DSB (Austria) - DSB 2023-0.404.421

DSB - DSB 2023-0.404.421
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6(1)(f) GDPR
Article 6(4) GDPR
Article 83(2)(b) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 16.06.2023
Published: 18.10.2023
Fine: 1,000 EUR
Parties: n/a
National Case Number/Name: DSB 2023-0.404.421
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: co

The Austrian DPA issued a €1,000 monetary penalty against a controller for unlawfully further processing personal data in breach of Article 6(4) GDPR. The further purpose was political advertisement.

English Summary

Facts

The controller is employed as a sales representative at a road construction company and he is also the mayor of a municipality in Austria. In his capacity as sales representative, the controller regularly visits private homes of clients in relation to the development of the company’s district heating system and to promote new offers. In this context, the controller usually collects contact data of interested clients using a paper form. However, after one visit in January 2023, the controller saved the telephone numbers of seven clients on his mobile phone, and later contacted them via SMS advertising his political campaign as candidate in the elections in the Austrian region of Niederösterreich of 2023. The contacted persons, as data subjects, filed a complaint with the DSB claiming that they never gave their consent to be contacted via phone for purposes of political advertisement.

Holding

In its analysis, the DSB first of all assessed the existence of a legal basis for such processing. It found that, since none of the data subjects had given their consent to the controller to save their telephone numbers on his private mobile phone, the only possible legal basis for such processing could be Article 6(1)(f) GDPR.

In this, the DSB carried out a balancing exercise between the legitimate interest of the controller and the fundamental rights and freedoms of the data subjects, taking into account their legitimate expectations. In this case, the controller had an interest in expanding his circle of acquaintances in order to secure more votes on the day of the elections. However, the data subjects could not expect their personal data to be used in such a way by the controller, that is, for a completely different purpose from the one for which personal data has initially been collected. In conclusion, the DSB held that the interests and rights of the data subjects overrode those of the controller, hence he could not rely on Article 6(1)(f) GDPR as a legal basis. Other legal bases were also not applicable.

The DSB further held that under Article 5(1)(b) GDPR and Article 6(4) GDPR, personal data can be further processed for other purposes only depending on whether there is a link between the purposes, the context in which the collection occurred, the type of personal data concerned, the consequences of the further processing and, lastly, whether appropriate safeguards are in place. In this case the DSB found that a concrete, coherent or sufficiently close connection between the two purposes was already missing. Hence, the controller had processed personal data in violation of the principle of purpose limitation of Article 5(1)(b) GDPR and against the provisions of Article 5(1)(a) GDPR and Article 6(1)(f) GDPR in conjunction with Article 6(4) GDPR.

Further, the DSB found this type of behavior by the controller to be intentional, thus fulfilling the requirement of Article 83(2)(b) GDPR allowing the DSB to impose an administrative fine. The DSB decided to issue a fine in the amount of €1,000 against the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

GZ: 2023-0.404.421 from June 16, 2023 (Procedure number: DSB-D550.788)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for pseudonymization reasons. Obvious spelling, grammar and punctuation errors have been corrected.]

Penalty finding

Accused: Peter A***, born on April 14, 198*

As the person responsible within the meaning of Article 4 Z 7 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: "GDPR"), OJ No. L 119 of May 4, 2016, p. 1, as amended, you realized the following facts and thereby committed the following administrative violations:

-    In your role as controller, you have unlawfully processed personal data within the federal territory of Austria at least in the period from January 13, 2023 to January 26, 2023 by using the contact details (name and telephone number) of Ms. Melanie O***, Mr. Ernst P*** and five other people who are only known to you because of their status as employees of N*** Straßenbaugesellschaft m.b.H. were announced during customer visits, stored on your private mobile phone in order to subsequently keep them on record for the sending of political advertising in connection with the state elections in Lower Austria in 2023. The processing could not be based on any of the permissions standardized in Article 6 Para. 1 GDPR. There was also no permissible further processing in accordance with Art. 6 Para. 4 GDPR.

