GDPR Checklist for Websites in Austria

December 8, 2025 • 14 min read

Making your website GDPR-compliant is not only a legal obligation but also protects you from hefty fines and strengthens your visitors' trust. Since 2018, clear regulations have applied in Austria for handling personal data that you as a website operator must follow. Here you will find the most important measures you need to implement to be on the safe side legally.

Key steps at a glance:

Privacy policy and imprint: These mandatory pages must be complete, easily accessible, and up to date. Particularly important are details about responsible parties, collected data, and third-party providers used.
Cookie banner: Cookies may only be set after active consent. The opt-in procedure is mandatory – a rejection option must be just as visible as the consent option.
Contact forms: Only ask for truly necessary data and obtain user consent. Clearly reference your privacy policy.
SSL encryption: A website without HTTPS is no longer appropriate and violates the GDPR. Activate an SSL certificate to securely transmit data.
Tracking tools: Do you use analytics tools like Google Analytics? Then you need a data processing agreement and must disclose the data processing in your privacy policy.

Implement these measures consistently to avoid warnings and strengthen your users' trust. Below you will find further details on each point.

GDPR Basics for Austrian Websites

The GDPR forms the legal basis for handling personal data in Austria. Website operators must ensure that every data processing – whether via contact forms, newsletters, or tracking tools – complies with legal requirements. Those who know the basic principles can incorporate data protection directly into the website design. The following sections explain the central aspects of the GDPR.

Core GDPR Principles

The GDPR is based on six fundamental principles that apply to every data processing on your website. These principles are not mere theories but have concrete practical implications.

Lawfulness, fairness, transparency: Personal data may only be processed if there is a legal basis – such as user consent or a legitimate interest. At the same time, you must clearly communicate which data is collected for which purpose. Unclear wording in the privacy policy or an opaque cookie banner are unacceptable.

Purpose limitation: The use of collected data must be limited to the stated purpose. For example, if you collect email addresses for order confirmations, these may not be used for marketing purposes without explicit consent.

Data minimisation: Only collect data that is truly necessary. A typical problem on Austrian websites is contact forms that require unnecessary information such as date of birth or phone number, even though name and email address would suffice. Such additional fields not only increase legal risk but can also deter visitors.

Accuracy: Stored data must always be correct and up to date. Users should have the ability to correct their details, for example via a customer account or by contacting you. Outdated data, such as old newsletter subscriptions, should be regularly cleaned up.

Storage limitation: Data may only be stored for as long as necessary. Set clear deletion deadlines: contact enquiries can be deleted after communication is completed, while invoice data must be retained for seven years due to tax regulations. These deadlines should be documented in your privacy policy.

Integrity and confidentiality: Protect your users' data through measures such as SSL encryption, strong passwords, and regular backups. A web shop without HTTPS is a clear violation of this principle.

Privacy by Design and Privacy by Default

The principles of "Privacy by Design" and "Privacy by Default" emphasise that data protection must be incorporated into the planning and development of your website from the outset. For operators in Austria, this means: data protection is not an afterthought but an integral part of every project.

Privacy by Design means that data protection measures are considered during the planning phase. For example, when creating a new contact form, you should immediately define: Which fields are necessary? Where is the data stored? Who has access? And how long will it be stored? Instead of storing form data in an open database, use encrypted connections and restrict access to authorised persons.

Privacy by Default ensures that the most privacy-friendly setting is active by default. This means: tracking cookies may only be set after explicit consent. A pre-checked box for the newsletter is impermissible – users must actively consent. For cookie banners: the "Reject all" option must be just as visible as "Accept all".

Many content management systems like WordPress now offer default settings that consider data protection. Nevertheless, you should critically review and adjust these if necessary.

Practical tip: Review your contact forms and remove all required fields that are not absolutely necessary. Only ask for information you truly need. This simple measure not only ensures greater GDPR compliance but also increases the likelihood that visitors will fill out the form.

These fundamental principles form the basis for further measures to make your website data protection-compliant.

