Finance (BMF) and all departments of the Ministry of Finance responsible for data protection. We take care to process personal data in accordance with all applicable European and Austrian statutory provisions and take our responsibility very seriously.
We want you to know for what purposes and on what legal basis we collect personal data and how we process this data. We would also like to inform you about your rights in data protection matters and tell you who you can contact in this regard.
As changes to the privacy policy may become necessary over time, we recommend that you read it again from time to time.
Table of contents
- Download the Data Protection Statement General information on data protection in Austria
- General information on data protection in Austria
- What is regulated by the General Data Protection Regulation?
- What does the Austrian Data Protection Act regulate?
- What are personal data?
- What does the term “processing” mean?
- What does the term “controller” mean?
- What does the term “processor” mean?
- Where can you find further information on data protection?
- Processing of personal data in the finance department
- For what purposes and on what legal bases does processing of personal data take place?
- Exercise of duties in the public interest
- Legal obligation
- Contract fulfilment
- Consent
- Who is responsible for the processing?
- Who are your contact persons?
- Who is the Data Protection Officer in the finance department?
- What personal data are being processed?
- Where do the personal data come from?
- To whom are personal data disclosed?
- How long are personal data going to be stored?
- Is there any automated decision-making, e.g. profiling?
- Which security standards is the data processing subject to?
- Data Protection Rights
- How can you submit your application?
- How long does it take to process your application?
- How will your application be answered?
- Who is responsible for the processing?
Download the Data Protection Statement
Download the Data Protection Statement (PDF, 175 KB) in PDF format, as of 1 February 2021
General information on data protection in Austria
Data protection is a fundamental right enshrined in the Charter of Fundamental Rights of the European Union and in § 1 of the DSG (Austrian Data Protection Act). From 25 May 2018 on, the General Data Protection Regulation (GDPR) is in force in the European Union. At the same time, the new Austrian Data Protection Act (Datenschutzgesetz, DSG) enters into force in Austria.
What is regulated by the General Data Protection Regulation
The GDPR is a regulation of the European Union and applies directly in every member state, including Austria. The GDPR contains regulations on the processing of personal data, such as the principles for processing, the rights of the data subject and the obligations of controllers and processors.
What does the Austrian Data Protection Act regulate?
The DSG is an Austrian law and contains provisions supplementing the GDPR as well as regulations implementing Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, as well as for the purposes of national security, intelligence and military self-defence.
What are personal data?
Personal data is any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified directly or indirectly, e.g. by reference to a name or an identification number (e.g. tax number, social security number and account number).
This can be found in Article 4(1) GDPR.
What does the term “processing” mean?
The term "processing" means any operation carried out with or without the aid of automated procedures in connection with personal data. This includes, for example, the collection, recording, organisation, structuring, storage, modification or alteration, retrieval, consultation, use, disclosure by transmission, circulation or provision in any other way, alignment or combination, restriction, erasure or destruction of personal data.
This can be found in Article 4(2) GDPR.
What does the term “controller” mean?
The term "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
This can be found in Article 4(7) GDPR.
What does the term “processor” mean?
The term "processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
This can be found in Article 4(8) GDPR
Where can you find further information on data protection?
The entire text of the GDPR can be found on EUR-Lex at eur-lex.europa.eu. The entire text of the DSG and the entire text of the Austrian Fiscal Penal Code as most recently amended can be found in the federal legal information system at www.ris.bka.gv.at. Further information on data protection can also be found on the website of the data protection authority at www.dsb.gv.at.
Processing of personal data in the finance department
The fulfilment of the tasks of the organisational units of the Finance Department is based on legal foundations, i.e. on national laws and ordinances as well as on directly applicable provisions of the European Union. Our fundamental task is to safeguard the financial interests of the Republic of Austria and the European Union and thus, in particular, to collect the taxes and contributions regulated by federal law and to grant family allowances and other benefits.
The Federal Fiscal Court is responsible for deciding on appeals pursuant to Art. 130 para. 1 clauses 1 to 3 of the Federal Constitutional Law, in particular in legal matters relating to public charges insofar as these are handled by tax offices, customs offices, the Federal Ministry of Finance and the Municipality of the City of Vienna.
Please note that the purposes, legal bases and processing modalities listed below are a general list. For individual and detailed information about your personal data, you have the right to information. You can find out who you can contact about this in the Data protection rights section.
For what purposes and on what legal bases does processing of personal data take place?
We process personal data within the scope and for the purpose of fulfilling our legal duties.
