BVwG - W258 2217446-1
BVwG - W258 2217446-1 | |
---|---|
Court: | BVwG (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 4(1) GDPR Article 5(1) GDPR Article 9(1) GDPR Article 9(2) GDPR Article 16 GDPR Article 17(3) GDPR Article 30 GDPR Article 35 GDPR Article 58(2)(d) GDPR Article 133(4) Federal Constitution (Bundes-Verfassungsgesetz - B-VG) § 151 Trade Regulation Act (Gewerbeordnung 1994 - GewO) |
Decided: | 26.11.2020 |
Published: | 02.12.2020 |
Parties: | Austrian Postal Service (Plaintiff) Austrian Data Protection Authority (DSB; Respondent) |
National Case Number/Name: | W258 2217446-1 |
European Case Law Identifier: | ECLI:AT:BVWG:2020:W258.2217446.1.01 |
Appeal from: | DSB DSB-D213.747/0002-DSB/2019 (not published because parts of the case are pending before Austrian Administrative Supreme Court (VwGH)) |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | Rechtsinformationssystem des Bundes (RIS) (in German) |
Initial Contributor: | Marco Blocher |
The Austrian Federal Administrative Court partially uphelds a decision of the Austrian DPA: Data on the presumed "affinity for a political party" are special categories of personal data. Their processing would require the data subject's consent.
English Summary
Facts
Facts pertaining to the case
The Austrian Postal Service (Österreichische Post AG) had been selling data on natural person's party "affinity for a political party" to their customers. In light of broad media coverage on this topic the Austrian Data Protection Authority (Datenschutzbehörde - DSB) started an ex-officio investigation against the Austrian Postal Service. The DSB investigated i.a the records of processing activities and the data protection impact assessment of the Austrian Postal Service. Further, it investigated records that must be maintained under § 151 Trade Regulations Act (Gewerbeordnung 1994 - GewO).
Decision by the Austrian Data Protection Authority
With its decision dated 22.01.2019, the DSB
- held that the Austrian Postal Service had processed peronal data on the"affinity for a political party" without a legal basis, as these data qualify as special categories of personal data under Article 9(1) GDPR. Their processing would require the data subjects' explicit consent under Article 9(2)(a) GDPR and § 151(4) GewO,
- ordered the Austrian Postal Service to stop the processing of these data effecive immediately and to erase such data within a period of two weeks (unless a derrogation under Article 17(3) GDPR was applicable),
- held that the Austrian Postal Service had failed to carry out a data protection impact assessment prior to 25.05.2018,
- held that this data protection impact assessment was incorrect because it did not take into account that data on the"affinity for a political party" qualify as special categories of personal data,
- held that the records of processing activities maintaned by the Austrian Postal Service was incorrect, beacuse it did not take into account that data on the"affinity for a political party" qualify as special categories of personal data
- ordered the Austrian Postal Service to carry out a new, correct data protection impact assessment regarding the processing on data on the"affinity for a political party".
Appeal by the Austrian Postal Service
On 11.03.2019 the Austrian Postal Service filed an appeal against the DSB's decision with the Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG), claiming incorrect legal evaluation of the case by the DSB. The Austrian Postal Service argued
- that data on the"affinity for a political party" do not qualify as personal data as they only express a probability.
- these data could not be rectified under Article 16 GDPR and therefore would not qualify as personal data,
- these data would qualify as "marketing information and classifications" under § 151(6) GewO which would not be considered as personal data by the Austrian legislator and
- even if these data were to be qualified as personal data they would not qualify as special categories of personal data.
Dispute
- Do data on a natural person's (presumed) "affinity for a political party" qualify as personal data under Article 4(1) GDPR?
- If so, do they also qualify as special categories of personal data?
- Did the Austrian Postal Service process these data unlawfully?
- Did the Austrian Postal Service violate Article 30 GDPR by not considering data on the "affinity for a political party" as special categories of personal data?
- Did the Austrian Postal Service violate Article 35 GPPR by not carrying out a data protection impact assessment prior to 25.05.2018 and by not considering data on the "affinity for a political party" as special categories of personal data?
Holding
TBC
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Court Federal Administrative Court Decision date 26.11.2020 Business figures W258 2217446-1 Saying W258 2217446-1/35E PARTICULAR RECOGNITION ON BEHALF OF THE REPUBLIC! The Bundesverwaltungsgericht (Federal Administrative Court), composed of Gerold PAWELKA-SCHMIDT, Judge, acting as President, and Gerd TRÖTZMÜLLER and Gerhard RAUB, expert lay judges, acting as assessors, heard the appeal brought by XXXX, represented by Schönherr Rechtsanwälte GmbH, 1010 Vienna, against the second paragraph of the judgment. and 6 of the decision of the data protection authority of 11 February 2019, GZ DSB-D213.747/0002-DSB/2019, after an oral hearing on 22 November 2019 and 30 October 2020, in a closed session in a matter relating to data protection law: A) The complaint is partially complied with and 1.) Point 2. with regard to the request for deletion, that the special category of personal data according to Point I. must be deleted within a period of two weeks in the event of any other execution, provided that there are no exceptions under Art 17 (3) DSGVO in the individual case, and 2.) Point 6, according to which the XXXX is instructed to subject the application "DAM target group addresses" to a new data protection impact assessment within a period of two months if it is otherwise executed, and to supplement the processing of "DAM target group addresses" in the processing directory in such a way that special categories of personal data are processed, fixed without replacement. B) For the rest, the appeal is dismissed and sentence 2. is confirmed, with the proviso that it must read as a whole: "The XXXX must refrain with immediate effect from processing the data types "party affinities" for the purpose of address trading and direct marketing without the consent of the data subjects, otherwise the data will be executed. C) The revision is permissible pursuant to Art. 133 para. 4 B-VG. Text Reasons for the decision: I. Course of proceedings: 1 On the basis of media reports on the alleged sale of personal data, in particular information on the "political affinity" of certain persons, the authority incriminated decided on 8 January to take action against the defendant.2019 and asked the complainant to answer various questions about the complainant's customer and interested party file system within two weeks and to submit various related documents, namely a list of processing activities, a data protection impact assessment, if any, a randomly anonymised customer profile, a record of any consent obtained and a model of a "declaration of no objection" within the meaning of Section 151 (6) GewO 1994. 2 In a letter dated 22 January 2019, the complainant submitted the requested documents, with the exception of the non-existent declarations of consent, and answered the questions in summary as follows The use of customer data for the purpose of direct marketing and its activity as an address publisher is based on § 151 GewO. Marketing classifications, such as probability values about party affinities, are also used in this context. However, such probability values are not subject to the DSGVO because they lack any statement or information about a person and are therefore not personal data within the meaning of the DSGVO. This is also shown by the fact that persons who have several places of residence are assigned different probability values depending on where they live. Such data are also not amenable to correction; if they were subject to the DSGVO, a subset of data would be created within their area of application which would exclude some rights of data subjects, but this concept is foreign to the DSGVO. 