Mandatory Pages for Legally Compliant Websites

After implementing basic GDPR measures, it is crucial to also make your website's mandatory pages legally secure. In Austria, websites – whether an online shop, blog, or business site – must contain certain legal information. These pages not only ensure transparency but also strengthen your visitors' trust and help avoid legal risks. The two most important pages are the privacy policy and the imprint.

Place these pages ideally in the footer of your website so that users can reach them with a maximum of two clicks. Below you will learn which details must be included in your privacy policy and imprint.

Privacy Policy Requirements

The privacy policy is a central component of GDPR compliance. It clearly and understandably informs your visitors about which personal data is collected, why it is processed, and what rights users have.

Important contents of the privacy policy:

Name the responsible party: Provide the name and contact details of the responsible person. If a data protection officer has been appointed, their contact details should also be listed.
List collected data: Describe exactly which data is collected. If you use a contact form, you should state, for example, that the name, email address, and message are stored. Also explain how long this data is retained – for instance, until the enquiry is processed, after which the data is deleted.
Newsletter information: If you send newsletters, explain that the email address is used for this purpose and how users can unsubscribe.

Clearly state legal bases: Every data processing requires a legal basis. Common bases include consent, contract fulfilment, or legitimate interest. Explain these in a way that is comprehensible to your visitors.

Specify third-party providers and tracking tools: If you use tools such as Google Analytics, Facebook Pixel, or embedded YouTube videos, these must be named in the privacy policy. Describe which data is transmitted to these providers and whether data is processed outside the EU.

Explain user rights: Visitors to your website have the right to access, rectification, deletion, restriction of processing, and data portability. Explain how these rights can be exercised, e.g. by email to the specified contact address. Also point out the right to complain to the Austrian Data Protection Authority.

Many website operators use generators to create their privacy policy. However, these should be regularly reviewed and updated to ensure they remain complete and correct.

Imprint Requirements

The imprint is legally required in Austria and mandatory regardless of the GDPR. It serves to clearly identify the website operator and create transparency. Particularly websites that offer products or services must provide an imprint.

Mandatory information in the imprint:

Name of the operator: For sole proprietors, first and last name; for companies, the company name.
Address: Provide the full address (street, house number, postcode, and city). A PO box address is not sufficient.
Contact options: Include a phone number and email address.

For companies, additional information is required, such as the VAT number (UID-Nummer), the commercial register number, and the responsible commercial register court. For a GmbH, the managing director must also be named. Freelancers such as doctors, lawyers, or architects should also state their professional title, the responsible supervisory authority, and the chamber.

Visibility and accessibility: The imprint should be easy to find, ideally in the footer of every page. The link should be clearly labelled as "Imprint" to avoid misunderstandings. Ensure that the imprint is also fully and easily readable on mobile devices. Test your website on various devices to ensure all information is correctly displayed.

Avoid common mistakes: A frequent problem is an incomplete imprint, e.g. when the phone number is missing or only a general email address is provided. Outdated information, such as after a move or a change in legal form, can also lead to legal problems. Regularly check your imprint to ensure all details are current and correct.

Consent and Transparency in Data Collection

Once you have set up the necessary mandatory pages, it is crucial to obtain the explicit consent of your visitors. According to the GDPR, personal data may only be processed after users have actively consented. This regulation serves not only legal protection but also strengthens your visitors' trust in your website. Without proper consent, you risk warnings and possible fines from the Austrian Data Protection Authority.

Below you will learn how to design cookie banners and form consents in a GDPR-compliant manner.

Cookie Banners and Consent Management

Cookie banners have become standard on Austrian websites, yet many operators do not implement them correctly. According to the GDPR and ePrivacy Directive, users must actively consent before cookies are deployed. This means: cookies may only be stored after the visitor has given their consent.

Opt-in instead of opt-out: Cookie banners that activate cookies as soon as the page loads are not permissible. Instead, an opt-in procedure is required in which users must actively consent. A pre-selected checkbox or phrases like "By using this website, you agree" are not sufficient. Consent must be given through a clear click on a button such as "Accept".

