BVwG - W258 2227269-1/39E

From GDPRhub
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(1)(a) GDPR
Article 6(4) GDPR
Article 9 GDPR
Article 35 GDPR
Article 30(1)(c) GDPR
Decided: 27.12.2024
Published: 14.02.2025
Parties:
National Case Number/Name: W258 2227269-1/39E
European Case Law Identifier: ECLI:AT:BVWG:2024:W258.2227269.1.01
Appeal from: DSB (Austria)
D550.148/0017-DSB/2019
Appeal to:
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: ao

A court partially upheld a decision by the DPA on the unlawful processing of data subjects’ estimated political affiliation by the Austrian postal service. The court reduced the fine from €18 million to €16 million.

English Summary

Facts

On 8 January 2019, the Austrian DPA (Datenschutzbehörde – DSB) launched an investigation into the actions of the Austrian postal service, as it also had a business license for address publishing and direct marketing. Media reports had claimed that the postal service (the controller) sold data concerning the political affinities of data subjects to third parties.

The controller ran a platform entitled “Adress Shop” on which it sold personal data to legal entities. The datasets included names and addresses but, more importantly, also data subjects’ affinities to certain things, such as an affinity to moving house, an affinity to organic products or how frequently a data subject receives packages. The purpose of the data processing was to sell this data to third parties who would use it for marketing purposes and could therefore avoid scattering losses. In order to create this database, the controller abused its position as postal service provider. In the postal service contract provided to data subjects, the controller had included a notice stating that data subjects agree to their personal data being processed for marketing purposes. The contract, however, also included a box which could be ticked in order to refuse the data processing for marketing purposes.

One of these affinities was expressed as an affinity score concerning the main political parties in Austria. For example, data subjects would be assessed with either a “very low”, “low”, “high” or “very high” affinity towards the SPÖ (the Socialist Party of Austria), the ÖVP (the Conservative Party of Austria) or any other major political party. The controller calculated this score by combining anonymous survey results, socio-demographic data (e.g., age or level of income and education) and voting results of particular regions.

On 20 February 2019, the DSB alleged that the controller had unlawfully processed sensitive data under Article 9 GDPR. The DSB found that the controller could not rely on a legal basis for the processing of this data and that the controller had sold the data to third parties. The DSB issued a fine of €18,000,000 for the processing of sensitive data and other violations. The full details can be found here.

On 25 November 2019, the controller appealed the decision of the DSB to the Austrian Federal Administrative Court (Bundesverwaltungsgericht – BVwG) and alleged that the DSB had inadequately assessed the situation. On the 26 November, the BVwG annulled the decision of the DSB, stating that the DSB had failed to name a natural person to whom the actions of the controller could be attributed. Under an Austrian provision, namely paragraph 45(1)(3) of the Administrative Penal Code (Verwaltungsstrafgesetz - VStG), all necessary requirements for the penalization of a natural person must be fulfilled in order to fine a legal person for a violation of the GDPR.

This finding was, however, annulled by the Supreme Administrative Court (Verwaltungsgerichtshof – VwGH) on 1 February 2024. The VwGH explained that although the BVwG correctly applied the national provision, the CJEU case C-807/21 Deutsche Wohnen showed that Article 58(2)(i) GDPR and Article 83 GDPR are excluded from national derogations. Therefore, the BVwG should not have applied the national provision. The case was therefore referred back to the BVwG.

Holding

The BVwG reassessed the case and partly upheld the DSB decision but made the following alterations.

Article 9 GDPR data related to political affinities

The BVwG confirmed that the controller had at no point in time obtained the consent of the data subjects and had therefore been processing data in violation of Article 9(1) GDPR since 25 May 2018. The BVwG held that the controller's conduct had been negligent. The BVwG noted that the controller had made efforts to apply the GDPR correctly but criticized, for example, that the DPO had to monitor all processing activities, which did not amount to an effective monitoring and controlling system, as it would require too much time for just one person.

The BVwG held that it was clearly unacceptable that the DPO thought that the data processed did not constitute personal data, especially when it was explicitly connected to an individual person. Further, the BVwG found that the controller never conducted an assessment on whether certain affinities could constitute sensitive data under Article 9 GDPR. The BVwG classified this as grossly negligent behaviour on the part of the controller. The BVwG concluded that the controller should have consulted an external expert about the uncertainties it had concerning the correct application of the GDPR.

Affinity towards receiving packages

In relation to the data processed to assess data subjects' affinity for receiving packages, the controller was in a privileged position to have access to the relevant data. However, it then further processed this data, contrary to its legal mandate, to create projection models for marketing purposes in violation of Article 6(4) GDPR. The court also held that this violated the principles of fairness and transparency under Article 5(1)(a) GDPR. The BVwG highlighted that the controller knew that its positions as postal service provider and data broker were likely to cause issues; its behaviour was therefore classified as negligent.

Affinity towards moving house

Assessing whether data subjects were likely to move house differed from the assessment of an affinity towards receiving packages, as there was a contractual relationship between the data subject and the controller due to contractual redirection orders. The BVwG assessed that the minimal information provided to data subjects on the processing for marketing purposes proved to be just about enough, as the personal data was made up of a calculation of averages which was then anonymized. The court found that this could be classified as processing which, based on the controller's description, could be expected from the notice included in the contract. In addition, data subjects could easily refuse the data processing.

Data Protection Impact Assessment

The controller had processed an extensive amount of sensitive data which requires a data protection impact assessment. The controller’s assessment that this data processing was of low risk was therefore faulty. The controller had therefore violated Article 35(3)(b) GDPR and Article 35(7) GDPR. The BVwG held that as the controller had negligently categorized its processing as not concerning any sensitive data, it consequently also proves to have acted negligently in assessing the risks under Article 35 GDPR. The BVwG rejected the controller’s argument that penalization under Article 35 GDPR would result in a double punishment for the same offence. It explained that the general obligations under the GDPR pursue a different aim to the provisions governing lawfulness of the processing. Further, the DPIA is to be conducted prior to processing.

Records of processing

The faulty and therefore inadequate DPIA resulted in a violation of Article 30(1)(c) GDPR, which requires the records of data processing to include the categories of data processed. The BVwG again assessed that the controller had acted negligently in relation to this aftereffect of its faulty categorization of the processed data. The controller had merely stated that the data would be processed for marketing purposes and this was held to have been inadequate as the controller processed data such as the political affinities. The BVwG held that the controller had failed to provide a full description of all the processed categories.

Fine

The BVwG reduced the fine to €16 million mainly based on the controller's low annual turnover. Further, the BVwG noted that the political data had only been sold to two political parties, which resulted in a limited number of data subjects being affected.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Headquarters Vienna
Erdbergstrasse 192 – 196, 1030 Vienna
Tel: +43 1 601 49 – 0
Fax: +43 1 711 23–889 15 41
www.bvwg.gv.at
Decision date: December 27, 2024
Reference number: W258 2227269-1/39E
IN THE NAME OF THE REPUBLIC!
The Federal Administrative Court, through Judge Mag. Gerold PAWELKA-SCHMIDT as chairman and the expert lay judge Mag. Julia Maria WEISS as assessor and the expert lay judge Gerhard RAUB as assessor, has rightly ruled on the appeal by XXXX, represented by Schönherr Rechtsanwälte GmbH, 1010 Vienna, against points I., II.a), IV., V. and VI. of the penal decision of the data protection authority dated 23.10.2019, GZ XXXX, after conducting an oral hearing on 20.11.2024 and 28.11.2024, by circulation:

A)

The appeal is partially upheld and

I.) the proceedings with regard to point II.a., insofar as it relates to the frequency of moving, according to Section 45 Paragraph 1 Item 1 2nd Case VStG discontinued,

II.) the period of the offense under II. limited to: "from May 25, 2018 to February 2019" and

III.) the fine pursuant to Section 30 DSG to EUR 16,000,000 (in words: sixteen million euros)

and

III.) the procedural costs pursuant to Section 64 Paragraph 2 VStG reduced to EUR 1,600,000 (in words: one million and six hundred thousand euros).

III.) In all other respects, the contested penal decision is confirmed with the proviso that it should read

a) in point I.

“As part of the exercise of the business of “address publishers and direct marketing companies”, it processed the probability with which a natural person is interested in election advertising of a particular party (“XXXX affinities”) for its product “DAM target group addresses”, namely calculated for the natural persons contained in its DAM database, assigned to them and stored and sold, the latter in order to enable third parties to reduce wastage in advertising, namely

a) assigned and stored until February 21, 2019 for approximately XXXX natural persons and

b) calculated until June 30, 2018 for and sold to XXXX with regard to all data mentioned in a) and until February 21, 2019 to XXXX and the XXXX with regard to all data mentioned in a) limited to natural persons with addresses in XXXX.",

II.a)

"1.) For its product "DAM target group addresses" with regard to the persons contained in its DAM database, it has taken at least a list of the packages received, including the time of their receipt, from the parcel delivery business area (“key figures”) and from this calculated the package frequency of the respective person, i.e. the number of packages that the person received in a certain period of time, and subsequently anonymized the data in order to create a projection model for marketing purposes.

2.) With regard to the allegation that she unlawfully processed the “moving affinity” or the “moving frequency” used to calculate it in the course of carrying out the business of “address publishers and direct marketing companies”, the proceedings are discontinued in accordance with Section 45 Paragraph 1 Item 1 2nd Case VStG.” and

VI.)

“She failed to create a flawless list of processing activities for the application of “DAM target group addresses” by failing to include a sufficient description of the data category “marketing”, namely

“MARKETING, such as installment payers, customer cards, bargain hunters, animal lovers, sport, Sinus Milieu, neurotypes, travel, organic, night owls, leisure grillers, package score, DIY enthusiasts, online shoppers, brand, style high fashion, life phase, XXXX affinity, income, purchasing power, agriculture, Number Children, baby, toddler, child, schoolchild, adolescent, marital status";"

and

b) in the violated legal provisions on the points of the ruling:

I. "Article 5 paragraph 1 lit a in conjunction with Article 9 paragraph 1 in conjunction with Article 83 paragraph 5 lit a GDPR",

II.a.1.): "Article 5 paragraph 1 lit a 2nd and 3rd case in conjunction with Article 83 paragraph 5 lit a GDPR, Article 5 paragraph 1 lit b in conjunction with Article 6 paragraph 4 in conjunction with Article 83 paragraph 5 lit a GDPR",

IV.: "Article 35 paragraph 3 lit b in conjunction with Article 35 paragraph 7 lit c in conjunction with Article 83 paragraph 4 lit a GDPR" and

V. and VI.: "Article 30 paragraph 1 lit c GDPR in conjunction with Article 83 paragraph 4 lit a GDPR".

B)

The appeal is admissible in accordance with Article 133 Paragraph 4 of the Federal Constitutional Law.

Reasons for the decision:

I. Procedure:

1. Due to media reports about the alleged sale of personal data, in particular information about the "political affinity" of certain persons, the authority concerned initiated an official investigation procedure against the complainant on January 8, 2019, which was concluded with a decision dated February 11, 2019, GZ DSB-XXXX.

2. Based on the results of the investigation of the official review procedure, the authority concerned initiated administrative penal proceedings against the complainant and, with a request for justification dated February 20, 2019, charged her with the following administrative offenses:

The complainant is suspected of having unlawfully processed special categories of personal data in accordance with Art. 9 GDPR ("XXXX affinities") in the context of the exercise of the business of "address publishers and direct marketing companies" by not obtaining the consent of the data subjects and the data processing could not otherwise be based on any of the facts exhaustively listed in Art. 9 GDPR,

2. personal data such as, for example,

‒ affinity for donations

‒ affinity for bio-affinity

‒ affinity for partnerships

‒ affinity for annual income

‒ affinity for employment

‒ affinity for qualifications

‒ Consumer-oriented basis

‒ Night owls

‒ Package frequency (number of packages in a certain period of time)

‒ Moving affinity

‒ Investment affinity

‒ Life phase

to have unlawfully processed data (storage and sale to third parties) in the context of the exercise of the business of “address publishers and direct marketing companies” by not obtaining the consent of the data subjects and the data processing could not otherwise be based on any of the legality provisions exhaustively listed in Art. 6 Paragraph 1 GDPR,

3. to have thereby violated its obligation to carry out a data protection impact assessment concerning the application “DAM target group addresses” (note: DAM stands for data and address management) by not carrying out the data protection impact assessment in the period from March to June, contrary to the time information in the data protection impact assessment 2018, but at a later date, but in any case after 25 May 2018,

4. the data protection impact assessment for the application “DAM – target group addresses” was incorrectly prepared because it denied the processing of special categories of personal data, although according to Appendix 2D the “XXXX affinity” was calculated and as a result the existence of a high risk was therefore in any case denied,

5. the directory for the processing activity “DAM – target group addresses” was incorrectly prepared because it

‒ a. contained the processing of particularly sensitive data, including political opinions, and

‒ b. extensive processing of sensitive data is denied,

6. the list of processing activities “DAM – target group addresses” was inadequately created because it did not list all the data categories actually processed,

7. it failed to carry out a consultation in accordance with Art. 36 GDPR and

8. it did not fulfil its obligations under Art. 14 GDPR by not informing those affected to the required extent about which data not collected directly from the data subject is collected by whom and in what way and subsequently transmitted to third parties – e.g. sold or made available in another way – thus administrative offences in accordance with

Re 1): Art. 5 para. 1, Art. 9 in conjunction with Art. 83 para. 5 lit. a GDPR

Re 2): Art. 5 para. 1, Art. 6 para. 1 in conjunction with Art. 83 para. 5 lit. a GDPR

Re 3) + 4): Art 35 in conjunction with Art 83 Para 4 lit a GDPR

Regarding 5 + 6): Art 30 in conjunction with Art 83 Para 4 lit a GDPR

Regarding 7): Art 36 in conjunction with Art 83 Para 4 lit a GDPR

Regarding 8): Art 14 in conjunction with Art 83 Para 5 lit b GDPR

to have committed.

3. After conducting an evidentiary procedure and an oral hearing on 23.09.2019, the authority concerned issued a penal order dated 23.10.2019, stating that the accused, as the controller within the meaning of Article 4 Z 7 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5.2016, p. 1, was responsible for the following:

for I.: from 25.05.2018 to 21.02.2019,

for II.: from 25.05.2018,

for IV.: from 25.05.2018,

for V.: from 25.05.2018 and

to VI.: from 25.05.2018,

I. the unlawful processing of special categories of personal data within the meaning of Art 9 GDPR (“XXXX affinities”) in the context of the exercise of the trade “address publishers and direct marketing companies”; this because no consent was obtained from the persons concerned and the data processing cannot otherwise be based on any of the facts exhaustively listed in Art 9 GDPR;

II.

a) the unlawful further processing of personal data, namely the number of packages received during a certain period of time (package frequency) and the frequency of moves of data subjects in the context of the exercise of the business "address publishers and direct marketing companies"; this because no consent of the data subjects was obtained and the data processing cannot otherwise be based on any of the legality provisions exhaustively listed in Art. 6 Para. 1 GDPR and the data relating to the package frequency and the frequency of moves were used for a purpose not covered by Art. 6 Para. 4 GDPR;

IV. the incorrectness of the data protection impact assessment for the application “DAM – target group addresses”, since it denied the processing of special categories of personal data, although the “XXXX affinity” had been calculated and processed, and yet the result was that the existence of a high risk was in any case denied,

V. the incorrectness of the directory for the processing activity “DAM – target group addresses”, since according to this

a) the processing of particularly sensitive data, including political opinions, and

b) the extensive processing of sensitive data was denied and

VI. the inadequacy of the directory for the processing activity “DAM – target group addresses”, since it did not list all the data categories actually processed and was therefore not prepared in sufficient detail.

The breach of duty is attributed to the legal entity XXXX because the natural persons responsible for the violations belong to the economic unit formed by the controller as a legal entity.

The controller has thereby violated the following legal provision(s):

Re: I.: Art. 5 para. 1 lit. a, Art. 9 in conjunction with Art. 83 para. 5 lit. a GDPR

Re: II.a): Art. 5 para. 1 lit. a and lit. b, Art. 6 para. 1 and para. 4 in conjunction with Art. 83 para. 5 lit. a GDPR

Re: IV.: Art. 35 in conjunction with Art. 83 para. 4 lit. a GDPR

Re: V. and VI.: Art. 30 in conjunction with Art. 83 para. 4 lit. a GDPR.

According to Article 83 paragraph 5 letter a of the GDPR, a fine of XXXX will be imposed on them and reimbursement of the procedural costs in the amount of XXXX will be imposed.

On the other hand, the proceedings will be discontinued in relation to the allegation,

II b) of unlawful processing through the storage and sale of personal data in the categories

- donation affinity

- bioaffinity

- partnership

- annual income

- type of employment

- qualification

- consumption-oriented basis

- night owl

- investment affinity

- phase of life,

III. the accused thereby violated her obligation to carry out a data protection impact assessment regarding the application “DAM target group addresses” by not carrying out the data protection impact assessment in the period March to June 2018, but at a later date, but in any case after May 25, 2018,

VII. according to which the accused (wrongly) failed to carry out a consultation in accordance with Art. 36 GDPR,

VIII. according to which the accused failed to fulfil her obligations under Art. 14 GDPR by not informing the data subject to the required extent about which data not collected directly from the data subject is collected by whom and in what way and subsequently transmitted to third parties - e.g. sold or made available in another way -

in each case discontinued in accordance with Section 45 Paragraph 1 Item 1 (1st case) VStG.

4. The present complaint of November 25, 2019 is directed against this decision due to deficiencies in the determination, incorrect legal assessment, unlawful assessment of guilt and assessment of the level of punishment and requested, with further justification, that the penalty decision be repealed without replacement and that the proceedings be discontinued in accordance with Section 38 VwGVG in conjunction with Section 45 Paragraph 1 VStG, in the event that the proceedings be discontinued in accordance with Section 38 VwGVG in conjunction with Section 45 Paragraph 1 Z 4 VStG in conjunction with Section 11 DSG with the issuing of a warning or in conjunction with Section 33a VStG by counseling or in conjunction with Section 45 Paragraph 1 Z 1 VStG with a warning, in the event that the level of punishment be reduced to a level appropriate to the offense and guilt. Among other things, in order to impose a fine under the GDPR on a legal person such as the person concerned, it is not sufficient to commit a criminal offence; as a legal person who cannot act on his own, the actions of a natural person must also be attributed to him. The authority concerned failed to make this attribution pursuant to Section 30 of the Data Protection Act.

5. With a file submission dated January 7, 2020, received on January 9, 2020, the authority concerned submitted the complaint to the Federal Administrative Court, attaching the administrative act, contested the complaint and requested that the complaint be dismissed with further justification. Among other things, the authority concerned stated that since fines under the GDPR are a type of association liability model that does not reduce the procedural guarantees required by fundamental rights, there is no room for an attribution rule such as Section 30 of the DSG.

6. By decision of the Federal Administrative Court of November 26, 2020, W258 2227269-1/14E, the complaint was upheld, the contested penal decision was overturned and the proceedings were discontinued in accordance with Section 45 Paragraph 1 Item 3 of the Administrative Penalty Act. In its justification, the Federal Administrative Court stated, with reference to VwGH 12.05.2020, Ro 2019/04/0229, that the authority concerned had not named a natural person either in the administrative evidence procedure or in the ruling whose conduct should have been attributed to the complainant. The reasons for the penal decision also did not set out any factual, unlawful and culpable conduct by a natural person that should be attributed to the legal person. However, according to the case law of the VwGH, if the accusation is directed against the complainant as a legal person - because the criminal liability of the legal person depends on the transgression of the natural person attributable to it - this also contains the accusation against the natural person to be named therein. The penal decision therefore had to be annulled.

