DSB (Austria) - Austrian Postal Service: Difference between revisions
(switched to dpa box, added decision text, updated status) |
(switched dpa box) |
||
Line 1: | Line 1: | ||
{{ | {{DPAdecisionBOX | ||
| DPA_Abbrevation = DSB | |||
| Case_Number_Name = DSB-D550.148/0017-DSB/2019 | <!--Information about the DPA--> | ||
| ECLI = | | Jurisdiction = Austria | ||
| | | DPA-BG-Color = | ||
| | | DPAlogo = logoAT.png | ||
| | | DPA_Abbrevation = DSB | ||
| | | DPA_With_Country = DSB (Austria) | ||
| | |||
| | <!--Information about the decision--> | ||
| Date_Decided = 29.10.2019 | | Case_Number_Name = DSB-D550.148/0017-DSB/2019 | ||
| Date_Published = | | ECLI = | ||
| GDPR_Article_1 = Article 6(1)(f) GDPR | |||
| GDPR_Article_Link_1 = | | Original_Source_Name_1 = 2019 Report of the DSB (p. 52) | ||
| GDPR_Article_2 = Article 9(1) GDPR | | Original_Source_Link_1 = https://www.dsb.gv.at/dam/jcr:c9c2daf9-9746-4088-bced-dc8e296076e0/Datenschutzbericht_2019.pdf#page=52 | ||
| GDPR_Article_Link_2 = | | Original_Source_Language_1 = German | ||
| National_Law_Name_1 = § 151 GewO 1994 | | Original_Source_Language__Code_1 = DE | ||
| National_Law_Link_1 = https://www.ris.bka.gv.at/eli/bgbl/1994/194/P151/NOR40202658 | |||
| | | Original_Source_Name_2 = | ||
| | | Original_Source_Link_2 = | ||
| Party_Name_1 = Österreichische Post AG | | Original_Source_Language_2 = | ||
| Party_Link_1 = https://www.post.at | | Original_Source_Language_Code_2 = | ||
| Party_Name_2 = | |||
| Party_Link_2 = | | Type = Investigation | ||
| Party_Name_3 = | | Outcome = Enforcement | ||
| Party_Link_3 = | | Date_Decided = 29.10.2019 | ||
| Party_Name_4 = | | Date_Published = | ||
| Party_Link_4 = | | Year = 2019 | ||
| Party_Name_5 = | | Fine = 18000000 | ||
| Party_Link_5 = | | Currency = EUR | ||
| Appeal_To_Body = BVwG (Austria) | <!--Information about the applied law--> | ||
| GDPR_Article_1 = Article 6(1)(f) GDPR | |||
| Appeal_To_Case_Number_Name = W258 2227269-1 | | GDPR_Article_Link_1 = Article 6 GDPR | ||
| | | GDPR_Article_2 = Article 9(1) GDPR | ||
| | | GDPR_Article_Link_2 = Article 9 GDPR | ||
| GDPR_Article_3 = | |||
| | | GDPR_Article_Link_3 = | ||
| GDPR_Article_4 = | |||
| GDPR_Article_Link_4 = | |||
| GDPR_Article_5 = | |||
| GDPR_Article_Link_5 = | |||
| GDPR_Article_6 = | |||
| GDPR_Article_Link_6 = | |||
| GDPR_Article_7 = | |||
| GDPR_Article_Link_7 = | |||
| GDPR_Article_8 = | |||
| GDPR_Article_Link_8 = | |||
| GDPR_Article_9 = | |||
| GDPR_Article_Link_9 = | |||
| GDPR_Article_10 = | |||
| GDPR_Article_Link_10 = | |||
| GDPR_Article_11 = | |||
| GDPR_Article_Link_11 = | |||
| GDPR_Article_12 = | |||
| GDPR_Article_Link_12 = | |||
| GDPR_Article_13 = | |||
| GDPR_Article_Link_13 = | |||
| GDPR_Article_14 = | |||
| GDPR_Article_Link_14 = | |||
| GDPR_Article_15 = | |||
| GDPR_Article_Link_15 = | |||
| GDPR_Article_16 = | |||
| GDPR_Article_Link_16 = | |||
| GDPR_Article_17 = | |||
| GDPR_Article_Link_17 = | |||
| GDPR_Article_18 = | |||
| GDPR_Article_Link_18 = | |||
| GDPR_Article_19 = | |||
| GDPR_Article_Link_19 = | |||
| GDPR_Article_20 = | |||
| GDPR_Article_Link_20 = | |||
| EU_Law_Name_1 = | |||
| EU_Law_Link_1 = | |||
| EU_Law_Name_2 = | |||
| EU_Law_Link_2 = | |||
| EU_Law_Name_3 = | |||
| EU_Law_Link_3 = | |||
| EU_Law_Name_4 = | |||
| EU_Law_Link_4 = | |||
| EU_Law_Name_5 = | |||
| EU_Law_Link_5 = | |||
| EU_Law_Name_6 = | |||
| EU_Law_Link_6 = | |||
| EU_Law_Name_7 = | |||
| EU_Law_Link_7 = | |||
| EU_Law_Name_8 = | |||
| EU_Law_Link_8 = | |||
| EU_Law_Name_9 = | |||
| EU_Law_Link_9 = | |||
| EU_Law_Name_10 = | |||
| EU_Law_Link_10 = | |||
