strafsachen.at
by Brandauer RA
DE EN BKS
Menü
Focus area · Criminal defence

Corporate criminal law.

When the company itself becomes a defendant, criminal procedure runs on two tracks. The VbVG (Austrian Corporate Criminal Liability Act) has made legal entities fully-fledged subjects of Austrian criminal law since 2006, with their own sanctions, their own procedural role and their own set of defences. We represent Austrian and German companies, their management and their supervisory boards through the entire proceeding, from the first WKStA (Central Public Prosecutor's Office for Economic Crime and Corruption) enquiry to the final judgment.

Your personal attorney

Mag. Christopher Angerer

Your lawyer for criminal defence

Criminal proceedings are a matter of trust. One lawyer who walks with you from the first consultation through to the trial, everything from one hand.

Call directly +43 660 2407152 WhatsApp Send email
Book consultation
What role does your entity play in the proceedings?

Four constellations, from acute VbVG suspicion to preventive work.

Four typical starting positions for management, supervisory boards, compliance officers and group legal departments. Each path leads to a concrete recommendation, the matching deep dive and the option to submit a request directly from within the tree.

Already know you want to submit a request? Go directly to the request form.

01 Question 1

Which constellation describes your entity?

Four frequently occurring starting positions. If none fits, please use the contact form below.

All paths at a glance

Overview of all answers.

01

Immediately: appoint a § 16 VbVG representative, separate the mandates, secure the internal investigation.

On a VbVG opening the entity must immediately appoint a representative under § 16 VbVG, typically an organ that is not itself a suspect (supervisory board, another managing director, special authorised representative). Joint representation with the co-suspect decision maker is inadmissible due to conflict of interest.

Concrete steps: separate mandates for the entity and the natural person, secure the internal investigation under counsel direction (§ 112 StPO scope after OGH 14 Os 39/23z), CMS stocktake and sanction review. A functioning compliance system can substantially reduce the daily-rate count or exclude attribution under § 3 para. 3 no. 2 VbVG entirely.

Deep dive: VbVG attribution in detail →
02

Internal investigation under counsel direction, secure the § 112 StPO scope.

Internal alerts are the most frequent source of VbVG proceedings. The right response decides whether the alert becomes a well-defended case or an incident that hits the entity at full force. The investigation must be under counsel direction from the start, only then does the seizure protection of § 112 StPO and OGH 14 Os 39/23z apply.

Concretely: mandate from supervisory board or management to the law firm, evidence preservation (e-mail, collaboration systems, ERP), employee interviews with notification under § 157 para. 1 no. 1 StPO analogously. Examine self-disclosure under § 29 FinStrG for tax-related matters, notification to the FMA / Data Protection Authority / Competition Authority where required. The HSchG (50+ employees) requires processing of internal reports within 3 months (§ 15 HSchG).

Deep dive: internal investigation phase →
03

CMS roll-out under ISO 37301 / 37001, tailored to the risk profile.

Preventive compliance build-up is the most important defence-strategic investment. A documented, lived CMS breaks the attribution path § 3 para. 3 no. 2 VbVG (employee offence + organisational failure) at the elements stage and acts as a qualified mitigating factor under § 5 para. 2 VbVG at sentencing.

Building blocks: risk analysis (which risks does this entity carry?), Code of Conduct, training programme with attendee lists, reporting channel under HSchG (anonymous, protected), clarification and sanction procedure, regular management review, complete documentation. Reference frames are ISO 37301 (compliance management) and ISO 37001 (anti-corruption); certifiable but not necessarily certified. We build the system together with the corporate-law team of Brandauer Rechtsanwälte.

Deep dive: how CMS breaks attribution →
04

Test territoriality § 62 StGB, coordinate with German OWiG, structure the parallel proceeding.

Foreign group parents with Austrian subsidiaries regularly face VbVG proceedings they had not planned for. The Austrian VbVG attaches territorially: as soon as the offence is committed in Austria or the entity has Austrian seat (§ 62 StGB in conjunction with § 1 VbVG), Austria has jurisdiction, irrespective of the parent's seat.

Concretely for a German group: § 30 OWiG (German entity fine, regulatory offences regime) and the future German Verbandssanktionenrecht run separately to the Austrian VbVG. Both proceedings touch the double-jeopardy bar (Article 50 CFR), but only on identity of the same factual situation. We coordinate the Austrian proceeding with the German group legal department or the mandated German firm, joint case meetings, aligned positions, clear allocation of tasks. Cross-border internal investigations are structured in line with data-protection law (§ 1 DSG, GDPR) and the labour law of both countries.