As a result, you have violated the following requirements of the GDPR:

   Legality of data processing in accordance with Article 6, paragraphs 1 and 4 of the GDPR

   Principle of processing personal data lawfully, in good faith and in a manner understandable to the data subject in accordance with Article 5 Paragraph 1 lit. a GDPR (“Lawfulness, fair processing, transparency”)

   Principle of processing personal data for specified, explicit and legitimate purposes pursuant to Article 5(1)(b) GDPR (“earmarking”)

Administrative offense according to:

Art. 5 Para. 1 lit. a and lit. b, Art. 6 Para. 1 and 4 in conjunction with Art. 83 Para. 5 lit. a GDPR, OJ L 2016/119, p. 1, as amended

The following penalty is imposed for this administrative offense:

Fine: 1,000.00 euros

If this is irrecoverable, a substitute prison sentence of: 60 hours

According to: Art. 83 Para. 1 lit

Furthermore, in accordance with Section 64 of the Administrative Penalties Act 1991 - VStG, you must pay:

100.00 Euros as a contribution to the costs of the criminal proceedings, which is 10% of the fine, but at least 10 Euros;



Euros as a replacement for cash expenses



The total amount payable (penalty/costs/cash expenses) is therefore 1100.00 Euro

Payment deadline:

If no complaint is made, this penalty is immediately enforceable. In this case, the total amount must be paid into the account [shortened here] in the name of the data protection authority within two weeks of the entry into legal force. The business number and the completion date should be stated as the intended purpose.

If no payment is made within this period, the total amount can be collected. In this case, a flat-rate contribution of five euros must be paid. If payment is not made, the outstanding amount will be enforced and, if it cannot be collected, the equivalent prison sentence corresponding to this amount will be carried out.

Reason:

1.   The following facts relevant to the decision are established based on the evidence procedure carried out:

1.1. The accused is the mayor of the market town of L***berg.

1.2. In addition, the accused is a sales representative at N*** Straßenbaugesellschaft m.b.H.

1.3. In this capacity, the accused regularly carries out home visits to customers in connection with the expansion of the district heating network and to submit offers. The data collection by N*** Strassenbaugesellschaft m.b.H. takes place using a pre-prepared - non-digital - form into which the contact details of interested customers are entered.

1.4. In any case, after an appointment on January 13, 2023, the accused saved Ms. Irmgard O***'s name and telephone number on his private cell phone in order to send her political advertising on his own behalf at a later date for the state elections in Lower Austria in 2023.

1.5. At the time of the crime, the complainant also saved the name and telephone number of Mr. Ernst P*** and five other people, whose contact details he had collected as an employee of N*** Strassenbaugesellschaft m.b.H.

1.6. On January 25, 2023 and January 26, 2023, the accused sent the following SMS message with the attachment shown below to three mobile phone numbers collected in this way in the run-up to the state elections in Lower Austria in 2023 (formatting not reproduced 1:1):

“Have a nice morning!

I, Peter A***, was on site to record data for the preparation of the offer (district heating connection). I am the mayor of L***berg and am now applying for a mandate for our [name of the region], the southern region of our district, in the Lower Austrian state parliament for the [name of the election proposal].

There is some information and a video about me at this link - https://***.***partei-noe.at/kanidenliste/Peter-A***/ -

For us, every preferential vote counts! If you would like to support me, you can place me on the constituency list **. Mark with a cross. Whoever has the most preferential votes of the ** candidates receives the mandate. I will send a sample ballot paper as a photo.

Have a nice day and kind regards Peter A***”

[Editor's note: The graphical representation of the ballot paper with election advertising elements inserted here cannot be pseudonymized with reasonable effort and has been removed.]

1.7. The data subjects did not consent to their personal data being stored by the accused on his private mobile phone for the purpose of future political advertising.

1.8. The accused has now deleted the contact details from his private cell phone - on January 26, 2023 at the earliest.

1.9. In 2022, the accused had an annual gross income of EUR 61,579.44 and debts of EUR 83,000.00 due to the renovation of his parents' house.

2.   The findings are made based on the following assessment of evidence:

2.1. First of all, it should be noted that the facts were essentially not disputed by the accused in his submissions to the data protection authority.

2.2. The statement on point 1.4. is based in particular on the complaint procedure conducted by the data protection authority regarding case number D124.0111/23, which was concluded with a legally binding decision dated March 16, 2023. This shows that the accused visited a customer on January 13th, 2023 and then saved Irmgard O***'s data on his private cell phone in order to use it for political advertising via an SMS message on January 25th, 2023.