3 By decision of 11 February 2019, the authority complained of found that the official investigation procedure was justified and that the complainant had unlawfully processed special categories of personal data, namely "party affinity", in the context of the business of "address publishers and direct marketing companies" in the absence of the consent of the persons concerned (point 1).), instructed the complainant to cease processing these special categories of data with immediate effect and to delete existing data within two weeks, unless an exception under Article 17 (3) DSGVO existed in the individual case (ruling 2.), stated that the complainant had breached its obligation to carry out a data protection impact assessment with regard to the application "DAM target group addresses" by not carrying out the data protection impact assessment in the period from March to June 2018, contrary to the time specifications in the data protection impact assessment, but at a later point in time, in any event after 25 June 2018.05.2018 (point 3), the data protection impact assessment on the application "DAM target group addresses" is erroneous because it denies the processing of special categories of data, although the "party affinity" is calculated and as a result the existence of a high risk is therefore in any event denied (point 4).) and the list of processing activities "DAM-Zielgruppenadressen" was erroneous because it denied the processing of data requiring special protection, including political opinion, and the extensive processing of sensitive data (see point 5) and instructed the complainant to submit the application "DAM-Zielgruppenadressen" to a new data protection impact assessment within two months and to supplement the processing of "DAM-Zielgruppenadressen" in the processing list so that special categories of personal data were processed (see point 6). In its statement of reasons, the prosecuting authority stated in summary, citing the case law of the European Court of Justice, case law and literature opinions, that "political affinity" is personal data even if it represents an "average probability for a marketing group"; it would also not differ in the end from "conventional" profiling processes or other automated decision-making processes, such as those carried out by credit information agencies, as defined in Art 22 DSGVO: In all these procedures, values would be determined using statistical methods, in some cases enriched by concrete empirical values on specific persons, which would be assigned to a specific or identifiable person. The "political affinity" would be recognisable by an average, objective third party at least indirectly as a "political opinion" in the sense of Article 9(1) DSGVO, which the complainant specifically assigns to a person, otherwise no targeted advertising would be possible; it therefore also constitutes a special category of data. Since the data protection impact assessment presented refers to the DSFA-V, Federal Law Gazette II No. 278/2019, which was only announced on 9 November 2018, as one of the reasons for its implementation, the data protection impact assessment could not have been carried out before the DSGVO came into force on 25 May 2018. 4 The present complaint of 11.03. is directed against this decision.2019 on the grounds of substantive unlawfulness and unlawfulness on the grounds of breach of procedural rules, in which the complainant requested that an oral hearing be held, that the Court of First Instance itself rule on the substance of the case and annul the contested decision, or, in the alternative, annul the contested decision and refer the case back to the authority complained of for a fresh decision, or, in the event of the complaint being upheld in part, that points 1, 3, 4 and 5 be annulled on the grounds of lack of competence and unlawfulness. After a detailed description of her approach to the creation of the "party affinity", she explained that marketing classifications, in particular the probability-related average calculations used here, are neither information about a specific person nor a statement about a specific person and are therefore not personal data within the meaning of the DSGVO. Nor are they capable of correction and thus not accessible to all the rights of data subjects granted by the DSGVO, which would create a subset of data - if they were regarded as personal data - which would not be accessible for correction, although this is not provided for by the DSGVO. The same is apparent from Paragraph 151 of the GewO, which distinguishes between personal data and marketing classifications - i.e. here data relating to "party affinity". Not all indirect information - as in this case - can be seen as information about the political opinion of those affected. In case of doubt, the existence of a special category of data should be denied. The context in which information is used should be taken into account. If, as in this case, the abstract probability of an advertising interest is assigned to a specific person and no information components relating to the person, such as party memberships or participation in events, are processed, it can under no circumstances be information about the political opinion of data subjects within the meaning of Article 9 (1) DSGVO. If the court that has jurisdiction should have doubts as to the interpretation of the term "personal data" or the classification of the "party affinity" in question as a special category of data within the meaning of Article 9(1) of the DSGVO, an application to the European Court of Justice is suggested. The complainant also alleged a number of formal errors: the authority in question had no competence for the "declaratory" rulings; the unlawfulness of the complainant's acts did not have to be discussed separately because they were merely the basis for the order to cease and desist. The request for cancellation was to be based on Article 58(2)(g) of the DSGVO. Moreover, the authority against which proceedings had been brought should itself have examined a possible exemption from the obligation to delete under Article 17 of the DSGVO and had not sufficiently specified the data records to be deleted. With regard to the data protection impact assessment, the complainant did not carry it out retrospectively, i.e. not until 25 May 2018; rather, it was subject to ongoing evaluation and adaptation, which also explains the citation of a law that was only promulgated after 25 May 2018; the authority in question unlawfully failed to hear the complainant on this issue. 5 In a written statement dated 12 April 2019, received on 15 April 2019, the authority complained of submitted the complaint to the court hearing the case, followed by the administrative act. It submitted a statement to which the complainant replied with a granted statement of 04.07.2019. An oral hearing was held on 29.11.2019, during which, inter alia, the factual and legal situation was discussed and XXXX was heard as a witness on the detailed circumstances of the implementation of the data protection impact assessment. 7 In a written statement of 5 February 2020, the complainant submitted a decision of the contested authority according to which the attribution of marketing classifications is not a process of automated individual decision making or profiling, which contradicted the grounds of the decision in question. Furthermore, a decision of the Landesgericht Wels (Regional Court, Wels) according to which marketing classifications are not personal data. 8 In a written statement of 9 March 2020, the complainant submitted a judgment of the Innsbruck Higher Regional Court, by which the judgment of the Feldkirch Regional Court, which had been submitted by the authority being prosecuted to prove its legal opinion, was amended to the effect that the action had been dismissed in its entirety. It is therefore no longer part of the body of law and can no longer support the position of the authority against which proceedings are brought. 9. in the partial decision of 20.08.2020, GZ 2217446-1/15E, the complaint against the first, fourth and fifth points of the statement of objections - determination of the unlawfulness of the processing of "party affinities", the data protection impact assessment and the list of processing activities - was dismissed. The complaint against point 3 - failure to carry out the data protection impact assessment in good time - was upheld and point 3 was rectified without substitution. The complaint against points 2 and 6 was not settled. 10 In a statement of 23 October 2020, the complainant submitted that all marketing classifications, including the party affinities at issue in the proceedings, had been deleted from its marketing database. The party affinity data had not been processed for marketing purposes after February 2019. 11 In the oral hearing of 30.10.2020, XXXX was questioned as a witness on the alleged deletion of party affinities and other marketing classifications. Evidence was obtained by inspecting the administrative act, the Business Information System Austria and by questioning XXXX - with regard to possible administrative criminal proceedings concerning it - as a party. II The Federal Administrative Court considered 1. the following facts have been established: 1.1 Since 3 April 2001, the complainant has been operating, inter alia, the business of "address publishing and direct advertising". Since 01.08.2006, the managing director under trade law has been Ms XXXX . 1.2 In carrying out this business, it operates a data application "DAM target group addresses" in order to provide legal entities with personal data for marketing purposes as part of its "Adress Shop" product. In addition to various processing operations for commercial support, this involves processing target group addresses, enriching customer inventory data with additional marketing information, counting and, if necessary, selecting suitable persons according to the requirements of an interested party and delivering the data to customers. Insofar as relevant to the process, the following information of natural persons is used and passed on to third parties: Title, first and last name, address, date of birth and "party affinity". 