Deep dive: VbVG procedure with cross-border element →
VbVG attribution, § 3 VbVG side by side

Which attribution path runs, and where the defence engages.

Corporate liability under the VbVG follows two paths: the direct offence of a decision maker (§ 3 para. 2 VbVG) and the employee offence combined with an organisational failure (§ 3 para. 3 VbVG). The table sets out both paths with their requirements, sample fact patterns and the concrete defence lever.

Attribution paths, decision-maker offence, employee offence, offence for the benefit of the entity, breach of an entity duty.
Attribution path Statutory basis Requirements Example case Defence lever
Decision-maker offence
§ 3 para. 2 VbVG 		§ 2 para. 1 VbVG (definition decision maker) Unlawful and culpable offence by a managing director, board member, prokurist, supervisory board member or de facto decision maker, acting in that capacity. GmbH managing director signs a sham invoice, § 153 StGB breach of trust for the benefit of the entity. Functional analysis , Careful review of whether the suspect was actually a decision maker under § 2 para. 1 VbVG, document signing authority, budget control, hiring power. OGH 13 Os 87/18k on de facto management.
Employee offence + organisational failure
§ 3 para. 3 no. 2 VbVG 		§ 2 para. 2 VbVG (definition employee) Offence by an employee plus organisational failure: a decision maker, by failing to exercise the care required and reasonable to expect, materially facilitated or failed to prevent the offence. Sales staff pays a kickback to a public official, no training, no approval process, no compliance audit. CMS breaks attribution , A functioning, documented compliance management system (risk analysis, training, reporting channels, sanctioning) excludes attribution under § 3 para. 3 no. 2 VbVG or substantially reduces the daily-rate count.
Offence for the benefit of the entity
§ 3 para. 1 no. 1 VbVG 		§ 3 para. 1 no. 1 VbVG Anchor for both paths: the offence must objectively be capable of conferring an advantage on the entity, turnover, cost saving, competitive edge, avoidance of penalties. Accounting offence § 163a StGB for obtaining a bank loan; money laundering § 165 StGB to disguise group payments. Examination whether the advantage was objectively for the entity or predominantly private (self-enrichment of the perpetrator), self-enrichment defeats attribution.
Breach of an entity duty
§ 3 para. 1 no. 2 VbVG 		§ 3 para. 1 no. 2 VbVG Anchor for both paths: breach of a duty incumbent on the entity itself, labour-protection law, tax law, data protection, sectoral regulation. Breach under ASchG (Austrian Employee Protection Act); FM-GwG breach of a credit institution; GDPR breach in data processing. The entity duty must be clearly identified, generic duty of care without a specific norm is insufficient.

Corporate liability under § 3 para. 1 VbVG additionally requires that the offence was committed for the benefit of the entity or that a duty incumbent on the entity was breached. OGH 13 Os 87/18k clarifies the reach of the decision-maker definition; OGH 14 Os 39/23z the privilege protection of internal investigation reports.

Corporate fine, daily-rate count by sentencing range of the predicate offence

Maximum exposure under § 4 VbVG, and where it lands in practice.

The number of daily rates follows the sentencing range of the predicate offence (§ 4 paras. 1 and 2 VbVG). With the maximum daily rate of EUR 10,000 under § 4 para. 4 VbVG, theoretical ceilings emerge that in Salzburg and broader Austrian practice are rarely exhausted.

Six daily-rate tiers plus § 4 para. 2 VbVG (particularly serious cases), with theoretical maximum and practice averages for mid-sized entities.
Sentencing range of predicate offence Max. daily rates Max. daily rate amount Theoretical maximum Practice average (Salzburg mid-sized)
Up to 1 year imprisonment (e.g. § 88 para. 1 StGB, simple misdemeanours) 85 daily rates EUR 10,000 EUR 850,000 20 to 60 daily rates x EUR 200 to 600 = EUR 4,000 to 36,000 typically
Up to 3 years imprisonment (e.g. § 153 para. 1, § 165 para. 1 StGB) 130 daily rates EUR 10,000 EUR 1.3 million 40 to 90 daily rates x EUR 300 to 1,200 = EUR 12,000 to 108,000 typically
Up to 5 years imprisonment (e.g. § 148 StGB commercial fraud, § 153 para. 2 StGB) 180 daily rates EUR 10,000 EUR 1.8 million 60 to 120 daily rates x EUR 500 to 2,000 = EUR 30,000 to 240,000, the WKStA-typical band
Up to 10 years imprisonment (e.g. § 147 para. 3, § 153 para. 3, § 165 para. 4 StGB) 360 daily rates EUR 10,000 EUR 3.6 million 80 to 200 daily rates x EUR 1,000 to 3,500 = EUR 80,000 to 700,000 typically
Over 10 years / life imprisonment 600 daily rates EUR 10,000 EUR 6 million Group case, multiple parties; rare in Salzburg practice
Particularly serious case
§ 4 para. 2 VbVG 		850 daily rates EUR 10,000 EUR 8.5 million , Heightened sentencing range for sentencing maxima above ten years and particular gravity, for instance corruption cases with damages in the tens of millions, organised crime, serious balance-sheet manipulation. Exceptional; in practice only in the largest economic-crime and corruption matters

