Data protection violations in direct marketing: million-euro fine against Austrian Post confirmed

Austrian Post processed data on political opinions without a legal basis and used it for direct marketing.

The Austrian Federal Administrative Court (BVwG) has confirmed a heavy fine against Austrian Post. The company had processed data on political opinions ("affinities") without a legal basis and used it for direct marketing. The ruling shows which mistakes companies make when handling sensitive data and what consequences violations of the GDPR have.

Facts and course of proceedings

Österreichische Post AG operated an extensive database of target group addresses, which was used for targeted marketing measures. Various personal characteristics were analyzed and stored in order to enable individually tailored advertising campaigns. A central element was the calculation of so-called "affinities", values indicating the probability that a person would be receptive to advertising from a particular political party. These affinities were derived from socio-demographic data, previous purchasing behavior and other criteria and stored in the database. The calculated values were not only used for internal analysis purposes, but were also sold to third-party companies.

In addition, the company collected further personal data, including information on parcel frequency, i.e. how often a person had received parcels in a given period. This data was obtained by linking the marketing database with data from the company's parcel logistics business. The company also analyzed relocation probabilities, based among other things on mail forwarding orders. This information was used to segment the target groups further.

The data protection authority became aware of the company after media reports about the possible misuse of sensitive data. In January 2019, it initiated an investigation to examine the lawfulness of the data processing. The investigation found that the company had not obtained the consent of the data subjects for the processing of their data, and that a data protection impact assessment had not been carried out properly.

Based on these findings, administrative penal proceedings were initiated, which ended with a considerable fine: the data protection authority imposed a fine of 18 million euros for violations of the GDPR. The company then lodged a complaint with the Federal Administrative Court, which reassessed the case and examined the legal framework for the data processing in detail. As a result, the amount of the fine was adjusted, while the data protection violations identified were essentially confirmed.

Processing political affinities violates GDPR

The court found that the processing of political affinities violated Art. 9 GDPR. This provision prohibits the processing of personal data revealing political opinions unless one of the exceptions listed in Art. 9 para. 2 GDPR applies. As there was no explicit consent from the data subjects and no other legitimate legal basis, the processing was classified as unlawful. The company had used statistical methods to calculate probabilities for political preferences and had passed these on to third parties for the purpose of targeted election advertising. This not only infringes the ban on processing sensitive data, but also violates the principles of transparency and fairness under Art. 5 para. 1 GDPR.

Another serious infringement concerned the processing of parcel frequencies. The company used data on parcels received, taken from its parcel delivery division, to create projections for marketing purposes. This data was used for a new purpose, not originally intended, without the knowledge or consent of the data subjects. The court considered this an impermissible change of purpose under Art. 6 para. 4 GDPR, as the new use of the data was not compatible with the original purpose of parcel delivery.

Determining the probability of relocation was equally problematic. The company used data from forwarding orders to calculate the probability that certain persons or households would move in the future. This information was then used for targeted direct marketing. As the data subjects had neither expressly consented to this further processing nor been given clear information about the use of their data, the court considered this a further infringement of the GDPR. Particularly relevant here was Art. 14 GDPR, which obliges companies to inform data subjects about the origin and purpose of the data used when it was not collected directly from them. The inadequate information provided to data subjects therefore also constituted a breach of the duty to inform.

Neglect of GDPR basics

In addition, the court found that the company had not kept a complete and compliant record of processing activities. Under Art. 30 GDPR, controllers must maintain comprehensive documentation of their processing activities. The company's record had significant shortcomings, particularly in the description of data categories and the purposes for which they were used. Incorrect or incomplete documentation not only makes supervision by the authorities more difficult, but also violates the accountability principle under Art. 5 para. 2 GDPR.

The data protection impact assessment, which Art. 35 GDPR requires for processing that is likely to result in a high risk, was deemed inadequate. The court did not share the company's view that there was no high risk to the rights and freedoms of data subjects. In particular, the processing of political affinities was classified as high-risk, as it enables targeted political influence and, in the event of unauthorized disclosure, could have a significant impact on the privacy of those affected. The lack of a comprehensive and appropriate risk analysis was therefore identified as a further infringement of the GDPR.

Consequences for companies

The ruling shows that data protection violations can have considerable legal and economic consequences. In particular, processing sensitive data (such as political affinities) without a clear legal basis poses considerable risks for companies. In this case, the data protection authority had imposed a fine of 18 million euros, which the Federal Administrative Court upheld in substance but reduced to 16 million euros. The fine was imposed for several serious breaches of the GDPR: in particular the unlawful processing of data on political inclinations, the further processing of parcel frequencies and relocation probabilities, and the inadequate data protection impact assessment.

Companies must ensure that their data protection impact assessments cover realistic risks and rest on a solid legal foundation. Transparent information for data subjects is essential for complying with the GDPR. The regulation requires a clear and demonstrable legal basis for any change in the purpose of data processing. If personal data is processed without valid consent or another permissible legal basis, there is a risk of heavy fines and of civil claims by the data subjects.

The BVwG also held that companies can be held liable for violations of the GDPR without the infringement being attributable to a specific natural person. This decision follows the case law of the European Court of Justice (ECJ) and clarifies that legal persons can be held fully liable for data protection breaches even if no responsible natural person can be identified. This underlines the need for a comprehensive and preventive data protection strategy in companies in order to avoid fines and reputational damage.

High GDPR requirements for direct marketing

The ruling underlines the high requirements for data processing in direct marketing and highlights the serious consequences of breaches of the General Data Protection Regulation (GDPR). Companies must not only ensure that their data processing operations comply with legal requirements, but also continuously review and adapt their data protection measures.

Violations of the GDPR can not only result in high fines, but can also cause serious reputational damage that has a lasting impact on the trust of customers and business partners. Particularly problematic is the unlawful processing of sensitive data, such as political affinities or personal information from forwarding orders, as this jeopardizes the privacy of the persons concerned.

Companies should therefore act proactively and carry out comprehensive data protection impact assessments in order to identify and minimize potential risks at an early stage. Transparent communication with data subjects and compliance with all information obligations are essential here. In addition, clear internal guidelines and employee training are required to ensure that data protection rules are implemented correctly.

Ultimately, the ruling shows that data protection is not just a compliance issue, but a strategic challenge for companies. Only through consistent and responsible implementation of the GDPR can companies maintain the trust of their customers in the long term and avoid legal sanctions.

Source: Judgment (W258 2227269-1/39E) of the Austrian Federal Administrative Court
