11.05. 2026
Gernot Fritz, Tanja Pfleger
In April 2026, both the Austrian Data Protection Authority (DSB) and the Parliamentary Data Protection Committee (PDK) published their activity reports for 2025.
Read together, the two reports point to a development that is more relevant in practice than any individual figure: data protection supervision is becoming broader, more complex and more resource-intensive. The DSB no longer refers merely to a “data protection report”, but deliberately to an “activity report”. This is more than a linguistic adjustment. It reflects the fact that the authority is no longer dealing only with traditional GDPR proceedings, but is increasingly taking on responsibilities under adjacent digital legislation. These include, in particular, the Freedom of Information Act, the AI Act, the Regulation on Political Advertising, NIS 2, the Platform Work Directive and, in future, issues relating to the Data Act.
The DSB in figures: complaints reach a new scale
The trend is particularly visible in individual complaints. In 2023, the DSB received 2,389 individual complaints from within Austria. In 2024, that number rose to 3,019. In 2025, it increased to 5,300. This means that the number of complaints has more than doubled within two years. At the same time, the DSB completed a total of 3,403 individual complaint proceedings in 2025, 2,332 by decision and 1,071 by discontinuation.
These figures show not only a high level of activity, but also a structural imbalance. Significantly more complaints are being filed than can be completed within the same year. For companies, this does not necessarily mean more decisions in a shorter period of time. On the contrary: proceedings may take longer, delay-related issues may become more relevant and legal uncertainty may persist for longer periods. This is also reflected in the number of proceedings before the Federal Administrative Court, which increased again significantly. In 2025, 453 proceedings before the Federal Administrative Court were recorded. Particularly striking is the rise in complaints for failure to act, from 56 in 2024 to 108 in 2025.
AI is changing not only compliance, but also complaint practice
One aspect of the report has also attracted media attention: the DSB is increasingly confronted with complaints that appear to have been drafted with the help of language models. According to the DSB, such submissions are recognisable in particular by their length and by the fact that they specifically refer to relevant provisions of the GDPR. In the authority’s view, this phenomenon ties up considerable resources.
From a practical perspective, the interesting question is not so much whether a complaint was “written by AI”. The key point is this: the threshold for filing structured, legally argued complaints is decreasing. Data subjects can frame their concerns in legal terms more easily. At the same time, companies face an increased likelihood that even everyday data protection disputes may escalate more quickly into regulatory proceedings. Data protection compliance is therefore becoming even more dependent on robust processes, clean documentation and clear, comprehensible communication with data subjects.
Prioritisation as the new reality of supervision
Rising caseloads are meeting limited resources. At the end of 2025, the DSB had 58 staff members. From a budgetary perspective, the DSB notes that its budget is expected to decrease from EUR 6.1 million in 2025 to EUR 5.9 million in 2026, while staffing remains unchanged at 51 FTEs. Particularly relevant is the fact that, since July 2025, the DSB has been unable to replace a large proportion of its administrative trainees.
The consequence is clearer prioritisation. The DSB places its main focus on complaints, because data subjects have an individual right to have their complaint handled. At the same time, the authority describes delays as unavoidable. Ex officio investigations are to be initiated only where there is a sufficiently concrete suspicion of a serious infringement of the GDPR or the Austrian Data Protection Act. Vulnerable groups, such as children or employees, are to receive particular attention. In addition, legal information provided by the authority is being reduced, telephone availability is being restricted, and comments on legislative proposals are to be submitted only where fundamental data protection issues are involved.
For companies, this is not an all-clear. It does not mean less supervision, but different supervision. Less abstract guidance and less broad ex officio activity, but a stronger focus on specific complaints, data breaches and serious suspected infringements. Companies that only start collecting processes and evidence once a concrete case arises will increasingly find themselves under time pressure.
Data breaches and security incidents remain a practical focus
In addition to complaints, it is also worth looking at data breach notifications. In 2025, the DSB recorded a total of 1,855 security breaches, compared with 1,319 in 2024. Notifications under Article 33 GDPR increased from 1,216 in 2024 to 1,704 in 2025.
This, too, fits the overall picture. Data protection supervision is not driven only by data subject rights, but increasingly also by operational security incidents. For companies, it therefore remains essential not to treat data protection as an isolated legal topic. Incident response, IT security, reporting chains, internal responsibilities and communication processes are all part of the same compliance reality.
The DSB is becoming a digital supervisory authority with a data protection core
The report also makes clear that the role of the DSB is moving beyond the traditional enforcement of the GDPR. The authority expressly refers to new responsibilities under the Freedom of Information Act, the AI Act, the Regulation on Political Advertising, the Platform Work Directive, NIS 2 and the Data Act. These areas of law pursue different regulatory objectives, but regularly touch on personal data, transparency, algorithmic systems or digital infrastructure.