Daily-rate amount under § 4 para. 4 VbVG: minimum EUR 50, maximum EUR 10,000 by reference to the entity's earnings position. Practice averages are empirical from the Salzburg and broader Austrian WKStA practice and not a fixed rule.

VbVG procedural timeline

From initial suspicion to judgment, the VbVG phases at a glance.

Six phases from internal alert or prosecutorial initial suspicion to the trial before the lay-judge court and the appeal track. Each phase has its own deadlines, key questions and defence levers.

  1. 01
    First phase
    Before formal opening, days to months

    Initial suspicion, internal alert or authority enquiry

    Triggers are internal alerts (HSchG report), enquiries from the public prosecutor or WKStA, audit findings or press reports. § 1 para. 3 StPO defines initial suspicion.

    Initial suspicion and internal alerts stand at the start of practically every VbVG proceeding. Timing is critical: an entity that acts proactively, internal triage, immediate measures, where applicable a self-disclosure under § 29 FinStrG for tax-related matters, secures the position of a cooperating addressee and lays the groundwork for sentence mitigation under § 5 para. 2 VbVG.

    Statutory references: § 1 para. 3 StPO · § 13 VbVG · § 29 FinStrG (tax-related)

  2. 02
    Preventive phase
    Weeks to months, parallel to the official proceeding

    Internal investigation under counsel direction

    Mandate from management or supervisory board, evidence preservation, employee interviews, counsel's professional duties to secure the § 112 StPO privilege following OGH 14 Os 39/23z.

    The internal investigation is the most important preventive defence measure. Conducting it under counsel direction secures the professional duties under § 9 RAO (Austrian Lawyers Act) and with them the protection scope of § 112 StPO. In-house compliance investigations without lawyer involvement are typically unprotected after OGH 14 Os 39/23z, reports, interview minutes and forensics output may move into the criminal file in full.

    Statutory references: § 112 StPO · § 157 para. 1 no. 1 StPO · § 9 RAO · OGH 14 Os 39/23z

  3. 03
    Acute phase
    Day of measure + 14 days segregation period

    House search at company premises + segregation motion

    Seizure under §§ 117, 119 StPO, lawyer attendance under § 121 para. 2 StPO, segregation motion under § 112 StPO for privileged data and internal investigation reports.

    The house search at the company premises or third parties (auditors, tax advisers, banks) is often the first visible step of the prosecutor. Segregation motion under § 112 StPO secures attorney-client correspondence and, following OGH 14 Os 39/23z, also internal investigation reports where they were prepared under attorney mandate. Employees must be informed of the right to remain silent under § 157 para. 1 no. 1 StPO.

    Statutory references: §§ 117, 119 StPO · § 112 StPO · § 121 para. 2 StPO

  4. 04
    Suspect phase
    Weeks to months

    Suspect interview, entity + decision maker

    Entity is interviewed under § 16 VbVG through its own representative; the decision maker as a natural person, separate mandates, coordinated strategy. Counsel involvement under § 164 para. 1 StPO.

    Suspect interviews in VbVG matters are dual: once for the entity (represented under § 16 VbVG by an organ that is not itself a suspect, or by a special representative), once for the natural person. Joint representation by the same defence counsel is regularly inadmissible due to conflict of interest, separate mandates are the rule. Uncoordinated statements may bring further organs into suspect status or only then trigger attribution under § 3 para. 3 VbVG.

    Statutory references: § 16 VbVG · § 164 para. 1 StPO · § 49 StPO · § 51 StPO

  5. 05
    Disposal decision
    After investigations conclude

    Indictment or diversion §§ 18 to 19 VbVG

    Diversion § 19 VbVG (fine, probation, organisational measures) where guilt is not severe; dismissal § 190 StPO; indictment before the lay-judge court at sentencing ranges above 5 years.