1.3 The "Party Affinity" is composed of the data fields "ÖVP AFFIN", "SPÖ AFFIN", "FPÖ AFFIN", "NEOS AFFIN" and "GREEN AFFIN", each of which can be assigned a single value, namely "very low", "low", "high" or "very high". 1.4 The complainant determines the concrete value for the data fields on "party affinity" by conducting anonymous opinion polls. These surveys ask for socio-demographic data such as age, formal education and income levels, place of residence and any interest in election advertising by the respective political parties. Subsequently, based on the socio-demographic data and place of residence, marketing groups are formed within a grid and for each of these marketing groups, taking into account the opinion polls but also regional election results, the probabilities are calculated with which a person with certain socio-demographic data and a certain regional affiliation is likely to be interested in advertising by the political parties mentioned. By classifying a concrete person into a certain marketing group, the probability values calculated for this marketing group are also assigned to him/her, which ultimately allows the concrete values of the data fields to be filled for the respective party affinity. 1.5 The calculation and transfer of the "party affinity" to the persons contained in the data application "DAM target group addresses" is intended to reduce scattering losses in advertising. 1.6 The complainant has not obtained consent for the processing of "party affinity" from the persons from whom the value has been determined or allocated. 1.7 Requests for information within the meaning of Article 15 of the DSGVO and legal actions for processing the data type "party affinity" have been and continue to be made. 1.8 The complainant deleted the data types for "party affinity" on 22.02.2019 and no longer processed them for address trading or marketing purposes. This is because the complainant's management board decided to withdraw from the business of trading in marketing classifications due to the negative media coverage. However, "party affinities" are still present in information provided by the complainant in response to a request for information under data protection law, provided that the information provided contained data on "party affinities". The complainant has archived this information in order to trace and prove the information provided. 1.9 The complainant considers that the processing of "party affinities" for purposes of address trading and direct marketing is still legally permissible even without the consent of the data subjects. (2) The findings result from the following assessment of the evidence: 2.1 The finding under 1.1 is based on the complainant's unobjectionable submissions and a consistent view of the Austrian Business Information System. The findings under 1.2. are based on the complainant's submissions in combination with the data protection impact assessment in line with this, target group addresses, in particular Chapter 1.3.3 and Annex 2D, and Annex 3 of the complainant's opinion of 22 January 2019 (OZ 1 p 52, 83 ff and 185 ff). The findings regarding 1.3. are based on Annex 3 to the complainant's statement of 22.01.2019 - "Database extract party affinity with different places of residence" (OZ 1 S 185). The findings under 1.4. are basically based on the complainant's submissions, in particular the complainant's statement of 22 January 2019, page 2 (OZ 1 p 33). They also rely on the statement of the complainant of 22 January 2019, page 4 (OZ 1 p 35), according to which regional election results are strongly weighted in the calculation of the probability values for the respective party affinity, and on Annex 3 to the statement of the complainant of 22 January 2019 - "Database extract party affinity for different places of residence" (OZ 1 p 185), according to which the respective party affinities are stored in the database for the respective persons. The findings regarding 1.5. are based on the information provided by the complainant in her statement of 22 January 2019, page 2 (OZ 1 p 33). The fact that the complainant did not obtain the consent of the data subjects for the processing of the various types of data "party affinity" follows from her submissions in the administrative procedure. The findings on 1.7. are based on the conclusive and comprehensible testimony of witness XXXX as well as on the civil court judgements presented in the court proceedings. The finding on 1.9. is based on the arguments put forward by the complainant in the administrative and administrative-judicial proceedings. 2.2 The findings on 1.8. are based on the coherent and comprehensible statement of witness XXXX in the oral complaint hearing. It is understandable that, following the negative media coverage of the party affinities, the executive board should have come to the conclusion that further use of this data was no longer worthwhile due to the loss of image and that it had therefore declared a complete stop to processing this data. It is also understandable that the ordered deletion was not possible for legal reasons and could therefore only be carried out after the requests for information had been processed. Thus, it is legally correct in principle that - as described by the witness - the complainant may not delete personal data of a data subject between the request for information and the provision of information, and it is in fact understandable that the complainant was confronted with such a high number of requests for information and enquiries about a possible processed party affinity due to media reporting that the allocation of the received enquiries to the respective data subjects took weeks. The credibility of the witness is also supported by her description of minor details, such as a "dashboard" on which the number of requests received on the one hand and the number of requests already allocated on the other hand were compared. Nor can it change the fact that the complainant is alleged to have assumed that the "party affinities" do not constitute personal data. It is true that in this case, the "party affinities" would not have had to be disclosed. However, it is conclusive and in line with general life experience if - as described by the witness - the complainant, following the media coverage, which was also based on information about party affinities, continued to find out about the "party affinities" in order not to give the impression that she wanted to hide something. 3) The legal consequence of this: The admissible appeal is justified insofar as it is directed against ruling item 6. and the request for cancellation in ruling item 2. of the contested ruling; insofar as it is directed against the cease and desist order in ruling item 2., it is not justified. 3.1 On the qualification of "party affinities" as special categories of personal data: In its partial ruling of 20.08.2020, GZ W258 2217446-1/15E, the Federal Administrative Court confirmed, among other things, the ruling of the challenged ruling, according to which the complainant unlawfully processed special categories of personal data pursuant to Art. 9 DSGVO ("party affinities") in the course of carrying on the business of "address publishers and direct marketing companies" by failing to obtain the consent of the persons concerned. Since the unlawfulness of that processing has thus been established by a final judgment, the national court is bound by that assessment. However, since an ordinary appeal against that finding is currently pending before the Verwaltungsgerichtshof and it is disputed whether the data protection authority, in an examination procedure initiated by the authorities, as in this case, has the power to find unlawfulness in a manner capable of having the force of res judicata, the national court cannot merely refer to partial finding W258 2217446-1/15E as regards the unlawfulness of the processing of the "party affinities". If the Verwaltungsgerichtshof were to set aside that decision, the present decision would not contain any statement of the reasons why the processing of "party affinities" should be unlawful. Therefore, in the following point 3.2., the explanations regarding the unlawfulness of the processing of "party affinities" by the complainant are repeated in the cited ruling as follows. 3.2 The unlawfulness of the processing of 'party affinities': 3.2.1 On the relevant legal provisions: Art 4 DSGVO, entitled "Definitions", reads as follows in no. 1 "1) "personal data" shall mean any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, a location data, an on-line identification or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person Article 5 of the DSGVO, entitled "Principles for the processing of personal data", reads ("1) Personal data must be [...] (d) accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate as to the purposes for which they were processed are erased or rectified without delay ('accuracy'); [...]". Article 9 of the DSGVO, entitled "Processing of special categories of personal data", reads "The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data revealing the unique identification of a natural person, health data or data concerning the sexual life or sexual orientation of a natural person shall be prohibited. 