The AI Act illustrates this development particularly clearly. The DSB will not become the general AI market surveillance authority for all questions relating to artificial intelligence. It will, however, become relevant wherever AI systems process personal data or affect fundamental rights. Similar interfaces arise in the areas of political advertising, platform work, freedom of information and data access. For companies, this means that data protection law is not standing still. It is increasingly becoming the interface between digital regulation, governance and technical implementation.
The PDK: new supervision of data protection in the legislative sphere
In parallel, the Parliamentary Data Protection Committee has taken up its work as a second data protection supervisory authority in Austria. The trigger was the judgment of the Court of Justice of the European Union of 16 January 2024 in Case C-33/22. The creation of the PDK closed a supervisory gap: data processing in the legislative sphere, particularly in connection with parliamentary scrutiny, is now subject to its own independent supervisory authority.
The PDK is responsible in particular for data processing by the National Council, the Federal Council and their auxiliary bodies, such as the Court of Audit and the Ombudsman Board. In its first year of activity, the organisational build-up naturally played a central role. Nevertheless, the PDK already handled around 20 proceedings, mainly individual complaint proceedings, as well as proceedings relating to data breaches and one ex officio investigation. The PDK explains the relatively low number primarily by the still limited awareness of the new authority and the gradual creation of the constitutional foundations at provincial level for Austria-wide jurisdiction over legislative bodies of the Länder and their auxiliary bodies.
Substantively, the PDK is particularly interesting because it has to enforce data protection in an environment that is structurally geared towards publicity, scrutiny and transparency. The tension is obvious: parliamentary control is meant to be visible. Data protection, by contrast, protects against personal information being made public without a sufficient legal basis.
First contours: data protection in parliamentary inquiry committees
This becomes particularly clear in one of the PDK’s first decisions. In a case concerning the publication of a verbatim transcript of a public hearing before the BVT parliamentary inquiry committee, the PDK found a partial violation of the right to confidentiality. The complainant had been named in the published transcript with their full first and last name. The National Council was ordered to remove the name from the published transcript.
This decision shows that data protection in the parliamentary sphere is not merely theoretical. It raises very practical questions: Which personal data may be published in parliamentary materials? When does the public interest in transparency prevail? When must data be anonymised or deleted? And who is responsible for continued publication on parliamentary websites?
This is precisely where the PDK is likely to play an important role in the future. Parliamentary inquiry committees, parliamentary questions, responses to parliamentary questions, Court of Audit reports and other forms of parliamentary control may contain substantial amounts of personal information. Data protection assessments will therefore often be intertwined with constitutional, democratic and transparency-related considerations.
The PDK is also taking on new digital responsibilities
Like the DSB, the PDK is not anchored solely in traditional data protection law. Its report shows that the PDK is also being integrated into new structures under EU law. Among other things, it has been designated as a fundamental rights authority within the meaning of Article 77 of the AI Act. From 2 August 2026, such fundamental rights authorities may, under certain conditions, request and review documentation relating to high-risk AI systems. If that is not sufficient, a technical test may be initiated via the market surveillance authority.
In addition, since 10 October 2025, the PDK has also been responsible within its area of competence for certain aspects of the Regulation on transparency and targeting of political advertising, in particular rules on targeting and ad delivery techniques in connection with political advertising, where personal data are processed.
This also shows that, for the PDK, data protection supervision is no longer limited to GDPR supervision. It is becoming cross-cutting supervision of data processing in politically, technically and socially sensitive areas.
Conclusion: more trigger events, more interfaces, less room for manoeuvre
The activity reports of the DSB and the PDK do not point to one spectacular individual change. They show something more important: a structural shift in data protection supervision in Austria.
The DSB is facing sharply rising complaint numbers, more data breaches, AI-assisted submissions and additional responsibilities under EU law. At the same time, resources remain limited. The response is prioritisation: complaints and serious trigger events move to the foreground, while general guidance and broad ex officio activity recede.
At the same time, the PDK is establishing a new level of supervision for the legislative sphere. There, data protection becomes relevant in particularly sensitive constellations: parliamentary scrutiny, publicity, transparency and the protection of personality rights must be brought into balance.
For companies and public bodies, the practical consequence is clear: data protection compliance must become more robust, better documented and more resilient in concrete cases. Organisations that address data subject rights, deletion processes, access request processes, data breaches, AI use and internal responsibilities only selectively will come under pressure more quickly in an increasingly complaint-driven supervisory environment.
The direction is clear: more proceedings, more interfaces, more digital regulation and less regulatory slack. Data protection is not becoming less important. It is becoming more operational.
We support you in assessing these developments and aligning your data protection processes accordingly. Feel free to get in touch.