2.3. That the accused, at the time of the crime, also had the data of Ernst P*** and five other people, whose contact details he had collected as an employee of N*** Strassenbaugesellschaft m.b.H., stored on his private mobile phone arises, on the one hand, from the complaint procedure for case number D124.0110/23 and, on the other hand, from the allegations made by the accused in his supplementary statement of May 30, 2023, submitted in the present proceedings.

2.4. The fact that the accused has now deleted the data from his private cell phone can be seen from the statements in his justification dated May 22, 2023. The fact that the deletion took place on January 26, 2023 at the earliest is evident from the fact that he sent a text message for election advertising on that day.

2.5. The determination of the accused's income and debts results from the announcement of his income and assets sent with his statement dated May 30, 2023 and the enclosed income tax assessment for the year 2022.

3.   Legally it follows:

3.1. On the subject scope of the GDPR and the responsibility of the data protection authority

3.1.1. The material scope of application of the GDPR in accordance with Article 2 GDPR is undoubtedly fulfilled in the present case. The accused did not make any claims to the effect that the GDPR would not apply. The household exception according to Article 2 Paragraph 2 Letter c GDPR is not fulfilled because the processing took place in connection with the professional activity of the accused (cf. Recital 18 GDPR).

3.1.2. Art. 83 Para. 5 lit. a GDPR stipulates that violations of the provisions of Articles 5, 6, 7 and 9 GDPR are subject to fines of up to 20,000,000 euros or, in the case of a company, up to 4% of its total worldwide annual turnover of the previous financial year, whichever is higher. According to Section 22 Para. 5 DSG, responsibility for imposing fines on natural and legal persons for Austria, as the national supervisory authority, lies with the data protection authority.

3.1.3. As a result, the GDPR applies to the specific case and the data protection authority is responsible for the administrative criminal proceedings in question, both factually and locally.

3.2. On the lawfulness of data processing

3.2.1. The GDPR defines the term “processing” in Art. 4 Z 2 GDPR by listing a number of possible usage processes. This includes collecting, recording, organizing, arranging, storing, adapting or changing, reading out, querying, using, disclosing through transmission, distribution or any other form of provision, comparison or linking, restriction, deletion or destruction.

3.2.2. By saving the contact details of the data entered on the physical forms in his private mobile phone in order to send political advertising to them at a later date, the accused has in any case processed personal data as the person responsible within the meaning of Art. 4 Z 2 GDPR.

3.2.3. The requirements for lawful data processing are conclusively specified in Art. 6 GDPR. Accordingly, the lawfulness of any processing requires that the processing - cumulatively to the other principles regulated in Art. 5 Para. 1 - must comply with at least one of the legal grounds conclusively set out in Art. 6 Para. 1 GDPR (see Selmayr in Ehmann/Selmayr, General Data Protection Regulation, Comment², Art 5 Rz 8f).

3.2.4. In the present case, only the justification according to Art. 6 Para. 1 lit. f GDPR comes into question. There was no consent from those affected for the accused to save their contact details on his private mobile phone. No other justification was put forward by the accused during the proceedings. Accordingly, the existence of legitimate interests of the accused or third parties within the meaning of Article 6 Paragraph 1 Letter f GDPR had to be examined. With regard to the lawfulness of processing operations with regard to Article 6 Para. 1 lit. f GDPR, recital 47 of the GDPR explains, among other things, that this can be justified by the legitimate interests of a controller, provided that the interests or the fundamental rights and freedoms of the data subject do not predominate; the reasonable expectations of the data subject based on their relationship with the person responsible must be taken into account. In any case, the existence of a legitimate interest must be assessed particularly carefully, including whether a data subject could reasonably foresee, at the time of collecting the personal data and given the circumstances in which it takes place, that processing for this purpose may take place. In particular, when personal data is processed in situations where a data subject cannot reasonably expect further processing, the interests and fundamental rights of the data subject will outweigh the interests of the controller.

3.2.5. Article 6 (1) (f) of the GDPR therefore allows processing under three cumulative conditions: (i) the pursuit of a legitimate interest; (ii) necessity of the processing and (iii) no outweighing of the rights and freedoms of others (cf. judgment of the ECJ of December 11, 2019, Rs C-708/18, paragraph 36 with further references).

