AI Voice Agents in Austria: GDPR, DSG & B2B Cold Calling Rules (2026)

If you are running AI voice agent campaigns into the EU, Austria is the country most likely to surprise you. Sales teams comfortable with Germany's implied B2B consent doctrine, or with the permissive Nordic environment, often assume Austria works the same way. It does not. Austria has consistently chosen the strictest interpretation available under the ePrivacy Directive, and its courts have backed that interpretation for over a decade.

This guide focuses narrowly on what an AI voice agent must do (and avoid) when calling Austrian numbers. For broader European context, see our country-by-country GDPR cold calling guide and our DACH-specific compliance guide.

Why Is Austria the Strictest EU Country for Cold Calling?

Three structural choices make Austria materially stricter than its neighbours:

• No B2B exemption in primary law. Section 174 of the Telekommunikationsgesetz 2021 (the recodified successor to TKG 2003 Section 107) treats all subscribers - business and consumer - the same when it comes to unsolicited advertising calls.
• Automated calling systems are singled out. Calls placed by automated dialling systems, voice broadcasting, or AI agents acting autonomously fall under a tighter rule that requires prior consent regardless of who answers.
• Active enforcement. Both the Fernmeldebuero (telecommunications office under the Ministry) and the Datenschutzbehoerde (DSB) investigate complaints. Recipients can also bring private lawsuits under the UWG (Bundesgesetz gegen den unlauteren Wettbewerb).

The combination of strict primary law, statutory administrative penalties up to EUR 58,000, and active enforcement is what makes Austria stand out. You can absorb the regulatory risk in some markets through volume and acceptance of the occasional fine. In Austria, that approach is structurally bad math.

TKG 2003 Section 107 Explained

The original rule everyone references is Section 107 of the Telekommunikationsgesetz 2003. As of 1 November 2021, the TKG was recodified into the Telekommunikationsgesetz 2021 (TKG 2021), and the cold calling rule moved to Section 174 TKG 2021 with substantively identical content. Most practitioners and older case law still refer to "TKG Section 107" as shorthand. Both addresses point to the same regime.

The current rule (TKG 2021 Section 174 (1)) provides:

• Calls (including faxes) to subscribers for the purpose of direct marketing are only permitted with the prior consent of the subscriber.
• This applies regardless of whether the subscriber is a natural person or a legal entity - i.e., B2B is not excluded.
• Consent must satisfy the GDPR standard: freely given, specific, informed, and unambiguous (GDPR Article 4(11)).
• The advertiser bears the burden of proof for that consent.

Read the consolidated text directly on the Austrian legal information system: RIS - Telekommunikationsgesetz 2021.

There is no general "implied consent" carve-out for businesses, no "reasonable expectation" doctrine like Germany's mutmassliche Einwilligung, and no "legitimate interest can replace consent for the call itself" reading. GDPR legitimate interest may justify processing the contact data, but TKG Section 174 is the gate that controls whether the call may happen at all.

How Do the DSG and GDPR Overlap?

The Datenschutzgesetz (DSG) is Austria's domestic data protection statute. After GDPR came into force in 2018, the DSG was significantly cut down: it now operates as the national supplement to GDPR, covering matters where GDPR explicitly leaves room for national rules (such as criminal data, employee data, and the constitutional right to data secrecy).

For an AI voice agent calling Austrian prospects, three layers apply at once:

• GDPR - governs lawful basis, transparency, data subject rights, processor contracts, and international transfers. See the consolidated text at EUR-Lex GDPR.
• DSG - regulates the constitutional right to data secrecy (Section 1 DSG), local enforcement powers, and the structure of the Datenschutzbehoerde. Full text: RIS - Datenschutzgesetz.
• TKG 2021 Section 174 - governs whether the call itself may be placed.

Compliance requires satisfying all three layers. A call that is lawful under GDPR (because you have a legitimate interest in processing the contact) can still be unlawful under TKG (because no prior consent for the call exists). The two questions are independent.

B2B vs B2C - Does the Distinction Help?

In most European jurisdictions, B2B versus B2C is the single most important variable for cold calling. The Netherlands, the UK, France, and the Nordics all carve out B2B for more permissive treatment. Austria does not.