7. By decision of the Administrative Court of February 1, 2024, Ra 2020/04/0187, this decision was overturned due to the illegality of its content. In its reasoning, the VwGH stated that the BVwG had in principle applied the requirement derived from national law (the VStG) in accordance with the case law of the VwGH, according to which, in order to impose a fine under the GDPR on a legal person, all the necessary elements for punishing the natural person must be included in the judgment of the penal decision. However, in its judgment of December 5, 2023, C-807/21, Deutsche Wohnen, the ECJ has since ruled that Article 58(2)(i) and Article 83 GDPR are contrary to a national regulation according to which a fine for a violation referred to in Article 83(4) to (6) GDPR can only be imposed on a legal person in its capacity as controller if this violation was previously attributed to an identified natural person. This national requirement applied by the Federal Administrative Court must therefore now remain inapplicable. The Federal Administrative Court should therefore not have annulled the contested penal decision on the grounds that the authority concerned did not name the natural person whose violation of the GDPR was to be attributed to the party involved in the penal decision.

8. In a statement dated November 11, 2024 (OZ 27), the complainant announced that she accepted the legal opinion of the supreme courts and no longer maintained her argument that the XXXX affinities were not personal data or data on political opinions. In addition, with regard to the packet frequency, she argued that the processing in question was limited to data anonymization and that she had not processed the packet frequencies, but rather the packet affinities - which are not the subject of the judgment - for marketing purposes. In addition, the use of the data protection impact assessment violated the prohibition of coercion to self-incrimination.

On the subjective side of the offense, she stated that she had been unclear about the illegality of her behavior and that, due to the lack of clear regulation or established case law, she could not be blamed for this. With regard to the sentencing, the complainant cited various mitigating factors and stated under the heading "Confession" that she now realizes that she had processed data on the political opinions of people without consent, but that she had never intended to do so and was unclear about it. She regrets having processed data on the political opinions and has since deleted them. Furthermore, the procedural costs are disproportionately high due to the level of the sentence and are therefore unlawful.

9. On November 19, 2024, the Federal Administrative Court obtained information from the authority concerned regarding legally binding administrative penalties imposed on the complainant (OZ 29, 30).

10. In a letter dated November 26, 2024 (OZ 33), the complainant submitted, among other things, the contracts, notices of termination and confirmations of deletion from the customers of XXXX affinities.

11. The complaint was heard orally on November 20, 2024 (OZ 31) and November 28, 2024 (OZ 34).

12. In a written submission dated December 20, 2024 (OZ 37), the complainant submitted a decision of the European Data Protection Supervisor (“EDPS”) on the case number 2023-1205.

Evidence was obtained by examining the administrative act, the hg act on the official procedure W258 2217446-1, in particular the minutes of the hearing from November 22nd, 2019 OZ 8 and from October 30th, 2020 OZ 27, the data protection impact assessment (“DSFA”) submitted in the procedure (W258 2217446-1 OZ 1, p. 45) and the procedure directory (“VVZ”) (W258 2217446-1 OZ 1, p. 39), each concerning the data application “DAM target group address”, the license for the personal data set including personal characteristics of XXXX, concluded on August 23rd, 2017 between the BF on the one hand and the XXXX and the XXXX on the other hand (OZ 33, appendix ./1) (hereinafter XXXX), the letter of termination of the license for the personal data set including personal characteristics of the XXXX of the XXXX and the XXXX dated November 16, 2018, received by the BF on November 20, 2018 (OZ 33, appendix ./2) (hereinafter XXXX), the license for the personal data set including personal characteristics of the XXXX, concluded on August 2, 2017 between the BF on the one hand and the XXXX on the other hand (OZ 33, appendix ./3) (hereinafter XXXX) the letter "contract termination" from the XXXX dated November 3, 2017 (OZ 33, appendix ./4) (hereinafter XXXX) and the deletion confirmation/e-mail correspondence dated March 4, 2019 until April 1, 2019 between the BF and XXXX (OZ 33, appendix ./6) and by questioning XXXX as informed representative of the complainant and XXXX, XXXX, XXXX, XXXX and XXXX as witnesses.

II. The Federal Administrative Court considered:

1. The following facts are established:

1.1. General:

1.1.1. The complainant has been operating the business of "address publishing and direct marketing company" since April 3, 2001.

1.1.2. In carrying out this business, it operates a data application called “DAM target group addresses” in order to sell personal data to legal entities for marketing purposes as part of its “Address Shop” product. In addition to various processing operations for commercial support, target group addresses are processed, customer base data is enriched with additional marketing information, suitable people are counted and, if necessary, selected according to the request of an interested party, and the data is delivered to customers.

1.1.3. As far as relevant to the procedure, at least the following information from natural persons is used:

Master data, such as salutation, gender, title, first and last name, address, date of birth,

and certain marketing information, such as “XXXX affinity”, “package affinity” and

“moving affinity”.

1.2. To determine and assign the marketing information:

The complainant obtained the raw data for the data application DAM target group addresses from address dealers and its own database. The raw data

contains around XXXX data records, including duplicates, outdated data records, data records of deceased persons, etc.

The data were then cleaned up as part of quality assurance. After that,

the marketing information was calculated for the remaining individual data records and

assigned to the individual data subjects.

The data subjects who objected to the data being passed on,

were entered in the Robinson list or other blocking lists, and minors,

underage persons and persons without a date of birth were then filtered out. - 13 -

After this process, the complainant had around XXXX data records available for data passing on over the processing period, with around XXXX

data records actually being marketed.

1.3. On the processing of the “XXXX affinities”:

1.3.1. The marketing category “XXXX affinity” is made up of the data fields “ÖVPAFFIN”, “SPÖ AFFIN”, “FPÖ AFFIN”, “NEOS AFFIN” and “GRÜN AFFIN”, each of which can be assigned an individual value, namely “very low”, “low”, “high” or “very high”.

1.3.2. The complainant determines the specific value for the data fields for “XXXX affinity” by conducting anonymous opinion polls. Sociodemographic data such as age, formal education and income, place of residence and any interest in election advertising from the respective political parties are requested. Marketing groups are then formed within a grid based on the socio-demographic data and place of residence, and for each of these marketing groups, taking into account opinion polls and regional election results, it is calculated with what probability a person with certain socio-demographic data and a certain region of affiliation is interested in advertising from the political parties mentioned. By classifying a specific person into a specific marketing group, the probability values calculated for this marketing group are also assigned to them, which ultimately allows the specific values of the data fields for the respective XXXX affinity to be filled.

1.3.3. The preparatory work for calculating the selection criteria with the internal name “XXXX affinity” began in January 2015. In April 2015, the first concrete order for this marketing feature was placed and the “XXXX affinity” was calculated for the first time. The XXXX affinities were created individually for each customer by the technician.

1.3.4. As far as relevant, two contracts were concluded for the delivery, updating and use of the “XXXX affinities”, among other things:

Between the BF on the one hand and the XXXX and the XXXX on the other hand, restricted to natural persons with addresses in the federal state of XXXX, with monthly updates, contract start on August 1, 2017 and a six-month notice period with the termination dates of July 31st and February 1st, for the first time on July 31st, 2018. The contract was terminated by XXXX and XXXX with a notice of termination dated November 16th, 2018, received by BF on November 20th, 2018, and thus ended on July 31st, 2019.

Between BF and XXXX with regard to all available natural persons in Austria, with monthly updates, contract start on July 1st, 2017 and a six-month notice period for the termination dates June 30th and December 31st, for the first time on June 30th, 2018. The contract was terminated by XXXX with a notice of termination dated November 3, 2017, which was received by BF on November 8, 2017, and thus ended on June 30, 2018.

1.3.5. The complainant provided the data in accordance with the contract until February 22, 2019 while the contract was still in effect. From February 22, 2019, she no longer provided any data.

1.3.6. In total, approximately XXXX different people were assigned an “XXXX affinity.”

1.3.7. Since there was hardly any demand for the “XXXX affinities” and a risk to the company’s image was recognized in light of the media coverage of the GDPR, the complainant considered no longer marketing the “XXXX affinities” in February 2018. After the last customer’s notice of termination was received on November 20, 2018, it was decided to no longer market the “XXXX affinities” and the complainant no longer marketed the data in general after November 20, 2018, but only in relation to the existing, but already terminated, contract with XXXX and XXXX.

1.3.8. The complainant has not processed the data type “XXXX affinity” for address trading or marketing purposes since February 22, 2019 and deleted it on that day with regard to those persons who had not sent a request for information to BF.

1.3.9. The calculation and forwarding of the “XXXX affinity” to the persons contained in the data application “DAM target group addresses” had – in addition to the economic aspect for BF – the purpose of enabling BF customers to reduce wastage in advertising.

1.3.10. The complainant did not obtain the consent of the persons from whom the value was determined or assigned for the processing of the “XXXX affinity”.

1.4. On processing the “package frequency”:

In the DAM target group addresses data application of the “Address publishers and direct marketing” business area, the “package affinities” value was also determined for people who were in the DAM database at least from August 2017 to February 2019 and assigned to them in order to market them. The “package affinity” indicates the probability with which a person is interested in receiving packages. The “package affinities” were deleted on March 15, 2019. If the data was the subject of a request for information under Art. 15 GDPR, it may not have been deleted until after that, but no later than May 13, 2019.

The “package affinity” of a specific person was calculated by applying their address and certain socio-demographic data to a projection model and assigning the value determined by the model to the respective person.

The complainant created the projection model annually. To do this, it used statistical methods based on the parcel frequency of a specific region and socio-demographic data to determine a probability value with which a person from a specific region and with specific demographic data would be interested in receiving parcels. The complainant determined the parcel frequency of a region required for the model in two steps:

In the first step, it took at least a list of the parcels received, including the time of their receipt, from the parcel delivery business area for the people in its DAM database (“key figures”) and used this to calculate the parcel frequency of the respective person, i.e. the number of parcels that the person received in a specific period of time. The key figures were also taken from people who were not customers of the complainant, for example by using the confirmations of receipt of the parcels. At least XXXX people were affected.

In the second step, several people in a certain region were grouped together based on their addresses and an average parcel frequency for this region was calculated from their parcel frequencies.

The persons concerned have not consented to the further processing of the delivery data to create the package frequency and subsequently to the creation of the extrapolation model for the "package affinities".

1.5. On the processing of the "moving frequency":

1.5.1. On data processing:

In the DAM target group addresses data application of the "address publishers and direct marketing" division, the complainant also determined so-called "moving affinities" from January 2017 to February 2019 and assigned them to individual people in order to market them.

A projection model was created with which, based on certain input information, namely the address, the probability of a move taking place at this address could be calculated.

The projection model was then applied to the people in the DAM database by entering their respective addresses into the projection model and assigning the returned value to the person as a "moving affinity" in the form of a categorization, namely "high", "medium" and "low". The projection model was checked annually and adjusted or recreated if necessary. In any case, the frequency of moving of a person was used to create the projection model. The frequency of moving was purchased externally, namely from XXXX. On the other hand, the frequency of moving was also derived from forwarding orders that the "Address Publishers and Direct Marketing" division received from the "Postal Delivery" division, namely the area of the forwarding order service offering (hereinafter "forwarding orders area").

1.5.2. Regarding the possible legal basis:

The persons concerned have not consented to the further processing of the forwarding orders for the creation of the "moving frequency" and subsequently for the creation of the extrapolation model for the "moving affinities".

If they do not wish their moving data to be used for marketing purposes, they must actively object to this. To this end, the persons concerned are informed about the further use of the forwarding order data when the forwarding order is created and have the opportunity to object to the further use of the data. In addition, they will receive an information letter with a reply card within one week, in which they are again informed of the data being passed on for marketing purposes and are informed of the possibility of prohibiting this. A prohibition is also possible in one of the complainant's branches or via the complainant's website.

The specific text of the information and the possibility of objection is:

“Information about data usage: Your personal data (salutation, title, first name, last name, date of birth, address) can be transmitted by XXXX to third parties in accordance with Section 151 of the Trade Regulations for marketing purposes.

You are entitled to prohibit transmission to third parties for marketing purposes at any time and without giving reasons. In this case, tick the box below or address your objection to XXXX.

[Selection box] I do not agree to data being passed on.”

1.6. On the subjective side of the act:

1.6.1. Regarding the XXXX affinities:

To prepare the complainant for the GDPR:

The complainant started the “Fit for the GDPR” project to prepare for the GDPR in terms of data protection. Project goals were defined, a steering committee was set up which met regularly from December 2017 onwards, and progress was monitored using a traffic light system. An external consultant was brought in to organize the data protection structure. The total cost was around two million euros. Organizationally, so-called “data protection managers” were set up in the individual departments, who were responsible for assessing the legality of processing activities under data protection law. The data protection officer was to be involved in the review of the data applications of the respective departments.

The legal department specified the framework for the work of the data protection managers; however, it was not involved in the assessment of individual data applications - apart from the fact that the data protection officer was organizationally assigned to the legal department - until January 2019.

On the data protection manager of the “DAM target group addresses” department:

XXXX was responsible for the “DAM target group addresses” department as data protection manager.

She had completed a technical degree but not a law degree. During her studies, she attended a course on data protection and dealt with the topic of data protection as part of her work in the student union. After that, she did not deal with data protection issues for about 10.5 years. Then she started working for the complainant. One of her tasks was to answer requests for information under data protection law. That was about two to three per year. She also prepared reports to the data processing register (DVR reports). To do this, she read the DSG 2000 and relevant decisions, spoke to friends who had something to do with the matter and clarified individual questions with a lawyer from the complainant who was responsible for data protection issues. She was very interested in the topic of data protection. To prepare for the GDPR, she then attended a one-day seminar and a three-day TÜV course to become a certified data protection officer, and passed the latter. She has attended several other data protection seminars and events and has also given lectures on the topic of how the complainant is preparing for the GDPR. She does not know the definition of personal data.

About the complainant's data protection officer:

From 2017 to 2020, XXXX was the BF's data protection officer. She studied law in Germany and is a licensed lawyer in Germany. She already dealt with data protection during her studies and gained experience in data protection law in a German corporation. During this activity, she also attended data protection seminars and completed additional training, such as a master's degree in IT law in Germany. She was certified as a data protection officer before May 25, 2018.

On the data protection review of the “XXXX affinities” by the complainant:

XXXX reviewed the “DAM target group addresses” data application before the introduction of the GDPR, namely in around 2010 or 2011, and found it to be permissible. It was also entered into the data processing register. However, the “XXXX affinities” were not yet processed at that time.

She reviewed the data application, and thus also the “Sinus geo-milieus” and “XXXX affinities”, in the course of preparing for the GDPR and again due to a high-profile debate in Germany.

XXXX contacted and maintained contact with XXXX on this matter. In this context, the admissibility of processing “Sinus geo-milieus”, a special type of marketing classification, was also discussed. The admissibility of XXXX affinities was not an issue. The result of these discussions was that the processing of marketing classifications was permissible under data protection law.

She was also in contact with colleagues at XXXX regarding the “Sinus Geo Milieus” and was informed that they had examined their use in Germany with the involvement of a German supervisory authority and found it permissible. There is also an expert opinion on this, but for contractual reasons it cannot be viewed.

The permissibility of XXXX affinities was not an issue.

Although the processing of affinities was deemed permissible by XXXX and XXXX, it was essentially justified on the basis of Section 151 of the Trade Code; they did not justify the permissibility on the grounds that the affinities are not personal data.

She also carried out a legal search in the Federal Legal Database (RIS). In doing so, she found a decision by the data protection authority or the data protection commission on the "Sinus geo-milieus".

She misinterpreted these decisions by assuming that the data protection authority viewed marketing classifications or statistical values that are attributed to individual people as non-personal. She deduced the classification of the "XXXX affinities" from the supposed classification of the "Sinus geo-milieus" as non-personal.

In fact, before the GDPR came into force, the Data Protection Commission or the Data Protection Authority dealt more or less with the question of the classification of marketing classifications under data protection law in at least four decisions, namely DSK 20.05.2005, K120.908/0009-DSK/2005, DSB 10.03.2016, DSB-D122.322/0001-DSB/2016, 06.12.2017, DSB-D216.435/0005-DSB/2017 and 13.02.2018, DSB-D122.754/0002-DSB/2018. From all these decisions it can be deduced that marketing classifications or probability values that are attributed to individual persons are personal data (see also point 1.6.1.1).

She also asked lecturers in data protection courses that she attended in preparation for the GDPR about the question of the admissibility of processing marketing classifications with regard to Section 151 of the German Trade Code, including lawyers, but did not receive a satisfactory answer. There was no further exchange with lawyers.

Ultimately, she also discussed the question of the admissibility of the data application in her team.

One of her employees, XXXX, expressed concerns in February 2018 that the "XXXX affinities" could be personal data and could be problematic. XXXX discussed these concerns in the weekly Jour Fixe with the team leaders of the "DAM" department and its head, XXXX, (hereinafter "Jour Fixe"), but the opinion did not gain a majority. Both she and the witness XXXX assumed that the concerns were not valid because the affinities were not personal data; witness XXXX also assumed that their processing was covered by the Trade Code. A further examination of the concerns of XXXX took place.

XXXX came to the conclusion that "Sinus Geo-Milieus" are statistical data that are not personal. This is true even if they have been attributed to specific people. Due to the similarity of the "Sinus Geo-Milieus", it subsequently assumed that the "XXXX affinities" are not personal data either. It also discussed this result with the complainant's data protection officer, XXXX. The data protection officer was also of the opinion that statistical data - despite being assigned to a specific person - is not personal data and therefore also viewed the data application DAM target group addresses and the "XXXX affinities" as unproblematic from a data protection perspective without questioning or legally (re-)examining her opinion on the personal reference.

On the legal situation regarding marketing classifications before May 25, 2018:

The Data Protection Commission and the Data Protection Authority made at least four decisions in connection with marketing classifications before May 25, 2018:

In DSK K120.908/0009-DSK/2005 of May 20, 2005 (cited by the complainant), among other things, the completeness of information (also) in relation to statistically calculated data, such as annual minimum income, was the subject matter. The DSK states that using this data for other purposes is factually pointless because its accuracy is not given in the individual case. However, it affirms that personal data exists, especially since it discusses the question of the extent to which the origin of these types of data must also be disclosed, which - because the right to information pursuant to Section 26 of the Data Protection Act 2000 requires the existence of personal data - would not be necessary if the statistically determined data had not been personal data. This decision was available in the RIS before the GDPR became applicable.

In DSB-D122.322/0001-DSB/2016 of March 10, 2016, it stated that the attribution of marketing classifications is not a process of automated individual decision-making that is subject to the special right to information pursuant to Section 49 (3) of the Data Protection Act 2000 (para. 29). Furthermore, the client has provided the data subject with information on the content of the data, including the marketing classification data attributed to the data subject, in accordance with Section 26 Paragraph 1 of the Data Protection Act 2000 (para. 31). This decision has been available in the RIS since at least June 3, 2016.

