Newsletter registration

By using our website, you are agreeing to cookies being stored and Google Analytics being used on your device in order to offer the best possible service. You can find more information on thishere.
Bridge to New Markets.

Data protection could be expensive as of May 2018 – What startups have to keep in mind!

Much of it is not new at all, but is already applicable law today. Anyone who has not yet focused on this issue should not delay in doing so. Some things cannot be implemented overnight. Violating the stipulations contained in this regulation may not only turn out to be expensive but could even potentially threaten the very existence of start-ups in some circumstances. 

Here are the most important regulations and changes in the GDPR at a glance

The processing of personal data is generally forbidden in Austria! This may sound surprising, but in fact the processing of personal data in Austria is only permissible in exceptional cases or with the express consent of the affected person, for example when the data is required to fulfil a contract.

For this reason, you will also have to always take the following points into account when handling personal data:

  • Compliance with the principles of lawfulness, fairness and transparency has to be ensured. The data may only be used for specified, explicit and lawful purposes and you are only permitted to collect and store as much data as is absolutely necessary. In practice, this means that the data for which you no longer have an appropriate use has to be deleted again.  At the beginning of your business operations, you have certainly gathered a lot of data from interested parties, potential customers or even investors. Which data do you really need for your active business? How many lists still exist on various cloud storage devices which contract these principles?
  • Startups focusing on the issues of big data and profiling have to reconcile themselves to the idea of being subject to massive restrictions. In the future, automated decision-making processes are generally forbidden when the consequence is that the affected person, for example, is put at a disadvantage due to his or her ethnic origin or political opinion. 
  • Affected individuals have the right to request that personal data made available on a voluntary basis is transferred to another company (data portability). For the company, this means that it must be capable of making all data available electronically. For example, this also applies to “shopping baskets“, “wish lists“ or “shopping carts“ in your online shop.
  • The “right to be forgotten” pursuant to Article 17 GDPR has been put into more concrete terms. Personal data which cannot be immediately deleted has to be promptly blocked.
  • Startups aiming to gain a foothold in social media are required to consider the age of children. This means valid approval has to be granted for data processing of personal data relating to children and youth. By the way, the age for which a person is still considered to be a child with respect to data protection regulations was lowered to 14 years.  If you offer your services in other EU countries, you will have to comply with nationally valid regulations pertaining to minimum age. In the meantime, this may strongly differ from country to country.
  • Even as a startup, you may have to appoint a data protection officer for your company, if, for example, the company deals with sensitive data. By the way, health care data is considered to be particularly sensitive! If you plan to offer a fitness app, you will have to inform yourself about currently valid regulations. However, if you decide to do without a data protection officer, document your decision!
  • Many startups cannot afford their own large IT landscape, but use Web and cloud services. They are considered to be “processors” (outsourced services). As a business person, you have to ensure that your providers comply with the stipulations of the GDPR. Otherwise your company is liable to penalties (“negligent selection“).  Before you use the new free CRM software, conclude a corresponding written contractual agreement. 
  • If your company offers software, Web services or apps, they have to be secure (“privacy by design“) and only collect data which is really necessary.  By the way, in the future the affected persons have to indicate which data they want to make available. The previously common practice of pre-setting everything in advance is no longer permissible (“data protection by default“).
  • The data protection authority can be called upon to deal with all violations of the rights of the persons involved, for example the “right to information“, the ”right to erasure” and the “right to data portability“ if these affected people file complaints.  
  • Review your general terms and conditions and the declarations of content that your customers fill out. Is it clear which data you collect and for which purposes, and to whom you may pass on this data?

Our GDPR tips:

  • If you have not previously dealt with the following: which types of data are you gathering, and how long do you want/may you store this data? What legal regulations apply? If you want to keep this data for a longer period, you will require proper justification?
  • Compile a procedure log. This is easy to implement. In this way you can be sure that you are actually dealing with the issue.


Gerhard Pronegg

CEO Natuvion Consulting GmbH,
+43-660-690 77 03

Share on Facebook Share on Facebook Share on Twitter Share on Twitter Share on Linkedin Share on Linkedin



Meet us at events, seminars and trade shows - worldwide.

  • Doing Business in Austria

    03.03.2020, Bratislava, Slovakia

  • Austria as a European window for Russian export opportunities

    05.03.2020, Moscow, Russia

Austria Map

Find the perfect location for your company

Thanks to a fantastic mindset, our employees at the Villach site have built up a unique expertise which helps us to further strengthen our position on the global market. We fuse high-performance manufacturing with research and development in the field of power electronics. In addition to a very good cooperation with partners and networks, a well-developed landscape of 'talent factories' ranging from higher technical colleges to universities, we as a company also value the outstanding model of research promotion which exists in Austria.


Logo Infineon
More testimonials

news from the business location Austria

Many-body quantum physics

Many of the biggest questions in physics can be answered with the help of quantum field theories: They are needed to describe the dynamics of many interacting particles. These theories are just as essential in solid state physics as they are in cosmology.

Growing demand for natural active ingredients enables Phytovalley Tyrol to flourish

The comeback of plant-based active ingredients in medicine, cosmetics and food production has positive impacts on Tyrol as a business location. Austria has succeeded in playing a pioneering role in plant research thanks to the support of the federal government, the Federal Province of Tyrol, the company Bionorica and the University of Innsbruck. This niche in plant research already established itself in Innsbruck years ago.

More news All blog posts