With regard to the processing of personal data, this includes in particular:
- the Federal Tax and Customs Administration
in particular the collection of income tax, corporate income tax, value added tax, property tax, real estate transfer tax, foundation entrance tax, capital gains tax, employer contributions (Section 41 et seq. Family Burden Compensation Act 1967), standard consumption tax, chamber levy (§§ 122 and 126 Economic Chamber Act 1998), stamp duties and legal fees, capital transfer tax, insurance tax, fire insurance tax, casino levy, licence fee, gambling levy, air transport tax, import and export duties, excise duty and the inherited burdens contribution, the payment of family allowances (Sections 11 ff of the Family Burdens Equalisation Act 1967), combating fraud, supervision, for statistical purposes or risk management. - the fiscal penalty authorities
for the purpose of preventing, investigating, detecting or prosecuting financial offences and enforcing fiscal penalties under the Austrian Fiscal Penal Code - the Federal Fiscal Court
in particular appeal proceedings in relation to tax offices, customs offices, the Federal Ministry of Finance and the Municipality of the City of Vienna in tax matters - the budget management of the federal government
the fulfilment of federal budget management tasks in accordance with Sections 2 and 3 of the Federal Budget Act 2013 - the transparency database
in particular the processing of data on benefits received, which are communicated by the providing bodies or in respect of which it is possible to query them - communication and IT coordination
in particular operational implementation of employee communication, organisation and support of events, development and provision of communication media, editing, media support and citizen service, organisation of IT infrastructure and IT procedures as well as office and registry automation, organisation of data protection and information security
Performance of tasks in the public interest
Performance of tasks in the public interest
Where we perform our statutory tasks and the processing of personal data is necessary for the fulfilment of these tasks, this is done on the basis of the performance of tasks in the public interest or the exercise of official authority within the meaning of Article 6(1)(e) GDPR and Section 38 DSG.
Legal obligation
Where we are subject to legal obligations to process personal data, such as statutory documentation and retention obligations, this is done on the basis of the fulfilment of a legal provision within the meaning of Article 6(1)(c) GDPR.
The legal basis and legal framework are derived from numerous laws and ordinances, such as the Federal Constitution Act, the Federal Ministries Act 1986, the Austrian Federal Tax Code, the Austrian Fiscal Penal Code, the Code of Criminal Procedure, the Customs Law Implementation Act, the Tax Administration Organisation Act 2010, the Ordinance of the Federal Minister of Finance on the Implementation of the Tax Administration Organisation Act 2010, the Federal Fiscal Court Act, the Austrian Accounts Register and Accounts Inspection Act, the EU Administrative Assistance Act, the Common Reporting Standard Act, the Transfer Pricing Documentation Act, the Family Burden Compensation Act 1967, the Civil Servants Service Act 1979, the Contractual Employees Act 1948, the Federal Budget Act 2013, the Federal Budget Act 2013, the Gambling Act, the Transparency Database Act 2012, the General Data Protection Regulation, the Data Protection Act, the Information Security Act, the FinanzOnline Ordinance 2006, the Cash Register Security Ordinance, the e-Invoicing Ordinance, the COVID-19 Funding Audit Act and the COFAG Reorganisation and Settlement Act.
Contract fulfilment
Where processing of personal data is necessary for the conclusion of contracts, e.g. in the case of contracts with suppliers and service providers or in the case of funding contracts with contractual partners, this is done on the basis of contract fulfilment or the implementation of pre-contractual measures within the meaning of Article 6(1)(b) GDPR.
Consent
In addition, in certain cases we process personal data on the basis of the consent of the data subject within the meaning of Article 6(1)(a) GDPR, e.g. when ordering publications and forms or when registering for newsletters and events. The scope and content of the processing always result from the respective consent. In these cases, there is no obligation to provide personal data, and you naturally have the right to withdraw your consent at any time. However, the revocation does not affect the legality of the processing carried out until the revocation. In addition, we will not be able to process your request if you withdraw your consent.
Who is responsible for the processing?
F
The subject-matter and locally competent tax or fiscal penalty authorities are responsible for the processing of personal data for the purpose of the Tax and Customs Administration and for the purpose of preventing, investigating, detecting or prosecuting financial offences and enforcing financial penalties. These are
- the Tax Authority Austria,
- the Customs Authority Austria,
- the Tax Authority for Large Entities,
- the Anti-Fraud Office,
- the Service for Payroll levies and contributions and
- the Central Services.
The Federal Ministry of Finance is responsible for managing the affairs of the supreme federal administration in accordance with the Federal Ministries Act 1986.