In DSB-D216.435/0005-DSB/2017 of December 6, 2017, it stated that the attribution of marketing classifications in accordance with Section 151 Paragraph 6 of the Trade Regulation Act, as in the present case, is not a process of automated individual decision that is subject to the special right to information in accordance with Section 49 Paragraph 3 of the Data Protection Act 2000. Furthermore, the general right to information pursuant to Section 26 Paragraph 1 and 4 of the Data Protection Act includes in any case understandable explanations for internal key terms (such as "innovative up-and-comers"), for which the evaluation and the assignment to the complainant also require a more detailed explanation (para. 16 f). This decision has been available in the RIS at least since January 3, 2018.

In DSB-D122.754/0002-DSB/2018 dated February 13, 2018 (cited by the complainant), it stated with regard to "marketing classifications assigned on the basis of socio-demographic data according to a probability calculation", namely "probability value_traditional", that the complainant's right to information had been violated because this term had not been explained in an understandable way. This presupposes that the data protection authority assumed that "probability value_traditional" was personal data, otherwise it would have denied a right to information under Section 26 of the Data Protection Act with regard to this type of data. It cannot be determined whether the decision was already available in the RIS before May 25, 2018.

In the Austrian literature, Jahnel also assumes in Handbook of Data Protection Law (2010) para. 3/72 that assessments of a person's probable membership of a certain target or age group determined with the help of statistical projections are to be qualified as personal data.

The German Federal Court of Justice also decided in this sense on January 28, 2014, VI ZR 156/13 - contrary to the opinion of the BF - (dtBGH January 28, 2014, VI ZR 156/13; OZ 1, DSB-D550.148/0003-DSB/2019), especially since in the judgment it affirmed the fundamental correction of a "score value" as well as the obligation to provide information about it and thus also its personal reference (judgment of the Federal Court of Justice of January 28, 2014 on VI ZR 156/13).

The ECJ has also already dealt in detail with the personal nature of information, stating in ECJ 22.06.2017, C-434/16, NOWAK:

“33 As the Court has already stated, the scope of application of Directive 95/46 is very broad and the personal data it covers are diverse (judgment of 7 May 2009, Rijkeboer, C‑553/07, EU:C:2009:293, para. 59 and the case law cited therein).

34 The use of the expression ‘all information’ in connection with the definition of the term ‘personal data’ in Article 2(a) of Directive 95/46 reflects the Union legislature’s aim of giving this term a broad meaning. It is not limited to sensitive or private information, but potentially includes all types of information of both an objective and subjective nature in the form of opinions or assessments, provided that it is information "about" the person in question.

35 The latter requirement is met if the information is linked to a specific person due to its content, purpose or effects."

1.6.2. Regarding the "package frequency":

The complainant was aware that linking its activity as an address dealer with its activity as a postal service provider could be legally problematic. It had therefore erected a "Chinese Wall" between the areas, which was, however, permeable with regard to the package frequency and the frequency of moving. There was no detailed legal review of the demarcation of the business areas. It was not until January 2019 that work began to close these gaps.

1.6.3. Regarding the “frequency of moving”:

See the comments on point 1.6.2.

1.7. Regarding the data protection impact assessment for the data application “DAM target group addresses”:

1.7.1. Regarding the objective side of the matter:

The data protection manager, XXXX, has prepared the data protection impact assessment (DPIA) regarding the DAM target group addresses. As part of the preparation of the DPIA, she sought the advice of the data protection officer, XXXX.

The DSFA for the application “DAM target group addresses” states in part:

In Appendix 2B-1, with the title “PRIVACY IMPACT ASSESSMENT / DSFA (ACCORDING TO ARTICLE 35) - TARGET GROUP ADDRESSES BEFORE TAKING INTO ACCOUNT THE TECHNICAL AND ORGANIZATIONAL MEASURES”:

in Appendix 2D, “Target group addresses according to Section 151 GewO” under the heading “Marketing classifications collected according to § 151 Paragraph 6”

Category | Type of determination | Content | Note
MARKETING | Calculated | XXXX affinity | Marketing classification assigned based on marketing analysis procedures

and under point 2, "SUMMARY RESULT":

"Based on the assessment of the necessity and proportionality of the described processing activity and the measures listed for dealing with identified risks, XXXX assumes that there is no high risk [...] for the rights and freedoms of natural persons."

1.7.2. On the subjective side of the matter:

As the data protection manager is of the opinion that the marketing classification “XXXX affinities” is not personal data (see point 1.6.1 “On the data protection review of the “XXXX affinities” by the complainant”), she did not check the “XXXX affinities” to see whether they could be special categories of data and, accordingly, denied the existence of special categories of data and, as a result, the existence of a high risk in the DPIA.

The data protection officer also assumed that the “XXXX affinities” are not personal data (see point 1.6.1 “On the data protection review of the “XXXX affinities” by the complainant”), which is why she followed the assessment of the data protection manager and did not advise otherwise.

1.8. On the list of processing activities for the data application “DAM Target group addresses”

1.8.1. On the objective side of the offense:

In the complainant’s list of processing activities (VVZ) for the application “DAM Target group addresses”, the types of data processed are broken down as follows:

“[…]

DATA

Categories of personal data | Address data, identification data, Contact details, marketing, personal master data

[…]”

A more detailed breakdown of the data type “marketing” can be found neither in the main document nor in any appendices to the VVZ.

In fact, the complainant has processed the following types of data in connection with the “data” mentioned:

MARKETING, such as installment payers, customer cards, bargain hunters, animal lovers, sport, Sinus Milieu, neurotypes, travel, organic, night owls, leisure grillers, package score, DIY enthusiasts, online shoppers, brand, style high fashion, phase of life, XXXX affinity, income, purchasing power, agriculture, number of children, baby, toddler, child, schoolchild, young person, marital status;

In the complainant’s list of processing activities for the “DAM target group addresses” application, the “RISKS” section states the following:

“Is extensive processing of sensitive data carried out? | No […]

Is particularly sensitive data processed (ethnic origin, political opinion, ...)? | No”

1.8.2. On the subjective side of the offense:

The data protection manager decided that extensive processing of sensitive data and processing of data requiring special protection, including political opinion, should be denied because she was of the opinion that the marketing classification “XXXX affinities” does not constitute personal data and therefore does not constitute special categories of personal data (see point 1.6.1 “On the data protection review of the “XXXX affinities” by the complainant”).

The VVZ should have provided a detailed breakdown of the types of data processed in an appendix. By mistake, however, the appendix was only added to the DSFA as appendix 2D “Processed data”, but not to the VVZ. This appendix contains a detailed breakdown of the types of data used, such as the individual affinities.

1.9. On the assessment of the penalty:

1.9.1. According to the profit and loss statement, the complainant's turnover for the 2018 financial year is XXXX and for the 2023 financial year is XXXX. According to the profit and loss statement, the complainant's group-wide turnover for the 2018 financial year is XXXX and for the 2023 financial year is XXXX. In Q1-3 2024, the complainant generated sales revenue of XXXX.

1.9.2. The criminal judgment in question was served on the complainant on October 28, 2019 and thus issued.

1.9.3. Scope of cooperation (Article 83 (2) (f) GDPR)

The complainant cooperated in the investigation before the data protection authority and in the proceedings before the Federal Administrative Court and thereby made a significant contribution to finding the truth.

1.9.4. Measures taken by the complainant to mitigate the damage (Article 83 Paragraph 2 lit c GDPR)

The complainant reached settlements with the majority of the affected persons and in this context paid XXXX to affected persons. The complainant offered affected persons via its website the opportunity to submit both simple and notarized cease and desist declarations for affected persons.

1.9.5. Previous convictions (Article 83 Para 2 lit e GDPR)

The complainant was fined EUR 600 by a penal order dated September 6, 2019 (D550.150/0001-DSB/2019) for violating her duty to cooperate with the supervisory authority in accordance with Article 31 in conjunction with Article 83 Para 4 lit a GDPR.

By decision of the Federal Administrative Court of February 23, 2024, W137 2248575-1/31E, the complainant was fined EUR 500,000 for violating her duty to facilitate the exercise of rights of those affected pursuant to Section 28 Paragraph 2 VwGVG in conjunction with Article 12 Paragraph 2 in conjunction with Article 83 Paragraph 5 Letter b of GDPR.

1.9.6. How the violation became known (Article 83 Paragraph 2 Letter h of GDPR)

The authority concerned took the media coverage of the XXXX's actions, according to which it allegedly sold personal data, among other things, and that some of this data also included special categories of data ("sensitive data") - in particular political opinion - as an opportunity to initiate an official investigation procedure. Based on the results of the investigation, the authority concerned initiated the administrative penal proceedings in question.

1.9.7. Financial advantages gained, losses avoided (Article 83 paragraph 2 letter k GDPR)

The complainant has gained financial advantages by processing the XXXX affinities.

The turnover for the entire area of data provision for addressed advertising in the framework of data and address management in 2018 was XXXX.

The total turnover from the marketing of the XXXX affinities was XXXX.

2. The established facts are based on the following assessment of the evidence:

2.1. On the general findings:

2.1.1. The finding in 1.1.1 is based on the unobjectionable statement of the complainant and a consistent inspection of the Trade Information System Austria, GISA number XXXX.

2.1.2. The findings in 1.1.2 are based on the submitted data protection impact assessment target group addresses, in particular Chapter 1.3.3 and Appendix 2D of the complainant's statement of 22 January 2019 (OZ 1 "DSB-D550.148001-DSB2019| Request for justification 20 February 2019", p. 33, 64 ff.).

2.1.3. The findings under 1.3.1 are based on the exemplary extract from the complainant's database presented in her statement of January 22, 2019, from which the different assignable values emerge (OZ 1 "DSB-D550.148001-DSB2019 | Request for justification February 20, 2019", p. 16). Although this list does not contain the information on "package affinity" and "moving affinity", their use is evident from the complainant's submission to the data protection authority (BF statement of September 10, 2019, points 2.4 f, OZ 1; DSB-D550.148/0015-DSB/2019, p. 176 f) and the corresponding statements made by witness XXXX to the authority concerned on the calculation and use of these affinities (transcript of the audio recording of May 24, 2019, p. 5 f; OZ 1, D550.148/0014-DSB/2019, p. 20 f).

2.2. Regarding the findings in 1.2., determination and allocation of marketing information:

The findings on the procedure for determining marketing information are based on the corresponding information in the DPFA (DPFA p. 6 f). The information on the number of data sets is contradictory in the DPFA, such as the number of data sets available for forwarding XXXX on the one hand (DPFA) and XXXX on the other hand (DPFA Appendix 2B-1 p. 1) or the number of data sets actually marketed XXXX on the one hand (DPFA p. 6) and XXXX on the other hand (DPFA Appendix 2B-1 p. 1). However, XXXX was able to explain in her interview that these were snapshots taken at different points in time (VH protocol dated November 28, 2024 p. 7), which is why the respective values were determined as the range of the data sets processed over the entire processing period.

At first glance, it does not seem understandable why only some of the available data sets should actually have been marketed; however, from Appendix 2B-1 p. 1 of the DPFA it emerges that only a portion of the data sets that are generally tradable are available for postal advertising mailings (“[…] addresses are available for the marketing of target group addresses for postal advertising mailings”), which is why the data sets that were not marketed can be explained by the fact that they were not suitable for the delivery of postal advertising mailings, for example due to the lack of postal addresses, and thus were not useful for the purpose of the data use, i.e. the provision of target group addresses.

2.3. On the findings regarding XXXX affinity:

2.3.1. The findings regarding 1.3.1. are based on the exemplary allocation of XXXX affinities contained in the complainant's statement of 22 January 2019 (OZ1 "DSB-D550.148001-DSB2019 | Request for justification 20 February 2019", p. 16) and on its appendix 3 "Database extract XXXX affinity for different residences" (W258 2217446-1, OZ 1 p. 185).

2.3.2. The findings under 1.3.2 are based in principle on the arguments put forward by the appellant in the official review procedure, in particular the appellant’s statement of 22 January 2019, page 2 (OZ 1 “DSB-D550.148001-DSB2019 | Request for justification 20 February 2019”, p. 14); also on page 4 (OZ 1 “DSB-D550.148001-DSB2019 | Request for justification 20.02.2019”, p. 16), according to which regional election results are heavily weighted when calculating the probability values for the respective XXXX affinity, and on Appendix 3 to the complainant’s statement of 22.01.2019 – “Database extract XXXX affinity for different places of residence” (W258 2217446-1, OZ 1 p. 185), according to which the respective XXXX affinities are stored in the database for the respective persons.

2.3.3. The findings under 1.3.3 are based on the statement of the complainant dated November 11, 2024, which was raised as part of the statement of the informed representative XXXX (VH protocol dated November 20, 2024, p. 5), in which the complainant explained the timeline of the provision of the XXXX affinities and the sale to political parties in detail and in a comprehensible manner (see OZ 27, p. 3, 22). The fact that the XXXX affinities were created individually for each customer by the technology is based on the statements of the witness XXXX from the authority in question, according to which the XXXX affinity was always created individually by the technology because it affected a specific target group (OZ 1, DSB-D550.148/0014-DSB/2019, p. 20).

2.3.4. The determinations regarding the delivery of data to the contractual partners (point 1.3.5) are based on the license agreements; the findings regarding the end of the data delivery are based on the statement of the informed representative (“There was a relatively long notice period. After the reporting at the beginning of 2019, however, we deleted the data despite the contractual relationship being in force. On February 22, 2019, we deleted the first part, namely all those data records of people who had not made a request for information.” (VH protocol dated November 20, 2024, p. 10)) and the considerations under point 2.3.6. The differing argument of the complainant in the administrative penal proceedings, according to which the contract with XXXX or with XXXX had already ended with termination on November 18, 2018, could therefore not be followed (BF statement dated September 10, 2019, p. 10, OZ 1, DSB-D550.148/0015-DSB/2019 p. 174), especially in view of the correspondence between XXXX and BF, in which XXXX states on March 7, 2019 that "we terminated the contract in November 2018 and that it [...] expires on July 31, 2019." (Statement and document submission by BF dated November 26, 2024, OZ 33, appendix ./6 "Confirmation of deletion / email communication XXXX" p. 2). Against this background, the statement of witness XXXX, according to which the deletion had to be postponed until after Christmas solely for technical reasons, could only be understood to mean that by technical considerations she must have meant contractual considerations (negotiation minutes of November 20, 2024, OZ 31, p. 22).

2.3.5. The number of attributed "XXXX affinities" (point 1.3.6) is based on the consistent statements of XXXX (VH minutes of November 20, 2024, OZ 31, p. 9) and witness XXXX (VH minutes of November 20, 2024, OZ 31, p. 28). It is noticeable that the number of people affected is lower than the number of data records stated in the DSFA. However, this can be explained by the essentially consistent justification of the BF (VH protocol of November 20, 2024, OZ 31, p. 10) and the statement of witness XXXX (VH protocol of November 20, 2024, OZ 31, p. 28 f.), according to which several affinities were assigned to some people on the basis of different addresses and thus several data sets concerning them were created, as well as by the additional statement of witness XXXX that no XXXX affinity could be calculated for some addresses for statistical reasons (VH protocol of November 20, 2024, OZ 31, p. 35 f.). The information in point 1 of the XXXX, according to which “Consumer Data [currently] includes around XXXX natural persons” is also of no harm because on the one hand, the specific address data is only determined from a mapping with the also licensed database XXXX, which is the address database of the BF (point 1.2. paragraph) and the license is granted, among other things, for the use of data for direct mailings (i.e. sending advertising mail by post) (point 3.2) and on the other hand, it does not follow from the contract that the XXXX affinities have also been calculated for all persons; however, as previously stated, both circumstances can lead to a reduction in the unique persons for whom the XXXX affinities have been calculated or assigned.

2.3.6. The findings on the exit from the marketing of the "XXXX affinities" and their backgrounds are fundamentally based on the statements of the witness XXXX, which must be reconciled in this regard ("In the course of the media coverage of the introduction of the GDPR, where we saw that the public is very sensitized to this issue, we discussed in the DAM group whether we should delete the data of the affinities and Sinus-Geo-Milieus." Negotiation minutes from November 20, 2024, OZ 31, p. 22 and "It was a mixture of several causes. As I have already said, there was still a customer who was purchasing it, but he had already said that he no longer needed the data after the contract period had expired. From this point of view, too, deletion made sense." Negotiation minutes from November 20, 2024, OZ 31, p. 32 f) and the witness XXXX (“The background was also that with regard to the XXXX affinities we had a small number of customers and did not earn much from them. That is why it was decided to "phase out" the product [...] that was a reputational decision” Minutes of the negotiations dated 20.11.2024, OZ 31, p. 49).

The receipt of the notice of termination is based on the receipt stamp contained on the XXXX.

The fact that it was only after the notice of termination had been received that it was decided to no longer market the "XXXX affinities" is based on the statements of the witness XXXX. It does state that the decision was made in October 2018 (negotiation minutes of November 20, 2024, OZ 31, p. 22) or in the fall (negotiation minutes of November 20, 2024, OZ 31, p. 24), which could also indicate an earlier date.

On the one hand, however, it is understandable that a decision to exit, which was also made for economic reasons, is made when the last customer has canceled; this is particularly true because in this specific case, an exit had already been considered since February 2018 (negotiation minutes of November 20, 2024, OZ 31, p. 24) without success. On the other hand, the witness XXXX stated that the basis for the decision to withdraw from the “XXXX affinities” was that there was still a customer who was still receiving the data, “but he had already said that he no longer needed the data after the contract period had expired.” It must therefore have been clear to those involved at the time of the statement that the contract would only expire, which is why the statement – and thus also the decision – must have been made after the receipt of the notice of termination (minutes of the hearing dated November 20, 2024, OZ 31, p. 32 f). The fact that the existing contract should still be fulfilled is based on the considerations in point 2.3.5.

2.3.7. The findings regarding the deletion of the XXXX affinities (point 1.3.8) arise, among other things, from the BF's justification for deleting the data on February 22, 2019 due to media reports at the beginning of 2019 - despite the contractual relationships being in place - unless they were the subject of a request for information (PV XXXX, minutes of the hearing dated November 20, 2024, OZ 31, p. 10 f). It is understandable that the decision to stop using the data that was criticized was made due to negative public reporting. The statement of witness XXXX, which differs slightly in terms of the time but otherwise essentially agrees with it, according to which the data had not been deleted from January 2019 onwards because there had been so many inquiries as a result of a press article (minutes of the hearing dated November 20, 2024, OZ 31, p. 22), must be reconciled with the justification, especially since the facts of the case date back several years and the witness's memories may therefore be inaccurate, particularly with regard to the exact time, and in her questioning before the authority concerned she assumed February 2019 as the time of deletion anyway (transcript of the audio recording of the witness questioning dated May 24, 2019, OZ 1 DSB-D550.148/0014-DSB/2019, ZV XXXX, p. 23).

2.3.8. The findings in 1.3.9 are based on the purpose of processing the XXXX affinities for BF customers in the complainant's statement of 22.01.2019, page 2 (OZ 1 "DSB-D550.148001-DSB2019 | Request for justification 20.02.2019", p. 14) and the statement of XXXX, the then head of the data and address management department ("We mapped the [...] [...] to avoid wastage in advertising." (VH protocol of 20.11.2024, p. 49) and "But the aim of the product is in any case to minimize wastage in advertising." VH protocol of 20.11.2024, p. 51)).