3.2.6. In the present case, the defendant's interest in collecting the contact details of those affected was to “expand his circle of acquaintances” and subsequently generate more preferential votes for the state elections in Lower Austria. If it is assumed that the data processing carried out is necessary to achieve this goal, the interests of the data subjects outweigh:

3.2.7. Due to their relationship with the accused, they could not reasonably expect that he would subsequently save their contact details, which they had only provided to him in his capacity as an employee of N*** Strassenbaugesellschaft m.b.H., on his private mobile phone, and could in no way foresee that the contact details they had provided would be used by the accused for a completely different purpose - namely to contact them for political purposes.

3.2.8. After weighing up interests, the conclusion is that the confidentiality interests and fundamental rights of those affected (right to secrecy according to Section 1 Para. 1 DSG and the right to respect for private and family life according to Article 7 EU-GRC as well as the right to protection of personal data according to Art. 8 EU-GRC) outweigh the interests of the accused.

3.2.9. As a result, the legal basis according to Art. 6 Para. 1 lit. f GDPR is not suitable for the specific processing. Any other legal basis according to Article 6 Paragraph 1 GDPR is not possible and was not put forward by the accused.

3.2.10. According to Article 5 Paragraph 1 Letter b GDPR, personal data must be collected for specified, clear and legitimate purposes and may not be further processed in a manner that is incompatible with these purposes (“purpose limitation”).

3.2.11. In addition, pursuant to Article 6(4) of the GDPR, if the processing for a purpose other than that for which the data was collected is not based on the consent of the data subject or on a legal provision of the Union or of the Member States, it is necessary to determine whether processing for another purpose is compatible with the purpose for which the personal data were originally collected, taking into account, among other things, firstly, whether there is a connection between the purposes for which the personal data were collected and the purposes of the intended further processing, secondly, the context in which the personal data were collected, in particular the relationship between the data subjects and the controller, thirdly, what type of personal data is involved, fourthly, what consequences the intended further processing has for the data subjects and fifthly, whether there are appropriate guarantees in both the original and the intended further processing operations.

3.2.12. According to the ECJ, these criteria are intended to reflect the need for a concrete, coherent and sufficiently close link between the purpose of data collection and further processing of the data and to limit the re-use of previously collected personal data, while striking a balance between the need for predictability and legal certainty with regard to the purposes of processing the previously collected personal data on the one hand and the recognition of a certain flexibility for the benefit of the controller in the management of these data on the other hand (see the judgment of the ECJ of October 20, 2022, C-77/21, paragraphs 36 and 37).

3.2.13. In the present case, there was neither a concrete, coherent or sufficiently close connection between the purpose of data collection and further processing of the data, nor was it in any way foreseeable to those affected that their data would be processed for a completely different purpose (see above under 3.2.7).

3.2.14. By further processing the contact details of the customers of N*** Straßenbaugesellschaft m.b.H. in a manner that is incompatible with the original purpose of the collection, the accused has violated the principle of purpose limitation in accordance with Article 5 Paragraph 1 Letter b GDPR and Article 6 Paragraph 1 Letter f in conjunction with Paragraph 4 GDPR.

3.2.15. Against the background of the facts assumed to be proven, the accused processed personal data unlawfully and without a legitimate purpose, contrary to the provisions of Article 5 Paragraph 1 Letters a and b as well as Article 6 Paragraphs 1 and 4 GDPR. This means that the objective side of the crime is fulfilled.

3.3. On the subjective side of the crime

3.3.1. From a subjective point of view, it should be noted in the present case that due to the deliberate storage of the contact details for future contact for political elections, it can be assumed that the accused carried out the processing in question intentionally. Therefore, on the subjective side of the offense, there is culpability in the form of intent within the meaning of Art. 83 Para. 2 lit. b GDPR.

