Data Protection

Protection and privacy of personal data is a matter of great importance for the Federal Ministry of Finance (BMF) and all competent bodies of the finance department responsible for data protection. We take care to process all personal data in accordance with all applicable European and Austrian statutory provisions, and we take our responsibility very seriously. 

We want you to know for what purposes and on what legal bases we collect personal data, and how we process these data. We also want to inform you about your rights in data protection matters and the contact persons available for you in this respect. 
As changes to the Data Protection Statement may become necessary over the course of time, we encourage you to revisit it from time to time.

Download the Data Protection Statement 

Download the Data Protection Statement (PDF, 175 KB) in PDF format, as of 1 February 2021

General information on data protection in Austria

Data protection is a fundamental right enshrined in the Charter of Fundamental Rights of the European Union and in § 1 of the DSG (Austrian Data Protection Act). The General Data Protection Regulation (GDPR) has been in force in the European Union since 25 May 2018. The new Austrian Data Protection Act (Datenschutzgesetz, DSG) entered into force in Austria at the same time.

What is regulated by the General Data Protection Regulation

The GDPR is a regulation of the European Union and is directly effective in every Member State, thus including Austria. The GDPR comprises rules on the processing of personal data, such as the principles of processing, the rights of the data subjects and the responsibilities of the controllers and processors. 

What does the Austrian Data Protection Act regulate?

The DSG is an Austrian law and comprises provisions supplementing the GDPR and stipulations for the implementation of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the processing of personal data by competent authorities for purposes of the prevention, detection, investigation or prosecution of criminal offenses or the execution of criminal penalties, including protection from and prevention of threats to public safety, as well as for purposes of national security, intelligence and military intrusion prevention. 

What are personal data?

Personal data are any information that relates to an identified or identifiable natural person (“data subject”). A natural person is deemed identifiable if he or she can be identified directly or indirectly, for example by means of a name or an identification number (e.g. tax identification number, social security number and account number).

For further information, please see Article 4 (1) of the GDPR

What does the term “processing” mean?

The term “processing” means any process involving personal data that is carried out with or without the aid of automated procedures. These include, for example, collecting, recording, organising, sorting, storing, adapting or modifying, reading out, querying, using, divulging through transmission, dissemination or any other form of disclosure, matching or merging, restricting, deleting or destroying personal data.

For further information, please see Article 4 (2) of the GDPR

What does the term “controller” mean?

The term “controller” means the person or entity, public authority, agency or other body that, alone or in cooperation with others, decides on the purposes and means of processing personal data. 

For further information, please see Article 4 (7) of the GDPR

What does the term “processor” mean?

The term “processor” means a person or entity, public authority, agency or other body that processes personal data on behalf of the controller. 

For further information, please see Article 4 (8) of the GDPR

Where can you find further information on data protection?

The full text of the GDPR can be found on EUR-Lex at eur-lex.europa.eu. The full text of the DSG (in German) and the full text of the Austrian Code of Fiscal Offences (Finanzstrafgesetz) (in German) in the version of 25 May 2018 can be found in the legal information system of the Federal government at http://www.ris.bka.gv.at/. For more information on data protection, please see also the website of the Austrian Data Protection Authority at http://www.dsb.gv.at/.

Processing of personal data in the finance department

The organisational units of the finance department fulfil their tasks on the basis of legal foundations, i.e. national laws and regulations as well as directly applicable regulations of the European Union. Our basic task is to safeguard the financial interests of the Republic of Austria and the European Union, and thus in particular to collect federally levied charges and contributions, and to grant family allowances and other benefits.

The Federal Fiscal Court is responsible for deciding on complaints pursuant to Art. 130 I 1 to 3 of the B-VG (Federal Constitutional Law), especially in legal matters of public tax affairs, insofar as these are provided by tax offices, customs offices, the Federal Ministry of Finance and the Municipal Authority of the City of Vienna. 

