GDPR website Austria: what companies need to consider
Legal notice requirements, privacy policy, cookie banners, Google Fonts: the legal requirements for a website in Austria are extensive. This overview shows what is mandatory, what is often overlooked — and how to avoid typical mistakes.
Running a website in Austria means taking responsibility for personal data. That applies to the sole proprietorship just as much as to the mid-sized company – the GDPR knows no exceptions for small businesses. The good news: if you know the essential building blocks and implement them correctly, you're on the safe side. The bad news: many websites aren't, and the number of cease-and-desist letters and complaints to the data protection authority is rising.
Legal notice requirements: what is mandatory in Austria
In Austria, the legal notice is regulated by the E-Commerce Act (ECG). Mandatory information for commercially operated websites includes the company's name and address, contact details (email, phone), the company's business purpose, the competent supervisory authority, and, for corporations, the commercial register number and court. The legal notice must be easily accessible from every subpage — a link in the footer is sufficient as long as it is clearly recognizable.
Privacy policy: what it must contain
The privacy policy informs users about which data is collected, for what purpose, on what legal basis, and how long it is stored. It must also explain data subject rights: access, rectification, erasure, restriction, and objection. A generic template from the internet is usually not enough – the policy must reflect the tools and processes actually in use. Anyone using Google Analytics, a contact form, or a newsletter service must name them explicitly.
Cookie banners: when they're required and what matters
Not every website needs a cookie banner — but every one that uses cookies or tracking tools that are not technically necessary does. That affects practically all websites with Google Analytics, Google Ads, Facebook Pixel, or similar services. Crucially, the banner must offer a genuine choice. Pre-checked boxes, dark patterns, or equating “Reject” with closing the banner are not permitted. Google's Consent Mode v2 is now mandatory for anyone who wants to use Google Ads or GA4.
Google Fonts and external resources
A frequently underestimated risk: anyone loading Google Fonts, YouTube embeds, or other external resources directly from a third-party server transmits the user's IP address in the process – without their consent. Austrian courts have already ruled this a GDPR violation. In most cases, the solution is simple: host Google Fonts locally, load YouTube videos only on click (privacy-enhanced mode or thumbnail fallback), and check whether other third-party services are loaded only after consent.
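As an added example (not code from the article), the following JavaScript shows the two checks a developer would build for the cookie-banner and external-resources rules above: an audit that flags third-party font, analytics and embed URLs in the served HTML, a consent gate that loads a category only when it was explicitly granted (nothing pre-checked), and a rewrite of YouTube embeds to the privacy-enhanced domain. The host names are the real domains of the services the article names; the sample HTML, the site host `example.at` and the consent object are constructed for illustration.

```javascript
// Hosts of the third-party services named in the article, grouped by
// consent category. Extend this map for other services you use.
const THIRD_PARTY = {
  "fonts.googleapis.com": "fonts",
  "fonts.gstatic.com": "fonts",
  "www.googletagmanager.com": "analytics",
  "www.google-analytics.com": "analytics",
  "connect.facebook.net": "marketing",
  "www.youtube.com": "media",
};

// Pre-release audit: list every src/href in the HTML that points at one of
// the hosts above. Fonts should never appear (host them locally); anything
// else should be injected after consent, not hard-coded into the markup.
function auditExternalResources(html, ownHost) {
  const found = [];
  const attr = /\b(?:src|href)=["']([^"']+)["']/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    let url;
    try { url = new URL(m[1], `https://${ownHost}/`); } catch { continue; }
    if (url.host !== ownHost && THIRD_PARTY[url.host]) {
      found.push({ url: url.href, category: THIRD_PARTY[url.host] });
    }
  }
  return found;
}

// Consent gate: a resource is loaded only when its category was explicitly
// granted. A missing key counts as "no", so there is no opt-out default.
function consentedResources(consent, resources) {
  return resources.filter((r) => consent[r.category] === true);
}

// Rewrite a YouTube embed to the privacy-enhanced domain. The page should
// still show only a thumbnail and swap in the iframe on click.
function privacyEnhancedEmbed(src) {
  const url = new URL(src);
  if (url.host === "www.youtube.com" && url.pathname.startsWith("/embed/")) {
    url.host = "www.youtube-nocookie.com";
  }
  return url.href;
}

// Constructed sample markup with one local and three third-party resources.
const SAMPLE_HTML = `
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/assets/fonts.css">
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER"></iframe>`;
```

Running the audit over your real HTML before every release catches a Google Fonts link or an analytics tag that slipped back into the markup outside the consent flow.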
Contact forms and email processing
Every contact form processes personal data. That requires clear information about what happens with the data, a reference to the privacy policy, and – if data is passed on to third parties (such as a CRM or email service) – a corresponding clause in the data processing agreement. The principle of data minimization applies: only the data actually needed to process the inquiry may be requested.
A practical checklist for GDPR-compliant websites
- Legal notice complete and reachable from every page
- Privacy policy up to date and tailored to the tools actually in use
- Cookie banner with genuine choices, no opt-out as the default
- Google Fonts hosted locally
- External scripts (analytics, ads, pixels) loaded only after consent
- Contact form with a privacy notice, only the necessary fields
- TLS (SSL) certificate active and the site served over https – a basic requirement for encrypting data in transit
- Data processing agreements with all service providers that process data
This article is for general information purposes. For a legally sound assessment of your individual case, we recommend consulting a lawyer specializing in data protection.
Frequently asked questions
Does every website in Austria need a legal notice?
Yes. In Austria, the legal notice requirement under the E-Commerce Act applies to all commercially operated websites. Mandatory information includes name, address, contact details, business purpose, supervisory authority, and, for a GmbH/AG, the commercial register number.
Is a cookie banner mandatory for every website?
Not for every website, but for most. As soon as cookies or tracking tools that are not technically necessary are used — such as Google Analytics or Google Ads — a consent banner with a genuine choice is legally required.
What must a privacy policy contain?
Information about which data is collected, for what purpose, on what legal basis, how long it is stored, whether it is shared with third parties, and what rights data subjects have.
What penalties do GDPR violations on your website carry?
The GDPR provides for fines of up to 20 million euros or 4 percent of annual revenue. In practice, smaller companies frequently receive cease-and-desist letters, which come with legal fees.
Do Google Fonts have to be embedded locally?
Yes, if you value legal certainty. If Google Fonts is embedded via the Google server, IP addresses are transmitted without consent. The safe solution is hosting the font files locally on your own server.
Does the GDPR also apply to small businesses?
Yes. The GDPR applies to all companies and self-employed persons who process personal data of EU citizens — regardless of company size or revenue.