| EU_Law_Name_11 = | |||
| EU_Law_Link_11 = | |||
| EU_Law_Name_12 = | |||
| EU_Law_Link_12 = | |||
| EU_Law_Name_13 = | |||
| EU_Law_Link_13 = | |||
| EU_Law_Name_14 = | |||
| EU_Law_Link_14 = | |||
| EU_Law_Name_15 = | |||
| EU_Law_Link_15 = | |||
| EU_Law_Name_16 = | |||
| EU_Law_Link_16 = | |||
| EU_Law_Name_17 = | |||
| EU_Law_Link_17 = | |||
| EU_Law_Name_18 = | |||
| EU_Law_Link_18 = | |||
| EU_Law_Name_19 = | |||
| EU_Law_Link_19 = | |||
| EU_Law_Name_20 = | |||
| EU_Law_Link_20 = | |||
| National_Law_Name_1 = § 151 GewO 1994 | |||
| National_Law_Link_1 = https://www.ris.bka.gv.at/eli/bgbl/1994/194/P151/NOR40202658 | |||
| National_Law_Name_2 = | |||
| National_Law_Link_2 = | |||
| National_Law_Name_3 = | |||
| National_Law_Link_3 = | |||
| National_Law_Name_4 = | |||
| National_Law_Link_4 = | |||
| National_Law_Name_5 = | |||
| National_Law_Link_5 = | |||
| National_Law_Name_6 = | |||
| National_Law_Link_6 = | |||
| National_Law_Name_7 = | |||
| National_Law_Link_7 = | |||
| National_Law_Name_8 = | |||
| National_Law_Link_8 = | |||
| National_Law_Name_9 = | |||
| National_Law_Link_9 = | |||
| National_Law_Name_10 = | |||
| National_Law_Link_10 = | |||
| National_Law_Name_11 = | |||
| National_Law_Link_11 = | |||
| National_Law_Name_12 = | |||
| National_Law_Link_12 = | |||
| National_Law_Name_13 = | |||
| National_Law_Link_13 = | |||
| National_Law_Name_14 = | |||
| National_Law_Link_14 = | |||
| National_Law_Name_15 = | |||
| National_Law_Link_15 = | |||
| National_Law_Name_16 = | |||
| National_Law_Link_16 = | |||
| National_Law_Name_17 = | |||
| National_Law_Link_17 = | |||
| National_Law_Name_18 = | |||
| National_Law_Link_18 = | |||
| National_Law_Name_19 = | |||
| National_Law_Link_19 = | |||
| National_Law_Name_20 = | |||
| National_Law_Link_20 = | |||
| Party_Name_1 = Österreichische Post AG | |||
| Party_Link_1 = https://www.post.at | |||
| Party_Name_2 = | |||
| Party_Link_2 = | |||
| Party_Name_3 = | |||
| Party_Link_3 = | |||
| Party_Name_4 = | |||
| Party_Link_4 = | |||
| Party_Name_5 = | |||
| Party_Link_5 = | |||
<!--Information about a possible appeal--> | |||
| Appeal_To_Body = BVwG (Austria) | |||
| Appeal_To_Case_Number_Name = W258 2227269-1 | |||
| Appeal_To_Status = Successfully Appealed | |||
| Appeal_To_Link = BVwG - W258 2227269-1/14E | |||
| | |||
}} | }} | ||
The DSB fined the Austrian Postal Service a record fine of € 18 Mio for generating the likeliness of the political affiliations of Austrian citizens without consent. | The DSB fined the Austrian Postal Service a record fine of € 18 Mio for generating the likeliness of the political affiliations of Austrian citizens without consent. |
Revision as of 10:46, 7 April 2021
DSB - DSB-D550.148/0017-DSB/2019 | |
---|---|
Authority: | DSB (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 6(1)(f) GDPR Article 9(1) GDPR § 151 GewO 1994 |
Type: | Investigation |
Outcome: | Enforcement |
Started: | |
Decided: | 29.10.2019 |
Published: | |
Fine: | 18000000 EUR |
Parties: | Österreichische Post AG |
National Case Number/Name: | DSB-D550.148/0017-DSB/2019 |
European Case Law Identifier: | n/a |
Appeal: | Successfully Appealed BVwG (Austria) [BVwG - W258 2227269-1/14E W258 2227269-1] |
Original Language(s): | German |
Original Source: | 2019 Report of the DSB (p. 52) (in DE) |
Initial Contributor: | n/a |
The DSB fined the Austrian Postal Service a record fine of € 18 Mio for generating the likeliness of the political affiliations of Austrian citizens without consent.
English Summary
Facts