Please note that the following purposes, legal bases and processing modalities are a general listing. For individual and detailed information about your personal data, you have the right to information. The person to contact for this purpose is listed in the Data Protection Rights section. 

For what purposes and on what legal bases does processing of personal data take place?

We process personal data in the context and for the purpose of fulfilling our statutory duties. 
With regard to the processing of personal data, these include in particular:

  • the tax and customs administration of the Federal government
    in particular the collection of income tax, corporate income tax, turnover tax, real estate tax, real estate transfer tax, foundation entrance tax, capital returns tax, employer’s contributions (§§ 41 et seq. of the Austrian Family Assistance Equalisation Act of 1967), standardised consumption tax, chamber contribution (§§ 122 and 126 of the Austrian Economic Chamber Act of 1998), stamp tax and legal fees, capital transfer tax, insurance tax, fire insurance tax, gambling hall tax, concession levy, gambling tax, flight tax, import and export duties, consumption tax and legacy contribution, payment of family allowances (§§ 11 et seq. of the Austrian Family Assistance Equalisation Act of 1967), anti-fraud, supervision, for statistical purposes or risk management
  • the Financial Penal Authorities
    for purposes of preventing, investigating, detecting or prosecuting financial offenses and executing financial penalties under the Austrian Code of Fiscal Offences (Finanzstrafgesetz)
  • the Federal Fiscal Court
    in particular complaint proceedings concerning tax offices, customs offices, the Federal Ministry of Finance and the Municipal Authority of the City of Vienna in fiscal matters
  • the budget management of the Federal government
    the performance of the tasks of budget management of the Federal government in accordance with §§ 2 and 3 of the Austrian Federal Budget Act of 2013
  • the Transparency Database
    in particular the processing of the data on benefits received, which are communicated by the providing bodies or with regard to which there is the possibility of querying
  • communication and IT coordination
    in particular operative implementation of employee communication, organisation and supervision of events, development and provision of communication media, editing, media support and citizen service, organisation of IT infrastructure and IT procedures, as well as office automation, organisation of data protection and information security

Exercise of duties in the public interest

Where we fulfil our statutory duties and the processing of personal data is required for the fulfilment of these duties, this is done on the basis of the exercise of duties in the public interest or the exercise of official authority within the meaning of Article 6 (1) (e) of the GDPR and § 38 of the DSG.

Legal obligation

Where we are under legal obligation to process personal data, such as statutory documentation and retention obligations, this is done on the basis of the fulfilment of a legal provision within the meaning of Article 6 (1) (c) of the GDPR and the COVID-19 Subsidies Review Act.

The legal bases and legal framework conditions arise from numerous laws and regulations, such as the Austrian Federal Constitutional Law, the Austrian Federal Ministries Act of 1986, the Austrian Federal Tax Code, the Austrian Code of Fiscal Offences, the Austrian Code of Criminal Procedure, the Austrian Customs Law Implementation Act, the Austrian Tax Administration Organisation Act of 2010, the Ordinance of the Federal Minister of Finance on Implementation of the Tax Administration Organisation Act of 2010, the Austrian Federal Finance Court Act, the Austrian Accounts Register and Account Inspection Act, the EU Convention on Mutual Assistance in Criminal Matters, the Austrian Common Reporting Standard Act, the Austrian Transfer Pricing Documentation Act, the Austrian Family Assistance Equalisation Fund Act of 1967, the Austrian Civil Servants Act of 1979, the Austrian Contract Employees Act of 1948, the Austrian Federal Budget Act of 2013, the Austrian Federal Budget Ordinance of 2013, the Austrian Gambling Act, the Austrian Transparency Database Act of 2012, the General Data Protection Regulation, the Austrian Data Protection Act, the Austrian Information Security Act, the FinanzOnline Ordinance of 2006, the Austrian Cash Register Security Ordinance and the Austrian e-Invoicing Ordinance.

