The General Data Protection Regulation (GDPR; Datenschutz-Grundverordnung DSGVO) of the EU has been in force since May 2018 in Austria. Following the implementation, two amendments of the national Data Protection Act (2000) came into force (in addition to modifications of numerous other relevant laws): the Data Protection Amendment Act and the Data Protection Deregulation Act. The Data Protection Act implements the EU data-protection guidelines, regulates all rights and obligations of operators of information collections and applies both to public-legal (authorities etc.) and private legal information collections (companies, associations and other organisations), including those held by cultural institutions. Fundamentally, according to Paragraph 47, the transfer of addresses requires the agreement of those affected, although there are exceptions (for statistical or scientific reasons, for example).
The Austrian Data Protection Authority, one of the eldest data protection authorities in Europe (since 1980), is in charge of the compliance with the data protection law.