The Federal Ministry of Finance and the Lawyer and legal advisor of the Republic of Austria jointly process personal data of clients, opposing parties, legal representatives and other parties to proceedings or persons to whom the mandate of the Lawyer and legal advisor of the Republic of Austria's Office relates in connection with the mandates accepted by the Lawyer and legal advisor of the Republic of Austria's Office. The Federal Fiscal Court is responsible for the processing of personal data in fulfilment of the tasks assigned to it, which are primarily complaints procedures concerning tax and customs offices.
The Federal Ministry of Finance is jointly responsible with the Federal Chancellery for the processing of personal data in the state aid procedure.
The budgetary bodies pursuant to Section 6 of the Federal Budget Act 2013 and the Austrian Federal Financing Agency in cooperation with the Federal Ministry of Finance, Department II/11 are responsible for the processing of personal data for the purpose of federal budget management:
- Federal Chancellery
- Federal Ministry for Art, Culture, Public Service and Sport
- Federal Ministry of Education, Science and Research
- Federal Ministry for European and International Affairs
- Federal Ministry of Labour and Economic Affairs
- Federal Ministry of Finance
- Federal Ministry of the Interior
- Federal Ministry of Defense
- Federal Ministry of Justice
- Federal Ministry for Climate Protection, Environment, Energy, Mobility, Innovation and Technology
- Federal Ministry of Agriculture, Forestry, Regions and Water Management
- Federal Ministry of Social Affairs, Health, Care and Consumer Protection
The Federal Ministry of Finance is responsible for the processing of personal data for the purpose of communication and IT coordination.
Who are your contact persons?
Questions and concerns in data protection matters can be addressed to the heads of the respectively competent body responsible for the processing of your personal data, or to the Data Protection Officer of the Ministry of Finance, to the extent that the judicial activities of the Federal Fiscal Court are not affected.
The contact details of the Federal Ministry of Finance can be found at https://www.bmf.gv.at/ in the “Contact” section. The contact details of the tax offices and customs offices are likewise to be found at http://www.bmf.gv.at/ in the province-specific overviews under the heading “Offices and Authorities” (in German). The contact details of the Federal Fiscal Court can be found at www.bfg.gv.at in the “Contact” section. For the contact details of other jointly responsible bodies, please refer to the respective linked websites.
Who is the Data Protection Officer in the finance department?
The Data Protection Officer of the Federal Ministry of Finance acts as Data Protection Officer for the entire Finance Department and is available to answer your questions on data protection matters.
Contact details:
Dr Stefan Lang
Johannesgasse 5, 1010 Vienna
E-mail: datenschutz@bmf.gv.at
Web: www.bmf.gv.at
What personal data are being processed?
In the area of the Tax and Customs Administration, we process the following personal data in particular:
- Personal identification and contact information
e.g. name, title, address, date and place of birth, main and secondary residence, country of residence, nationality, residence permit, area-specific personal identification number, VAT identification number, social security number, tax account number, company register number, trade information system number, criminal record number, proof of identity - Personal contact information of tax representatives
e.g. name or designation and company, title, professional address, telephone and fax number and other information required for addressing and representation. - Information required for the tax or financial criminal proceedings
e.g. gender, marital status, date of death, name and title of spouse, occupation or gainful employment, legal form, bank details, offsetting notes, remarks, decisions, tax types and accounts, payment amounts, tax assessment bases, operating expenses, income-related expenses, insolvencies, blocks, list of authorised representatives, attachments, competent office, history and changes of all account or custody account holders and their authorised representatives, trustees or beneficial owners, type of account/deposit, data on the opening and closing of the account/deposit, classification terms of the credit institution for accounts and custody accounts
In the area of the Federal Fiscal Court, we process the data provided by the Tax and Customs Administration, the Municipality of the City of Vienna or the Federal Ministry of Finance on the occasion of a complaint submission as well as other information required for the complaint procedure.
We collect special categories of personal data, also referred to as sensitive data, if this is necessary for the procedure and the legal basis for this exists. For example, we need information on religious denomination in order to take church tax payments into account.
In the area of the budget management, we process the following personal data in particular:
- Personal identification and contact information
e.g. name, address, telephone and fax number, area-specific personal identifier, business partner number, tax number and tax office, VAT identification number, tax account number, company register number. - Personal contact information of legal representatives and contact persons
e.g. name or designation and company, title, professional address, telephone and fax number and other information required for addressing and representation.