2. Paragraph 1 shall not apply in the following cases: (a) the data subject has given his explicit consent to the processing of those personal data for one or more specified purposes, except where, under Union or national law, the prohibition referred to in paragraph 1 cannot be lifted by the data subject's giving his consent] (g) processing is necessary for reasons of substantial public interest on the basis of Union law or the law of a Member State which is proportionate to the aim pursued, respects the substantive content of the right to data protection and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject Art 16 DSGVO, entitled "Right of rectification", reads "The data subject shall have the right to obtain from the controller the rectification without delay of inaccurate personal data relating to him/her. Having regard to the purposes of the processing, the data subject shall have the right to obtain the completion of incomplete personal data, including by means of a supplementary declaration". Art 58 of the DSGVO, entitled "Powers", reads "[...] (2) Each supervisory authority shall have all the following remedial powers enabling it to take action, (a) warn a controller or a processor that processing operations envisaged are likely to be carried out in breach of this Regulation (b) to warn a controller or a processor if he has carried out processing operations in breach of this Regulation, (c) instruct the controller or the processor to act on the data subject's requests to exercise the rights conferred on him/her by this Regulation (d) instruct the controller or the processor to bring processing operations into conformity with this Regulation, where appropriate in a specific way and within a specific period, (e) instruct the controller to notify the person concerned of any breach of the protection of personal data, (f) impose temporary or definitive restrictions, including a ban, on processing, (g) order the rectification or erasure of personal data or the restriction of processing in accordance with Articles 16, 17 and 18 and the notification of such measures to the recipients to whom the personal data have been disclosed in accordance with Articles 17(2) and 19 (h) withdraw a certification or instruct the certification body to withdraw a certification issued in accordance with Articles 42 and 43, or instruct the certification body not to issue a certification if the conditions for certification are not, or are no longer, fulfilled (i) to impose a fine in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the case, (j) order the suspension of the transfer of data to a recipient in a third country or to an international organisation. […] 6. Each Member State may provide by law that its supervisory authority shall have powers in addition to those listed in paragraphs 1, 2 and 3. The exercise of these powers shall not affect the effective implementation of Chapter VII. The recitals, where relevant, in particular to Article 9 of the DSGVO, read "( 46 ) The processing of personal data should also be considered lawful if it is necessary to protect a vital interest of the data subject or of another natural person. [...] Some types of processing may serve both important public interest reasons and vital interests of the data subject; for example, processing may be necessary for humanitarian purposes, including the monitoring of epidemics and their propagation, or in humanitarian emergencies, in particular natural or man-made disasters (47) The lawfulness of processing may be justified by the legitimate interests of a controller, including a controller to whom personal data may be disclosed, or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, taking into account the reasonable expectations of the data subject based on his relationship with the controller. The processing of personal data for the purpose of direct marketing may be considered to be processing in the legitimate interest of the data subject. (51) Personal data which by their nature are particularly sensitive with regard to fundamental rights and freedoms deserve special protection, since their processing may involve substantial risks to fundamental rights and freedoms. Such personal data should include personal data revealing racial or ethnic origin, and the use of the term "racial origin" in this Regulation does not imply that the Union endorses theories which seek to prove the existence of different human races. The processing of photographs should not in principle be considered as processing special categories of personal data, since photographs are covered by the definition of "biometric data" only if they are processed by special technical means which allow for the unique identification or authentication of a natural person. Such personal data should not be processed except in the specific cases set out in this Regulation, taking into account that specific data protection provisions may be laid down in the law of the Member States in order to adapt the application of the provisions of this Regulation to allow compliance with a legal obligation or the performance of a task carried out in the public interest or the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other provisions of this Regulation should apply, in particular as regards the conditions for legitimate processing. Exceptions to the general prohibition of processing of these special categories of personal data should be expressly provided for, inter alia, where the data subject has given his explicit consent or where there are specific needs, in particular where processing is carried out in the course of legitimate activities by certain associations or foundations promoting the exercise of fundamental freedoms. (52) Derogations from the prohibition to process special categories of personal data should also be allowed where provided for by Union or national law and, subject to adequate safeguards for the protection of personal data and other fundamental rights, when justified by the public interest, in particular for the processing of personal data in the fields of labour law and social security law, including pensions, and for the purpose of ensuring and monitoring health and health alerts, prevention or control of infectious diseases and other serious health threats. Such an exception may be made for health purposes, such as the safeguarding of public health and the management of health care services, in particular where this is intended to ensure the quality and efficiency of the procedures for billing of services in social health insurance systems, or where the processing is for archiving, scientific or historical research or statistical purposes in the public interest. The processing of such personal data should also be exceptionally allowed where it is necessary for the purpose of asserting, exercising or defending legal claims, whether in judicial or administrative proceedings or in extrajudicial procedures. (55) The processing of personal data by public authorities for objectives of religious communities recognised by the state and laid down in constitutional or international law is also carried out for reasons of public interest". Section 151 of the GewO, entitled "Address publishers and direct marketing companies", reads "(1) The provisions of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Basic Data Protection Regulation), OJ L 231, 30.12.2006, p. 1, shall apply to the use of personal data for the marketing purposes of third parties by the professionals authorised to carry on the business of address publishers and direct marketing companies. No. L 199 of 4.5.2016 S 1, (hereinafter: DSGVO), and the Federal Act on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act - DSG), Federal Law Gazette I. No. 165/1999, as amended by Federal Act BGBl. I. No. 120/2017, unless otherwise specified below. (2) The activity of intermediary between owners and users of customer and prospect file systems (list broking) is reserved for the traders referred to in paragraph 1. (3) The traders referred to in paragraph 1 shall be entitled to obtain personal data for their activities under paragraphs 1 and 2 from publicly available information, by interviewing the persons concerned, from customer and prospect file systems of third parties or from marketing file systems of other address publishers and direct marketing companies, provided that this is done in compliance with the principle of proportionality for 1. the preparation and implementation of marketing campaigns of third parties, including the design and dispatch of advertising material or 2. list broking is necessary and permissible according to paragraphs 4 and 5. (4) Insofar as special categories of personal data pursuant to Art. 