    Diversion under § 19 VbVG is the most important case-ending instrument for entities. It requires guilt of not-severe character, sufficient clarification and suitability for guiding the entity to lawful conduct. Available measures are a fine, a probation period (1 to 3 years, optionally with a probation officer) and, VbVG-specific, the introduction or adaptation of organisational measures (CMS roll-out, new reporting processes). If the case proceeds to indictment, the typical sentencing ranges of the predicate offences route it to the lay-judge court.

    Statutory references: § 18 VbVG · § 19 VbVG · §§ 198 et seq. StPO · § 190 StPO

  6. 06
    Trial + appeals
    Multiple hearing days; registration 3 days / written submission 4 weeks

    Lay-judge court, judgment, plea of nullity

    Trial before the Schöffengericht, corporate fine § 4 VbVG, sentencing § 5 VbVG. Appeals: plea of nullity § 280 StPO + appeal on sentence § 283 StPO by the entity itself.

    The trial before the lay-judge court (Schöffengericht) is the forum for most VbVG cases, the typical predicate offences (§ 153 para. 3, § 147 para. 3 StGB, corruption) carry sentencing ranges above 5 years and therefore fall within Schöffen jurisdiction. Under § 23 VbVG the entity is an independent appellant; plea of nullity under § 280 StPO and appeal on sentence under § 283 StPO are available analogous to individual defence. Registration deadlines (§ 284 StPO: 3 days) and written submission deadlines (§ 285 StPO: 4 weeks) are absolute.

    Statutory references: § 4 VbVG · § 5 VbVG · § 23 VbVG · § 280 StPO · § 283 StPO

The VbVG framework: when the company itself becomes the defendant

The Corporate Criminal Liability Act (VbVG) entered into force on 1 January 2006 and applies, under § 1 para. 2 VbVG, to all legal entities of private and public law, registered partnerships, European Economic Interest Groupings and comparable foreign entities, with narrow exceptions for the Federal State, Länder, municipalities and other territorial corporations acting in sovereign capacity. A limited liability company, a stock corporation, a cooperative, an association, a foundation and a GmbH & Co KG are all fully capable of being charged. The consequence: in every proceeding with a business background, the defence has to think from the outset on two tracks, the individual case against the managing director, the board member or the employee, and the parallel case against the legal entity itself.

The procedural frame of the VbVG proceeding is set out in §§ 13 to 25 VbVG. Alongside it the Code of Criminal Procedure (StPO) applies subsidiarily under § 14 VbVG. In practice, the entity and its officers are nearly always questioned in the same file; separation of the proceedings under § 15 VbVG is exceptional and must be justified. That shared record has practical weight: a statement by one managing director in the individual proceeding can become key evidence against the entity the next day. Coordinated defence, with one firm covering both individuals and the entity where permissible, or with several firms acting in a privileged joint-defence arrangement under § 48 StPO, is therefore the rule, not the exception.

Where an offence has a business dimension, the Central Public Prosecutor's Office for Economic Crime and Corruption (WKStA) under § 20a StPO is typically in charge of the VbVG proceeding as well. Outside the WKStA's scope of competence, the locally competent public prosecutor, in Salzburg the Public Prosecutor's Office Salzburg, runs the proceeding. Judicial authority follows the sentencing range of the underlying offence: most VbVG cases are heard by the lay-judge court (Schöffengericht) at the Regional Court, because the predicate offences, breach of trust under § 153 para. 3 StGB (Austrian Criminal Code), aggravated fraud under § 147 para. 3 StGB, corruption and money laundering, routinely carry more than five years' imprisonment.

Procedurally the entity is represented under § 16 VbVG by a defence representative appointed by the organ that has the power to do so, usually the managing director or the board. Where the managing director is accused in the same matter, an internal conflict arises: the individual is both an organ of the entity and the entity's opposite in the criminal record. The case law requires a separate representative for the entity in those constellations, commonly a member of the supervisory board, a specially authorised prokurist or an experienced compliance officer. If no such person is available, the court appoints a curator under § 16 para. 2 VbVG. Getting this appointment right in the first week of the proceeding often determines whether the entity can mount a coherent defence at all.

A further peculiarity: VbVG liability is not subsidiary. The entity may be convicted even where the individual offender cannot be identified, is deceased, benefits from immunity or has been acquitted for individual reasons, provided the elements of an offence attributable under § 3 VbVG are established. Conversely, the individual is not relieved by a decision against the entity. In practice that means: a settlement on the corporate side never automatically ends the individual case, and a fully exculpatory acquittal of the individual does not always carry through to the entity. The defence strategy must be designed for both fronts from day one.