The wording of TKG 2021 Section 174 references Teilnehmer (subscribers), which the Oberster Gerichtshof (OGH, Austria's Supreme Court) has consistently interpreted to include legal entities. The Austrian legislature has had repeated opportunities to introduce a B2B exemption and has chosen not to.

Practical consequences for B2B AI cold calling into Austria:

• Calling a generic info@firma.at phone number requires the same prior consent as calling a private mobile.
• The fact that the prospect is a relevant decision-maker for your product does not, on its own, create a lawful basis for the call.
• Sourcing numbers from a public business register (Firmenbuch) does not constitute consent. Public availability of a phone number is a frequently raised - and consistently rejected - argument.

The Existing Customer Relationship Exception

The one narrow opening in Austrian law for unsolicited contact is the existing customer relationship exception, which mirrors the "soft opt-in" in Article 13(2) of the ePrivacy Directive. In Austria, however, this exception is written for email and SMS direct marketing - not for telephone calls.

For email/SMS, the conditions are:

• The contact details were obtained in the course of selling a product or service to the recipient.
• The marketing concerns similar own products or services.
• The recipient was given a clear opt-out option at the time of collection and in every subsequent message.
• The recipient has not previously opted out.
• The contact is not on the Robinson List maintained by the RTR (Rundfunk und Telekom Regulierungs-GmbH).

For telephone calls placed by automated systems (which is the relevant category for AI voice agents), there is no equivalent "existing customer" soft opt-in. The OGH has been clear: for fully automated calls, prior explicit consent is the only safe path, even toward established customers, unless that consent was specifically obtained for telephone marketing at the time the relationship was created.

This is why "we already do business with them" is not a complete answer in Austria. The existing relationship may justify human-initiated service or transactional calls. It does not, on its own, authorise an AI voice agent to dial out for a marketing or upsell purpose.

Penalties and Datenschutzbehoerde Enforcement

Austria layers three separate enforcement tracks on top of each other:

The headline TKG number is EUR 58,000 per offence. "Per offence" in Austrian administrative practice typically means per call campaign or per documented violation, not per individual call - but courts have on occasion treated repeated calls as separate offences. The DSB's decisions are published at dsb.gv.at and through RIS - DSB decisions.

A representative example is DSB decision D124.2103/2018, where the authority confirmed that the burden of proof for valid consent always sits with the controller, and that consent records must be specific to the channel (telephone) and not generic. The European Data Protection Board echoed this reading in its Guidelines 05/2020 on consent, which Austrian regulators apply directly.

“Direct marketing by telephone, fax, email or SMS to natural persons or legal entities is only permitted with the prior consent of the subscriber. The advertiser must be able to prove this consent.”

Key OGH Decisions Shaping the Rules

Austrian Supreme Court (Oberster Gerichtshof) case law is the practical reference point for how the rules are enforced. A handful of decisions are the ones that AI voice agent operators should know:

• OGH 4 Ob 174/15z - confirmed that consent for direct marketing must specifically cover the telephone channel. A general "I agree to receive marketing" checkbox is not sufficient. Read the decision on RIS.
• OGH 4 Ob 221/06p - established that the existence of a public business phone number does not authorise advertising calls.
• OGH 4 Ob 65/22z - addressed automated calling systems and reinforced that the "automated calling system" category in TKG is to be read broadly, capturing modern AI dialler architectures and not just legacy IVR.
• OGH 4 Ob 22/19w - confirmed that an opt-out provided by the recipient must be respected immediately and across all channels controlled by the same advertiser.

The throughline of these decisions is that Austrian courts read the cold calling rules narrowly against the advertiser and broadly in favour of the recipient. There is no "technically compliant but practically annoying" safe harbour. Form follows substance.

EU AI Act Transparency Duties for Voice Agents

On top of the Austrian regime, the EU AI Act (Regulation 2024/1689) adds transparency duties that apply directly in Austria as a member state. For AI voice agents, the relevant rule is Article 50(1):

Practical implications for a voice agent calling into Austria:

• Disclosure must happen at the start of the conversation, before the substantive pitch.
• Voice cloning that imitates a real human (e.g., a specific salesperson by name) without disclosure is independently prohibited under Article 50(4) as a deceptive deepfake.
• The disclosure obligation is non-waivable - it applies even if the recipient has separately consented to receive marketing calls.
• Failure to disclose can trigger AI Act fines of up to EUR 15 million or 3% of global turnover under Article 99, on top of TKG and GDPR exposure.