Contract fulfilment

Where processing of personal data is required for the conclusion of contracts, such as in contracts with suppliers and service providers, this takes place on the basis of the fulfilment of the contract or the performance of pre-contractual measures within the meaning of Article 6 (1) (b) of the GDPR.

Consent

Furthermore, in certain cases, we process personal data on the basis of the consent of the data subject within the meaning of Article 6 (1) (a) of the GDPR, e.g. when ordering publications and forms, or when registering for newsletters and events. The scope and content of the processing always result from the respective consent. In these cases, there is no obligation for the provision of personal data, and of course there is the right to revoke the consent at any time. However, the revocation does not affect the legality of the processing done until revocation. In addition, we cannot process your request further in case of revocation. 

Who is responsible for the processing?

For the processing of personal data for purposes of the tax and customs administration of the Federal government and for purposes of preventing, investigating, detecting or prosecuting financial offenses as well as for the execution of financial penalties, responsibility rests with the competent and locally responsible tax or financial penal authorities. These are:

  • the Tax Authority Austria,
  • the Customs Authority Austria,
  • the Tax Authority for Large Traders,
  • the Anti-Fraud Office,
  • the Auditing Service Wage-Related Taxes and Contributions, and
  • the Central Services.

The Federal Ministry of Finance is responsible for managing the affairs of the supreme Federal administration in accordance with the Federal Ministries Act of 1986. 

The Federal Fiscal Court is responsible for the processing of personal data in the fulfilment of the tasks entrusted to it; these are primarily complaint proceedings concerning financial and customs offices. 

As part of the processing of personal data in the grant procedure, the Federal Ministry of Finance shares responsibility with the Federal Chancellery. 

For the processing of personal data for purposes of the budget management of the Federal government, responsibility rests with the budgetary authorities in accordance with § 6 of the Austrian Federal Budget Act of 2013 and the Austrian Federal Financing Agency in cooperation with the Federal Ministry of Finance, Dept. II / 11.

The Federal Ministry of Finance is responsible for the processing of personal data for the purpose of communication and IT coordination. 

Who are your contact persons?

Questions and concerns in data protection matters can be addressed to the heads of the respectively competent body responsible for the processing of your personal data, or to the Data Protection Officer of the Ministry of Finance, to the extent that the judicial activities of the Federal Fiscal Court are not affected.

The contact details of the Federal Ministry of Finance can be found at https://www.bmf.gv.at/ in the “Contact” section. The contact details of the tax offices and customs offices are likewise to be found at http://www.bmf.gv.at/ in the province-specific overviews under the heading “Offices and Authorities” (in German). The contact details of the Federal Fiscal Court can be found at www.bfg.gv.at in the “Contact” section. For the contact details of other jointly responsible bodies, please refer to the respective linked websites. 

Who is the Data Protection Officer in the finance department?

The data protection officer of the Federal Ministry of Finance acts as the data protection officer for the entire finance department and is available to answer questions on data protection matters. 

Contact data:
Dr Stefan Lang
Johannesgasse 5, A-1010 Vienna
Email: datenschutz@bmf.gv.at
Web: www.bmf.gv.at

What personal data are being processed?

In the area of the Tax and Customs Administration of the Federal government, we process in particular the following personal data:

  • Personal identification and contact information
    e.g., name, title, address, date and place of birth, principal and secondary residence, country of residence, nationality, residence permit, area-specific personal identification number, VAT identification number, social security number, tax account number, commercial register number, commercial information system number, number of the list of penalties, proof of identity
  • Personal contact information of tax representatives
    e.g., name or designation and company name, form of address, professional address, telephone and fax number and other information required for addressing and representation
  • Information required for fiscal or financial criminal proceedings
    e.g. gender, marital status, date of death, name and title of spouse, occupation/employment, legal form, bank details, accounting notes, endorsements, decisions, types and accounts of taxes, amounts of payment, taxation bases, business expenses, income-related expenses, insolvencies, bans, list of powers of attorney, presentations, responsible office, history and changes of all account or depot owners as well as their authorised persons, trustors or beneficial owners, type of account / depository, data for opening and dissolution of the account / depository, terms of the credit institution for accounts and depositories

In the field of activity of the Federal Fiscal Court, we process the data provided by the tax and customs administration of the Federal government, the Municipal Authority of the City of Vienna or the Federal Ministry of Finance on the occasion of a complaint submission, as well as further information required for complaint proceedings.