9 para. 1 DSGVO are concerned, they may be processed by the traders referred to in para. 1, provided that the data subject has given his express consent to the processing of such data for the marketing purposes of third parties. The identification and further processing of special categories of personal data from customer and prospect file systems of third parties on the basis of such consent is only permissible to the extent of paragraph 5 and only to the extent that the owner of the file system has declared in writing to the trader pursuant to paragraph 1 that the data subjects have expressly consented to the processing of their data for third-party marketing purposes. Criminally relevant data within the meaning of Art. 10 DSGVO may only be processed for marketing purposes by traders under para. 1 in accordance with § 4 para. 3 DSG or if express consent has been given. (5) Unless the data subjects have given their consent pursuant to Art. 4 No. 11 DSGVO to transfer their data for third-party marketing purposes, the traders referred to in paragraph 1 may only transfer the data from a third-party customer and prospect file system to a third party 1. names, 2nd gender, Title 3, 4. academic degree, 5. address, 6. date of birth, 7. professional, trade or business designation and 8. the person concerned belongs to this customer and prospect file system determine. The prerequisite for this - unless the stricter provisions of paragraph 4 apply - is that the owner of the file system has declared in writing to the trader in accordance with paragraph 1 that he has no objection, that the persons concerned have been informed in an appropriate manner about the possibility of prohibiting the transfer of their data for the marketing purposes of third parties and that no prohibition has been issued. (6) Traders under subsection 1 may use marketing information and classifications collected for marketing purposes and attributed to specific persons by name on the basis of marketing analysis procedures only for marketing purposes and, in particular, may transmit them to third parties only if the third parties declare unobjectionably that they will use the results of such analysis exclusively for marketing purposes. […]“ 3.2.2 Applied to the facts, this means According to Art. 9 para. 1 DSGVO, the processing of personal data from which political opinions, among other things, emerge is prohibited unless one of the exceptions in para. 2 applies. In the contested decision, the authority against which proceedings were brought stated, citing the prohibition on processing under Article 9(1) of the DSGVO, that the processing of data relating to "party affinity" by the complainant was to be qualified as processing of personal data from which political opinion is derived, which would have been unlawful in the absence of the consent of the persons concerned, an exception within the meaning of Paragraph 2 leg cit. The complainant counters this - in summary and with detailed explanations - by stating that Art 9 DSGVO is not applicable because the data on party affinity generated by it and attributed to the persons concerned are probability values which are neither personal data nor information from which political opinions would emerge. That cannot be accepted. 3.2.3. data on "party affinity" as personal data: In accordance with Art. 4 Z 1 DSGVO, "personal data" refers to all information relating to an identified or identifiable natural person (hereinafter "data subject"). The scope of application of the DSGVO is very broad and the personal data it covers is diverse. Indeed, the use of the term "all information" reflects the Union legislator's aim to give a broad meaning to the term "personal data". It covers all types of information, both objective and subjective, provided that it is information "about" the person in question. The latter condition is fulfilled if the information is linked to an identified or identifiable person by virtue of its content, purpose or effects (see in general the judgement of the European Court of Justice of 22 June 2005 on the Data Protection Directive 95/46/EC ("DPA Directive").2017, C-434/16, NOWAK Rz 33, whose statements can also be adopted for the DSGVO on the basis of the identical definition of the term "personal data" in Art 2 lit a DS-RL and in Art 4 Z 1 DSGVO (see also Klar/Kühling in Kühling/Buchner (ed.), DSGVO² Art 4 Rz 2)). The Article 29 Working Party, the forerunner of the European Data Protection Committee, further defines the content, purpose and impact requirement referred to by the ECJ (Analysis of the definition of personal data following the Article 29 Working Party Opinion 4/2007 on the concept of personal data, adopted on 20 June 20072007, 01248/07/EN WP 136; on transferability to the DPA by analogy, see - even if the WP has not been explicitly recognised by the Data Protection Committee as being generally transferable to the DPA (Endorsement 1/2018 of 25 June 2007)05.2018 of the European Data Protection Committee) - above; see also Karg in Simitis/Hornug/Spiecker (ed.), Datenschutzrecht (2019) Art 4 No. 1 Rz 33 ff and Klabunde in Ehmann/Selmayr Datenschutz-Grundverordnung² Art 4 Rz 10 f): The "content element" is present whenever - according to the generally accepted understanding of the word "obtain" - information is given about a specific individual, irrespective of the purpose on the part of the controller or a third party or of the impact of this information on the data subject. Information "relates" to a person if it is information "about" that person, which must be assessed in the light of all the circumstances surrounding the processing operation. The "purpose element" is deemed to exist if the data are or could be used, taking into account all the circumstances, for the purpose of evaluating a person, treating him or her in a specific way or influencing his or her position or behaviour. As regards the "impact requirement", it is stated that data can be considered "personal" if its use, taking into account all relevant circumstances, could have an impact on the rights and interests of a particular individual. The possible outcome need not be a lasting impact. It is sufficient if the person could be treated differently from other persons because of the processing of such data. As a result, the complainant now links certain natural persons to the likelihood that the persons in question are interested in advertising from certain parties ("party affinity"). The probability values are based on statistical correlations between certain socio-demographic characteristics and place of residence on the one hand and the interest in electoral advertising of certain political parties on the other hand, as determined by the complainant through opinion polls and taking into account regional election results. The link is made in order to minimise wastage in advertising, i.e. to be able to advertise in a targeted manner. The linking of the party affinity to a single person fulfils the content element. Thus, even if the actual political opinion of the person concerned is not known, the party affinity - contrary to what was stated in the notice of appeal - contains a direct statement about the specific person, namely the probability with which he or she is interested in advertising from a particular political party. This statement, even if it is subject to statistical fluctuation due to the method of investigation, is not completely random, but is derived from correlations obtained from opinion polls and election results. It is a statistically based assessment of the person's interest in advertising for a particular political party. Otherwise, it would be unsuitable for the purpose of preventing wastage in advertising. Contrary to the complainant's submissions, the question whether the content element is fulfilled or a personal date is present does not depend on whether the assessment of the person concerned is (also) based on parameters which are inherent in the behaviour of the person to be assessed. The "purpose element" is also fulfilled: The information "party affinity" is intended and can be used to avoid scattering losses in advertising, i.e. to treat in a certain way persons who, depending on the determined party affinity, receive or do not receive advertising for a certain party. The "impact requirement" is thus also met. The persons concerned could be treated differently, depending on the "party affinities" attributed to them, by receiving or not receiving advertising about a particular party. The data type "party affinity" is therefore personal data within the meaning of Art 4 Z 1 DSGVO. 3.2.4 The complainant's arguments cannot alter this assessment: 3.2.4.1 The complainant's argument according to which the "party affinity" she had identified was comparable to evaluations by Statistik Austria, such as average incomes in a certain microgeographic grid, which are not considered to be personal data, is not convincing. Thus, the contested ruling was not directed against the determination of the - non-personal - connections between socio-demographic data or the place of residence and the interest in election advertising of certain parties. What is at issue is the application of these connections to certain persons and the linking of the resulting "party affinities" with the respective persons. Statistics Austria currently does not link the information generated by it to specific or identifiable natural persons and natural persons are neither to be treated differently nor are they to be treated differently on the basis of this information. 