The fact that the complainant pursued economic aspects with the use of the "XXXX affinities" is based on the fact that the BF marketed the XXXX affinities for a fee (XXXX and XXXX, point 11. in each case) and the statement of the witness XXXX, according to which the cessation of marketing of the XXXX affinities was also discussed because "we [...] did not earn much from it" (VH protocol of November 20, 2024, p. 49).

2.3.9. The finding at 1.3.10, according to which the complainant did not obtain consent, is based on the information - collected in connection with the statement of the informed representative XXXX - provided by the complainant in her statement of November 11, 2024, p. 21, according to which she admits to having processed the XXXX affinities "without consent" (see OZ 27, p. 21). The informed representative added, in response to a specific query, that around 2017 and “at least before the GDPR”, the BF switched from an “opt-in” to an “opt-out” model (VH protocol dated November 28, 2024, OZ 34, p. 8); however, in view of the confession, it can be assumed that with regard to the determination and disclosure of the XXXX affinities, there were no longer any “opt-in” declarations with regard to the beginning of the period of the offense, i.e. since May 25, 2018.

2.4. On the processing of the "package frequency":

The findings on the processing of the package affinities and moving frequency are basically based on the essentially identical statements of the witness XXXX before the authority concerned and of XXXX as the complainant's representative before the authority concerned and before the court of first instance.

The findings on the start date of the use of the package affinities are based on the information of the witness XXXX, according to which "this [...] has probably not been done since February 2019" and "this [...] was done for about 1.5 years" (ZV XXXX DSB on May 24, 2019, OZ 1, D550.148014, p. 24); although the complainant stated that the package affinities had already been calculated since January 2016 (statement XXXX dated September 10, 2019; point 2.4 p. 12 (OZ 1; DSB-D550.148/0015-DSB/2019 p. 176)), against the background of the relevant period of the offense with the applicability of the GDPR on May 25, 2018, the start date could be determined to be "at least" August 2017. The finding that the package affinity with the designation "package frequency" was assigned to a specific person is based on information provided by the complainant in accordance with Art. 15 GDPR (criminal judgment, OZ 1, XXXX, p. 57); the fact that the "packet frequency" is not the average number of packets that this person received in a certain period of time but actually the calculated "affinity" is due to the fact that the "packet frequency" was given a name, such as "low", and not a specific number, as would be expected for a frequency that is intended to serve as the basis for calculating a model.

The end date for the calculation and marketing of the package affinities is based on the statement by XXXX that “the package affinity has not been calculated or used since the first half of 2019.” (criminal proceedings dated September 23, 2019, OZ 1, DSB-D550.148/0016-DSB/2019 September 23, 2019, p. 36) and “this has probably not been done since February 2019” (ZV XXXX DSB on May 24, 2019, OZ 1, D550.148014, p. 24) and is understandable in light of the media reports that made the processing of the “XXXX affinities” in particular but also of the “affinities” in general appear problematic in February 2019. The statements are also consistent with the statements made by XXXX in the hg hearing on November 28, 2024, according to which she decided to delete the data after the media coverage and before the receipt of the "request for a statement" in the administrative penal proceedings (minutes of the hearing dated November 28, 2024, OZ 34, p. 2 f) and the request for justification is dated February 20, 2019. The time of deletion of the "package affinities" is based on the information provided by XXXX, according to which the actual deletion could only take place later for technical reasons (negotiation minutes of November 28, 2024, OZ 34, p. 2f) and, in the case of pending requests for information, the data were processed for longer, but at the latest until May 13, 2019 (negotiation minutes of November 28, 2024, OZ 34, p. 7).

The findings on the creation of the projection model and the determination of the "packet frequency" and the "packet affinity" are based on a summary of the comprehensible statements of XXXX in the hearing on November 20, 2024 (VH protocol of November 20, 2024, OZ 31, p. 11) and of the witness XXXX before the authority concerned ("From this you can calculate a packet frequency. Afterwards [...] you then make projection models again for the following years. From this you can then make projections again." (transcript of the audio recording of May 24, 2019, OZ 1, D550.148/0014-DSB/2019, p. 21) as well as their statements on the basic procedure for creating the "calculation models" (transcript of the audio recording of 24.05.2019, OZ 1, D550.148/0014-DSB/2019, p. 20)) with the essentially consistent information on the calculation of the target group addresses or affinities in the data protection impact assessment (p. 6 f; W258 2217446-1, OZ 1, p. 50 ff). The finding that at least the list of received packages and the time of receipt was taken over by the parcel delivery business unit is based on the general information provided by witness XXXX, according to which “we […] know from the parcel department that the person […] receives […] packages in a […] period of time” and “following this data transmission by the parcel department […] they then make […] extrapolation models” (ZV XXXX, transcript of the audio recording dated 24.05.2019, OZ 1, D550.148014, p. 21) and XXXX, according to which “a key figure from the parcel department is transmitted to the DAM department and then statistically evaluated” (criminal hearing dated 23.09.2019, OZ 1, DSB-D550.148016-DSB2019, p. 35) and that there is indeed a "Chinese Wall" between the individual business areas, but which was permeable, "for example in the packet frequencies that were used for extrapolations" (VH minutes of November 20, 2024, OZ 31, p. 6) and, on the other hand, on the consideration that when calculating a frequency, the number of events in a certain period of time is calculated and therefore both a list of the received packets and the reception period are required for the calculation.

The fact that the projection models were created annually is based on the statement of the witness XXXX, according to which all models are checked every year and recalculated if necessary and that this also applies to the package affinities (“And then we check the model with the data of the year that we previously separated out. Because this probability must then apply to this year. If we then have strong deviations, then we change the model. We calculate it again and see how good the forecast is according to the new model. That is the general procedure for all projections.” or “we […] from the parcel department [know] that the person […] will receive […] packages in a […] period” and “following this data transmission by the parcel department […] they then make projection models again for the following years”) (ZV XXXX, transcript of the audio recording from May 24, 2019, OZ 1, D550.148014, p. 21).

The fact that the calculation also affected people who were not customers of the complainant, and how they could still be taken into account, is based on the comprehensible statements of the witness XXXX (DSB dated May 24, 2019, OZ 1 D550.148014, p. 23).

The number of people affected by the passing on of the "package frequencies" is based on the consideration that the complainant XXXX is responsible for a large proportion of parcel deliveries in Austria and therefore carries out parcel deliveries to most addresses in Austria, the entire database of DAM target group addresses for postal advertising mailings contains around XXXX addresses (DSFA Appendix 2B-1 p. 1, p. 25), but not all of these people have received parcels from the complainant and some people have several addresses, which is why not XXXX but XXXX people were identified.

The fact that no consent was obtained for the further processing of the parcel frequencies is evident from the statements made by XXXX in the hg hearing (VH protocol of November 28, 2024, OZ 34, p. 8). The informed representative added in response to a specific query that around 2017 and “at least before the GDPR” the BF switched from an “opt in” to an “opt out” model (VH protocol dated November 28, 2024, OZ 34, p. 8); against the background of the admission of the XXXX affinities and a lack of evidence, it can be assumed that with regard to packet frequencies at the beginning of the period of the offense, i.e. since May 25, 2018, there was no “opt in” declaration (anymore).

2.4.1. The findings on the contracts for the licensing of the XXXX affinities (point 1.3.4) are based on the contracts submitted (XXXX and XXXX), which essentially correspond to the information provided by the informed representative XXXX (VH minutes of November 20, 2024, p. 10) and the statements made in connection with her statement (OZ 27, p. 3, 22). The monthly updates of the data are based in particular on points 8.4 (monthly updates) and 11.1 (license fee including delivery of monthly updates) of the license agreements. The information on the termination of the contracts could be objectified by the termination declarations, namely from XXXX and XXXX, and also by the correspondence between XXXX on March 7, 2019, stating that "we terminated the contract in November 2018 and that it [...] expires on July 31, 2019." (Statement and document submission by the BF dated November 26, 2024, OZ 33, Appendix ./6 "Deletion confirmation / email traffic XXXX" p. 2) which is why the partially differing information of the informed representative XXXX ("That means we terminated in November 2018" (VH protocol dated November 20, 2024 p. 10)) could not be followed.

With regard to the scope of the data deliveries, it is noticeable that the data types listed in the appendix to the license agreements include the data type "XXXX affinity" and its type is only specified as "1BIT" (XXXX and XXXX on page 16, respectively), which would mean that the data type "XXXX affinity" can only have two states and would therefore not be suitable for depicting the XXXX affinities for several parties in several forms. However, it cannot be concluded from this that the XXXX affinities were actually not the subject of the contract, especially since some data fields in the appendix to the license agreements have been blacked out and the scope of the data transmission cannot therefore be conclusively determined from them. On the other hand, the use of a binary data type of length 1, which is usually used in the sense of "true" and "false" or "present" and "not present", indicates that there are or are not affinities for transmission for your data set XXXX.

2.5. On processing the frequency of moves:

2.5.1. On data processing:

The findings on the basic determination and allocation of the "moving affinities" as well as the purpose are based on the consistent statements of the witness XXXX and of XXXX.

The findings on the start time are based on the complainant's statements ("The first forecast and allocation to persons took place [...] in January 2017.", BF statement of September 10, 2019, p. 13; OZ 1, DSB-D550.148/0015-DSB/2019, p. 177).

The findings on the projection model and the frequency of testing are based on the statements of witness XXXX in the proceedings before the authority in question, in which she described the creation of the projection models for the area of parcel affinity and moving affinity (transcript of the audio recording of the witness interview of Ms. XXXX, p. 5 f; OZ 1, DSB-D550.148/0014-DSB/2019 p. 20 f). The fact that the values were assigned in the form of a categorization is based on the complainant’s submission (BF statement of 10.09.2019, points 2.5, OZ 1; DSB-D550.148/0015-DSB/2019, p. 177), which corresponds to information provided by the complainant in accordance with Art. 15 GDPR in which the affinity for moving is classified as “low” (criminal judgment; OZ 1; XXXX, p. 57).

It is disputed where the complainant obtained the data on the “frequency of moving”.

While the authority concerned assumed that the complainant derived this data both from past forwarding orders and also purchased it from XXXX, the complainant denies – with further justification – the use of past forwarding orders. The complainant's statements cannot be accepted.

For example, witness XXXX, who as the person responsible for the target group addresses must have had the most immediate overview of the determination of affinities, stated before the DSB generally regarding the selection criteria for the target group addresses that "another data source [...] is the forwarding order" and that the complainant "[takes] past forwarding orders [for the moving affinity] and [...] calculates a probability of how likely it is that another move will take place at this address. […]” and “[taking] data from other XXXX, data that [they] have received from alternative sources/ and combining[…] these with [their] own forwarding order data.” (Transcript of the audio recording of the witness interview XXXX dated May 24, 2019, p. 6 or OZ 1, DSB-D550.148/0014-DSB/2019, p. 21).

When asked about the origin of the data type “frequency of moving” in the hearing on November 20, 2024, the witness could only remember XXXX. However, this statement cannot cast doubt on her statement before the authority concerned. On the one hand, her statement before the authority concerned was closer in time to the crime, which is why it can be assumed that the witness had a better memory at the time.

On the other hand, she did not correct her statement when confronted with her earlier statement and in particular did not attempt to justify the contradiction with a vague use of the terms "moving affinities" and "moving frequencies", as the complainant believes, but rather admitted the contradiction and pointed out that she had remembered incorrectly.

The complainant is right in saying that the witness in her statement did not actually distinguish carefully between "moving frequency" on the one hand and "moving affinity" on the other. Against the background of her description of how the affinities are calculated, in particular that models are developed in a first step based on certain types of data, which are then used to calculate affinities, it is clear that the forwarding orders could only be used to determine the frequency of moves, which is used to develop a suitable model for calculating "moving affinities". No other meaningful application of the forwarding orders is apparent in any of the steps required to determine a specific "moving affinity".

The only thing that could be conceivable is that current forwarding orders are used to update the addresses in the DAM database and thus also update moving affinities. However, the witness spoke of "past forwarding orders"; however, multiple and outdated forwarding orders are not needed to update the address, which is why there is no room for this argument.

The witness's statement also seems to contradict XXXX's statements, according to which the frequency of moves was purchased exclusively from XXXX. However, XXXX also stated that "the affinity [...] was calculated [...] and [...] the forwarding order data was also used." (VH protocol dated November 20, 2024, OZ 31, p. 12) and "In the event of a move, the new address according to the forwarding order will be used if the person concerned has not objected to this in accordance with the Trade Code." (Hearing protocol dated September 23, 2019, DSB-D550.148/0016-DSB/2019, p. 34). It therefore confirms that the forwarding order data was used to calculate the “XXXX affinities”. However, since the use of forwarding orders only makes sense in the context of developing the model in the form of a “moving frequency” (see the previous considerations), it also confirms the use of forwarding orders to calculate a “moving frequency”.

Ultimately, even the exemplary information provided by the complainant pursuant to Article 15 GDPR by the authority concerned cannot change this, contrary to the complainant’s statements. The data type “number of moves” is mentioned in the “Stored data” section and XXXX is shown as the data source or as the supplier of the above-mentioned data (criminal decision, OZ 1, XXXX, p. 58). However, it can only be concluded from this that XXXX provided the complainant with the date "number of moves". On the other hand, it cannot be deduced from this that the complainant did not also receive or determine the frequency of moves from other sources, as witness XXXX originally stated.

2.5.2. On the possible legal basis:

The fact that the complainant did not obtain the consent of the data subjects to process the "frequency of moves" is based on the information provided by XXXX in the hg hearing (minutes of the hearing dated November 28, 2024, OZ 34, p. 8). The informed representative added, in response to a specific query, that around 2017 and “at least before the GDPR”, the BF switched from an “opt in” to an “opt out” model (VH protocol of November 28, 2024, OZ 34, p. 8); given that she also mentioned to the authority concerned that "with forwarding orders [...] there is the option to object to data processing (opt out according to the Trade Code)" (minutes of the hearing dated September 23, 2019, DSB-D550.148/0016-DSB/2019, p. 32), the admission of the XXXX affinities and a lack of evidence, it can be assumed that with regard to package frequencies, with the start of the period of the offense, i.e. since May 25, 2018, there was no longer an "opt in" declaration. The fact that when placing a forwarding order, those affected are informed about the use of data and an "opt-out" option and the type of information is also based on the statement of the witness XXXX (transcript of the audio recording of the witness interview of Ms. XXXX dated May 24, 2019, OZ 1, DSB-D550.148/0014-DSB/2019, p. 21). The specific text is based on the information in the DSFA on the data application "DAM target group addresses" (DSFA p. 11).

2.6. On the findings on the subjective side of the offense:

2.6.1. Regarding the XXXX affinities:

On the preparation of the complainant for the GDPR:

The findings on the preparation of the complainant for the GDPR are based on the information provided by the complainant in the administrative penal proceedings (BF statement of September 10, 2019, p. 2 f, DSB-D550.148/0015-DSB/2019, p. 166 f).

The finding that the data protection officer had to be involved in the examination of individual data applications is based on the statement made by witness XXXX (minutes of the hearing of November 20, 2024, OZ 31, p. 39).

The finding that the legal department was not involved in the assessment of the data applications is based on the corresponding information provided by XXXX (minutes of the hearing of November 20, 2024, OZ 31, p. 5).

Regarding the data protection manager of the “DAM target group addresses” department:

The findings regarding the data protection manager of the “DAM target group addresses” department are based on the statements made by witness XXXX in the hearing on November 20, 2024 (minutes of the hearing from November 20, 2024, OZ 31, p. 17 ff). The fact that she does not know the definition of “personal data” is also based on her questioning (minutes of the hearing from November 20, 2024, OZ 31, p. 36).

Regarding the complainant’s data protection officer:

The findings regarding the complainant’s data protection officer are based on the statements made by witness XXXX in the hearing on November 20, 2024 (minutes of the hearing from November 20, 2024, OZ 31, p. 38 f).

On the data protection review of the “XXXX affinities” by the complainant:

The findings on the data protection review of the “XXXX affinities” by the complainant are fundamentally based on the statements made by witness XXXX in the hearing on November 20, 2024 (hearing minutes of November 20, 2024, OZ 31, p. 19 ff, in particular 19, 21, 31, 32, 34). The fact that the data application was again reviewed because of a high-profile debate in Germany is based on the statements of witness XXXX (hearing minutes of November 20, 2024, OZ 31, p. 49).

The findings that XXXX and XXXX did not discuss with witness XXXX that the affinities are not personal data are based on the following considerations: In her statement before the court, the witness merely mentions that the admissibility of the marketing classifications was considered permissible (“In these discussions, it was also concluded that this statistical classification was permissible”; “In principle, the opinion of all persons in this working group [of XXXX] was that these marketing characteristics are still permissible.” (Minutes of the hearing dated November 20, 2024, OZ 31, p. 21, 31)). The witness could not remember the specific question of whether the report mentioned by the colleague from the XXXX company held the opinion that it was not personal data (minutes of the hearing dated November 20, 2024, OZ 31, p. 21), and the specific question from the BFV as to whether legal issues surrounding the topic of personal reference of marketing classification and trade regulations discussed today were also discussed within the framework of the XXXX working group, she did not address the topic of personal reference, but referred to the trade regulations (“In any case, because it was unclear for a long time, the trade regulations will continue to apply under the GDPR. In this respect, it was a great relief, along the lines of “yes”, when the trade regulations were amended and adapted to the GDPR.” and then continued in general terms “Nevertheless, there were many points about the was discussed […]” (minutes of the hearing of 20.11.2024, OZ 31, p. 31)). The witness XXXX also only mentioned the trade regulations in connection with the meeting with the XXXX, but not the personal reference (“We also met relatively intensively with XXXX. Everyone discussed it there. And the unanimous opinion is that as long as the trade regulations are as they are, then that’s fine.” (Negotiation minutes from November 20, 2024, OZ 31, p. 53)). Likewise, the witness XXXX only speaks of the fact that the XXXX came to the conclusion that the probabilities are “okay” (“We spoke to XXXX. The industry evaluated this and came to the conclusion that the probabilities are okay.” (Negotiation minutes from November 28, 2024, OZ 34, p. 10)) and the witness XXXX that regular inquiries about Section 151 of the Trade Regulations were made with XXXX as a priority (minutes of the hearing dated November 28, 2024, OZ 34, p. 26). Ultimately, it also seems unlikely, given the background of the legal situation at the time (see point 1.6.1.1), that the XXXX should have held the opinion that Sinus geo-milieus or other marketing classifications, despite their assignment to specific people, were not personal data.

The fact that the XXXX affinity was not a topic in the working group of XXXX and at XXXX is based on the fact that the witness XXXX, on the one hand, states that she was primarily concerned with the Sinus Geo milieus and, based on their similarity, concluded that they were related to the XXXX affinities (trial record of November 20, 2024, OZ 31, p. 20, 21) and, when asked specifically whether “XXXX affinities” were a topic in the meeting with XXXX, she refers to the “Sinus Geo milieus” (“more about the Sinus Geo milieus”, “We talked about how these Geo milieus should be classified in terms of data protection law.” (trial record of November 20, 2024, OZ 31, p. 21)); against this background, the witness's statement on the specific question of whether the XXXX affinities were discussed in the XXXX working group, "I can't remember" (minutes of the hearing dated November 20, 2024, OZ 31, p. 32) can only be interpreted as meaning that the XXXX affinities were not an issue in the XXXX working group either. The fact that the witness XXXX misinterpreted a decision by the data protection authority or the data protection commission is based on the decisions cited by the respective authorities and the statements under point 1.6.1.1.

