The Austrian Federal Administrative Court has confirmed a heavy fine against Austrian Post. The company had processed data on political opinions ("affinities") without a legal basis and used it for direct marketing. The ruling shows the mistakes companies can make when handling sensitive data and the consequences of breaches of the GDPR.
Facts and course of proceedings
Österreichische Post AG operated an extensive database with target group addresses, which was used for targeted marketing measures. Various personal characteristics were analyzed and stored in order to enable individually tailored advertising campaigns. A central element was the calculation of so-called "affinities", which indicated the probabilities with which a person might be interested in the advertising of certain political parties. These affinities were derived from socio-demographic data, previous purchasing behavior and other criteria and stored in the database. The calculated values were not only used for internal analysis purposes, but were also sold to third-party companies.
The company also collected other personal data, including information on parcel frequency, i.e. how often a person had received parcels in a given period. This data was obtained by linking the marketing database to the company's own logistics services. In addition, the company derived relocation probabilities from, among other things, mail forwarding orders. This information was used to further segment the target groups.
The data protection authority became aware of the matter after media reports about the possible misuse of sensitive data. In January 2019, it initiated an investigation to examine the lawfulness of the data processing. The investigation revealed that the company had not obtained the consent of the data subjects for the processing of their data. A data protection impact assessment had also not been carried out properly.
Based on these findings, administrative penal proceedings were initiated, which ended with a considerable fine. The data protection authority imposed a fine of 18 million euros for violations of the GDPR. The company then lodged an appeal with the Federal Administrative Court, which reassessed the case and examined the legal framework for the data processing in detail. As a result, the fine was reduced, while the data protection violations found were essentially confirmed.
Processing of political affinities violates GDPR
The court found that the processing of political affinities violates Art. 9 GDPR. This provision generally prohibits the processing of personal data revealing political opinions unless one of the exceptions listed in Art. 9 para. 2 GDPR applies. As there was no explicit consent from the data subjects and no other legal basis for the processing, it was classified as unlawful. The company had used statistical methods to calculate probabilities for political preferences and passed these on to third parties for the purpose of targeted election advertising. This not only constitutes a violation of the ban on processing special categories of data, but also of the principles of fairness and transparency under Art. 5 para. 1 lit. a GDPR.
Another serious breach concerned the processing of parcel frequencies. The company used data on parcels received from its parcel delivery division to create projections for marketing purposes. This data was further processed for a new purpose, not originally intended, without the knowledge or consent of the data subjects. The court considered this an unlawful change of purpose under Art. 6 para. 4 GDPR, as the new use of the data was not compatible with the original purpose of parcel delivery.
Determining the probability of relocation was equally problematic. The company used data from forwarding orders to calculate the probability of certain people or households moving in the future. This information was then used for targeted direct marketing. As the data subjects had not expressly consented to this further processing and had not been given clear information about the use of the data, the court also considered this to be a breach of the GDPR. Particularly relevant in this context was Art. 14 GDPR, which obliges companies to inform data subjects about the origin and purpose of the data used if it was not collected directly from them. The inadequate information provided to data subjects therefore constituted a breach of the information obligations.
Neglect of GDPR basics
Furthermore, the court found that the company had not kept a complete and compliant record of processing activities. According to Art. 30 GDPR, controllers must provide comprehensive documentation of their data processing activities. There were significant deficiencies in this register, particularly in the description of data categories and their purposes. Incorrect or incomplete documentation not only makes inspection by the supervisory authorities more difficult, but also breaches the accountability obligation under Art. 5 para. 2 GDPR.
The data protection impact assessment, which is required under Art. 35 GDPR for data processing with a particularly high risk, was also deemed inadequate. The company's assessment that there was no high risk to the rights and freedoms of data subjects was not shared by the court. In particular, the processing of political affinity was classified as high risk, as it is likely to enable targeted political influence and, in the event of unauthorized disclosure, may have a significant impact on the privacy of the data subjects. The lack of a comprehensive and appropriate risk analysis was therefore considered a further violation of the GDPR.
Consequences for companies
The ruling shows that data protection violations can have considerable legal and economic consequences. In particular, the processing of sensitive data (e.g. political affinities) without a clear legal basis poses considerable risks for companies. In this case, the data protection authority imposed a fine of 18 million euros, which the Federal Administrative Court (BVwG) upheld in substance but reduced to 16 million euros. The fine was imposed for several serious violations of the GDPR: in particular the unlawful processing of data on political affinities, the further processing of parcel frequencies and relocation probabilities, and the inadequate data protection impact assessment.
Companies must ensure that their data protection impact assessments cover realistic risks and are based on a solid legal foundation. Transparent information for data subjects is essential in order to meet the requirements of the GDPR. The regulation requires a clear and verifiable legal basis for any change in the purpose of data processing. If personal data is processed without valid consent or another permissible legal basis, there is a risk of high fines and possible civil law claims by the data subjects.
The Federal Administrative Court has also determined that companies can be held liable for breaches of the GDPR without the breaches being directly attributable to a natural person. This decision follows the case law of the European Court of Justice (ECJ) and clarifies that legal entities can be held fully liable for data protection violations, even if no single responsible natural person can be identified. This underlines the need for a comprehensive and preventive data protection strategy in companies in order to avoid potential fines and reputational damage.
High GDPR requirements for direct marketing
The ruling underlines the high requirements for data processing in direct marketing and highlights the serious consequences of breaches of the GDPR. Companies must not only ensure that their data processing operations comply with the legal requirements, but also continuously review and adapt their data protection measures.
Violations of the GDPR can not only result in high fines, but can also cause serious reputational damage that has a lasting impact on the trust of customers and business partners. The unlawful processing of sensitive data, such as political affinities or personal information from forwarding orders, is particularly problematic as it can significantly violate the privacy of those affected.
Companies should therefore act proactively and carry out comprehensive data protection impact assessments in order to identify and minimize potential risks at an early stage. Transparent communication with those affected and compliance with all information obligations are essential. In addition, clear internal guidelines and employee training are required to ensure the correct implementation of data protection regulations.
Ultimately, the ruling shows that data protection is not just a compliance issue, but a strategic challenge for companies. Only by implementing the GDPR consistently and responsibly can companies maintain the trust of their customers in the long term and avoid legal sanctions.
Source: Judgment (W258 2227269-1/39E) of the Austrian Federal Administrative Court