Attribution under § 3 VbVG, decision makers and organisational failure

The heart of the VbVG lies in § 3 VbVG, the attribution rule. An offence becomes an offence of the entity when it was committed for its benefit or when duties incumbent on the entity were breached. Both anchors matter: the benefit need not materialise (an attempted advantage is sufficient), and the duty element captures regulatory offences of the entity itself, typically under labour-protection law, environmental law, tax law or sector-specific regimes. Beyond these anchors, the offence must flow from one of two attribution paths, the decision-maker path or the employee path.

The decision-maker path (§ 3 para. 2 VbVG) covers offences committed wilfully and unlawfully by a decision maker, acting in that capacity. § 2 para. 1 VbVG defines a decision maker functionally: managing directors, board members, supervisory board members, authorised officers (prokuristen), senior staff with directing authority and de facto decision makers, persons who in fact exercise control without holding a formal function. The functional definition is crucial. Where a group holding operates through unrecorded reporting lines, a staff member on the payroll of the parent may qualify as a decision maker of the Austrian subsidiary. The OGH (Austrian Supreme Court, 13 Os 124/17x, 14 Os 97/22g) has confirmed this reach repeatedly. For the defence it means: the individual job title in the organisational chart is never the end of the inquiry.

The employee path (§ 3 para. 3 VbVG) reaches further, but adds a second hurdle. Where an employee, any employee, not only a senior one, commits an offence, the entity is liable only if two elements align: the act objectively fits the elements of the offence (fault of the employee is not required, § 3 para. 3 no. 1 VbVG) and the offence was made possible or materially facilitated by an organisational failure on the part of a decision maker, namely by the failure to exercise the care required under the circumstances and reasonable to expect (§ 3 para. 3 no. 2 VbVG). That second prong is where compliance systems enter the picture. A functioning, documented compliance regime, risk analysis, reporting channels, training, sanctioning of breaches, clear allocation of responsibility, breaks the causal chain between the employee's act and the entity's liability. In its recent decisions (13 Os 75/23a, 14 Os 29/24m) the OGH has insisted that organisational failure must be shown concretely: the prosecution has to identify which organisational measure a reasonable decision maker would have taken and how it would have prevented the offence. Generic references to "weak compliance" no longer suffice.

The predicate offences attributable to the entity cover essentially the whole penal code and large parts of ancillary criminal law. In day-to-day WKStA practice the relevant norms are breach of trust (§ 153 StGB), fraud (§§ 146 et seq. StGB), corruption (§§ 302 et seq. StGB), money laundering (§ 165 StGB), accounting offences (§§ 163a et seq. StGB), fiscal offences under the FinStrG (Austrian Fiscal Offences Act), sanctions breaches under the SanktG (Austrian Sanctions Act) and, increasingly, offences under the Data Protection Act and the Federal Anti-Discrimination Act. The VbVG does not create new offences, it attributes existing ones. The defence must therefore always examine the underlying offence first (is it even fulfilled?) before turning to attribution.

Jurisdictional reach is broader than many German management boards expect. Austrian criminal jurisdiction applies under § 62 StGB whenever the offence was committed inside Austria, and under § 64 StGB also for specific offences committed abroad (above all corruption offences involving Austrian officials, cross-border fraud and money laundering). For companies incorporated outside Austria, § 1 para. 2 VbVG picks up the entity once the offence falls within Austrian jurisdiction, meaning that a German GmbH or a Liechtenstein AG can become a VbVG defendant where the act is attributable to them and touches Austrian soil. Cross-border groups with an Austrian branch, a distribution subsidiary, a Salzburg project company or a construction site in Upper Austria are therefore regularly confronted with corporate criminal proceedings they had not planned for. Early clarification of attribution lines, who signed, for whom, under which mandate, tends to be the single most productive piece of defence work in the first weeks.

The corporate fine, § 4 VbVG and its daily-rate system

The sanction under the VbVG is the corporate fine (Verbandsgeldbuße). § 4 VbVG constructs it in daily rates, following the logic of the individual day-fine but with parameters of its own. The number of daily rates follows the sentencing range of the underlying offence: up to 85 daily rates for offences carrying a maximum of five years' imprisonment, up to 130 daily rates where the range extends to ten years, and up to 180 daily rates for higher maxima. The amount of the daily rate, up to EUR 10,000, is set by reference to the entity's earnings and overall economic condition (§ 4 para. 3 VbVG). The theoretical upper limit is therefore EUR 1.8 million, multiplied by the number of attributable offences.