The finding that she also spoke to lawyers in connection with data protection courses is based on the statement by the witness XXXX (minutes of the hearing dated November 20, 2024, OZ 31, p. 34). The fact that there was no further exchange with lawyers is due to the fact that none of the people who were operationally involved with the DAM target group addresses data application, i.e. the witnesses XXXX, XXXX and

XXXX, said this. This cannot be deduced from the statement of the superior of the witness XXXX, the witness

XXXX either. Only the witness XXXX speaks of having spoken to lawyers (“Lawyers were spoken to.”, “On the question of whether XXXX had sought advice, including from lawyers, regarding the XXXX affinities: Yes, exactly. I can’t say now, but the rounds have been made.”, “No, I don’t mean about the XXXX affinities. That was not on the topic in this level of detail, but it was generally about affinities.” (Transcript of the hearing dated November 20, 2024, OZ 31, p. 10)); As head of department and superior of witness XXXX, he was only involved in the review of the data application to the extent that he was informed ("I was, however, generally informed about the affinities, including data protection law. I was told that they were OK in terms of data protection law.", minutes of the hearing dated November 28, 2024, OZ 34, p. 9) and therefore, as manager for another seven to eight other areas, he only had a general overview (minutes of the hearing dated November 28, 2024, OZ 34, p. 9); it can therefore be assumed that he did not know in detail about legal contacts and that there was no legal contact mentioned by XXXX in the context of training courses. The fact that the discussions only related to Section 151 of the Trade Regulation Act is based on her

convincing statements that she had not received any satisfactory

information on Section 151 of the Trade Regulation Act and that more in-depth questions would therefore have been pointless

(minutes of the negotiations dated November 20, 2024, OZ 31, p. 34 f) in conjunction with the fact

that the opportunity to discuss case-specific questions in depth in seminars is very

limited.

The findings that the witness XXXX also discussed the admissibility of the data application in her team, regarding the concerns of XXXX, their discussion in the team leader's meeting and the result of the discussion are based on her statements before the court (“Well, that was an opinion in the discussion that we took very seriously. Nevertheless, we took it on board, or rather the opinion that was able to gain a majority among us. However, we took the concerns seriously and discussed them in the management group.”, minutes of the hearing dated November 20, 2024, OZ 31, p. 26). The fact that the witness XXXX had concerns about the personal reference was also confirmed by him (“Well, I had concerns in the sense that one has to look closely at it, for example whether there is a personal reference.”, minutes of the hearing dated November 28, 2024, OZ 34, p. 13). The fact that the witness XXXX expressed the opinion in the Jour Fixe that there was no personal reference is based on the fact that she stated that she had no doubts about this classification (minutes of the hearing dated November 20, 2024, OZ 31, p. 20) or was convinced by her argument (minutes of the hearing dated November 20, 2024, OZ 31, p. 25). Although the witness XXXX could not remember whether concerns about the admissibility of the XXXX affinities were discussed, this can be explained by the long period of time that had passed and by the fact that he considered the opinion to be irrelevant and contrary to his own conviction and therefore did not note it separately (minutes of the hearing dated November 20, 2024, OZ 31, p. 49).

The fact that he assumed that the affinities were not personal data and that their processing was covered by the Trade Regulations is based on his hg interrogation (“But we did not collect this data personally from or from the persons concerned. We only mapped it and ultimately to avoid wastage in advertising.” (Negotiation minutes of November 20, 2024, OZ 31, p. 49) and “[…] but the unanimous opinion [in the discussion with the XXXX was] that as long as the Trade Regulations are as they are, then that’s fine. And the Trade Regulations were then changed, but only the term was changed from DSG to GDPR, but in terms of content it was exactly the same statement. From that we could conclude that nothing would change legally for the time being.” (Negotiation minutes of November 20, 2024, OZ 31, p. 53)).

The finding that after discussing the opinion of witness XXXX in the Jour Fixe, that the XXXX affinities could be personal data, no further examination of his concerns took place is based on the following considerations: On the question of the extent to which witness XXXX had carried out a legal review of the party's admissibility, he stated that he had expressed concerns and, after his proposals for a joint examination - also for himself - came to the conclusion that the data processing was permissible (minutes of the hearing dated November 28, 2024, OZ 34, p. 15). This cannot be followed. For example, witness XXXX testified that witness XXXX had expressed concerns and that these concerns were discussed in the management group but rejected. She states that the reason for this is that this opinion did not have a majority. She does not mention that Mr. XXXX researched and changed his mind. But that would have been expected if Mr. XXXX had actually carried out research or a detailed check that would have led to a different result.

Witness XXXX did describe his research work, but he describes it either as a general "literature presentation" or as irrelevant with regard to his concerns about the personal reference, for example about Section 151 of the Trade Code and a literature opinion on it or whether political parties are allowed to use the data. With regard to the personal reference, he only states that he is considering changing the XXXX affinities depending on the address. He does not mention any aspects that would speak against the personal reference and should have been the subject of his research (see point 1.6.1 "On the legal situation regarding marketing classifications before May 25, 2018") (minutes of the hearing dated November 28, 2024, OZ 34, p. 14 ff). Ultimately, witness XXXX conspicuously avoided questions about his activities in connection with the examination of XXXX affinities and he is in a dependent relationship with the complainant because he is employed by her (minutes of the hearing dated November 28, 2024, OZ 34, p. 11). This dependency does not exist with witness XXXX because she is already retired (OZ 25). She also answered the questions asked of her in this context specifically, thoughtfully and calmly, which is why her statement was to be followed.

The findings on the legal classification of the "Sinus-Geo-Milieus" and "XXXX-Affinities" by the witness XXXX are based on her statements before the court of first instance (minutes of the hearing dated November 20, 2024, OZ 31, p. 19 f and 25 "In principle, I found my argumentation convincing from the point of view at the time."). The fact that they were nevertheless disclosed and deleted upon request, as well as that they are mentioned in the DPIA and the VVZ although this would not actually be necessary if they were not personal data, may be explained by the reasons for transparency asserted (e.g. PV minutes of the hearing dated November 20, 2024, OZ 31, p. 41, ZV XXXX minutes of the hearing dated November 20, 2024, OZ 31, p. 21). She does not mention that Ms. XXXX assumes that the use of the "XXXX affinities" is permissible because Section 151 Paragraph 6 of the Trade Regulation Act (GewO) justifies the processing (in this sense the complainant in OZ 27 p. 20 or PV minutes of the hearing dated 20.11.2024, OZ 31, p. 9), which is why - against the background that the audit was primarily carried out by Ms. XXXX - the BF's relevant statements could not be followed.

The findings regarding the coordination of witness XXXX with the data protection officer and the examination of the “XXXX affinities” by the data protection officer are based on the information provided by the data protection officer (“I checked them at the time and also coordinated them with the data protection manager.”, “these are statistics and probability values. […] If they are anonymous statistics, then they are not personal data.” (Minutes of the hearing dated November 20, 2024, OZ 31, p. 39 f)).


The finding that the data protection officer failed to carry out a further examination of the personal reference of the “XXXX affinities” and to question her opinion, and that she herself held the opinion that it was not personal data, is based on the following considerations: She herself stated that the personal reference was not up for debate (“It was not up for debate that it was personal data, statistics were simply superimposed on it using a person, actually only a probability.” (Minutes of the hearing dated November 20, 2024, OZ 31, p. 40)). When asked by the data protection authority about her assessment of the “XXXX affinity,” she merely referred to “no major doubts” and to the existence of statistics and probabilities (“[…] I had no major doubts about it, otherwise I would have had the product banned. […] For me, it was essential that these were statistics and probabilities and not data that has been determined or collected from the person concerned. This means that they are not relevant to me in terms of data protection law because they are statistics." (Transcript of the audio recording of the witness interview of Ms. XXXX on May 24, 2019, OZ 1, DSB-D550.148/0014-DSB/2019, p. 35)).

When asked by the BFV whether the attribution of probability values has been qualified as personal data in German jurisprudence, she does not explain any active activity of her own, but merely states that she has not heard anything that "we" have dealt with it and then reports on suspected contacts between the department and German XXXX (minutes of the hearing dated November 20, 2024, OZ 31, p. 44).

When confronted with the question of why, against the background of the definition of "personal data" according to Art. 4 Z 1 GDPR, she did not assume that personal data existed despite attributing individual affinities to specific people, she again does not refer to her own research and considerations on the personal reference but rather relies on the unclear legal situation due to the new GDPR, the lack of knowledge of third parties, the essentially unchanged trade regulations and refers to XXXX as an "expert" ("The person who really knew about it was definitely Ms. XXXX. She knew the most about DAM, she worked there for a long time. She even dealt with the GDPR in her free time and also completed training courses." Minutes of the hearing dated November 20, 2024, OZ 31, p. 46).

This is also consistent with the impression of the Senate that the witness XXXX was apparently completely convinced of her legal opinion, especially since she was visibly moved during the hearing to accept the judgments, but still did not understand them (“[…] We accepted the judgment […] To be honest, I still do not understand it to this day, especially because there are also consequences for other statistics that anyone can use.” Minutes of the hearing dated November 20, 2024, OZ 31, p. 44) and it cannot be assumed that someone would subject a firmly held conviction, even if it were objectively wrong, to a more in-depth review, especially not if the responsible data protection manager, XXXX, holds the same opinion.

Against this background, her statement that she coordinated with (also external) third parties (minutes of negotiations dated November 20, 2024, OZ 31, p. 40) only suggests a general coordination, but not an in-depth legal review.

On the legal situation regarding marketing classifications before May 25, 2018:

The findings regarding the legal opinion regarding marketing classifications before May 25, 2018 are based on the sources cited.

The availability of the decision DSK K120.908/0009-DSK/2005 dated May 20, 2005 in the RIS before the GDPR became applicable is based - in the absence of a publication date in the RIS - on the fact that the decision was made thirteen years before the GDPR became applicable.

The negative finding regarding the availability of the decision DSB-D122.754/0002-DSB/2018 of February 13, 2018 is based on the fact that the RIS does not specify a publication date for the decision, that it was issued relatively shortly before the GDPR came into effect, and that the date of the last change in the RIS is given as January 29, 2019.

2.6.2. Regarding the "packet frequency":

The findings are based on the information provided by the informed representative, according to which there was already a "Chinese Wall" between the business areas before the negative media coverage of the complainant's data processing, which has, however, proven to be full of holes (minutes of the hearing dated November 20, 2024, OZ 31, p. 6).

If the connection between the business areas had been seen as harmless, such a "Chinese Wall", i.e. a separation between the individual business areas, would not have been necessary. The testimony of witness XXXX also points in this direction when he says that they had considered structurally separating the direct marketing area from the other business areas ("When XXXX moved in 2017 [...], it was also discussed to what extent the direct marketing area should be designed separately from the rest of the area. This was a data protection and data security measure."; Minutes of the hearing dated November 28, 2024, OZ 34, p. 12).

If there had been a detailed legal review of the issue, the informed representative would not have had to close any "holes" in the "Chinese Wall" ("I was therefore busy plugging the holes in the "Chinese Wall"."; minutes of the hearing dated November 20, 2024, OZ 31, p. 6); if one assumes that the complainant did not act intentionally, the review would have concluded that the data transfers between the business areas were permissible, which is why she would not have had to close any gaps (or, incidentally, build a Chinese Wall) due to the lack of illegalities. The careless statement by the responsible data protection manager “If I know that a person has moved and no longer lives at this address, why shouldn’t I be able to use this information for other business areas?” also indicates that the DAM business area failed to carry out a well-founded legal analysis of the admissibility of data exchange between the business areas (transcript of the audio recording of the witness statement of Ms. XXXX dated May 24, 2019, p. 9, OZ 1, DSB-D550.148/0014-DSB/2019, p. 24).

2.6.3. Regarding the “frequency of moves”:

See the comments on point 2.6.2.

2.7. Regarding the findings on the data protection impact assessment:

2.7.1. On the objective side of the matter:

The fact that the data protection manager prepared the DPIA is based on her statement (minutes of the hearing dated November 20, 2024, OZ 31, p. 24). The findings on the advice given by the data protection officer are also based on the statement of the data protection manager and the data protection officer (minutes of the hearing dated November 20, 2024, OZ 31, p. 41) and on the fact that the data protection officer confirmed this in writing (“The advice of the data protection officer on this data protection impact assessment was obtained:”; OZ 1 “DSB-D550.148/0001-DSB/2019 | Request for justification February 20, 2019”, p. 42).

The findings on the content of the data protection impact assessment are based on the DPIA, namely on the denial of the existence of special categories of personal data in Appendix 2B-1, p. 1 (OZ 1 "DSB-D550.148/0001-DSB/2019 | Request for justification 20.02.2019", p. 50), on the mention of the "XXXX affinity" in Appendix 2D, p. 3 (OZ 1 "DSB-D550.148/0001-DSB/2019 | Request for justification 20.02.2019", p. 66) and on the risk assessment on p. 17 (OZ 1 "DSB-D550.148/0001-DSB/2019 | Request for justification 20.02.2019", p. 42).

2.7.2. On the subjective side of the offense:

The findings on the data protection manager's motives for her assessment are based on her statement on the DPIA as to why she did not assume special categories of data ("Now that it was statistical data, this assessment seemed incorrect to me.", "Basically, I found my argumentation convincing from the point of view at the time." (Minutes of the hearing dated November 20, 2024, OZ 31, p. 25); see the considerations on the evaluation of evidence in point 2.6.1 "On the data protection examination of the "XXXX affinities" by the complainant:"). The fact that she then also denied the existence of a high risk is a logical consequence.

The data protection officer could no longer remember details of the DPIA (minutes of the hearing dated November 20, 2024, OZ 31, p. 41 f.); however, the findings regarding her role arise from the fact that she was firmly convinced that the affinities were not personal data, which is why it can be assumed that she did not advise the data protection manager otherwise (see point 2.6.1, “The finding that the data protection officer failed to carry out a further examination of the personal reference of the “XXXX affinities” or to question her opinion […]”).

2.8. On the findings regarding the procedure directory:

2.8.1. On the objective side of the offense:

The findings on 1.8.1 arise from the list of processing activities submitted by the complainant (see OZ 1 "DSB-D550.148/0001-DSB/2019 | Request for justification 20.02.2019", p. 22, 24).

The finding on the types of data actually processed by the complainant in connection with the mentioned "data" is based on Appendix 2D of the DPIA (W258 2217446-1 OZ 1, p. 39).

2.8.2. On the subjective side of the offense:

The findings on the decision-making process of the data protection manager and her motives are based on her statement that although her employee was in charge, she also worked with him and was therefore bound by her instructions. (Minutes of the negotiations dated November 20, 2024, OZ 31, p. 26).

The fact that the data types in the VVZ should actually have been listed in an appendix and the appendix was inadvertently only attached to the DPIA and not to the VVZ is based on the following considerations:

There is indeed no appendix in the VVZ and no reference to an appendix. However, a document was in fact created that contains a detailed list of the data types used in the data application "DAM target group addresses", which was attached to the DPIA as an appendix; it is not understandable why, on the one hand, a detailed list of the data categories was made in the DPIA, but such a list should not have been made in the VVZ, since both documents serve the same purpose, namely to enable the national supervisory authority to obtain a quick and complete overview of the data applications. In addition, the data protection manager convincingly pointed to the appendix by expressing incomprehension about the fact that a listing of the data types in an appendix to the VVZ should be inadmissible (“I found it better to make an appendix to the procedure directory and to replace the entire appendix in the event of any changes. And then, in sum, to keep what is in the appendix as marketing data. […] In my opinion, it makes no difference whether I list the data in detail in the appendix or directly in the procedure directory. But it does make a difference in terms of effort.”; Minutes of the hearing dated November 20, 2024, OZ 31, p. 27). Ultimately, it must also be taken into account that the VVZ was created in a special object management program of the complainant, XXXX, which provides for structured entries, and it is therefore conceivable that an input error occurred, for example, when a link was not adopted or an upload of the attachment failed or was forgotten (“If I am specifically asked whether I uploaded the attachment: I think so, but I can no longer swear it on the Bible. I uploaded a lot.” ZV XXXX, minutes of the hearing from November 20, 2024, OZ 31, p. 28).

The findings on the content of the 2D appendix to the DPIA are based on the DPIA submitted (OZ 1 “DSB-D550.148/0001-DSB/2019 | Request for justification February 20, 2019”, p. 64 ff).

2.9. On the assessment of the penalty:

2.9.1. The findings under 1.9.1 are based on the profit and loss statements and quarterly results submitted by the complainant and the group (OZ 31, Appendix ./A and Appendix ./1).

2.9.2. The findings on the issuance of the penal order are based on the return receipt included in the administrative act (OZ 1, XXXX, p. 146).

2.9.3. The findings on the complainant's cooperation (point 1.9.3) are based on the course of the proceedings to date, from which it is clear that the complainant has always shown a willingness to answer the questions of the authority concerned and to provide the requested documents. Most recently, this was also evident in the oral hearing, in which the representative of the complainant (XXXX) reported transparently on the internal processes, disclosed the procedure regarding the settlements concluded and willingly disclosed documents for assessing sales and also explained them (see the minutes of the hearing dated November 20, 2024, OZ 31 and the minutes of the hearing dated November 28, 2024, OZ 34).

2.9.4. The finding under 1.9.4, according to which the complainant concluded settlements or made cease-and-desist declarations with most of the persons affected, is based on the credible testimony of XXXX. In the oral hearing, she stated that the majority of the legal disputes could be settled with settlements (minutes of the hearing dated November 20, 2024, OZ 31, p. 13).

2.9.5. The findings regarding the complainant's previous convictions in point 1.9.4 result from the information officially obtained from the authority concerned regarding the complainant's previous convictions (OZ 29).

2.9.6. The finding in 1.9.6 results from the request for justification dated 20 February 2019, according to which the media coverage prompted the authority concerned to carry out a more detailed examination and ultimately to initiate the proceedings in question (see OZ 1 "DSB-D550.148/0001-DSB/2019 | Request for justification 20.02.2019", p. 5).

2.9.7. The findings on point 1.9.7 arise from the complainant's statement (minutes of the hearing dated November 20, 2024, OZ 31, p. 5) in her statement dated November 11, 2024 regarding the respective sales achieved (OZ 27, p. 23).

3. Legally, this means:

Regarding A)

The admissible complaint is partially justified.

3.1. Regarding point I of the penal decision, unlawful processing of the "XXXX affinities":

3.1.1. To meet the objective criteria:

If the principles for processing, including the conditions for consent, are violated in accordance with Articles 5 and 9 of the GDPR, fines of up to EUR 20,000,000 or, in the case of a company, up to 4% of its total worldwide annual turnover of the previous financial year, whichever is higher, shall be imposed in accordance with Article 83 (2) of the GDPR (Article 83 (5) of the GDPR).

According to Article 5 (1) (a) first case of the GDPR, personal data must be processed lawfully. According to Article 9 (1) third case of the GDPR, the processing of personal data that express political opinions is prohibited, unless an exception under Article 9 (2) of the GDPR applies.