- Information required for the contractual relationship
e.g. billing address, delivery address, business premises, data on goods and services that are the subject of a transaction, reason for payment, payment blocks, bank details, logistics information, statistical data such as industry and region, technical organisational assignments, individual payment amounts including components, surcharges or deductions, balances, correspondence languages, other agreements and keys for data exchange, due date or default data, conditions, dunning and complaint data, reason for payment and settlement
In the area of communication and IT coordination, we process the following personal data in particular:
- Information from submitters of applications, requests, notifications, complaints and other communications that are submitted within the scope of the Federal Ministry of Finance and require processing
e.g. name, title, telephone and fax number, authorised representative and address for service, case number, subject matter, enclosures (e.g. scanned documents, certificates), process (file history), notes and memos, comments on inspection, text of processing - Information for client, user and authorisation management
e.g. name, address and contact data, such as telephone numbers, fax numbers, employer's address, location, assigned devices, logbook entries for company vehicles, assigned procedures, various user IDs, configuration number, access rights and restrictions, log and documentation data. - Information for network management
e.g. information on the system user, identifier, configuration number, assigned IP address, assigned certificate for authentication, log and documentation data. - Information for access management
e.g. name, personnel number, access rights, log and documentation data
Where do the personal data come from?
Most of the personal data we process are collected directly from the data subject concerned, e.g. through tax and customs procedures or through business relationships. In addition, we collect personal data from third parties, especially if this is legally required.
These include in particular:
- Central population register, central civil status register, trade register, register of companies, cadastral register, building association, system of budget accounting, Federation of Austrian Social Insurance Providers and social insurance providers, chambers, data union of the universities, economic databases, insurance supervision, European Commission, Austrian agrarian market, Austria statistics, tax representatives
Furthermore, we receive tax-relevant information from other authorities or through inter-governmental information exchange, in particular in the context of mutual assistance requests and automatic exchange of information. In the Transparency Database, we store data on benefits received, which are communicated by the providing bodies or with regard to which there is the possibility of querying. We also process publicly available information, such as online and offline media, public registers or public announcements.
To whom are personal data disclosed?
As a matter of principle, we are only forward personal data if forwarding of certain data is provided for by law, e.g. within the scope of legal information obligations, in compliance with the respective legal requirements or if you have consented to forwarding of data.
The data will be forwarded in particular to:
- intended recipients in the context of tax, customs and monopoly proceedings as well as financial criminal proceedings,
e.g. federal tax authorities, fiscal penalty authorities, Federal Fiscal Court, public prosecutors' offices and criminal courts, Constitutional Court, Supreme Administrative Court, European Court of Justice, security authorities, district administrative authorities, foreign tax and criminal prosecution authorities (EU, OECD and USA), Europol, Eurojust, European Commission, customs administrations of the member states, central excise liaison offices or liaison offices of the member states, tax representatives, trade authorities, municipalities, labour market service, Main Association of Austrian Social Security Institutions, regional health insurance funds, labour inspectorate, state archives, insurance supervisory authority, Statistics Austria, master data register authority - intended recipients in the context of federal budget management,
such as banks for the processing of payment transactions, recipients of statutory reports, budget management bodies, auditing bodies (Court of Audit, Federal Accounting Agency), BAWAG P.S.K., Austrian National Bank, tax offices in the context of the urgent notification procedure, courts, Lawyer and legal advisor of the Republic of Austria and other legal representatives, federal funding agencies, social insurance institutions, master number register authority - authorised entities within the scope of the transparency database,
such as federal and state funding agencies - designated processors,
such as the Bundesrechenzentrum GmbH (Austrian Federal Computing Centre) and the Federal Accounting Office
How long are personal data going to be stored?
We generally store personal data for as long as is necessary to fulfil the respective processing purposes. The criteria for this are the statutory retention obligations and limitation periods.
The deadlines for storage or deletion are given in the relevant legal provisions, e.g. the Austrian Federal Tax Code, the Austrian Fiscal Penal Code and the Federal Budget Act.
Is there any automated decision-making, e.g. profiling?
As a matter of principle, we take legally binding decisions on the basis of automated processing of personal data only if this is legally required, such as in the case of automated employee tax assessment pursuant to § 41 of the Austrian Income Tax Act of 1988.
What security standards is data processing subject to?
We process personal data with the utmost care and have taken extensive technical and organisational security measures to ensure that the applicable data protection regulations are observed and complied with by all responsible parties as well as by the processors commissioned by us.
This applies in particular to the protection of personal data against unauthorised or unlawful processing, accidental or unlawful destruction, loss or alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed. The security measures correspond to the current state of the art and include the use of modern security technologies and encryption procedures, physical access controls and precautions to defend against attacks.