We collect special categories of personal data, also known as sensitive data, if this is necessary for the procedure, and the legal basis for this is available. For example, we need information about the religious denomination to account for church tax payments.

In the area of the budget management of the Federal government, we process in particular the following personal data:

  • Personal identification and contact information
    e.g., name, address, telephone and fax number, area-specific personal identification number, business partner number, tax identification number and tax office, VAT identification number, tax account number, commercial register number
  • Personal contact information of legal representatives and contact persons
    e.g., name or designation and company name, form of address, professional address, telephone and fax number and other information required for addressing and representation
  • Information required for the contractual relationship
    e.g., billing address, delivery address, business premises, data on goods and services that are the subject of a transaction, reason for payment, payment stoppages, bank details, logistics information, statistics data such as industry and region, technical organisational assignments, individual payment amounts including components, surcharges or deductions, balances, correspondence languages, other agreements and keys for data exchange, due dates or arrears data, conditions, dunning and complaint data, reason for payment and settlement

In the area of communication and IT coordination, we process in particular the following personal data:

  • Information from submitters of applications, requests, notifications, complaints and other communications that are submitted within the sphere of action of the BMF and require handling
    e.g. name, title, telephone and fax number, authorised recipient and address for sending, number of business, subject, attachments (e.g. scanned and other documents), process (file), notes and notices, inspection notes, completion notes
  • Information for client, user and authorisation management
    e.g. name, address and contact data, such as telephone numbers, fax numbers, address of the employer, location, assigned devices, logbook entries for company vehicles, assigned procedures, various user IDs, configuration number, access rights and restrictions, protocol and documentation data
  • Information for network administration
    e.g. information about the system user, identification, configuration number, assigned IP address, assigned certificate for authentication, log and documentation data
  • Information for access management
    e.g. name, personnel number, access rights, log and documentation data 

Where do the personal data come from?

Most of the personal data we process are collected directly from the data subject concerned, e.g. through tax and customs procedures or through business relationships. In addition, we collect personal data from third parties, especially if this is legally required. 

These include in particular:

  • Central population register, central civil status register, trade register, register of companies, cadastral register, building association, system of budget accounting, Federation of Austrian Social Insurance Providers and social insurance providers, chambers, data union of the universities, economic databases, insurance supervision, European Commission, Austrian agrarian market, Austria statistics, tax representatives

Furthermore, we receive tax-relevant information from other authorities or through inter-governmental information exchange, in particular in the context of mutual assistance requests and automatic exchange of information. In the Transparency Database, we store data on benefits received, which are communicated by the providing bodies or with regard to which there is the possibility of querying. We also process publicly available information, such as online and offline media, public registers or public announcements. 

To whom are personal data disclosed?

As a matter of principle, we disclose personal data only if the transfer of certain data is legally required, e.g. within the scope of legal information obligations, in compliance with the respective legal requirements, or if you have consented to the disclosure. 

Disclosure is made in particular to:

  • Designated recipients in the context of tax, customs and monopoly proceedings as well as financial criminal proceedings,
    e.g., tax authorities of the Federal government, financial penal authorities, the Federal Fiscal Court, public prosecutors and criminal courts, the Constitutional Court, the Administrative Court, the European Court of Justice, security authorities, district administrative authorities, foreign tax and law enforcement authorities (EU, OECD and USA), Europol, Eurojust, the European Commission, customs administrations of the Member States, central consumption tax liaison offices or bodies of the Member States, tax representatives, trade authorities, municipalities, the labour market service, the Federation of Austrian Social Insurance Providers, regional insurance providers, the labour inspectorate, state archives, the insurance supervision, Statistik Austria, SourcePIN Register Authority
  • Designated recipients within the framework of the budget management of the Federal government,
    e.g. banks for the handling of payment transactions, addressees of legally required reports, organs of budget management, auditing bodies (Court of Auditors, Federal Accounting Office), BAWAG P.S.K., the Austrian National Bank, tax offices in the context of the urgent notification procedure, courts of law, the Finanzprokuratur (statutory lawyer and legal advisor of the Republic of Austria) and other legal representatives, Federal funding agencies, social insurance providers, SourcePIN Register Authority
  • Designated offices or bodies entitled to query in the context of the Transparency Database,
    e.g., funding agencies of the Federal government and of the States
  • Designated processors,
    such as the Bundesrechenzentrum GmbH (Austrian Federal Computing Centre) and the Federal Accounting Office 

How long are personal data going to be stored?

We store personal data as long as necessary for the fulfilment of the respective processing purposes. The yardsticks for this are the statutory retention obligations and limitation periods.

The periods for retention or deletion, respectively, arise from the applicable statutory provisions, such as from the Federal Tax Code, the Austrian Code of Fiscal Offences, and the Federal Budget Act. 

Is there any automated decision-making, e.g. profiling?

As a matter of principle, we take legally binding decisions on the basis of automated processing of personal data only if this is legally required, such as in the case of automated employee tax assessment pursuant to § 41 of the Austrian Income Tax Act of 1988.

Which security standards is the data processing subject to?

We process personal data with utmost care and have taken extensive technical and organisational security measures to ensure that the applicable data protection regulations are observed and complied with by all responsible bodies as well as by the processors contractually commissioned by us. 

This applies in particular to the protection of personal data against unauthorised or unlawful processing, accidental or unlawful destruction, loss or alteration, unauthorised disclosure or unauthorised access to personal data that are transmitted, stored or otherwise processed. The security measures are state-of-the-art and include, among other things, use of advanced security technologies and encryption techniques, physical access controls and anti-intrusion measures. 

Data protection and information security were given high priority by us even before 25 May 2018. For this reason, as early as 2008 we implemented an Information Security Management System (ISMS) that is certified according to the international security standard ISO 27001 and reviewed annually. This made us the first Federal Ministry in Europe to have obtained such certification.

Since December 2020, we have also been the first organisation in Austria to have our data protection management system (DSMS) certified in accordance with the international data protection standard ISO 27701. The ISMS and DSMS ensure, inter alia, that existing risks are systematically identified, assessed and addressed by means of appropriate measures. They also ensure that the effectiveness of the measures is regularly reviewed, assessed and evaluated.

Data Protection Rights

The GDPR and the DSG also regulate the data protection rights of the data subjects, i.e. the persons whose personal data are being processed. The legal rights of the data subjects are directed against the controller, that is, against the competent body responsible for the data processing. 

What data protection rights do you have?

Under the GDPR and the DSG, you have various rights, in particular:

  • the right to revoke the consent to the processing of your personal data at any time, provided that the processing by us is based on your consent;
  • the right to information whether personal data concerning you are being processed and what their contents are, as well as the right to rectification or completion as well as to erasure of your personal data, to restriction of the processing, to objection to processing and to data portability, provided the legal requirements exist. 

The respective legal requirements as well as any exceptions from and limitations to these rights result from Articles 12 to 22 of the GDPR and from §§ 42 to 45 of the DSG, as well as from the statutory provisions that underlie the respective data processing. Pursuant to § 48f of the Austrian Federal Tax Code (Bundesabgabenordnung, BAO) and § 57b of the Austrian Code of Fiscal Offences (Finanzstrafgesetz, FinStrG), for personal data processed on the basis of the BAO or the FinStrG and contained in a file, the right to information is based exclusively on § 90 of the BAO or § 79 of the FinStrG (access to records). Access to records permits you to demand access and receipt of a copy of your files (or parts thereof) whose knowledge is necessary to safeguard your rights and enable you to fulfil your obligations in the context of fiscal and financial criminal proceedings. Further specific data protection regulations or restrictions result in particular from §§ 48d to 48i of the BAO and §§ 57c and 57d of the FinStrG.