Which cookies require consent? Not all cookies require consent. Technically necessary cookies, such as those for the shopping cart in an online shop or session management, may be set without consent. Cookies for tracking, analytics, and marketing, however, always require active consent. These include tools like Google Analytics, Facebook Pixel, or embedded YouTube videos with tracking functionality.

Granular selection options: A good cookie banner offers users the ability to choose between different cookie categories. Typical categories are "Necessary", "Statistics", "Marketing", and "External Media". Visitors should be able to reject individual categories without restricting the website's functionality. It is important that the rejection option is just as easily accessible as the acceptance option.

Documentation of consent: User consent (including timestamp and IP address) should be documented through a consent management tool. Such tools automatically record which cookies a user has accepted. This data is important in case of legal questions. Popular tools in Austria include Cookiebot, Usercentrics, and Borlabs Cookie.

Enable withdrawal: Add a clearly visible link, e.g. "Cookie Settings", in the footer of your website. This allows visitors to change or withdraw their consent at any time.

Consent for Forms and Newsletters

Not only cookies but also forms on your website require clear and demonstrable consent. This applies especially to contact forms, newsletter sign-ups, and download forms.

Making contact forms GDPR-compliant: When using a contact form, you should transparently explain which data is collected and how it is processed. Directly below the form, there should be a reference to your privacy policy, e.g.: "By submitting this form, you agree to the processing of your data in accordance with our Privacy Policy."

A checkbox as a required field is advisable to actively obtain consent. This checkbox must not be pre-selected. The wording should be clear and understandable, such as: "I agree that my details will be stored for the purpose of processing my enquiry."

Double opt-in for newsletters: For newsletter sign-ups, the double opt-in procedure is indispensable. The user receives an email with a confirmation link after registration. Only after clicking this link may you send newsletters. This procedure protects against fraudulent registrations and ensures that the entered email address actually belongs to the user.

Many newsletter tools like Mailchimp, CleverReach, or Brevo (formerly Sendinblue) offer this feature automatically. Ensure that every newsletter email contains an easily accessible unsubscribe link that works with one click.

Consent for third-party tools: If you use forms from third-party providers like Typeform, Google Forms, or HubSpot, these must also be GDPR-compliant. Check whether the provider offers a data processing agreement (DPA) and whether data is processed outside the EU. In your privacy policy, you should list these tools and explain which data is transmitted to the providers.

Practical tip: Review your existing forms and newsletter sign-ups. Is a consent checkbox or a reference to the privacy policy missing? Add these elements to be on the safe side legally.

Technical Security Measures

After establishing the legal foundations for consents, it is equally important to take technical measures to protect personal data. The GDPR obliges website operators to take appropriate technical and organisational precautions to protect data from unauthorised access, loss, or manipulation. These measures complement the legal requirements and strengthen your visitors' trust. If neglected, not only fines are at stake but also a significant loss of trust.

The following explains how such measures can be practically implemented.

SSL Certificates and Data Encryption

An SSL certificate (Secure Sockets Layer) is indispensable for every website that handles personal data. Websites with SSL encryption can be recognised by the "https://" address and the padlock symbol in the browser. This technology ensures that all data exchanged between the user's browser and your server is protected from third-party access. The GDPR requires that data be encrypted during transmission. Without this encryption, sensitive information such as passwords, contact details, or payment information can be easily intercepted.

Many hosting providers offer free SSL certificates like "Let's Encrypt" or inexpensive alternatives. Check your hosting dashboard to see if SSL is activated and set up automatic redirection from HTTP to HTTPS. Using a free SSL test, for example via SSL Labs (ssllabs.com), you can ensure your certificate is correctly configured.

Backups and Software Updates

In addition to encryption, regularly updating your systems plays a central role. Backups and software updates are essential for ensuring the long-term availability and security of your website. Outdated software or the absence of backups increases the risk of data loss, hacking attacks, and system failures.

Keep your content management system (e.g. WordPress, Joomla, or Typo3) as well as all themes and plugins up to date. Many systems offer automatic updates that close security vulnerabilities. Ensure you only use PHP versions that receive security updates. If your version is outdated, an immediate update is necessary.