As part of the business of "address publishers and direct marketing companies", the complainant calculated for natural persons the probability that they would be interested in advertising from five political parties ("XXXX affinity") and assigned it to individual persons, stored it, and sold it to third parties, namely

assigned and stored at least from May 25, 2018 to February 22, 2019 for approximately XXXX natural persons and

at least from May 25, 2018 to June 30, 2018 calculated for and sold to XXXX with regard to all data and at least from May 25, 2018 to February 22, 2019 XXXX and XXXX with regard to natural persons with addresses in XXXX.

The purpose was to sell this information to customers for marketing purposes, i.e. to enable customers to reduce wastage in advertising. The complainant did not obtain consent from the people to whom she assigned the “XXXX affinities”. Contrary to the processing ban in Article 9 (1) GDPR applicable from May 25, 2018, the complainant has thus calculated the probability with which a data subject is interested in election advertising of a particular party (“XXXX affinities”), and thus personal data from which the political opinion emerges (on the classification of “XXXX affinities” as personal data from which the political opinion emerges, OGH April 15, 2021, 6 Ob 35/21x paras. 30, 32 ff and VwGH December 14, 2021, Ro 2021/04/0007, para. 53; the complainant withdrew her reservations in a written submission dated November 11, 2024, OZ 27), for data subjects, namely the natural persons contained in the complainant's customer database, assigned it to them, stored it and sold it, the latter to enable third parties to reduce wastage in advertising, namely

assigned and stored until February 22, 2019 for approximately XXXX natural persons and

calculated for and sold to XXXX with regard to all data until June 30, 2018 and to XXXX and XXXX with regard to natural persons with addresses in XXXX,

and thus processed it.

There is no exception to the processing ban, especially since the complainant has not obtained the explicit consent of the data subjects within the meaning of Art. 9 Para. 2 lit. a GDPR, and processing based on the law of a Member State within the meaning of Art. 9 Para. 2 lit. g GDPR in conjunction with Section 151 of the Trade Regulation Act (GewO) is ruled out, because the processing of special categories of personal data pursuant to Section 151 Para. 4 GewO is also only permissible if the data subject has given his explicit consent to the processing of this data for third-party marketing purposes, and no other of the permissions under Art. 9 Para. 2 GDPR apply.

Section 151(6) of the German Commercial Code is also not an option as a possible legal basis for the following reasons:

According to Section 151(6) of the German Commercial Code, traders authorized to carry out the business of address publishers and direct marketing companies are permitted to use marketing information and classifications collected for marketing purposes, which are attributed to specific persons by name based on marketing analysis procedures (“marketing information”), only for marketing purposes and – under further conditions – to pass them on to third parties.

As a more specific provision, Section 151(6) of the German Commercial Code could follow the principle of “lex specialis derogat legi generali” of the regulation in Section 151(4) of the German Commercial Code, according to which the consent of the data subjects is required for the use of special categories of data. Section 151 para. 6 GewO would, in this interpretation, also include the processing of special categories of data and could justify the processing of data types for “XXXX affinity” by the complainant. However, such an interpretation of Section 151 para. 6 GewO fails to be interpreted in accordance with European law in the light of Article 9 para. 2 lit. g GDPR. The exception to the prohibition on processing special categories of personal data pursuant to Article 9 para. 2 lit. g GDPR, according to which processing is permissible on the basis of Union law or the law of a Member State, is subject to a significant restriction: the legal act must be necessary for reasons of significant public interest.The interest pursued by the legal act must therefore serve the general public as such. The requirement of “significance” is also intended to exclude measures that serve the general public but are not so significant that the general public would be seriously affected without the measure in question (Schiff in Ehmann/Selmayr General Data Protection Regulation² Art 9 Rz 52). Particularly protected interests of the common good or common goods are covered (Schulz in Gola GDPR² Art 9 Rz 30). 
According to recitals 46, 52 and 55 of the GDPR, a public interest exists in particular when personal data are processed in the field of labour law and social security law, including pensions, for the purpose of ensuring and monitoring health and health warnings, preventing or controlling infectious diseases and other serious threats to health, for humanitarian purposes, including monitoring epidemics and their spread, - 54 - or in humanitarian emergencies, in particular in the event of natural or man-made disasters, or by state authorities for constitutional or international law-based objectives of state-recognized religious communities. Economic interests or address publishers and direct marketing companies are not mentioned. Only in one place, which does not concern special categories of data or public interests, does the EU legislator refer to data processing for the purpose of direct marketing, namely the question of when a legitimate (data processing) interest within the meaning of Article 6(1)(f) GDPR can be assumed (Recital 47 of the GDPR). Even if not explicitly mentioned in the recitals, there is a (significant) public interest in a functioning economic system, as it has significant effects on public and private budgets and thus indirect effects on the examples of public interests mentioned in the recitals, for example through the ability to finance the public health system or emergency services for disaster relief. Against the background of the recitals, this can no longer be generalized to the existence of certain - not system-critical - economic sectors. In principle, no significant public interest within the meaning of Article 9 Paragraph 2 Letter g of GDPR can be assumed if the legal norm is merely intended to facilitate the activities of a specific economic sector; in such cases, the general public would not normally be seriously affected without the measure in question. 
A regulation according to which address publishing and direct advertising companies may process marketing information, which is also a special category of personal data, even without the consent of the data subjects, does indeed facilitate the activities of these businesses, but its absence does not call into question the existence of the businesses. They are thus able to process marketing information without the consent of the data subjects as long as it does not correspond to any of the special categories of personal data specified in Article 9 Paragraph 1 of GDPR, which is normally sufficient. It is not apparent that the general public could be seriously affected without such a regulation. Such a regulation is therefore not in the significant public interest.

An interpretation of Section 151 Paragraph 6 of the Trade Regulation Act, according to which, contrary to Section 151 Paragraph 4 of the Trade Regulation Act, the consent of the data subject is not required for the processing of marketing information and classifications collected for marketing purposes, even if the marketing information and classifications are special categories of personal data within the meaning of Article 9 Paragraph 1 of the GDPR, is therefore ruled out if the interpretation is in line with European law.

The complainant cannot therefore base the processing of the data types for “XXXX affinity” on Article 9 Paragraph 2 lit g of the GDPR in conjunction with Section 151 Paragraph 4 or 6 of the Trade Regulation Act.

Result

The complainant has thus violated the legality requirement of Article 5 Paragraph 1 lit a first case of the GDPR in conjunction with the prohibition on processing special categories of personal data in Article 9 Paragraph 1 of the GDPR. The criminal liability of this violation is based on Article 83 Paragraph 5 lit a GDPR.

A further attribution of the actions of a specific natural person to the complainant as a legal person (see appeal against the decision of November 25, 2019, p. 54 ff) is not necessary, especially since Section 30 Paras. 1 and 2 DSG and the requirement derived from the VStG, according to which, in order to impose a fine under the GDPR on a legal person, all necessary elements for a punishment of the natural person must be included in the verdict of the penal decision, must remain inapplicable (see ECJ December 5, 2023, C-807/21, Deutsche Wohnen, para. 51, 77 and VwGH February 1, 2024, Ra 2020/04/0187).

3.1.2. On the subjective side of the offense:

In order to impose a fine in accordance with Art. 83 GDPR, it is necessary that the person responsible has committed an infringement referred to in Art. 83 (4) to (6) GDPR intentionally or negligently (ECJ 05.12.2023, C‑807/21, Deutsche Wohnen SE).

The complainant can be accused of such negligent behavior:

On the organizational side, the complainant must be acknowledged for having prepared for the applicability of the General Data Protection Regulation with considerable expenditure of resources.

The division that emerged from the “Fit for the GDPR” project between an initial assessment of data use in the respective department on the one hand and a mandatory involvement of the data protection officer on the other hand appears to be appropriate at first glance, especially since the departments have the best insight into the data use they make and the data protection officer should enable legally independent control. In this specific case, however, this division turns out to be problematic because the initial assessment was imposed on people who - although trained in data protection law - could be/were legal laypeople and - as they come from the department - could have a strong interest in carrying out the planned “own” data processing. This aspect becomes particularly important when – as in this case – data uses that are already being used in the specialist department are to be assessed on the basis of a new legal situation and their inadmissibility under data protection law could lead to the discontinuation or reduction of the business area. There was therefore a considerable risk of fundamental legal misinterpretations due to a lack of general legal knowledge and a "confirmation bias" that was not taken into account organizationally – at least during the transition period to the GDPR. The problems mentioned could be prevented or at least reduced by involving the data protection officer; however, sole review by the data protection officer inevitably reaches its limits in a large company such as the complainant if, as in this case, all of the complainant's data uses have to be examined in preparation for the GDPR. In such a case, it cannot be assumed that there is enough time to adequately deal with the respective data applications. The complainant is to be blamed for this; contrary to her opinion, there was therefore no effective monitoring and control system in place that could exclude the attribution of fault to the complainant (see complaint dated November 25, 2019, p. 48 ff).

With regard to the specific data processing, the data protection manager and the data protection officer assumed that statistical values are not personal data, even if they are attributed to specific people. This legal opinion was particularly untenable against the background of the case law of the Data Protection Commission, the Data Protection Authority (although the complainant cannot be blamed for the decision DSB-D122.754/0002-DSB/2018, especially since it could not be determined whether it had already been published in the RIS before the GDPR became applicable) and the ECJ (ECJ June 22, 2017, C-434/16, Nowak) (see point 1.6.1. “On the legal situation regarding marketing classifications before May 25, 2018:”; see also VwGH December 14, 2021, Ro 2021/04/0007, para. 29 f, according to which, against the background of [the Nowak case law], a qualification of the XXXX affinities as information "about" the persons concerned "cannot be seriously called into question" and OGH 15.04.2021, 6Ob35/21x Rn 30, according to which the "desired interpretation result, according to which a (high) susceptibility to party advertising attributed to the plaintiff himself [...] should not be personal data, cannot be derived from Art 4 Z 1 GDPR in any way." and the interpretation is "undoubted"); even if there has not yet been any explicit supreme court case law on the "XXXX affinities". Even Section 151 Paragraph 6 of the Trade Regulation Act, which the complainant has repeatedly cited, cannot change this, especially since the term “personal data” is defined in Article 4 Paragraph 1 of the GDPR, and thus in a directly applicable European legal norm which – due to the lack of an opening clause – is clearly unable to derogate a national provision such as the Trade Regulation Act.

The data protection manager can be accused of being conspicuously careless in forming her opinion, especially since she interpreted a relevant data protection decision in the most unthinkable way and discussed a different legal opinion with her superior at the Jour Fixe, among others, but did not take any further research steps due to "lack of majority support" and despite the associated impending massive consequences, i.e. the impending processing of special categories of personal data of XXXX Austrians. The further research activities undertaken by the data protection manager were unsuitable to uncover her error, especially since in the exchange with XXXX the admissibility of the processing of affinities was not justified by the fact that it was not personal data - which is why there was no corresponding industry standard -, an expert opinion was believed that was neither available to her nor related to the Austrian legal situation, and she did not receive satisfactory answers in data protection lectures and courses (even on more fundamental topics).

The data protection officer can be blamed for having relied - in apparent ignorance of the existing case law and despite a new legal situation - on her existing (erroneous) opinion that statistical data is not personal data even if it is attributed to specific people, and for not having carried out her own relevant research.

The data protection manager's superior, the head of data and address management, can be blamed for not having carried out or had carried out additional and appropriate research activities despite the dissenting opinion expressed by an employee of the data protection manager and despite the associated impending massive consequences, i.e. the impending processing of special categories of personal data of XXXX Austrians. This blameworthy misjudgment ultimately led to the complainant not further checking the "XXXX affinities" to determine whether they actually constitute a special category of data within the meaning of Art. 9 (1) GDPR and whether and under what conditions their processing could be permissible. The fact that an objective and careful examination could possibly have shown (albeit incorrectly) that the "XXXX affinities" are not special categories cannot remedy the errors, especially since such an examination was not carried out. Contrary to the complainant's opinion, there can be no talk of an excusable error of prohibition; even any legal opinions put forward by the complainant to support her view cannot change this, especially since they were only published after the period in which the offence was committed (e.g. XXXX , ecolex 2019, 715, ECJ 1 October 2019, C-673/17 and ECJ 26 April 2023, T-557/20 or OZ 37). On the contrary, it can be assumed that the conduct was grossly negligent. This negligent conduct must be attributed to the complainant; an action or knowledge of a management body of the complainant is not required for this (ECJ 05.12.2023, C‑807/21, Deutsche Wohnen SE, para. 77).

It can therefore be assumed, in an overall assessment, that the complainant committed the act negligently.

3.1.3. On the arguments of the BF:

If the complainant argues that the case law has (surprisingly) developed a new data category "calculated political opinion" (cf. OZ 34, p. 40), it must be countered that the case law has not actually created a new data category. The XXXX affinities in question were only uniformly assessed by the courts as personal data within the meaning of Art. 4 Z 1 GDPR and subsequently as a special category of data, namely as a type of data from which political opinions emerge.

Since the complainant has already culpably failed to classify the "XXXX affinities" as personal data, she cannot in any case rely on any uncertainties in classifying the XXXX affinities as special categories of data.

If the complainant refers to decisions, events or an isolated dissenting opinion in the literature (such as on the allegedly differentiating consideration of the personal reference ECJ 01.10.2019, C-673/17 and ECJ 26.04.2023, T-557/20; Judgment of the Upper Tribunal 22.04.2024, UA-2023-000512-GIA, XXXX ; a first instance judgment following the article or an article by the representative in the present proceedings Böszörmenyi, Personal reference of statistical probability values, Dako 2024/50 et al. on credit scoring, whereby the minority opinion cited in the article, according to which such probability values are not personal data, is now obsolete, especially since the German Federal Court of Justice then ruled that this was personal data (January 28, 2014, VI ZR 156/13); and most recently with OZ 37 on the decision of the European Data Protection Supervisor (“EDPS”) on the number Case 2023-1205 there), it must be countered that – regardless of their actual content – they were only issued or published after the assessment of the data processing by the complainant, which is why it cannot justify its misjudgment at the time of the offence. Even an alleged lack of uniformity in the argumentation in the administrative legal process in the ex officio procedure cannot lead to an unclear legal situation at the time of the examination by the complainant; in addition, all decisions led to the same result anyway and the different arguments related only to the question of the existence of special categories of personal data. With regard to the question of whether personal data exists, the arguments of the DSB, the BVwG, the VwGH and the OGH were consistent. Regardless of the clear legal situation established, the argument of the complainant would not be suitable to rule out her fault anyway, especially since it does not emerge from it that the "XXXX affinities" are with significant probability not personal data. The complainant could therefore have had - even if the complainant's arguments were followed - at most doubts about the classification of the "XXXX affinities" under data protection law. In such a case, however, it would have been required to deal with the issue in a legally sound manner, for example with an external and legally sound report, which it did not do.

If the complainant relies on ambiguities in and her involvement with Section 151 of the Trade Regulations, it must be countered that Section 151 of the Trade Regulations could indeed be a permit within the meaning of Article 6 Paragraph 1 Letter e of GDPR or an exception to the processing ban under Article 9 Paragraph 2 Letter g of GDPR, but the complainant is not accused of making a mistake about the applicability of a permit, but rather about the existence of personal data.

3.1.4. Clarification of judgment point I.:

The judgment of a penal decision must be formulated in such a way that the subsumption of the offence assumed to be proven under the administrative regulation violated is clear and complete, i.e. the existence of the specific violation can be immediately concluded from the act. The description of the offence must be so precise in the judgment - and not only in the reasoning - that the accused can protect his rights of defence and is not exposed to the risk of double punishment, and it must leave no doubt as to what the offender was punished for (cf. VwGH April 12, 2023, Ra 2020/05/0066, RS1). The administrative court must clarify an imprecise judgment if necessary (VwGH June 12, 2024, Ra 2022/02/0146, para. 13).

Regardless of the actual processing period (see point 3.1.1 for details), only the period of the offense assumed by the authority concerned from May 25, 2018 to February 21, 2019 is to be used in the case, because an extension to February 22, 2019 would be inadmissible (see VwGH June 1, 2023, Ra 2022/07/0186, para. 21 f).

As the complainant correctly noted (see appeal of the decision dated November 25, 2019, p. 70 f), point I of the penal decision - especially with regard to the offense assumed to be proven - is too broad. In order to meet the requirements of Section 44a Z 1 VStG, the description of the offense had to be specified in accordance with the judgment.

3.2. On point II. a) of the penal decision, unlawful further processing of the package frequency and moving frequency:

3.2.1. On the (purpose-changing) further processing of the "package frequency":

To meet the objective elements of the offence:

If the principles for processing, including the conditions for consent, are violated in accordance with Articles 5 and 9 of the GDPR, fines of up to EUR 20,000,000 or, in the case of a company, up to 4% of its total worldwide annual turnover of the previous financial year, whichever is higher, will be imposed in accordance with Article 83 (2) GDPR (Article 83 (5) GDPR).

According to Article 5 (1) lit a 2nd and 3rd case GDPR, personal data must be processed in good faith and in a manner that is transparent to the data subject and, in accordance with Article 5(1)(b) GDPR, they must be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes. Further processing is possible in accordance with Article 6 (4) GDPR if the data subject has given his or her consent or if the change of purpose is based on a legal provision of the Union or of the Member States which, in a democratic society, represents a necessary and proportionate measure to protect the objectives referred to in Article 23 (1), or if the change of purpose is compatible with Article 6 (4) lit. a to e GDPR. For such a purpose, the following must be taken into account, among other things:

any connection between the purposes for which the personal data were collected and the purposes of the intended further processing (lit. a),

the context in which the personal data were collected, in particular with regard to the relationship between the data subjects and the controller (lit. b),

the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9 or whether personal data relating to criminal convictions and offences are processed pursuant to Article 10 (lit. c),

the possible consequences of the intended further processing for the data subjects (lit. d) and

the existence of appropriate safeguards, which may include encryption or pseudonymisation (lit. e).

According to Section 12 Paragraph 1 PMG, the complainant is designated by law as a universal service provider. According to Section 6 Paragraph 1 of the law, the universal service is a minimum range of postal services that are generally considered necessary to maintain basic services for users, that are offered across the country and to which all users have access at an affordable price.

According to Section 6 Paragraph 2 of the PMG, the universal service includes the services of collection, sorting, transport and delivery of postal items up to 2 kg and up to 10 kg and services for registered and valuable items.

For the present case, this means:

With regard to the persons included in its DAM database, the complainant has taken at least a list of the packages received, including the time of their receipt, from the parcel delivery business area (“key figures”) and used this to calculate the package frequency of the respective person, i.e. the number of packages that the person has received in a certain period of time. In doing so, it also took the key figures from people who were not customers of the complainant, for example by using the confirmations of receipt of the packages. It did not obtain consent from the people concerned for this. As a result, the data was used in anonymized form to create a projection model for marketing purposes.

As a universal service provider, the complainant must process the data required to provide the service on the basis of its legal remit under the PMG and thus, due to its activity, it necessarily has a large amount of personal data, such as information on package delivery, which it only has (privileged) access to on the basis of its service contracts arising from the PMG.