In practice the calculation moves very far from that ceiling. The prosecution submits the entity's profit-and-loss accounts, consolidated group figures where relevant and public filings; the defence responds with its own economic presentation, seasonal business, one-off effects, write-downs, loss carry-forwards, group transfer pricing. The courts tend to pragmatic outcomes: small and mid-sized Salzburg companies with annual earnings in the low seven figures typically see daily rates between EUR 500 and EUR 2,000. Corporate groups are assessed on a wider base and can end at six-figure daily rates in exceptional cases. Where the entity is loss-making, a symbolic daily rate of EUR 30 to 100 is not uncommon, particularly in combination with diversion.

The mitigating and aggravating factors sit in § 5 VbVG and are where defence work earns most of its money. § 5 para. 2 VbVG lists as mitigating, among others: minor contribution of the entity to the offence, weak foreseeability, substantial loss suffered by the entity itself, subsequent remediation of the damage, clarification of the offence beyond its own legal obligations and the introduction of essential steps to prevent future offences of the same kind. That last factor, post-incident compliance improvements, is frequently the decisive lever: a structured compliance overhaul carried out during the investigation, documented in writing and accompanied by external review, regularly reduces the sentence by half. Aggravating factors under § 5 para. 3 VbVG are, by contrast, repeated offences of the same kind, serious organisational failure and use of the proceeds for the benefit of decision makers.

Alongside the fine, the court may under § 6 VbVG order conditional remission, analogous to the suspended sentence in individual criminal law. Where the fine does not exceed 70 daily rates and a favourable prognosis exists, the full amount or a part of it may be suspended against a probationary period of one to three years, coupled with instructions, typically the implementation or extension of compliance measures, restitution, co-operation with a monitor or reporting duties to the court. A combination of partial suspension and partial payment is standard in mid-sized cases. In group proceedings, the conditional part is often tied to concrete KPIs: audit of the reporting channel, training quotas, number of compliance cases handled internally.

Additional consequences come in two further forms. First, the general criminal-law instruments of forfeiture (§ 19a StGB), confiscation (§ 20 StGB) and extended confiscation (§ 20b StGB) apply to the entity as they do to individuals, meaning that profits obtained through the offence can be drawn in separately, in addition to the fine. In corruption and money-laundering proceedings, forfeiture of the proceeds frequently exceeds the fine in magnitude. Second, a VbVG conviction has regulatory knock-on effects: public procurement law (§§ 78 et seq. BVergG, Austrian Public Procurement Act) provides for exclusion from award procedures where the entity has been convicted of certain offences, with rehabilitation through self-cleaning under § 83 BVergG possible but demanding. Banking, trade, financial-services and professional licensing regimes follow the same logic. A VbVG case is therefore never only about the fine on the books, it is about the entity's future access to markets.

Compliance management systems, the strongest preventive instrument

A working compliance management system (CMS) is the single most effective defence against VbVG attribution. Its role is double: preventively, it blocks the employee-path attribution by rebutting organisational failure under § 3 para. 3 no. 2 VbVG; mitigating, it reduces the number of daily rates under § 5 para. 2 VbVG where an offence has nevertheless occurred. In Austrian case law, most clearly in OGH 13 Os 75/23a, the CMS is assessed not as a formality but as a functional system. Paper policies, untested processes and dormant reporting lines do not survive cross-examination.

A CMS that holds up before an Austrian court rests on seven building blocks. A written risk analysis identifies offence-prone processes (procurement, sales to state entities, subsidy applications, export controls, data flows). A Code of Conduct translates the risk analysis into rules of behaviour, approved by the board and signed off by staff. Training operates on fixed intervals, with proof of participation. A reporting channel, anonymous where possible, gives employees a safe route to raise concerns, the Austrian HinweisgeberInnenschutzgesetz (Whistleblower Protection Act) demands it for entities of a certain size. A review and escalation procedure defines who investigates, who decides, who sanctions. Consistent sanctioning of confirmed breaches is the most underestimated element, an unpunished breach undermines the whole system. Finally, documentation, risk analyses updated yearly, minutes, training records, breach logs, makes the CMS provable in court.

Austrian practice is shaped by two international reference frames. ISO 37301:2021 (compliance management systems) and the Austrian ÖNORM CEN/TS 17687 series, together with the IDW PS 980 professional standard used by auditors, define the structural expectations. A certified CMS is not a shield of its own, the OGH has repeatedly stated that certification is an aid to evidence, not a substitute for effectiveness, but certification tightens the documentation and passes the audit test that the defence will otherwise have to run in court. For mid-sized Salzburg businesses without group resources, a risk-based and proportionate CMS, tailored to the concrete business, is both more credible and more defensible than an oversized template.

