GDPR Checklist for Business Websites in Austria 2026
GDPR is often portrayed as a bureaucratic nightmare in Austria — unfairly. Most requirements can be handled with a clean setup in a few hours. Here's the honest checklist I use on every client project.
1. Cookie Banner: More Than a Click Barrier
A compliant cookie banner satisfies three conditions: (1) no non-essential cookies, localStorage entries or tracking pixels before consent, (2) "Accept all" and "Reject all" buttons of equal weight on the first layer, so that rejecting costs no more clicks than accepting, (3) granular consent (marketing/analytics/functional selectable separately). The legal hook is §165(3) TKG 2021 (Austria's implementation of the ePrivacy cookie rule), with consent to GDPR standard. The single first-party cookie that stores the visitor's decision is strictly necessary and may be set without consent. A banner with only an "OK" button is not compliant under the Austrian Federal Administrative Court's decision of 31 July 2024 (case W108 2284491-1/15E).
Recommendation: Cookiebot, Usercentrics, or (cheaper) a custom implementation with real consent logic, meaning third-party scripts are actually blocked until consent rather than a banner merely being displayed over a page that already loads them. Cost: €0–€12/month.
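The consent logic behind such a banner, as an added example in JavaScript (not code from the article or from any of the products named): a consent record kept in one first-party cookie, decoded defensively so that a tampered, expired or outdated record counts as no consent, and a gate that runs third-party loaders only for granted categories. The category names, the cookie name, the 180-day validity and the `<script type="text/plain" data-consent="...">` blocking convention are assumptions.

```javascript
// Added example, not the article's code: granular consent record + gated loading.
// Assumed: category names, cookie name, 180-day validity, data-consent script convention.
const CATEGORIES = ["functional", "analytics", "marketing"];
const CONSENT_COOKIE = "site_consent";      // assumed name; storing the decision itself is strictly necessary
const CONSENT_VERSION = 1;                  // bump when vendors/categories change: old consent stops counting
const CONSENT_MAX_AGE_S = 180 * 24 * 3600;  // re-ask after ~6 months

// Map a banner action to per-category choices. "accept_all" and "reject_all" are
// symmetric one-click actions: rejecting must not cost more effort than accepting.
function choicesFromBanner(action, selected = {}) {
  const all = (v) => Object.fromEntries(CATEGORIES.map((c) => [c, v]));
  if (action === "accept_all") return all(true);
  if (action === "reject_all") return all(false);
  if (action === "save") return Object.fromEntries(CATEGORIES.map((c) => [c, selected[c] === true]));
  throw new Error(`unknown banner action: ${action}`);
}

// Serialise a decision; unknown keys are dropped, only an explicit `true` counts as granted.
function encodeConsent(choices, now = Date.now()) {
  const granted = CATEGORIES.filter((c) => choices[c] === true);
  return JSON.stringify({ v: CONSENT_VERSION, ts: now, granted });
}

// Parse a stored record. Any defect (unparseable, old version, future or expired timestamp,
// unknown categories) degrades to "no consent", never to "consent".
function decodeConsent(raw, now = Date.now()) {
  if (typeof raw !== "string" || raw === "") return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (!rec || rec.v !== CONSENT_VERSION || typeof rec.ts !== "number") return null;
  if (rec.ts > now || now - rec.ts > CONSENT_MAX_AGE_S * 1000) return null;
  if (!Array.isArray(rec.granted)) return null;
  return { ts: rec.ts, granted: new Set(rec.granted.filter((c) => CATEGORIES.includes(c))) };
}

function hasConsent(consent, category) {
  return consent !== null && consent !== undefined && consent.granted.has(category);
}

// Loaders (e.g. "insert the analytics <script>") registered per category; each runs at most
// once, and only after its category has been granted.
class ConsentGate {
  constructor() { this.pending = new Map(); this.loaded = new Set(); }
  register(category, name, loader) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push({ name, loader });
  }
  apply(consent) {  // returns the names of the loaders run in this call
    const ran = [];
    for (const [category, entries] of this.pending) {
      if (!hasConsent(consent, category)) continue;
      for (const e of entries) {
        if (this.loaded.has(e.name)) continue;
        e.loader(); this.loaded.add(e.name); ran.push(e.name);
      }
    }
    return ran;
  }
}

// Browser side (no-ops outside a browser). Third-party tags ship as
// <script type="text/plain" data-consent="analytics" data-src="..."> so the browser ignores
// them; after consent they are re-created as real scripts.
function writeConsentCookie(record, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return false;
  doc.cookie = `${CONSENT_COOKIE}=${encodeURIComponent(record)}; Max-Age=${CONSENT_MAX_AGE_S}; Path=/; SameSite=Lax; Secure`;
  return true;
}
function readConsentCookie(doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return null;
  const m = doc.cookie.match(new RegExp(`(?:^|; )${CONSENT_COOKIE}=([^;]*)`));
  return m ? decodeURIComponent(m[1]) : null;
}
function activateBlockedScripts(consent, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  let n = 0;
  doc.querySelectorAll('script[type="text/plain"][data-consent]').forEach((el) => {
    if (!hasConsent(consent, el.dataset.consent)) return;
    const s = doc.createElement("script");
    if (el.dataset.src) s.src = el.dataset.src; else s.textContent = el.textContent;
    el.replaceWith(s); n += 1;
  });
  return n;
}
// Typical wiring: on page load, decodeConsent(readConsentCookie()) -> activateBlockedScripts(...),
// showing the banner when decodeConsent returns null; on a banner action,
// writeConsentCookie(encodeConsent(choicesFromBanner(action, selected))) and activate again.
```

The important design choice is in decodeConsent: every failure path returns null, so a corrupted or forged cookie can only result in fewer scripts loading, never more. Bumping CONSENT_VERSION when a vendor is added invalidates old records, which is what you want when the consented scope changes.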
2. Server Location: EU Hosting Is the Simple Default
Data from European users should live on EU servers. The GDPR does not literally mandate it, but with an EU provider the third-country transfer rules of Chapter V never come into play, and that is one whole chapter of documentation you do not have to write. Hetzner (Germany/Finland), IONOS (Germany), Netcup (Germany), or Scaleway (France) cover this easily. US cloud providers like AWS or Google Cloud are possible via EU regions, and since July 2023 the EU-US Data Privacy Framework adequacy decision provides a transfer basis for certified providers, but a US parent company remains subject to the US CLOUD Act, which can compel it to hand over data regardless of where it is stored; supervisory authorities treat that as a residual transfer risk you must assess and document. With an EU provider the question simply does not arise.
3. Data Processing Agreement (DPA)
Every external service that processes personal data on your behalf needs a data processing agreement under Art. 28 GDPR. This applies to hosts, newsletter tools (Mailchimp, Brevo), analytics services, CRM systems, and bot-protection services. DPAs are usually standard templates you accept in the provider's account settings; for US providers such as Mailchimp the DPA must also cover the transfer (Data Privacy Framework certification or standard contractual clauses). Keep a copy, and list each processor as a recipient in your record of processing (section 8).
4. Analytics: Google Analytics Is Problematic
The Austrian Data Protection Authority (DSB) found in decisions published in 2022 that using Google Analytics violated the GDPR's transfer rules (Art. 44), because visitor data went to Google in the US. The 2023 EU-US Data Privacy Framework has softened the transfer question, but Google Analytics still needs consent and therefore a banner. The pragmatic answer is clear: Plausible Analytics or Matomo. Both work without cookies (Matomo only when configured that way), both are self-hostable so the data stays on your own EU server, and Plausible's cloud offering is EU-hosted. Cookie-free is not data-free: IP addresses are still processed, so the tool belongs in the privacy policy, and the prevailing view that no consent is needed rests on the tool not building a persistent visitor profile. For 95% of websites they deliver all the insights you need.
5. Fonts: Google Fonts Locally Only
The Munich Regional Court (LG München I) ruled on 20 January 2022 (Az. 3 O 17493/20) that embedding Google Fonts from Google's CDN violates the GDPR because the visitor's IP address is sent to Google on every page load. Solution: host the fonts yourself. In Next.js, next/font/google handles this automatically: fonts are downloaded at build time and served from your own origin, so the browser never contacts fonts.googleapis.com or fonts.gstatic.com. Check after deployment: if the network tab still shows a request to either host (a stray preconnect link, a theme stylesheet with an @import), the fix is incomplete.
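A post-deployment check for exactly that, as an added example in JavaScript that is not part of the article: scan the served HTML for resources the browser would fetch from a host other than your own before any consent. It flags the Google Fonts hosts from this section and, as a side effect, the embed and analytics hosts from the neighbouring sections; the host labels and the constructed sample page are assumptions, and anything off-origin is reported regardless of label. Only static markup is inspected, so tags injected by scripts at runtime are not seen; confirm with the browser's network tab.

```javascript
// Added example, not the article's code: static audit of served HTML for off-origin resources.
// Labels for well-known hosts are an assumption; unknown off-origin hosts are reported too.
const KNOWN_HOSTS = [
  [/^fonts\.(googleapis|gstatic)\.com$/, "Google Fonts: host locally (section 5)"],
  [/^(www\.|m\.)?youtube\.com$/, "YouTube: consent wall or youtube-nocookie.com (section 6)"],
  [/(^|\.)google\.com$/, "Google (Maps, reCAPTCHA): consent wall or replace (sections 6, 7)"],
  [/(^|\.)(googletagmanager|google-analytics)\.com$/, "Google Analytics / Tag Manager: consent required (section 4)"],
  [/(^|\.)facebook\.(net|com)$/, "Facebook plugin: consent required (section 6)"],
];

// Return every host other than your own that the markup makes the browser contact before
// any consent. `ownOrigin` e.g. "https://example.at"; own subdomains go in `extraOwnHosts`.
function auditThirdParty(html, ownOrigin, extraOwnHosts = []) {
  const own = new Set([new URL(ownOrigin).host, ...extraOwnHosts]);
  const findings = [], seen = new Set();
  const record = (url, where) => {
    let u;
    try { u = new URL(url, ownOrigin); } catch { return; }     // unparsable -> no network host
    if (!/^https?:$/.test(u.protocol) || own.has(u.host)) return;  // data:, blob:, own origin
    const key = `${where}|${u.host}`;
    if (seen.has(key)) return;
    seen.add(key);
    const hit = KNOWN_HOSTS.find(([re]) => re.test(u.host));
    findings.push({ where, host: u.host, label: hit ? hit[1] : "third party: check DPA and consent (section 3)" });
  };
  // Elements whose src/href is fetched on load. Whitespace is required before the attribute
  // name, so data-src= (the consent-blocked script convention) is deliberately not matched.
  const tagRe = /<(script|img|iframe|link|video|audio|source|embed)\b([^>]*)>/gi;
  const attrRe = /(?:^|\s)(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = attrRe.exec(m[2]);
    if (a) record(a[1] ?? a[2] ?? a[3], m[1].toLowerCase());
  }
  // url(...) and @import inside <style> blocks and style attributes (fonts are often pulled in here).
  const cssRe = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s"']+))\s*\)|@import\s+(?:"([^"]*)"|'([^']*)')/gi;
  while ((m = cssRe.exec(html)) !== null) record(m[1] ?? m[2] ?? m[3] ?? m[4] ?? m[5], "css");
  return findings;
}

// Constructed sample page (not a real site) mixing local assets with the classic mistakes.
const SAMPLE_HTML = `
<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css2?family=Inter" rel="stylesheet">
<link rel="stylesheet" href="/_next/static/css/app.css">
<style>@font-face{font-family:Inter;src:url(/fonts/inter.woff2)}</style>
</head><body>
<script src="/_next/static/chunks/main.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script type="text/plain" data-consent="marketing" data-src="https://ads.example.net/pixel.js"></script>
<iframe src="https://www.youtube.com/embed/abcdefghijk"></iframe>
<img src="https://example.at/logo.png">
</body></html>`;

// Usage: auditThirdParty(SAMPLE_HTML, "https://example.at") reports fonts.gstatic.com,
// fonts.googleapis.com, www.googletagmanager.com and www.youtube.com, in document order; the
// local assets and the consent-blocked script stay silent.
```

Run it against the HTML your production server actually returns (curl the page, not the source tree), because fonts and pixels are frequently added by a theme, a plugin or a tag manager rather than by your own templates.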
6. External Embeds: YouTube, Maps, Social
YouTube videos, Google Maps and Facebook plugins set tracking cookies as soon as the iframe loads, so embedding them without consent is unlawful. Two solutions: (1) a consent wall (a placeholder saying "Click here to load the video from YouTube" that inserts the iframe only after the click), (2) YouTube's privacy-enhanced mode (youtube-nocookie.com instead of youtube.com). Note that the second still transmits the visitor's IP address to Google when the iframe loads, and cookies can be set once playback starts, so the consent wall is the cleaner of the two; combining both is best.
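Both options combined, as an added example in JavaScript that is not the article's code: the server renders a placeholder carrying the youtube-nocookie.com embed URL, built only from a validated 11-character video ID so that an editor-pasted URL cannot smuggle in an arbitrary iframe target, and the browser inserts the iframe only after the click. The CSS class names, placeholder wording and sample IDs are assumptions.

```javascript
// Added example, not the article's code: consent wall + privacy-enhanced YouTube embed.
const YT_ID = /^[A-Za-z0-9_-]{11}$/;  // YouTube video IDs are 11 URL-safe characters

// Extract the video ID from the URL forms editors usually paste; null if not recognised.
// Only youtube.com / youtu.be / youtube-nocookie.com hosts are accepted.
function youtubeId(input) {
  let u;
  try { u = new URL(input); } catch { return YT_ID.test(input) ? input : null; }  // a bare ID
  const host = u.hostname.replace(/^(www|m)\./, "");
  let id = null;
  if (host === "youtu.be") {
    id = u.pathname.slice(1);
  } else if (host === "youtube.com" || host === "youtube-nocookie.com") {
    if (u.pathname === "/watch") id = u.searchParams.get("v");
    else { const m = /^\/(?:embed|shorts|v)\/([^/?]+)/.exec(u.pathname); if (m) id = m[1]; }
  }
  return id && YT_ID.test(id) ? id : null;
}

// Privacy-enhanced embed URL; built only from a validated ID, never from raw input.
function nocookieEmbedUrl(id) {
  if (!YT_ID.test(id)) throw new Error("invalid YouTube video ID");
  return `https://www.youtube-nocookie.com/embed/${id}`;
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Server-rendered placeholder: nothing is fetched from Google until the visitor clicks.
function consentWallHtml(id, title) {
  const src = nocookieEmbedUrl(id);
  return `<div class="yt-wall" data-embed="${escapeHtml(src)}">` +
    `<p>${escapeHtml(title)}: this video is hosted on YouTube. Clicking loads it from Google ` +
    `(privacy-enhanced mode); your IP address will be transmitted to Google.</p>` +
    `<button type="button" class="yt-wall-load">Load video</button></div>`;
}

// Browser side: replace each placeholder with the iframe on click. Returns the number of walls
// wired; 0 outside a browser.
function wireConsentWalls(root = typeof document !== "undefined" ? document : null) {
  if (!root) return 0;
  const walls = root.querySelectorAll(".yt-wall");
  walls.forEach((wall) => {
    wall.querySelector(".yt-wall-load").addEventListener("click", () => {
      const iframe = root.createElement("iframe");
      iframe.src = wall.dataset.embed;  // validated when the markup was generated
      iframe.setAttribute("allowfullscreen", "");
      iframe.setAttribute("loading", "lazy");
      iframe.referrerPolicy = "strict-origin-when-cross-origin";
      wall.replaceWith(iframe);
    });
  });
  return walls.length;
}
```

Keep the validation on the server side where the markup is generated: the click handler trusts data-embed, which is fine only because nothing but nocookieEmbedUrl ever writes it.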
7. Contact Forms and Data Retention
Every form needs: (a) a note on what the data is used for and on which legal basis (for a contact form usually Art. 6(1)(b): answering the request), (b) a link to the privacy policy; a checkbox is the common way to present it, but the information duty is met by the link, and a checkbox becomes mandatory only where consent is the legal basis, (c) a retention period (typically 6 months after the last contact) that you actually enforce with a deletion job, not just state. Do not use Google reCAPTCHA: it loads Google scripts and sends visitor data to Google before any consent. Use Cloudflare Turnstile or hCaptcha instead. Both still load a third-party script, so list them in the privacy policy and sign the DPA (section 3), and verify the token on the server, otherwise the widget is decoration.
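The server side of this, as an added example in JavaScript for Node 18+ (built-in fetch); it is not the article's code. It verifies the Turnstile token against Cloudflare's documented siteverify endpoint (the `cf-turnstile-response` form field and the `success`, `hostname` and `error-codes` response fields are Cloudflare's; the fetch implementation is injectable so the decision logic can be exercised offline), stores only the fields the purpose needs with a deletion date fixed at write time, and provides the purge job that enforces the retention period. The in-memory store, the 183-day period, the email check and the sample data are assumptions.

```javascript
// Added example, not the article's code: contact-form backend with server-side Turnstile
// verification and enforced retention. Endpoint and field names are Cloudflare's documented
// ones; the in-memory store, retention length and sample data are assumptions.
const TURNSTILE_VERIFY = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
const RETENTION_MS = 183 * 24 * 3600 * 1000;  // ~6 months after receipt, as suggested in section 7

// Pure decision logic over the siteverify answer, so it can be tested without network access.
function interpretSiteverify(httpStatus, data, expectedHost) {
  if (httpStatus !== 200) return { ok: false, reason: `http-${httpStatus}` };
  if (!data || data.success !== true) {
    const codes = data && Array.isArray(data["error-codes"]) ? data["error-codes"] : ["unknown"];
    return { ok: false, reason: codes.join(",") };
  }
  // A token issued for another site's widget is not a pass for this one.
  if (expectedHost && data.hostname !== expectedHost) return { ok: false, reason: "hostname-mismatch" };
  return { ok: true };
}

// POST the token to Cloudflare. `fetchImpl` is injectable (tests, custom agents); default is global fetch.
async function verifyTurnstile(token, secret, expectedHost, remoteIp, fetchImpl = globalThis.fetch) {
  if (typeof token !== "string" || token === "" || token.length > 2048) return { ok: false, reason: "missing-token" };
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  const res = await fetchImpl(TURNSTILE_VERIFY, { method: "POST", body });
  const data = await res.json().catch(() => null);
  return interpretSiteverify(res.status, data, expectedHost);
}

// Data minimisation: keep only what answering the request needs (no IP, no user agent).
// The deletion date is decided at write time, not left to someone remembering later.
function createSubmission(fields, now = Date.now()) {
  const clean = (v) => String(v ?? "").trim().slice(0, 5000);
  const email = clean(fields.email);
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) throw new Error("invalid email address");
  return {
    name: clean(fields.name), email, message: clean(fields.message),
    receivedAt: now, deleteAfter: now + RETENTION_MS,
  };
}

// Retention job (run daily): returns what survives, drops everything past its deletion date.
function purgeExpired(submissions, now = Date.now()) {
  return submissions.filter((s) => s.deleteAfter > now);
}

// Request handler tying it together. `env` carries secret, own host, client IP, store, fetch, clock.
async function handleContact(form, env) {
  const check = await verifyTurnstile(form["cf-turnstile-response"], env.turnstileSecret, env.host, env.clientIp, env.fetch);
  if (!check.ok) return { status: 400, error: `bot check failed: ${check.reason}` };
  let submission;
  try { submission = createSubmission(form, env.now); } catch (e) { return { status: 400, error: e.message }; }
  env.store.push(submission);
  return { status: 200 };
}
```

Two details matter in practice: the hostname comparison rejects tokens solved on someone else's site with your public site key, and the purge job is what turns "6 months" from a sentence in the privacy policy into something you can demonstrate to the DSB.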
8. Record of Processing Activities (Art. 30 GDPR)
Art. 30 GDPR requires a record of all processing activities. The exemption for companies with fewer than 250 employees (Art. 30(5)) applies only if the processing is occasional, which is practically never the case for a business with customers, staff and a website, so in practice every company needs one. Sounds like overhead but fits in a single spreadsheet: purpose, data categories, data subjects, recipients (including every processor from section 3), transfers to third countries, retention period, technical and organisational measures. The Austrian Chamber of Commerce (WKO) provides free templates.
9. What Actually Matters — and What Is Myth
True: IP addresses are personal data. Tracking requires consent. The privacy policy must be complete and understandable.
Myth: that every cookie banner needs a law firm; that private individuals send mass warning letters; that tiny shops get €2500 fines. In reality, SMEs are rarely targeted if they follow the basics. The DSB mostly acts on complaints.
10. My Pragmatic Setup
For client websites I use: Hetzner hosting in Germany, Plausible Analytics (no consent needed), Google Fonts locally via next/font, Cloudflare Turnstile for forms, YouTube in privacy mode, cookie banner only when marketing cookies are active — and that's not needed for 80% of SME websites.
One-time effort: 4–6 hours. Recurring cost: €0. Legal certainty: high. Questions about your own setup? Write to me.
Questions or feedback? office@markusstoeger.com