The transfer of data from package recipients in connection with the performance of tasks as a universal service provider in order to use them to create an extrapolation model for the calculation and attribution of marketing classifications, here "package affinities", is not comprehensible and predictable for the person concerned and is therefore in contradiction to the processing principle of good faith and transparency pursuant to Art. 5 Paragraph 1 Letter a of GDPR. Furthermore, there is neither consent nor a corresponding legal basis within the meaning of Art. 6 Paragraph 4 GDPR for the purpose-changing further processing, especially since Section 151 of the Trade Regulations cited by the complainant on the one hand only allows the transmission of data from a customer and prospective customer file system without the consent of the persons concerned in accordance with Paragraph 5 of the GDPR for certain exhaustively listed data types and the data types received (packages received) and the time of receipt of the package are not reflected in it. On the other hand, Section 151 of the Trade Regulations does not constitute a legal basis under Article 6 Paragraph 4 of the GDPR, because such a basis requires the protection of one of the objectives mentioned in Article 23 Para. 1 of the GDPR. The important economic interest of the Union or a Member State mentioned in the law – as far as relevant – does not exist with regard to the mere facilitation of the activities of address dealers and direct marketing companies (see the comments on Section 151 Para. 6 of the Trade Regulations under point 3.1.1, which are based on a “significant” public interest, but can be transferred to the considerations of important economic interest).

Letters a to e of Article 6 Para. 4 of the GDPR, which are therefore to be examined, do not lead to a permissible change of purpose, especially since the complainant can obtain the data on the receipt of parcels from customers and also from non-customers solely because it offers parcel services as a universal service provider and there is no connection to marketing purposes in this regard (letters a and b). Against this background, the fact that the data types in question do not involve special categories of personal data or criminal convictions or offenses pursuant to Art. 10 GDPR (lit. c) and the consequences of the intended further processing for the data subjects are to be classified as minor, in particular because the data are anonymized by calculating a regional average after being taken over and an average value is calculated (lit. d and e), may also make the change of purpose inadmissible. The further processing of the key figures from the “parcel delivery” business area for the “address publishers and direct marketing” business area is therefore unlawful pursuant to Art. 5 lit. a 2nd and 3rd case in conjunction with Art. 83 para. 5 lit. a GDPR and Art. 5 lit. b in conjunction with Art. 6 para. 4 GDPR in conjunction with Art. 83 para. 5 lit. a GDPR.

On the subjective side of the offense:

It would have been reasonable and appropriate for the complainant to deal substantively with the legal question of the admissibility of the (further) processing operations she carried out under data protection law and, as a result, to bring the product range of the "Address Publishers and Direct Marketing" division into line with the legal requirements of the GDPR. This in particular because she was aware that the connection between the divisions as postal service providers and as address dealers could be legally problematic. Her behavior is therefore to be considered negligent.

Since the further processing to change the purpose was terminated in February 2019, the period of the offense had to be adjusted accordingly in the ruling of the authority concerned.

On the complainant's arguments:

Contrary to the complainant's submission (see its argument on data anonymization or differentiation between package frequency and package affinity, OZ 27, p. 6 f), the illegality of its conduct already consists in the unlawful further processing of the number of packages received during a certain period of time from the business area of package delivery. This is precisely what point II.a. of the judgment refers to. The complainant's argument that the model of the package frequency was anonymized or that the package affinity was not the subject of the judgment was therefore no longer relevant.

3.2.2. On the further processing of the frequency of moves:

With regard to the further use for a different purpose, reference should be made to the legal considerations on the further processing of the package frequency, especially since the complainant also receives the forwarding orders (privileged) as a universal service provider and Section 151 of the Trade Regulations, which the complainant cites, proves to be unsuitable because Section 151 Paragraph 5 of the Trade Regulations does not represent a suitable standard within the meaning of Article 6 Paragraph 4 GDPR in conjunction with Article 23 Paragraph 1 GDPR.

The further use of the frequency of moves differs from the further use of the package frequency in one crucial point: a contractual relationship exists between the complainant and the persons concerned on the basis of the forwarding order (Article 6 Paragraph 4 lit b GDPR).

In addition, those concerned are informed – just about sufficiently – about the further use of the data. The description of data processing “for marketing purposes” would in principle be too general, because data subjects would not be able to form an idea of the specific data processing. In the specific case, however, the data processing essentially consists of an average calculation with subsequent anonymization and is therefore at the lowest threshold of use “for marketing purposes”. However, a data subject would in any case assume this lowest threshold in the case of use for “marketing purposes”, which is why the information in the specific case is just sufficient to enable data subjects to evaluate the data processing. Data subjects are also given the opportunity to object to the use of data simply by selecting a selection field. Furthermore, the package frequency is only used to calculate a regional average for the creation of the extrapolation model, i.e. the possible consequences for data subjects are low. Against this background, the further processing of the forwarding orders for the “Address Publishers and Direct Marketing” business area proves to be permissible in accordance with Art. 5 lit. b in conjunction with Art. 6 para. 4 GDPR, which is why the procedure had to be discontinued on this point.

In view of this result, the question of whether the authority concerned had sufficiently specified the accusation regarding the frequency of moves did not need to be addressed further.

3.2.3. On the arguments of the complainant:

Contrary to the complainant's assertion, the illegality of her conduct already consists in the unlawful further processing of the number of packages received during a certain period of time from the business area of parcel delivery. This is precisely what point II.a. of the ruling deals with. The argument of the BF that the model of the parcel frequency was anonymized and that the parcel affinity was not the subject of the ruling (cf. its argument on data anonymization and differentiation between parcel frequency and parcel affinity, OZ 27, p. 6 f.) was therefore not relevant.

3.2.4. Clarification of point II.a.:

The act described by the authority concerned in point II.a. was too general, which is why it had to be specified in accordance with the ruling (see point 3.1.4).

3.3. On point IV of the penal decision, incorrectness of the data protection impact assessment:

The authority concerned declared the data protection impact assessment for the application “DAM – target group addresses” to be incorrect, because it denied the processing of special categories of personal data, although the “XXXX affinity” was calculated and processed, and yet the result denied the existence of a high risk.

The complainant argued that the act had been described inaccurately by the authority concerned. If the allegation is that the complainant (improperly) denied processing of special categories of personal data, she stated that Article 35 GDPR does not require that the legal basis be cited, which is why this misjudgment could inconceivably lead to a violation. If the allegation is, however, that the risk of the XXXX affinities is misjudged, this would be an offence of omission, which can only be remedied by active action. The authority concerned failed to describe this actus contrarius. In addition, recognizing the risk requires recognizing that the XXXX affinities are sensitive data. This unlawful content has already been remedied by point I of the judgment and the act described there. A further punishment is inadmissible. Furthermore, the legal provision applied was not sufficiently specified.

3.3.1. To meet the objective requirements:

If a controller violates the obligation under Art. 35 GDPR, in accordance with Article 83 Paragraph 2 GDPR, fines of up to EUR 10,000,000 or, in the case of a company, up to 2% of its total worldwide annual turnover of the previous financial year, whichever is higher, will be imposed (Art. 83 Paragraph 4 lit. a GDPR).

According to Art. 35 Paragraph 1 GDPR, a controller must carry out an assessment of the consequences of the intended processing operations for the protection of personal data if a form of processing, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons due to the nature, scope, context and purposes of the processing (cf. Art. 35 Paragraph 1 GDPR). A data protection impact assessment is required, in particular, for extensive processing of special categories of personal data in accordance with Article 9 Paragraph 1 GDPR (cf. Article 35 Paragraph 3 Letter b GDPR; or Article 29 Data Protection Working Party, Data Protection Impact Assessment, WP248 rev.01, p. 9). A data protection impact assessment must, among other things, contain at least an assessment of the risks to the rights and freedoms of the data subjects (Article 35 Paragraph 7 Letter c GDPR).

An (objective) violation of Art 35 GDPR does not only occur if a data protection impact assessment is (completely) not carried out, but also if the data protection impact assessment is incorrect (or “not carried out properly”) (cf. Trieb in XXXX, DatKomm Art 35 GDPR para. 11; as well as Article 29 Data Protection Working Party, Data Protection Impact Assessment, WP248 rev.01, p. 5 and Recital 84 GDPR, according to which the controller is responsible for carrying out the data protection impact assessment).

For the present case, this means: The complainant has processed, among other things, the XXXX affinity of persons. The XXXX affinities were – as explained in point 3.1.1.2 – personal data in a special category (sensitive data) within the meaning of Art. 9 (1) GDPR (cf. VwGH 14.12.2021, Ro 2021/04/0007, para. 53). With around XXXX persons affected, the processing was also “extensive” within the meaning of Art. 35 (3) lit. b GDPR. Such extensive processing of personal data in a special category in any case entails a high risk, which must be identified in a proper data protection impact assessment. The assessment made by the complainant in the DPIA on the application “DAM – target group addresses”, which also includes the processing of the XXXX affinities in question, that there is “no high risk” is therefore incorrect. The data protection impact assessment was therefore incorrect or was not carried out properly.

This means that the objective elements of a violation of Article 35 paragraph 3 letter b GDPR in conjunction with Article 35 paragraph 7 letter c GDPR are met. The criminal liability of this violation is based on Article 83 paragraph 4 letter a GDPR.

3.3.2. On the subjective side of the offense:

Since the incorrectness of the assessment is based on the incorrect classification of the XXXX affinities as non-personal data, which is to be considered negligent (see point 3.1.2), the complainant must also be considered negligent in her subsequent error based on the careless behavior.

The incorrect preparation of the DPIA is therefore to be considered negligent.

3.3.3. The complainant's arguments cannot change this:

Contrary to the complainant's statements in her appeal against the decision, it is clear from point IV of the penal decision in question - as already stated in point 4) of the request for justification - that the administrative offence lies in the incorrectness of the data protection impact assessment, because "in this assessment the processing of special categories of personal data was denied, although the "XXXX affinity" was calculated and processed, and yet the existence of a high risk was denied in any case." (see the penal decision of October 23, 2019, p. 3).

Due to the circumstances of the present case, the administrative court has no doubt that the offences the complainant, as the accused, was charged with were sufficiently specified from the outset. The complainant was able to comment comprehensively on the allegations against her throughout the proceedings and, among other things, in the oral hearing before the administrative court. The Administrative Court also does not see any danger of double punishment in the present case, as the offence (faulty data protection impact assessment) and the circumstances of the offence (failure to recognise the existence of sensitive data and failure to recognise the high risk) can be taken from the ruling with sufficient precision (see in this regard VwGH 04.12.2017, Ra 2017/02/0118, para. 8; there with regard to the time and place of the offence).

It is not clear to what extent the implementation of an incorrect data protection impact assessment should constitute an omission offense; after all, the accusation relates to the (active) denial of a high risk, although special categories of data were processed.

If the complainant believes that the unlawful content has already been compensated for by point I of the judgment and the act described therein, it must be countered that the requirements for the legality of data processing and the regulations on the duties of a controller pursue different objectives. According to the case law of the ECJ, the violation of formal or general obligations of the GDPR (Articles 26 and 30 of the GDPR) does not lead to unlawful processing (cf. ECJ 04.05.2023, C-60/22, Federal Republic of Germany, para. 59 ff.). In this decision, the ECJ highlighted the differences between the "principles" regulated in Chapter II and the "general obligations" regulated in Chapter IV, Section 1. Since the obligation to carry out a (proper) DPIA, as with the obligation to maintain a list of processing activities under Art. 30 GDPR, is also an obligation incumbent on the controller, the cited ECJ case law can be applied to the present case. This view is confirmed by the fact that the ECJ - as is the case here - has also referred to the different sanction norms of Art. 83 (4) and (5) GDPR for differentiation (see ECJ 04.05.2023, C-60/22, Federal Republic of Germany, para. 63). In addition, a DPIA must be carried out before the processing activity begins, whereas the illegality can only become apparent after the processing has begun. The two violations therefore necessarily fall apart in time. In this respect, the violation consisting of an incorrect DPIA is not, as the complainant claims, already consumed by the unlawful processing within the meaning of point I or something similar (see also EDSA, Guidelines 04/2022 for the calculation of fines within the meaning of the GDPR, version 2.1, adopted on May 24, 2023, paras. 30-45).

The complainant is obliged to carry out the data protection impact assessment with due care, which it did not do in the present case. Contrary to the complainant's opinion, the assessment of the illegality of the data protection impact assessment therefore does not depend on the question of whether the information contained in the data protection impact assessment correctly reflects the complainant's (blameably incorrect) legal opinion.

Regarding the alleged violation of the right against self-incrimination ("nemo tenetur") or a prohibition on the use of evidence obtained in administrative proceedings on the basis of the duty to cooperate under Art. 31 GDPR, in this case the DSFA and the VVZ, the following must be stated:

The principle of the prohibition of self-incrimination is based on Art. 6 Paragraph 1 ECHR. The Administrative Court, referring to the established case law of the European Court of Human Rights on Article 6, Paragraph 1 of the European Convention on Human Rights, assumes that the accused in criminal proceedings has the fundamental right not to incriminate himself. The guarantee is not limited to statements, but also includes the obligation to hand over evidence in person. The right to remain silent (prohibition of self-incrimination) is not an absolute right, but can be subject to restrictions.
The European Court of Human Rights has considered the following criteria to be decisive for their admissibility, in the nature of a flexible system: the nature and severity of the coercion to obtain evidence, the weight of the public interest in prosecuting the crime and punishing the perpetrator, the existence of appropriate procedural guarantees and the use of the evidence obtained in this way. Obligations to provide information to the authorities can mean a (possibly impermissible) restriction of the right not to incriminate oneself if sanctions are imposed on the person obliged to provide information on the basis of the facts thus obtained. However, according to case law, such an intervention is compatible with Article 6 Paragraph 1 of the ECHR if the obligation to provide information is not disproportionate to the intended purpose and does not violate the core content of the prohibition. The Administrative Court has repeatedly assumed that the party has an obligation to cooperate even in criminal proceedings if, for example, it is not possible for the authorities to establish the facts essential to the decision without the cooperation of the accused (VwGH 24.02.2014, 2013/17/0834 point 2.2.).

The standardized obligation to submit the DSFA and VVZ, which the complainant criticized (and which is subject to a penalty), now serves the authority concerned precisely to determine the facts relevant to the decision. Without these documents, the investigation would only be possible with disproportionate effort, such as house searches involving data forensics experts. In addition, the documents were not requested in the administrative procedure in order to check their accuracy, but rather to get to the bottom of media reports on the processing of the "XXXX affinities" by the complainant. If the authority concerned subsequently recognizes that the documents are incorrect and initiates and conducts criminal proceedings on the incorrectness of the DSFA or VVZ, regardless of the actual purpose of the investigation, namely to check the legality of the XXXX affinity, the "nemo tenetur" principle does not prevent this, in particular because if it were not allowed to use the documents, it would not be possible to provide evidence of their incorrectness.

3.4. Regarding point V of the criminal judgment, incorrectness of the list of processing activities:

The authority concerned stated that the VVZ was incorrect because it denied a) the processing of particularly sensitive data, including political opinion, and b) the extensive processing of sensitive data (point V).

3.4.1. To meet the objective requirements:

If a controller violates the obligation under Art. 30 GDPR, in accordance with Article 83 Paragraph 2 GDPR, fines of up to EUR 10,000,000 or, in the case of a company, up to 2% of its total worldwide annual turnover of the previous financial year, whichever is higher, will be imposed (Art. 83 Paragraph 4 lit. a GDPR).

According to Art. 30 Paragraph 1 GDPR, every controller must keep a register of processing activities - unless one of the exceptions under Art. 30 Paragraph 5 GDPR, which are not relevant here, applies. This must include various details on the respective processing activity, as set out in more detail in Art. 30 Paragraphs 1 and 2 GDPR, which also includes a description of the categories of personal data (cf. Art. 30 Paragraph 1 lit. c GDPR). This is intended, among other things, to enable proof that the controller processes data in accordance with the GDPR (see Recital 82 GDPR). A violation of the formal obligation stipulated here can be committed either by completely failing to maintain a processing register or by an incomplete processing register (see Hartung in Kühling/Buchner, DS-GVO BDSG, Art 30, Rz 40). The purpose of specifying the categories of personal data is to enable a legality check. The benchmark for this is a level of detail that enables the supervisory authorities to check (see Hartung in Kühling/Buchner, DS-GVO BDSG, Art 30, Rz 19).

For the present case, this means:

The complainant has stated in its list of processing activities regarding the categories of personal data processed that it denies “extensive processing of sensitive data” or “processing of data requiring particular protection (ethnic origin, political opinion, ...)”, although it has processed “XXXX affinities” and therefore personal data from which political opinion emerges.

These statements by the complainant in its list of processing activities for the application “DAM target group addresses” are therefore objectively incorrect or erroneous. The explicit denial of the processing of sensitive or particularly vulnerable data on political opinion makes it difficult and can make it impossible to use this list to check the legality of the processing in question (see also EDSA, Guidelines 04/2022 for the calculation of fines within the meaning of the GDPR, Version 2.1, adopted on May 24, 2023, para. 28, example 1b, according to which the failure to list a processing activity in the records also constitutes an infringement).

Such data categories should even be highlighted separately (see Hartung in Kühling/Buchner, DS-GVO BDSG, Art. 30, para. 19). The denial of the processing of sensitive data and the political opinions of the persons concerned therefore constitutes a violation in any case.

This means that the objective elements of a violation of Article 30 Paragraph 1 Letter c of GDPR are fulfilled.

The criminal liability of this violation is based on Article 83 Paragraph 4 Letter a of GDPR.

3.4.2. On the subjective side of the offense:

Since the incorrectness of the information in the VVZ is based on the incorrect classification of the XXXX affinities as non-personal data, which is to be considered negligent (see point 3.1.2), the complainant must be considered to have acted negligently for the subsequent error based on the careless behavior.

The incorrect preparation of the DSFA is therefore to be considered negligent.

3.4.3. The complainant's objections cannot change this:

Insofar as the complainant believes that the unlawful content has already been compensated for by point I of the judgment and the act described therein, and regarding the alleged violation of the right against self-incrimination "nemo tenetur" and the truthful representation of the complainant's opinion in the VVZ, see the relevant comments under point 3.3.3.

3.5. Regarding point VI of the penal decision, inadequacy of the list of processing activities:

With regard to the VVZ, the authority concerned also stated that it was insufficient because not all of the data categories actually processed were listed in it and it was therefore not drawn up in sufficient detail (point VI of the judgment).

3.5.1. To meet the objective requirements:

With regard to the requirements for a list of processing activities, reference is made to the explanations in point 3.4.1.

For the present case, this means:

In the list of processing activities for the data application “DAM target group addresses”, the complainant “only” stated that “address data, identification data, contact data, marketing, personal master data” are processed in terms of the categories of personal data processed.

However, given that the complainant processes data types such as “XXXX affinity”, “package affinity” and “moving affinity”, the statement “marketing” is too general to make a statement about which specific marketing information is processed and thus does not enable proof that the complainant processes data in accordance with the GDPR (cf. Recital 82 GDPR; see also Hartung in Kühling/Buchner, DS-GVO BDSG, Art 30, para. 19). It is therefore in any case incomplete (see also EDSA, Guidelines 04/2022 for the calculation of fines within the meaning of the GDPR, Version 2.1, adopted on May 24, 2023, para. 28, Example 1b, according to which the failure to list a processing activity in the records also constitutes an infringement).

Contrary to the complainant's view, it is not sufficient that the information required for a VVZ is distributed in different and unrelated documents, especially since Article 30(1) GDPR speaks of a directory in which at least all of the information contained in letters a to g must be included and such an interpretation would contradict the inherent purpose of providing a summary of the data applications used to the supervisory authority (paragraph 4 leg cit) in order to provide evidence that the complainant processes data in accordance with the GDPR (cf. Recital 82 GDPR). This means that the objective elements of a violation of Article 30(1)(c) GDPR are met. The criminal liability of this violation is based on Article 83(4)(a) GDPR.