The Austrian postal service ("Österreichische Post AG", a private stock company, of which 52,9% is owned by the Republic of Austria) also sells data for direct marketing purposes ("list brokerage"). These lists include names and addresses and other factors that are largely generated using other public information and predictive models. The postal service also sold data that included a likeliness of the political affiliation (similar to: 45% social-democratic, 20% conservative, 5% Green Party). This was mainly intended for postal mailings by said political parties. The data was generated using public information about voting behavior in each voting district in Austria, aga and alike and was sold publicly.
The postal service mainly relied on § 151 of the Austrian Business Code of 1994 ("Gewerbeordnung 1994", GewO) that regulates address brokers. The national law does not differentiate between different types of data, but limits the use solely to marketing purposes.
The postal service took the view that predictions about the political affiliation of a data subject does not itself constitute "special categories of data" under Article 9 GDPR.
Dispute
What is the relationship between national laws (like § 151 GewO) and GDPR?
Is a prediction of a political affiliation a "special category of data" under Article 9(1) GDPR?
Holding
The decision of the DSB is not published. So far there are only news reports on the case (see e.g. ORF.at) On 29. 10. 2019 the postal service issued a warning to its stock holders that it was fined with € 18 Mio by the DSB in this case. The postal service has announced that the fine will be appealed to the Austrian Federal Administrative Court (BVwG):
"This does not include provisions totalling EUR 18m for an administrative fine imposed on Austrian Post by the Austrian Data Protection Authority on grounds of the alleged illegal use of marketing data. The penalty decision is not legally binding, and Austrian Post intends to exercise its right to file an appeal in a court of first instance."
Comment
Your comment can be added here!
See also
The Regional Court of Feldkirch ("Landesgericht Feldkrich") has issues a similar decision against the postal service in a private lawsuit under Article 79 GDPR and awarded € 800 in emotional damages. The case is under appeal. See LG Feldkirch - 57 Cg 30/19b - 15.
Further Reseouces
Share blogs or news articles here!
English Machine Translation of the 2019 report
The decision below is a machine translation of the original. Please refer to the German original for more details.
Direct marketing and data broking On 23 October 2019, GZ: DSB-D550.148/0017-DSB/2019, the DSB imposed a fine of € 18,000,000.00 on Österreichische Post AG for, among other things, compiling data on the political affinity of individually identified persons in the course of its commercial activities as an address publisher and direct marketing company and marketing this data to political parties. This was done by assigning alleged political preferences to individual persons in an address database through statistical procedures and then marketing this information. In addition, it was found that Austrian Post had marketed data on the frequency of relocation and the number of parcels received by individual customers, which it had initially collected as part of its activities as a postal service provider under the Postal Market Act, to other companies within the scope of its address publishing and direct marketing business. The penalty imposed for the identified violations of Articles 5(1), 6(1) and (4) and 9 of the GDPR is not final, as the defendant has appealed against it to the Federal Administrative Court.