In cases where there are legal exceptions or limitations to these rights, we may not, or only partially, comply with your application. If legally permissible, we will inform you in this case of the reason for the refusal or restriction. 

How can you submit your application?

You can present your application to assert your data protection rights to the competent body responsible for the processing of your personal data in the following ways:

  • By letter or fax
    this requires attachment of a copy of an official photo ID (e.g. passport or identity card)
  • Via FinanzOnline
    in fiscal law matters
  • Personally
    this requires presentation of a copy of an official photo ID (e.g. passport or identity card)

Please write your application as specifically as possible. Only in this way can we process it efficiently and quickly. Please also note that in the area of application of the Austrian Federal Tax Code (Bundesabgabenordnung, BAO), requests for information pursuant to § 48f of the BAO must specify which information or processing operations the request for information relates to. 

Insofar as the request for information relates to personal data contained in a file, pursuant to § 48f II of the BAO the access procedure of the BAO applies. Electronic application is therefore possible only via FinanzOnline. In the cases of § 48g I of the BAO, the procedure according to the regulations of the BAO is likewise to be carried out for the right of correction according to Art. 16 of the GDPR.

Please understand that in cases of doubt we may have to request further information about your identity. This is solely for the protection of your personal data and intended to ensure that only you yourself receive information about your personal data. 

How long does it take to process your application?

We will provide you with the relevant information about the measures as soon as possible, but no later than within one month of receipt of your application.  

Please note that this period may be extended for a further two months, if this is necessitated by the complexity or number of applications. However, we will inform you of any extension of the deadline and the reasons for this within one month of receipt of your application. 

How will your application be answered?

Personal data are a matter of trust. As an unencrypted email unfortunately cannot be considered secure and resembles a postcard more than a letter, we are never permitted to send you the answer to your request by email. You will therefore receive the answer by letter mail (RSa) or, in tax matters, possibly by means of the FinanzOnline Databox.

Which redress do you have?

If you have any questions, suggestions or complaints in data protection matters, please contact the BMF Data Protection Officer.

If you feel that the processing of your personal data by us violates data protection regulations, or your data protection rights have otherwise been violated, you can lodge a complaint with the competent supervisory authority. In Austria, this is the Österreichische Datenschutzbehörde (Austrian Data Protection Authority). 

Contact data:
Austrian Data Protection Authority (Österreichische Datenschutzbehörde)
Barichgasse 40-42, 1030 Vienna (Wien)
Phone: +43 1 52 152 0
Email: dsb@dsb.gv.at
Web: www.dsb.gv.at

If you believe that the Federal Fiscal Court has violated your rights under the General Data Protection Regulation in the exercise of its jurisdictive competence, you may file a complaint with the Federal Fiscal Court in writing or by fax.

Contact data:
Federal Fiscal Court (Bundesfinanzgericht)
Hintere Zollamtsstraße 2b
A-1030 Vienna (Wien)
Telephone: +43 (0) 50250 577100
Fax: +43 (0) 50250 5977100

For more information on data protection in the areas of the Österreichs Digitales Amt (Austria's Digital Office), Unternehmer Service Portal, Appointment Scheduling Tool - Termino, Digital Austria, IKT Sicherheitsportal, Stammzahlenregisterbehörde and Fernmeldebüro, please check:

Oesterreich.gv.at and the app „Digitales Amt“ (in German only)

Unternehmer Service Portal - USP (in German only)

Appointment scheduling tool - Termino (in German only)

Digital Austria (in German only)

IKT Sicherheitsportal (in German only)

Stammzahlenregisterbehörde (in German only)

Fernmeldebüro (in German only)

As of: 1 August 2022