Data protection and information security were already a high priority for us before 25 May 2018. For this reason, we implemented an information security management system (ISMS) back in 2008, which is certified in accordance with the international security standard ISO 27001 and is reviewed annually. This made us the first federal ministry in Europe to achieve such certification. Since December 2020, we have also been the first organisation in Austria to have our data protection management system (DMS) certified in accordance with the international data protection standard ISO 27701. Among other things, the ISMS and the DSMS ensure that existing risks are systematically identified, assessed and dealt with by means of suitable measures. It also ensures that the effectiveness of the measures is regularly reviewed, assessed and evaluated.
Data Protection Rights
The GDPR and the DPA also regulate the data protection rights of data subjects, i.e. those whose personal data is processed. The data subject's legal claim is directed against the controller, i.e. the organisation responsible for data processing.
What data protection rights do you have?
Under the GDPR and the DPA, you have various rights, in particular:
- the right to withdraw your consent to the processing of your personal data at any time if the processing by us is based on your consent.
- the right to information as to whether personal data concerning you is being processed by us and what the content of this data is, as well as the right to rectification or completion and to deletion of your personal data, to restriction of processing, to objection to processing and to data portability, provided that the legal requirements for this are met.
The respective legal requirements as well as any exceptions and restrictions to these rights are set out in Articles 12 to 22 GDPR and Sections 42 to 45 DSG as well as the statutory provisions on which the respective data processing is based. Pursuant to Section 48f of the Austrian Federal Tax Code (FFC) and Section 57b of the Austrian Fiscal Penal Code, the right of access to personal data processed on the basis of the FFC or the Austrian Fiscal Penal Code and contained in a file exists exclusively in accordance with Section 90 of FFC or Section 79 of Austrian Fiscal Penal Code (inspection of files). The inspection of files grants you the right to request the inspection and copying of your files (parts of files), knowledge of which is necessary to safeguard your rights and fulfil your obligations in the context of tax and financial criminal proceedings. Further specific data protection provisions and restrictions arise in particular from Sections 48d to 48i FFC and Sections 57c and 57d of the Austrian Fiscal Penal Code.
In those cases in which there are legal exceptions or restrictions to these rights, we may not fulfil your request or only fulfil it to a limited extent. If this is legally permissible, we will inform you of the reason for the refusal or restriction in this case.
How can you submit your request?
You can submit your request to assert your data protection rights to the controller responsible for processing your personal data in the following ways:
- by letter or fax
a copy of an official photo ID (e.g. passport or identity card) must be enclosed. - by means of FinanzOnline
in tax law matters - in person
this requires the presentation of an official photo ID (e.g. passport or identity card)
Please make your request as specific as possible. This is the only way we can process it efficiently and quickly. Please also note that within the area of application of the Austrian Tax Procedure Law (FFC), requests for information pursuant to Section 48f FFC must specify the information or processing operations to which the request for information relates.
Insofar as the request for information relates to personal data contained in a file, the file inspection procedure of the FFC applies in accordance with Section 48f (2) FFC. Requests can therefore only be submitted electronically via FinanzOnline. The procedure for the right to rectification pursuant to Art. 16 GDPR must also be carried out in accordance with the provisions of the FFC in the cases of Section 48g (1) FFC.
We also ask for your understanding that in cases of doubt we may need to request further information about your identity. This serves exclusively to protect your personal data and is intended to ensure that only you yourself receive information about your personal data.
How long does it take to process your application?
We will provide you with the relevant information on the measures as soon as possible, but in any case within one month of receiving your request.
Please note that this deadline may be extended by an additional two months if necessary, taking into account the complexity or number of requests. However, we will inform you of any extension of the deadline and the reasons for it within one month of receiving your request.
How will your application be answered?
Personal data is a matter of trust. As an unencrypted e-mail cannot be classified as secure and is more comparable to a postcard than a letter, we will never send a reply to your request by e-mail. You will therefore receive the reply by post (RSa) or in tax matters possibly by means of the FinanzOnline Databox.
What complaint options do you have?
If you have any questions, suggestions or complaints regarding data protection matters, please contact the Data Protection Officer of the Federal Ministry of Finance.
If you are of the opinion that the processing of your personal data by us violates data protection regulations or your data protection claims have otherwise been violated in any way, you can lodge a complaint with the competent supervisory authority. In Austria, this is the data protection authority.
Contact details:
Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna
Telephone: +43 1 52 152 0
E-mail: dsb@dsb.gv.at
Web: www.dsb.gv.at
If you are of the opinion that the Federal Fiscal Court has violated your rights under the General Data Protection Regulation in the exercise of its judicial competences, you can lodge a complaint with the Federal Fiscal Court in writing or by fax.
Contact details:
Federal Fiscal Court
Hintere Zollamtsstraße 2b
1030 Vienna
Telephone: +43 (0) 50250 577100
Fax: +43 (0) 50250 5977100
Status: 1 August 2024