3.2.4.2 The complainant further submits that the data cannot be rectified on the merits and that not all data subjects' rights can be exercised. They could therefore not be subject to the DSGVO. Otherwise, a subset of data types would be created which would not be accessible to all data subjects' rights. That concept is foreign to the DSGVO and is not covered either by its wording or by its recitals. The appellant thus concludes from the alleged fact that the "party affinity" - as a probability value - is not correctable and thus not amenable to correction under Article 16 DGVO, that this would deprive the "party affinity" of the entire scope of application of the DSGVO. Apart from the fact that it cannot be concluded from the inapplicability of certain provisions of the DSGVO that the entire DSGVO is thus inapplicable, the complainant uses this argument to overlook the fact that "party affinity" is indeed open to correction. Admittedly, it cannot be corrected by any other actual interest of the person concerned in advertising for certain political parties. But that is not necessary. Indeed, the accuracy of personal data must be assessed in relation to the purpose for which the data were collected (Art 5 (1) lit d DSGVO arg "in relation to the purposes for which they are processed"; ECJ 22.06.2017, C-434/16, NOWAK Rz 53). The purpose of determining "party affinity" is not to determine the interests of data subjects in advertising by a particular person in concrete terms, but only to make a statistically sound assessment of such interests. It is therefore merely necessary to correct any errors of assessment, such as the use of incorrect socio-demographic data or errors in the attribution of the data subject to a particular marketing group. Such correction is possible by a new - correct - determination of "party affinity". (see also the comparable case of the correctability of answers to examination questions ECJ 22.06.2017, C-434/16, NOWAK Rz 46 ff) 3.2.4.3 The complainant further refers to § 151 GewO, the structure of which argues that marketing classifications do not constitute personal data. Accordingly, § 151 (4) and (5) regulates the admissibility of the use of personal data for the purposes of address trading and direct marketing, while § 151 (6) GewO regulates the admissibility of the use of marketing classifications. Since para 6 refers to marketing classifications and not to personal data and para 6 does not refer to para 4 and 5, the legislator does not regard marketing classifications as personal data. Otherwise, there would be no room for the application of Paragraph 6, which cannot be imputed to the legislature. This argument overlooks the fact that the term "personal data" is defined in Art 4 (1)(1) DSGVO, i.e. a European law standard which is directly applicable in the Member States. In the absence of a corresponding opening clause, it is to be interpreted autonomously under European law and no legal provisions of the member states, in this case § 151 GewO, can be used for its definition or interpretation. 3.2.4.4 The complainant's objection according to which party affinities are not assigned to data subjects but rather data subjects are classified in marketing groups (from which the party affinity then results) must be countered by the fact that for a personal date to be assumed, it is sufficient if there is a qualified link between the data subject and the information (ECJ 22 June 2017, C-434/16, NOWAK Rz 33). The "direction" in which the link is made, i.e. whether the person is assigned to the information or the information is assigned to the person, is just as irrelevant as the question of whether the assignment is only made indirectly via classification in a marketing group whose members are attributed certain characteristics. 3.2.4.5 The complainant's objection that different addresses of the persons concerned would lead to different party affinities shows the limits of the algorithm used, but it does not show that it is generally not suitable for assessing the interest of persons concerned in the advertising of election-seeking parties. 3.2.4.6 Ultimately, the complainant's argument that, if "party affinity" were to be seen as a personal date, any election analysis by ORF would generate personal data overlooks the fact that such election analyses do not assign any data to specific persons. Even the mere knowledge of the persons concerned themselves to find themselves in one of the groups analysed does not constitute a processing operation relevant under data protection law. 3.2.5. data on "party affinity" as special categories of personal data: The processing prohibition of Art. 9 para. 1 DSGVO applies to special categories of data, which include personal data from which political opinions emerge. It is disputed whether the date on which a person is likely to be interested in advertising about a particular political party indicates that person's political opinion within the meaning of Art 9 (1) DSGVO. The complainant, reproducing numerous literary opinions, essentially argues that it would only calculate the probability of persons with certain socio-demographic and regional characteristics being interested in advertising for certain political parties, which would neither generate a statement of political views or political affiliations nor a statement of a political opinion or an activity related to it, and that "party affinity" could therefore not be qualified as "political opinion" in the sense of the literature cited. This is not to be followed. Decisive for the interpretation of Art 9 DSGVO is its protective purpose (see also Schiff in Ehmann/Selmayr Datenschutz-Grundverordnung² Art 9 Rz 19). It must be asked what the provision is intended to protect the persons concerned from. The interpretation has its limits in the extreme sense of the provision. The background to Art 9 (1) DSGVO is that personal data which by their nature are particularly sensitive with regard to fundamental rights and freedoms deserve special protection because considerable risks to fundamental rights and freedoms may arise in connection with their processing (ErwGr 51 DSGVO). As a rule, the types of data mentioned above have a high potential for damage and discrimination, which is repeatedly realised (cf Paal/Pauly Datenschutzgrundverordnung Bundesdatenschutzgesetz ² Art 9 DSGVO Rz 6). Art 9 DSGVO therefore aims to protect against the risks usually associated with certain types of personal data. On the basis of the wording of Art 9 (1) DSGVO, according to which the prohibition concerns processing as such, the only criterion is the fundamental suitability of the types of data to trigger these risks. The specific processing context, such as the purpose of the processing or specific processing steps, are thus not to be taken into account in assessing whether a personal date falls within one of the special categories of data (in the case of indirectly sensitive data, this is disputed; Data protection law (2019) Art 9 Rz 12 with reference to Bergauer in Knyrim The new data protection law in Austria and probably also Schiff in Ehmann/Selmayr Datenschutz-Grundverordnung² Art 9 Rz 2 f; aA Schulz in Gola Art 9 Rz 13; Weichert in Kühling/Buchner (Hrsg), DSGVO² Art 9 Rz 22). This must therefore be linked to the abstract suitability of certain personal data to trigger particularly adverse consequences for data subjects. What types of personal data are defined in Art 9 (1) DSGVO. Among other things, it must be personal data from which the "political opinion" of the person concerned can be deduced. Since even a suspected political opinion can trigger those negative consequences for the person concerned from which Art 9 DSGVO seeks to protect, it is sufficient for the adoption of a political opinion if such an opinion can be deduced with sufficient probability from the information (Schiff in Ehmann/Selmayr Datenschutz-Grundverordnung² Art 9 Rz 21). Certainty is not required. It is also irrelevant whether the information on characteristics is correct in terms of content (Weichert in Kühling/Buchner (Hrsg), DSGVO² Art 9 margin no. 24). Whether the political opinion of the data subject can be derived with sufficient probability from personal data must be assessed from the circumstances of the individual case, taking into account the protective purpose of the standard (in this sense also Schiff in Ehmann/Selmayr Datenschutz-Grundverordnung² Art 9 Rz 22). Applied to the facts of the case, this means In the present case, natural persons are linked to the likelihood of having an interest in advertising through certain political parties. There is a relevant link between the (probable) interest in advertising from a particular party and an interest in