4.   For sentencing, the following must be noted:

4.1. Pursuant to Article 83 (1) GDPR, the data protection authority must ensure that the imposition of fines for violations pursuant to paragraphs 5 and 6 is effective, proportionate and dissuasive in each individual case. In more detail, paragraph 2 leg cit stipulates that when deciding on the imposition of a fine and its amount in each individual case, the following must be duly taken into account:

a)   The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of persons affected by the processing and the extent of the damage suffered by them;

b)   Intentional or negligent breach;

c)   any measures taken by the controller or processor to mitigate the harm caused to data subjects;

d)   Degree of responsibility of the controller or processor, taking into account the technical and organizational measures taken by them in accordance with Articles 25 and 32;

e)   any relevant previous breaches by the controller or processor;

f)   The extent of cooperation with the supervisory authority to remedy the breach and mitigate its possible adverse effects;

g)   Categories of personal data affected by the breach;

h)   How the violation became known to the supervisory authority, in particular whether and, if applicable, to what extent the controller or processor reported the violation;

i)   […]

j)   […]

k)   any other aggravating or mitigating circumstances in the relevant case, such as financial benefits gained or losses avoided directly or indirectly as a result of the breach.

4.2. The assessment of punishment within a statutory penalty framework is a discretionary decision that must be made in accordance with the criteria set by the legislature in Section 19 VStG (cf. VwGH September 5, 2013, 2013/09/0106).

4.3. According to Section 19 Para. 1 VStG, the basis for determining the punishment is the significance of the legal interest protected by criminal law and the intensity of its impairment by the crime. Furthermore, depending on the purpose of the threat of punishment, the possible aggravating and mitigating reasons must be weighed up against each other, insofar as they do not already determine the threat of punishment. Particular attention must be paid to the extent of the fault. Taking into account the nature of administrative criminal law, Sections 32 to 35 of the Criminal Code are to be applied mutatis mutandis. The defendant's income and financial circumstances and any care obligations must be taken into account when determining fines; however, this applies only to the extent that the directly applicable provisions of the GDPR do not supersede the provisions of the VStG and to the extent required by Article 83 Para. 8 GDPR and Recital 148 with regard to the procedural guarantees to be ensured.

4.4. If a fine is imposed on a natural person, in accordance with Section 16 Para. 1 VStG, a substitute prison sentence must also be imposed in the event that it cannot be collected. The substitute prison sentence may not exceed the maximum prison sentence threatened for the administrative offense and, if no prison sentence is threatened and nothing else is stipulated, two weeks.

4.5. In relation to the facts at hand, the following aggravating factors were taken into account when determining the sentence:

    Nature and severity of the violation: The processing in question by the accused represents a serious interference with the data protection rights of seven data subjects. The data subjects could trust that their personal data, which they disclosed to the accused as an employee of a private company, would not subsequently be kept on record by the accused as contact details for election calls. Individuals running for political office should not gain an electoral advantage by using personal information that has been entrusted to them for an entirely different purpose. As a result, the type and intensity of the interference with fundamental rights can be classified as high.

    Intentionality: The violation was committed intentionally by the accused (see point 3.3.1.).

4.6. In relation to the facts at hand, the following was taken into account as a mitigating factor when determining the sentence:

    Previous convictions: To date, the data protection authority has no record of any relevant previous convictions of the accused for violations of the GDPR or the DSG.

    Participation in administrative criminal proceedings: The accused responded to the requests of the data protection authority in the administrative criminal proceedings in a timely manner. The accused admitted to the data protection authority that he had sent the messages, was cooperative in working with the authority and confessed. This contributed significantly to clarifying the matter. Furthermore, through his confession, the accused recognized the injustice of his act.

4.7. According to the established jurisprudence of the VwGH, considerations of special prevention and general prevention may also be taken into account when determining the punishment (see VwGH May 15, 1990, 89/02/0093, VwGH April 22, 1997, 96/04/0253, VwGH January 29, 1991, 89/04/0061). Pursuant to Article 83 (1) of the GDPR, the supervisory authorities must also ensure that the fines are effective, proportionate and dissuasive in each individual case.

4.8. In any case, the imposition is necessary in a general preventative sense in order to make those responsible (such as other people who aspire to or hold political office) aware of such unlawful data processing.

4.9. There are no special preventive reasons. The data protection authority was given the impression that the accused would no longer commit such violations in the future.

4.10. The specific fine imposed in the amount of EUR 1,000.00 therefore appears, in the light of the actual value of the crime and measured against the available penalty range of Art. 83 Para. 5 GDPR (here up to EUR 20,000,000), in conjunction with the income and financial circumstances of the accused, to be appropriate to the crime and guilt.