For a deeper treatment of how Article 50 applies to voice systems, see our EU AI Act transparency requirements guide.

Call Recording Consent in Austria

Austria is a two-party consent jurisdiction for call recording. The relevant rule is Section 120(1) of the Strafgesetzbuch (StGB), which makes the recording of a private conversation without the consent of all parties a criminal offence punishable by up to one year of imprisonment.

For an AI voice agent, this means:

• The agent must inform the recipient that the call will be recorded before recording starts.
• The recipient must be given the option to continue without recording.
• Consent must be captured in audio (the recording itself) and ideally also in a metadata log.
• Quality assurance and training-on-recordings is a separate, additional consent layer that must be disclosed.

For a deeper treatment of recording compliance across jurisdictions, see our AI voice agent recording compliance guide.

Practical Compliance Checklist for AI Voice Agents

If your roadmap includes Austrian outbound, work through this list before the first dial.

1. Map the call path. Document which calls are inbound, which are human-initiated and AI-assisted, and which are fully autonomous AI dials. Only the latter trigger the strictest interpretation.
2. Build an opt-in funnel. Web forms, event registrations, and gated content must capture specific telephone marketing consent, not generic marketing consent. Store the timestamp, the form text shown to the user, and the IP/UA fingerprint.
3. Scrub against the RTR Robinson List. Even though the Robinson List is primarily a soft signal for email/SMS, suppressing matched numbers is good faith evidence and operationally trivial.
4. Set channel-specific consent records. "Email + telephone" consent must show both checkboxes and the user's active opt-in for each. Bundled consent fails the OGH 4 Ob 174/15z test.
5. Configure AI disclosure. Hard-code the AI Act Article 50 disclosure into the opening turn of every Austrian call. Do not gate it behind a question. Test it in production weekly.
6. Configure recording consent. Ask before the substantive pitch begins. Offer a no-recording path. Log the answer in structured form, not just in the audio.
7. Honour opt-outs across all channels in 24 hours. Austrian regulators have signalled that anything slower than next-business-day is suspect. Faster is better.
8. Sign a GDPR Article 28 DPA with your AI provider. Cover EU data residency, sub-processor list, audit rights, breach notification timeline, and deletion-on-termination.
9. Run a DPIA. Large-scale automated outbound calling with profiling typically meets the GDPR Article 35 high-risk threshold. Document the assessment even if the conclusion is "risk is acceptable".
10. Restrict calling hours. Austria does not codify hours the way France does, but DSB and OGH practice treats calls outside 09:00-18:00 local time, weekends, and public holidays as aggravating factors.
11. Cap dialling frequency. Two or three attempts within 30 days, then drop to email-only. Repeated calls after a no-pickup are a frequent complaint trigger.
12. Audit recordings monthly. Pull a sample, verify the AI disclosure fired, the recording consent fired, and the opt-out language was recognised. Keep the audit log for 24 months.

How AINORA Handles Austrian Compliance

AINORA is built around the assumption that the EU compliance perimeter is the default, not an afterthought. For Austrian deployments specifically, that translates into a handful of opinionated defaults:

• Country-aware call gating. Austrian numbers are not dialled unless a verified prior consent record exists in the connected CRM, or the call is explicitly classified as inbound-led or human-initiated.
• Native AI Act disclosure. The opening turn of every call includes an AI identity disclosure that satisfies Article 50(1). Disclosure language is locale-aware (German for AT) and is logged for every conversation.
• Two-party recording flow. Recording is off by default on Austrian calls. The agent asks for consent in German, captures the answer, and continues the call recording-free if the recipient declines.
• Opt-out everywhere. Recognised opt-out phrases across German dialects feed a centralised suppression list that is honoured immediately across all channels and all future campaigns.
• EU data residency. All conversation data, transcripts, and metadata stay in EU data centres. The Article 28 DPA, sub-processor list, and audit log are available before the first call.

None of this replaces local legal counsel. It does materially shorten the gap between "we want to call into Austria" and "we are calling into Austria in a way that survives a complaint".

Frequently Asked Questions