that political party and therefore in a political opinion: Although it is not possible to infer a political opinion from a low probability value, it can be based on a fundamental disinterest in politics or a rejection of advertising material. The same applies to a high probability value, which can only be based on a general political interest. However, since "party affinities" are assigned to several political parties, the interaction between high probability values for certain parties and low probability values for other parties results in a particular advertising interest for one party and a reduced advertising interest vis-à-vis the other parties. In this constellation, the advertising interests indicate whether the person concerned basically represents the opinions of a particular political party, feels close to it or is considering voting for it, or opposes it. If one takes into account the protective purpose of Art 9 DSGVO, i.e. to protect affected persons against discrimination on the basis of an (assumed) political opinion, the probability of the political opinion coming to light is also sufficient: If - as in this case - persons with a high "party affinity" are regarded as susceptible to advertising - and thus to a certain political opinion - and are therefore to be advertised specifically through advertising about certain political parties, this is mirrored by the dangers that Art 9 DSGVO seeks to avoid: to discriminate against or even persecute such persons because a certain proximity to a party is suspected. 3.2.6 As regards the complainant's arguments The complainant objects to the classification of "party affinities" as a special category of personal data, essentially on the grounds that a political opinion within the meaning of Article 9(1) DSGVO can only emerge if the data subject has acted himself or herself or if there is an (at least indirectly political) information component about the data subject (such as party membership or participation in events). Neither of these was given in the present case. This view overlooks the fact that the dangers which are usually associated with the processing of political opinion and from which Art 9 DSGVO seeks to protect are already threatened if the political opinion of a data subject can be established with sufficient probability. However, it makes no difference for the existence of a certain probability whether the probability is based on actual behaviour of the data subject, on (at least indirectly political) information about the data subject or on statistical methods. The fact that the method used by the complainant to determine the probability values would have no statistical relevance can be inferred neither from the method of investigation established nor from the intended purpose, i.e. the targeted application of natural persons. 3.2.7 In the final analysis, the data types relating to "party affinity" are therefore to be subsumed as special categories of personal data within the meaning of Article 9 (1) DSGVO and are subject to the processing prohibition stipulated therein. 3.2.8. on possible grounds for authorisation: 3.2.8.1 The DSGVO provides several exceptions to the ban on processing special categories of personal data, which are listed exhaustively in Art. 9 (2) DSGVO. Processing is permissible in some cases if - subject to the fulfilment of further specified conditions - it is permissible under Union law or the law of a Member State (Article 9 (2) lit g DSGVO). 3.2.8.2 § 151 (6) GewO could constitute such a national legal norm. According to this provision, traders authorised to carry on the business of address publishers and direct marketing companies are permitted to use marketing information and classifications collected for marketing purposes which are attributed to specific persons on the basis of marketing analysis procedures ("marketing information") only for marketing purposes and - under further conditions - to pass them on to third parties. 3.2.8.3 As a more specific provision, Section 151(6) of the German Trade Regulation Act could take precedence over the provision of Section 151(4) of the German Trade Regulation Act, according to which the use of special categories of data requires the consent of the data subjects. Under this interpretation, § 151.6 of the GewO would also cover the processing of special categories of data and could justify the processing of data types for "party affinity" by the complainant. 3.2.8.4 Against the background of Article 9 (2) lit g DSGVO, however, such an interpretation of § 151 (6) GewO fails to be consistent with European law. The exception to the prohibition on processing special categories of personal data under Article 9 (2) (g) of the DPA, according to which processing is permissible on the basis of Union law or the law of a Member State, is subject to a major restriction: the legal act must be necessary for reasons of substantial public interest. 3.2.8.5 The interest pursued by the act must therefore be of general interest as such. The requirement of "relevance" is also intended to exclude measures which serve the general public but which are not so relevant to the general public that the general public would be seriously affected without the measure in question (Schiff in Ehmann/Selmayr Datenschutz-Grundverordnung² Art 9 para. 52). This covers interests of the public interest or common goods which are particularly worthy of protection (Schulz in Gola DS-GVO² Art 9 Rz 30). 3.2.8.6. According to recitals 46, 52 and 55 of the DSGVO, a public interest exists, inter alia, when personal data are processed in the field of labour law and social security law, including pensions, and for the purpose of ensuring and monitoring health and health alerts, prevention or control of infectious diseases and other serious health threats, for humanitarian purposes, including the monitoring of epidemics and their spread, or in humanitarian emergencies, in particular natural or man-made disasters, or processed by public authorities to achieve objectives laid down in constitutional or international law by religious communities recognised by the State Economic interests or address publishers and direct marketing companies are not mentioned. Only at one point, which does not concern special categories of data or public interests, does the EU legislator refer to data processing for the purpose of direct marketing, namely the question of when a legitimate (data processing) interest within the meaning of Art 6 (1) lit f DSGVO can be assumed (recital 47 of the DSGVO). 3.2.8.7. although not explicitly mentioned in the recitals, there is a (significant) public interest in a functioning economic system, it has a significant impact on the public and private budget and thus indirect effects on the examples of public interest mentioned in the recitals, such as the financial viability of the public health system or of emergency services. Against the background of the recitals, this can no longer be generalised to the existence of certain economic sectors which are not critical to the system. In principle, no significant public interest within the meaning of Art. 9 para. 2 lit g DSGVO can be assumed if the legal provision is only intended to facilitate the activities of a specific economic sector; in such cases, the general public would not normally be seriously affected without the measure in question. 3.2.8.8 A provision that allows publishers of direct mail and direct marketing companies to process marketing information, which is also a special category of personal data, without the consent of the data subjects, facilitates the activities of these businesses, but the absence of such a provision does not call into question the existence of the businesses. They are thus able to process marketing information without the consent of the persons concerned as long as it does not correspond to any of the special categories of personal data mentioned in Art. 9 para. 1 of the DPA, which is regularly sufficient. It is not evident that the general public could be seriously affected without such a regulation. Such a regulation is therefore not in the substantial public interest. 3.2.8.9 An interpretation of Section 151 (6) of the German Trade Regulation Act, according to which, contrary to Section 151 (4) of the German Trade Regulation Act, the consent of the data subject is not required for the processing of marketing information and classifications collected for marketing purposes, even if the marketing information and classifications are special categories of personal data within the meaning of Article 9 (1) of the German Data Protection Act, is therefore not possible if interpreted in conformity with European law. 3.2.8.10. The complainant cannot therefore base the processing of data types for "party affinity" on Article 9 (2) lit g DSGVO in conjunction with Article 151 (6) GewO. 3.2.8.11. Since the complainant cannot invoke any of the other exemptions in Article 9(2) DSGVO from the prohibition on processing special categories of data in Article 9(1) DSGVO either, and in particular since she has not obtained consent for the processing from the data subjects, the processing of the respective types of data for "party affinity" purposes proves to be unlawful. 