Only to the extent they are necessary for the sole purpose of transmitting a communication via a communications network or they are a basic precondition for enabling the provider of an information society service to provide a service explicitly requested by the user or subscriber (see Sec. 165 (3) Austrian Telecommunications Act 2021 (“TKG 2021”)).
In general, yes.
Yes.
Consent is not required if cookies are necessary for the sole purpose of transmitting a communication via a communications network or they are a basic precondition for enabling the provider of an information society service to provide a service explicitly requested by the user or subscriber (see Sec. 165 (3) TKG 2021).
As regards the question of necessity, in cases of doubt the Austrian DPA (“DSB”) recommends following the former Art. 29 WP’s Opinion 04/2012 on Cookie Consent Exemption, WP 194, 00879/12/EN. Also, in light of the DSB’s and the Austrian Federal Administrative Court’s case law, the DSB underlines in its guidance (FAQ on cookies and data protection, as of 3May 2023) that necessity must not be interpreted in the sense of an “economic necessity” (e.g. advertising cookies for showing personalised ads do not become “technically necessary” merely because they are necessary to finance the operation of the website).
As long as none of the mentioned types of cookies are necessary pursuant to Sec. 165 (3) TKG 2021 they cannot be placed automatically without obtaining prior consent.
No.
No, unless the exemption for necessary cookies pursuant to Sec. 165 (3) TKG 2021 applies (please see answer to Q3 above). Please note, should personal data be processed as a result of using (any kind of) cookies, this has to be reflected in the privacy notice pursuant to Art. 13 and 14 GDPR.
No, unless the exemption for necessary cookies pursuant to Sec. 165 (3) TKG 2021 applies (please see answer to Q3 above).
Yes, according to the DSB’s case law and guidance (FAQ on cookies and data protection as of 3 May 2023) the use of cookie walls may be permitted subject to the following considerations. However the DSB stresses that this is only the current view of DSB and no case law of the CJEU on this issue exists at the moment:
- full compliance with applicable data protection laws (in particular the GDPR) must be ensured regarding processing of personal data based on consent;
- consent form must be granular (see not yet legally binding DPA’s decision 29 March 2023, No.: 2023-0.174.027);
- no public authorities or other public bodies are involved;
- no exclusivity with regard to the content or services offered, i.e. companies with an explicitly public (supply) mandate or universal service providers cannot lawfully use cookie walls;
- companies using pay walls must not have a monopoly or quasi-monopoly position in the market;
- a reasonable and fair price for the pay alternative must be offered, i.e. the pay alternative must not be offered pro forma at a completely unrealistically high price; and
- if a user accesses the website by means of the pay alternative, no personal data may be processed for the purpose of personalised advertising
As of today, there are no publicly accessible decisions available imposing fines due to violation of respective cookie rules. However, in light of increased activity of data protection activist groups and numerous pending complaint proceedings with the DSB an increase in enforcement in the future appears to be likely.
Note: Violations of the information obligations pursuant to Sec. 165 TKG 2021 may be subject to fines up to EUR 50,000.- imposed by the competent Telecommunication Office (lokales Fernmeldebüro). However, the DSB may still have jurisdiction if personal data are processed as a result of the use of cookies. Hence, additional fines based on the GDPR may be imposed as well in such case.
None that we are aware of.
So far none, but in light of increased activity of data protection activist groups and numerous pending complaint proceedings with the DSB an update in case law in the near future is likely.