The sector-specific layer adds further duties. Credit institutions under the Austrian Banking Act (BWG), investment firms under the Securities Supervision Act (WAG 2018), insurance companies under the Insurance Supervision Act (VAG 2016), gambling operators and auditors operate under statutory compliance and organisational duties. Lawyers, notaries and tax advisers are bound by professional compliance obligations under the RAO (Austrian Lawyers Act), the NO (Austrian Notaries Act) and the WTBG (Austrian Act on Tax Advisors and Auditors), in particular around money laundering. Trade and manufacturing operations face labour-protection, environmental-law and product-safety compliance duties. Every VbVG defence has to map these sector-specific regimes against the generic CMS, it is rarely the generic system that fails first.

The post-incident response is where a CMS either proves its worth or exposes its weakness. When a reporting-channel entry, an external enquiry or a supervisor's observation indicates a potential offence, the decision tree is strict: secure evidence, freeze relevant data, open an internal investigation, consider duties to notify (tax authorities under § 29 FinStrG, financial-market authority under § 16 FM-GwG, Austrian Financial Market Anti-Money Laundering Act, data protection authority where personal data were affected) and prepare the proportionate response. Every one of these steps must be documented and must happen quickly. Entities that handle the response carelessly rarely save themselves by an expensive external investigation six months later, the window in which a post-incident compliance improvement under § 5 para. 2 no. 5 VbVG counts as mitigation tends to close with the first prosecutorial contact.

Internal investigations, diversion and defence strategy

An internal investigation is today the standard reaction to a serious compliance incident, and simultaneously the area of Austrian corporate criminal law with the most unresolved legal questions. The investigation has three masters: the entity's need to understand what happened, the defence's need to preserve exculpatory material and the employees' right to fair treatment. Austrian law does not codify a separate regime, the playing field is set by general principles of labour law, data protection, employee co-determination under the Austrian Labour Constitution Act (ArbVG) and criminal procedure. Four principles guide the practice. First, employees have a duty to co-operate with the employer's investigation within reasonable limits, but they retain a right to remain silent applied analogously to § 157 para. 1 no. 1 StPO where self-incrimination in a pending or foreseeable criminal case is at stake, meaning counsel for the employee is often called in early. Second, the works council has to be involved where the investigation affects a larger group of staff (§§ 89 et seq. ArbVG). Third, the investigation must comply with data-protection law (GDPR and the Austrian Data Protection Act), in particular on proportionality, purpose limitation and data-subject rights. Fourth, the final report and its underlying materials are not automatically privileged; protection depends on who commissioned the investigation, who carried it out and how the materials are stored. External counsel-led investigations have a stronger claim to segregation under § 112 StPO, but after the OGH decision 14 Os 39/23z the case law has tightened, and every file must be built with segregation in mind from day one.

Diversionary disposal under § 19 VbVG, the VbVG's counterpart to § 198 StPO, offers a way out without a conviction. The requirements mirror the individual regime: facts sufficiently clear, guilt not severe, no fatal consequence, suitability for diversion and no predominant preventive need for a judgment. The mechanisms: payment of a sum not exceeding the notional daily-rate fine (§ 19 para. 2 no. 1 VbVG), a probationary period of one to three years with or without a monitor (§ 19 para. 2 no. 2 VbVG) and other appropriate measures, typically the implementation of concrete compliance improvements. The probationary period can be tied to a report to the court at regular intervals. In practice, corporate diversion is negotiated in parallel with individual diversion of the decision maker, a coordinated package frequently serves both sides and preserves the entity's regulatory standing. Where the daily-rate fine would exceed the diversion ceiling, partial solutions are often possible: diversion of the entity combined with a suspended partial fine under § 6 VbVG.

The procedural particularities of the VbVG matter for defence strategy. § 15 VbVG allows the public prosecutor to refrain from pursuing the entity where the predicate offence against the individual is severely punished and no independent benefit in a VbVG proceeding is apparent (the opportunity principle). § 18 VbVG structures the interaction where the individual proceeding and the VbVG proceeding are joined, which is the rule. § 20 VbVG sets out rights of participation: the entity has the same rights as an individual defendant, including the right of access to the file under § 51 StPO, the right to file motions for evidence and the right to attend hearings through its defence representative. § 21 VbVG allows the court to issue interim measures against the entity where they are proportionate, seizure of funds, provisional professional restrictions, and the defence must check the proportionality of every such measure carefully. Appeals under § 23 VbVG follow the ordinary regime: plea of nullity under § 280 StPO, appeal on sentence under § 283 StPO, appeal against single-judge judgments under § 489 StPO. The deadlines run against the entity as they do against individuals.