3.2.9 The decisions of the ordinary courts submitted by the parties in the proceedings were not to be taken into account further due to the lack of binding effect. 3.3 The complaint against the performance contracts (Statement of Objections A): 3.3.1 The factual and legal situation relevant for the Federal Administrative Court is determined - in the absence of other statutory provisions - by the date of the administrative court's decision (cf. e.g. VwGH 24.03.2015 Ro 2014/09/0066); if necessary, the factual situation is determined by the date of the conclusion of the preliminary investigation procedure (Section 17 VwGVG in conjunction with Section 39 (3) AVG; cf. Kolonovits/Muzak/Stöger Verwaltungsverfahrensrecht11 Rz 835/1). Point 2. instructs the complainant, among other things, to delete special categories of personal data pursuant to Art. 9 DSGVO ("party affinities") which the complainant processes in the course of carrying on the business of "address publishers and direct marketing companies", unless there is an exception under Art. 17 para. 3 DSGVO. Since the decision of the prosecuted authority, the complainant has deleted the types of data relating to "party affinity" with the exception of those data relating to "party affinity" which were provided to data subjects in data protection information and no longer uses them for address publishing or marketing purposes. In view of the legal disputes which are taking place and are threatening to take place, the complainant can base this remaining data processing on the exception in paragraph 2 lit f of the processing ban on special categories of personal data in Article 9 of the DSGVO, namely the necessary assertion, exercise or defence of legal claims. The basis for issuing an order for cancellation has thus ceased to exist, which is why the part of the ruling under point 2. of the contested decision requiring cancellation had to be rectified without replacement. 3.3.2 Point 6 orders the complainant to carry out a new data protection impact assessment because the complainant has not given due consideration to the processing of party affinities and to supplement its list of processing activities concerning the processing of "DAM target group addresses" in such a way that special categories of personal data, namely "party affinities", are processed. Since the complainant no longer uses the types of data relating to party affinity for the purposes of address trading and marketing and is therefore no longer processed in the data processing of "DAM target group addresses", there is in fact no longer any reason to carry out the data impact assessment again or to adapt the list of processing activities, which is why point 6 above had to be removed without replacement. 3.4 The complaint against the injunction (point B): In ruling 2. of the contested decision, the authority against which the complaint was brought also ordered the complainant to refrain with immediate effect from processing special categories of personal data pursuant to ruling 1. The complainant submits that the authority in question wrongly based its mandate to refrain from processing the type of data known as "party affinity" on the power of redress under Article 58(2)(d) of the DPA. In fact, it should have relied on Article 58(2)(f) of the DSGVO. In principle, this must be accepted. According to Art 58 (2) lit. d DSGVO, the data protection authority, as the national supervisory authority within the meaning of Art 51 DSGVO (Art 18 (1) DSG), has the power of redress to instruct the controller or processor to bring processing operations into conformity with the DSGVO, if necessary in a specific way and within a specific period of time. If a processing operation is brought into conformity with the DSGVO, it must, according to the literal sense of this provision, still be carried out after the ordered measure has been carried out, albeit in an amended form. Otherwise it would not have been brought into compliance with the DSGVO but would have been prohibited or terminated (in this sense also Wlk-Rosenstingl in Knyrim, DatKomm Art 58 DSGVO Rz 34 (as of 1.10.2018, rdb.at)). The prohibition of the processing of data of the type "party affinity" ordered by the prosecuting authority and the deletion of any existing data put an end to the data processing, which is why the prosecuting authority wrongly relied on Art 58 (2) lit d DSGVO. However, the complainant has nothing to gain from this. The citation of an incorrect legal provision does not lead to the setting aside of the ruling as long as it can be based on another legal basis (in this sense, for example, VwGH 22.10.2012, 2012/03/0092). Such a legal basis exists - as the complainant also points out. The failure to process the data type "party affinity" can be based on Art 58 (2) lit f DSGVO, according to which the supervisory authority may impose a temporary or permanent restriction on processing, including a ban: Thus, according to Art 57 (1) lit a DSGVO, the national supervisory authority has the task of monitoring and enforcing the application of the DSGVO. To this end, Art 58 (2) DSGVO grants it various remedial powers, including the right to impose a ban on data processing in accordance with lit f leg cit. An ordered measure must be suitable, necessary and proportionate - with regard to the tasks of the supervisory authority - taking into account the circumstances of the individual case (ErwGr 129 DSGVO). The complainant has processed the special category of personal data "party affinity" for the purposes of address trading and direct marketing without the consent of the persons concerned or any other reason for consent under Article 9 paragraph 2 DSGVO and thus unlawfully. A ban on such processing is appropriate to enforce compliance with the DSGVO and, in the absence of alternatives, proportionate. It is also necessary, although the complainant no longer processes "party affinities" for the purposes of address trading and direct marketing. Thus, the complainant has already processed the "party affinities" without any exception to the processing ban of Art 9 DSGVO, which indicates a risk of repetition. Although the executive board has since withdrawn from the business, this was done for economic reasons. In legal terms, however, the complainant still considers the processing of "party affinities" to be permissible. There is therefore nothing to prevent the Managing Board from processing "party affinities" again in future, whether because the business of address trading and direct marketing is becoming particularly lucrative or because public opinion is changing to the effect that the processing of "party affinities" is viewed uncritically. The authority against which proceedings were brought was therefore in principle right to grant the injunction. 3.5 Confirmation of specifications: However, it must be taken into account that the processing of "party affinities" would not prove to be illegal if one of the exceptions to the processing ban in Art 9 DSGVO listed in para. 2 were to apply. In particular, the complainant is not prohibited from processing information in order to use it in any official or judicial proceedings, even if the information contains details of "party affinities" (Article 9 (2) lit f DSGVO). Since the authority complained of refers in the prohibition of processing in point 2 to the types of data in point 1, which refers to "party affinities" in the context of the operation of the business of "address and direct marketing", this could also cover permissible uses of data. Thus, the permissible provision and archiving of information under data protection law would also take place in the context of the operation of the business of "address and direct marketing". This would be excessive. The cease and desist order formulated in sentence 2. therefore had to be adjusted for clarification purposes to the effect that only the processing of "party affinities" for the purpose of address trading and direct marketing is prohibited. 3.6 It was therefore appropriate to make a ruling. On point C) Admissibility of the appeal: Pursuant to § 25a (1) VwGG, the Administrative Court must state in its ruling or order whether the appeal is admissible under Article 133 (4) B-VG. This statement must be briefly substantiated. The appeal is admissible because legal issues had to be resolved which are of fundamental importance within the meaning of Article 133 (4) B-VG. For example, there is a lack of case-law of the Administrative Court on the question of whether assessments of the interest of natural persons, determined from average values, in order to be able to treat them in a certain way, can constitute special categories of personal data within the meaning of Article 9 of the DSGVO concerning that person, even though the assessment of the natural person is not based on behaviour which he/she has chosen to adopt, nor on information (at least indirectly) concerning the assessment (here, his/her political opinion) concerning him/her. European Case Law Identifier ECLI:AT:BVWG:2020:W258.2217446.1.01