3.5.2. On the subjective side of the offense:

The complainant has drawn up a detailed list of the categories of data processed in order to attach them to the VVZ and the DSFA as an appendix. There are no objections to the list of the types of data used in an appendix to the VVZ. However, the complainant inadvertently assigned this appendix not to the VVZ, but only to the DSFA. This oversight must be attributed to negligent behavior, although it can still be assumed that this is a criminal offense.

3.5.3. The complainant's arguments cannot change this:

When the complainant points out that the VVZ already contains an illustrative list of the types of data, namely "e.g. purchasing power, Sinus milieus and bioaffinity", it must be countered that the list remains only illustrative and therefore does not enable proof that the complainant processes the data in accordance with the GDPR. Even a reference to the DSFA contained in two places in the VVZ without reference to the specific types of data processed, in which the specific types of data are then referred to in an appendix, is not sufficient - contrary to the complainant's submission made at the hearing (OZ34, p. 29). If the complainant refers to a decision of the Supreme Court for the required level of detail in which, as part of a legality review, it referred to data such as the name, telephone number, address and opening hours of a doctor as "profile data", contrary to the complainant's view, it cannot be concluded that this would be a permissible description of the categories of personal data under Art. 30 para. 1 lit. c GDPR, especially since this statement was made in a completely different context (cf. Supreme Court 20.09.2024, 6 Ob 221/23b, para. 71; or the complainant's relevant submission in OZ 27, p. 11).

Regarding the alleged violation of the right against self-incrimination "nemo tenetur", see the comments under point 3.3.3.

3.5.4. Clarification of ruling point VI.:

The complainant is correct in saying that the failure to provide the necessary detail of data categories is an offence of omission, which is why the ruling had to be adjusted accordingly (see VwGH 19.04.2023, Ra 2022/07/0079, para. 10 on the offence of omission and VwGH 16.05.2022, Ra 2021/07/0049, para. 30 on the clarification of the ruling).

With regard to the blanket reference to Art. 30 GDPR by the authority concerned, the administrative court's clarification and restriction to Art. 30 para. 1 lit. c GDPR is covered by the subject matter of the proceedings and does not inadmissibly extend the criminal charge: The wording used by the authority concerned, "not all categories of data actually processed" - contrary to the complainant's argument - clearly shows that not only the lack of XXXX affinities, but all ("all") data processed for the application "DAM - target group addresses" is meant, which is why the complainant was able to protect her rights of defense in knowledge of the charge.

3.6. On the assessment of penalties:

The relevant provision of Article 83 GDPR for the assessment of penalties reads as follows:

“Article 83 (1) Each supervisory authority shall ensure that the imposition of fines pursuant to this Article for infringements of this Regulation pursuant to paragraphs 5 and 6 is effective, proportionate and dissuasive in each individual case.

(2) Fines shall be imposed in addition to or instead of measures pursuant to Article 58(2)(a) to (h) and (i), depending on the circumstances of the individual case. When deciding on the imposition of a fine and on its amount, the following shall be duly taken into account in each individual case:

(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, as well as the number of persons affected by the processing and the extent of the damage suffered by them;

(b) the intentional or negligent nature of the infringement;

(c) any measures taken by the controller or processor to mitigate the damage caused to data subjects;

(d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures taken by them pursuant to Articles 25 and 32;

(e) any relevant previous infringements by the controller or processor;

(f) the level of cooperation with the supervisory authority to remedy the infringement and mitigate its possible adverse effects;

(g) the categories of personal data concerned by the infringement;

(h) the manner in which the infringement became known to the supervisory authority, in particular whether and, if so, to what extent the controller or processor notified the infringement;

(i) compliance with measures previously ordered pursuant to Article 58(2) against the controller or processor concerned in respect of the same subject matter, where such measures have been ordered;

(j) compliance with approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k) any other aggravating or mitigating circumstances specific to the case, such as financial advantages gained or losses avoided, directly or indirectly, as a result of the infringement.

(3) Where a controller or processor intentionally or negligently infringes several provisions of this Regulation in the case of the same or related processing operations, the total amount of the fine shall not exceed the amount for the most serious infringement.

(4) Infringements of the following provisions shall be subject to administrative fines of up to EUR 10 000 or, in the case of an undertaking, up to 2 % of its total worldwide annual turnover of the preceding financial year, whichever is higher, in accordance with paragraph 2:

(a) the obligations of controllers and processors under Articles 8, 11, 25 to 39, 42 and 43; [...]

(5) In the case of infringements of the following provisions, fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4 % of its total worldwide annual turnover of the preceding financial year, whichever is higher, shall be imposed in accordance with paragraph 2:

(a) the principles of processing, including the conditions for consent, set out in Articles 5, 6, 7 and 9;

(b) the rights of data subjects set out in Articles 12 to 22;

[...]"

3.6.1. On the imposition of an overall penalty for all processing operations:

If a controller or processor intentionally or negligently infringes several provisions of this Regulation in the case of the same or related processing operations, the total amount of the fine shall not exceed the amount for the most serious infringement (cf. Article 83(3) GDPR). The absorption principle therefore applies, which, due to the priority of application of Union law, takes precedence over § 22 VStG, in which the cumulation principle is standardized (cf. AB 1761 BlgNR XXV. GP, 14; Jahnel, Commentary on the General Data Protection Regulation Art. 83 GDPR Rz 12).

Identical or interconnected processing operations are defined by the fact that a uniform behavior can consist of several parts, the execution of which is determined by a uniform will. The connection must exist in terms of content (data subject, purpose and type of processing), space and time, so that one can speak of a natural unit of action (see EDPB Guidelines 04/2022 for the calculation of fines within the meaning of the GDPR, version 2.1, adopted on 24 May 2023, para. 25 ff.).

In the present case, it can be assumed that the processing operations were connected to one another, because all of the acts of which the complainant is accused, namely having processed XXXX affinities of data subjects and having created an incorrect data protection impact assessment and an incorrect procedure directory with regard to this data processing, having further processed the number of packages received during a certain period (package frequency) and forwarding orders and having created an inadequate procedure directory with regard to the data processing for the “DAM target group addresses”, are based on the same intention and aim at the same purpose, namely to create and maintain the “DAM target group addresses” marketing database in order to market the types of data contained therein, in particular the XXXX affinities in question here and the package affinities and moving affinities calculated on the basis of the package frequencies and moving frequencies in question here; (potentially) the same people were affected, namely (potentially) those persons who were included in the marketing database; the type of processing was the same, namely creation of extrapolation models and their application and allocation of their results to the persons included in the marketing database; and the acts took place in the same spatial and temporal context.

The opposing opinion expressed by the complainant is not convincing, especially since the case law of the Administrative Court that she cites refers to the cumulation principle and is therefore not relevant; Section 44a VStG, which stipulates that the verdict of the criminal conviction must contain the acts and the sentence imposed, cannot be interpreted as relevant against the background of the absorption principle granted under European law and thus with priority; and it cannot be concluded from the required individual - and supreme court-verifiable - assessment of the individual acts whether, on the basis of the individual assessment, individual penalties or a total penalty should be imposed.

3.6.2. On determining the fine

The maximum fine for the most serious violation, i.e. against Articles 5 and 9 GDPR, is up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83 (5)(a) GDPR).

The reference date for determining the "previous financial year" is the decision of the authority concerned (EDPB Guidelines 04/2022 for the calculation of fines within the meaning of the GDPR, version 2.1, adopted on May 24, 2023, para. 131; LG Bonn dated November 11, 2020 - 29 OWi 1/20, para. 101 f (available at https://openjur.de/u/2310641.html); or on the antitrust regulations under Article 83 GDPR ECJ, January 26, 2017, C-637/13 P, Badezimmerkartell Laufen Austria, para. 49 and ECJ September 4, 2014, C-408/12 P, YKK et al., para. 90).

The penal decision was made on 28.10.2019 against the complainant, which is why the turnover for the 2018 financial year must be taken into account.

The complainant's consolidated turnover for the 2018 financial year amounts to XXXX.

To classify the offenses (see EDPB, Guidelines 04/2022 for the calculation of fines within the meaning of GDPR version 2.1):

With regard to the unlawful processing of the XXXX affinities, the complainant illegally calculated for natural persons the probability that they were interested in advertising from five political parties ("XXXX affinity") and assigned them to the individual persons, stored them, and sold them to third parties, namely assigned and stored for just under nine months for about XXXX natural persons and for just over a month calculated and sold all data and just under nine months with regard to natural persons with addresses in XXXX. The purpose of the assignment was to sell this information to customers for marketing purposes, i.e. to enable customers to reduce wastage in advertising. The “XXXX affinities” are special categories of personal data within the meaning of Art. 9 (1) GDPR. By processing the data, the company negligently violated Art. 5 (1) first case GDPR in conjunction with Art. 9 (1) GDPR.

Since the data was subsequently only sold to two political parties for the purpose of advertising to natural persons in a targeted manner, it can be assumed that the calculation, assignment and forwarding only caused minor non-material damage to those affected. Given that data processing over a longer period of time has systematically classified a large proportion of people living in Austria according to their presumed political interests, it is nevertheless to be assumed that this is a violation of a high degree of severity. The fact that the data - as the complainant claims - is somewhat vague does not change this classification.

With regard to the purpose-changing further processing of the "package frequency", the complainant - as far as relevant to the proceedings - transferred a list of the packages received, including the time of their receipt ("package frequency" or "key figures") from the parcel delivery division to the "address publishers and direct marketing" division for just under nine months in order to create a projection model with which it was possible to assign to certain natural persons the probability with which they were interested in receiving packages. XXXX people were affected.

The “key figures” are not a particularly protected category of personal data.

By processing them, the complainant negligently violated the principles of “good faith” and “transparency” within the meaning of Art. 5 Paragraph 1 Letter a, 2nd and 3rd case of the GDPR, as well as the purpose limitation principle within the meaning of Art. 5 Paragraph 1 Letter b GDPR in conjunction with Art. 6 Paragraph 4 GDPR in conjunction with Art. 83 Paragraph 5 GDPR.

As the data was anonymized after it was taken over from the “parcel delivery” business area and an average value was calculated by creating a regional average value, it cannot be assumed that the data subjects suffered any physical damage as a result of the processing. Significant – if any – immaterial damage cannot be assumed.

Given that the offense was committed with mere negligence, that data was not specially protected and that the data was anonymized after it was transferred - apart from the calculation of the average value - it can be assumed that the offense was of low severity despite the large number of people affected and the duration of the violation.

With regard to the incorrectness of the data protection impact assessment, the complainant did indeed prepare an incorrect data protection impact assessment for the application "DAM - target group addresses". This is because it wrongly assumed that the "affinities" in general and the "XXXX affinities" in particular were not personal data and therefore denied the existence of a high risk for the people affected.

It thereby negligently violated Article 35 Paragraph 3 Letter b GDPR in conjunction with Article 35 Paragraph 7 Letter c GDPR in conjunction with Article 83 Paragraph 4 GDPR.

In view of the fact that the data protection impact assessment was prepared in principle and the misassessment merely represents a consequential error due to a (blameably) erroneous legal opinion and that no damage is apparent to those affected - in contrast to the processing itself -, it was assumed that the violation was of a low degree of severity.

With regard to the incorrectness of the list of processing activities: In the list of processing activities "DAM target group addresses", the complainant denied "extensive processing of sensitive data" or "processing of data requiring particular protection (ethnic origin, political opinion, ...)" in relation to the categories of personal data processed, although it had processed "XXXX affinities" and thus personal data from which the political opinion emerges. This is because it culpably misclassified the “XXXX affinities” as non-personal data.

It thereby negligently violated Art. 30 para. 1 lit. c GDPR in conjunction with Art. 83 para. 4 GDPR.

Given that the procedure directory was created in principle and the misjudgement is merely a consequential error due to a (culpably) erroneous legal opinion and no damage is discernible for those affected - in contrast to the processing itself - it was assumed that the violation was of a low degree of severity.

With regard to the inadequacy of the list of processing activities, the complainant only stated in the list of processing activities for the data application “DAM target group addresses” that the categories of personal data processed were “address data, identification data, contact details, marketing, personal master data”, whereby the statement “marketing” is too general to make a statement about which specific marketing information is processed, given that the complainant processes data types such as “XXXX affinity”, “package affinity” and “moving affinity”, and it therefore did not enable it to prove that the complainant processes data in accordance with the GDPR.

This is because the complainant did create a detailed list of the data categories processed, but inadvertently assigned them only to the DSFA and not also to the VVZ.

It thereby negligently violated Article 30 Paragraph 1 Letter c of GDPR in conjunction with Article 83 Paragraph 4 of GDPR.

Given that both the procedure directory and an adequate categorization of the types of data used were made in an appendix, and the illegality of the VVZ arises only from the fact that the appendix was inadvertently not assigned to the VVZ and the appendix was assigned to the DSFA without hindrance, which is why it was also available to the authority concerned to examine the data application, it was assumed that the violation was of extremely low severity.

In addition, it was considered a mitigating factor that

the complainant cooperated extensively with the data protection authority and the Federal Administrative Court, and thus made a significant contribution to clarifying the facts (Article 83 Paragraph 2 Letter f of GDPR);

the complainant deleted the data on the XXXX affinities and ended the sharing of the "package frequency" between the "package delivery" business areas, albeit only after the initiation of the official review procedure but immediately afterwards and thus well before a decision was made, thereby reducing any damage to the affected persons, and also concluded settlements with the majority of the affected persons and in this context paid XXXX to the affected persons and offered affected persons via its website the opportunity to submit both simple and notarized cease and desist declarations for affected persons, and thus took measures to mitigate the damage to the affected persons (Article 83 Paragraph 2 Letter c GDPR);

the long duration of the proceedings of five years and ten months (Article 83 paragraph 2 letter k GDPR), which cannot be attributed to the complainant, especially since it was caused by a second legal process and a suspension of the appeal proceedings until the ECJ’s decision in Case C-807/21, Deutsche Wohnen, (see VwGH 27.09.2018, Ra 2017/17/0391, RS 5) and not significantly by isolated requests for an extension of time by the complainant in the proceedings before the authority concerned (OZ 34, p. 37);

and as an aggravating factor that

the complainant has gained an economic advantage from the unlawful processing of personal data of XXXX data subjects, whereby it has gained an advantage both from the sale of the XXXX affinities and from the creation of the extrapolation models for the package affinities that were subsequently marketed (Article 83 paragraph 2 lit k GDPR).

There are no relevant previous violations by the complainant, especially since two fines have been imposed on the complainant, namely the penal order by the DSB dated September 6, 2019, GZ DSB-D550.150/0001-DSB/2019, and the penal decision by the BVwG dated April 18, 2024, GZ: W137 2248575-1/31, which, however, are directed against other legal interests, namely the lack of cooperation with the data protection authority and the difficulty in exercising the rights of those affected.

Special preventive reasons for punishing the complainant still exist, even though, according to her statements, she has "largely" withdrawn from the party's marketing business since December 31, 2021, especially since she would in principle be free to resume her activities. The only exception to this is with regard to those data processing operations and data subjects for whom the complainant has issued cease-and-desist declarations. Compared to the decision by the authority concerned, special preventive reasons were therefore less important. There are also general preventive reasons for punishment, especially since the intention of the regulatory authority to ensure the enforcement of the GDPR through the possible imposition of high fines would be thwarted if punishment were waived or a fine were significantly reduced, especially in serious cases such as the present one. Against this background, contrary to the complainant's opinion, the negative reporting on the data use in question is in no way sufficient to assume no general preventive reasons for punishment.

On the complainant's arguments:

Contrary to the complainant's opinion, any orientation towards old rules of conduct and any planning to submit to new rules of conduct should not be taken into account as a mitigating factor, especially since the complainant has not submitted to approved rules of conduct (Article 83 paragraph 2 letter j GDPR).

The fact that the complainant has only achieved minor financial benefits from processing the XXXX affinity does not change the fact that economic benefits have been achieved.

It is not clear to what extent the complainant's expenses in the course of preparing for the GDPR should be considered as a mitigating factor, especially since they did not prevent the crimes in question from being committed.

If the complainant makes the mitigating argument that she tried to carry out a risk assessment in the DSIA, it must be countered that the risk assessment was carried out incorrectly and that a measure cannot be considered as mitigating if the complainant is legally obliged to carry it out anyway.

There is no legal basis for the complainant's request to calculate the fine based on the turnover related to the crime, especially since Article 83 (4) and (5) GDPR refers to the total annual turnover achieved worldwide in the previous financial year.

The specific data processing operations put forward by the complainant as mitigating factors were already taken into account when classifying the criminal acts.

With regard to the flawless technical and organizational measures put forward by the complainant, no mitigating factor could be assumed because there was also organizational negligence with regard to the assessment of the “XXXX affinities”.

The complainant's "confession" could not be considered as a mitigating factor because the mere admission of facts without admitting the subjective characteristics of the criminal behavior does not have a mitigating effect (RIS-Justiz RS0091585; Fabrizy/Michel-Kwapinski/Oshidari, StGB § 34 Rz 14 (as of March 10, 2022, rdb.at)), and the complainant did not see any negligent action in her behavior (minutes of the hearing dated November 20, 2024, OZ 31, p. 3).

3.7. Result:

In an overall assessment, against the background of the low turnover of the complainant of XXXX still used by the authority and the now established group-wide turnover of the complainant of XXXX, the penalty of XXXX imposed by the authority concerned appears to be set at the lowest level in order to be just effective, proportionate and appropriate.

Against the background that, compared to the decision by the authority concerned, the court of first instance assumes a smaller number of people affected with regard to the most serious offence, namely the processing of the “XXXX affinities”, XXXX (criminal decision of October 23, 2019, p. 44, OZ 1, XXXX, p. 46), the reduction in damages is more pronounced by concluding settlements and offering cease-and-desist declarations, the proceedings with regard to the processing of the “moving frequency” or “moving affinities” have been discontinued, the period of the offence has been restricted with regard to the processing of the “package frequency”, special preventive reasons have been reduced by offering and concluding cease-and-desist declarations with the people affected – which makes it more difficult to engage in counter-infringement in the business area, the mitigating factor of the long duration of the proceedings and the aggravating factor of a relevant previous conviction has ceased to exist, the fine was nevertheless to be reduced to EUR 16,000,000.00 (sixteen million) and the procedural costs reduced accordingly, taking into account Section 64 of the Administrative Court Act.

The reduction in the number of those affected did not have to be taken into account more because, in the end, the complainant nevertheless systematically classified a large proportion of people living in Austria according to their presumed political interests over a longer period of time.

3.8. The decision was therefore to be made in accordance with the ruling.

On B) Admissibility of the appeal:

According to Section 25a Paragraph 1 of the Administrative Court Act, the Administrative Court must state in its ruling or decision whether the appeal is admissible in accordance with Article 133 Paragraph 4 of the Federal Constitutional Court Act. This ruling must be briefly justified.

The appeal is admissible pursuant to Article 133 Paragraph 4 of the Federal Constitutional Law because there is no case law of the Administrative Court on the cumulation principle of Article 83 Paragraph 3 of the GDPR, namely on the criteria according to which a distinction must be made as to whether identical or interconnected processing operations within the meaning of Article 83 Paragraph 3 of the GDPR are present.