Austrian cases with a German parent or German management have become the bulk of our practice in this field. Austrian and German corporate criminal law diverge more than they converge. Germany applies the Act on Regulatory Offences (OWiG), § 30 OWiG imposes a fine on the entity, which is structurally different from the VbVG's daily-rate system and, unlike the VbVG, is not positioned as criminal liability but as regulatory sanction. The Austrian proceeding runs by criminal procedural rules; the German proceeding mostly by regulatory procedural rules. A German compliance officer accustomed to OWiG logic often underestimates the weight of an Austrian WKStA file, the speed of an Austrian house search and the register consequences of an Austrian VbVG conviction. Our role in these matters is both procedural defence and translation, of Austrian particularities for German headquarters, and of German expectations for Austrian investigators. Where the individual defence is handled by a German firm at home and by us in Austria, clear co-ordination, standing calls, shared document-management conventions, agreed public positioning, prevents the contradictions on which prosecutors build their case.

Fees in VbVG matters are typically billed hourly or on a mixed-retainer model. The General Fee Guidelines (AHK) of the Austrian Bar Association provide orientation, but complex VbVG matters are regularly negotiated away from the published rates. Where a legal-expense insurance covers the entity or the decision makers, we clarify coverage with the insurer before beginning work, set out the fee structure in writing and flag the option of claiming the flat-rate cost reimbursement under § 393a StPO in case of acquittal. Where the criminal dimension meets civil exposure, director liability (§§ 25 GmbHG, Austrian Limited Liability Companies Act, 84 AktG, Austrian Stock Corporation Act), shareholder disputes, D&O insurance claims, we coordinate with the firm's Brandauer Rechtsanwälte corporate-law team, which has covered company and insolvency law since 1978. For managing directors and shareholders active cross-border, we bundle criminal, corporate and insurance questions in a single engagement, with a clear sense of where Austrian law demands a different step than the one they would take at home. Where appeal strategy is at stake, our focus area appeals covers plea of nullity, retrial and constitutional remedies in detail.

In-depth topics

Where we advise in detail.

01

The first 48 hours of a VbVG investigation, what management must do

Parallel investigations against the entity and its decision makers, segregation of the attorney-client file under § 112 StPO (Austrian Code of Criminal Procedure), internal communication, employee interviews and preservation of exculpatory evidence during an ongoing house search.

02

Decision makers and organisational failure, the two paths of attribution

Who qualifies as a decision maker under § 2 para. 1 VbVG (Austrian Corporate Criminal Liability Act), when an employee offence triggers corporate liability through organisational failure under § 3 para. 3 no. 2 VbVG, and where the case law draws the line between occasional misconduct and systemic weakness.

03

Calculating the corporate fine under § 4 VbVG

Daily-rate system, upper limits of 85, 130 or 180 daily rates tied to the sentencing range of the underlying offence, daily-rate ceiling at EUR 10,000, the income perspective for group companies, conditional remission under § 6 VbVG.

04

Diversionary disposal of VbVG proceedings under § 19 VbVG

Prerequisites, cost contributions, probationary period with a monitor, comparison with individual diversion under § 198 StPO and the strategic interplay where a corporate diversion accompanies a suspended sentence against a managing director.

05

Compliance management systems as attribution defence

Risk analysis, reporting channels, training, sanctioning of breaches and written documentation, what a compliance system must deliver to prevent attribution of an employee offence under § 3 para. 3 no. 2 VbVG, and how the OGH (Austrian Supreme Court) has tightened the standard.

06

Internal investigations between defence need and employment-law exposure

Conducting a confidential internal investigation, right to remain silent of employees under § 157 StPO analogously, works-council participation, protection of whistleblowers under the HinweisgeberInnenschutzgesetz and preservation of privilege over the final report.

Related topics

You may also be concerned by this.

White-collar crime

Breach of trust, fraud, accounting offences, market manipulation and insolvency offences. Defence in complex trials and WKStA investigations.

Property crimes

Fraud, theft, embezzlement, money laundering, classification, defence strategy and restitution as mitigation.

Appeals

Appeal, plea of nullity, retrial, constitutional complaint. Strategic decisions after the first-instance judgment.

WKStA enquiry, house search, VbVG indictment?

When the company itself becomes a defendant, the first response shapes the whole case. Call us directly, callback within one business day, earlier in urgent matters.

+43 660 2407152 [email protected]
Contact

A direct line to the firm.

Address

BRANDAUER Rechtsanwälte GmbH Giselakai 51 5020 Salzburg