DSB (Austria) - Austrian Postal Service

From GDPRhub
Revision as of 16:12, 6 December 2023 by Ar (talk | contribs) (Ar moved page DSB - Austrian Postal Service to DSB (Austria) - Austrian Postal Service)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
DSB - DSB-D550.148/0017-DSB/2019
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 6(1)(f) GDPR
Article 9(1) GDPR
§ 151 GewO 1994
Type: Investigation
Outcome: Enforcement
Decided: 29.10.2019
Fine: 18000000 EUR
Parties: Österreichische Post AG
National Case Number/Name: DSB-D550.148/0017-DSB/2019
European Case Law Identifier: n/a
Appeal: Successfully Appealed
BVwG (Austria)
[BVwG - W258 2227269-1/14E W258 2227269-1]
Original Language(s): German
Original Source: 2019 Report of the DSB (p. 52) (in DE)
Initial Contributor: n/a

The DSB fined the Austrian Postal Service a record fine of € 18 Mio for generating the likeliness of the political affiliations of Austrian citizens without consent.

English Summary


The Austrian postal service ("Österreichische Post AG", a private stock company, of which 52,9% is owned by the Republic of Austria) also sells data for direct marketing purposes ("list brokerage"). These lists include names and addresses and other factors that are largely generated using other public information and predictive models. The postal service also sold data that included a likeliness of the political affiliation (similar to: 45% social-democratic, 20% conservative, 5% Green Party). This was mainly intended for postal mailings by said political parties. The data was generated using public information about voting behavior in each voting district in Austria, aga and alike and was sold publicly.

The postal service mainly relied on § 151 of the Austrian Business Code of 1994 ("Gewerbeordnung 1994", GewO) that regulates address brokers. The national law does not differentiate between different types of data, but limits the use solely to marketing purposes.

The postal service took the view that predictions about the political affiliation of a data subject does not itself constitute "special categories of data" under Article 9 GDPR.


What is the relationship between national laws (like § 151 GewO) and GDPR?

Is a prediction of a political affiliation a "special category of data" under Article 9(1) GDPR?


The decision of the DSB is not published. So far there are only news reports on the case (see e.g. ORF.at) On 29. 10. 2019 the postal service issued a warning to its stock holders that it was fined with € 18 Mio by the DSB in this case. The postal service has announced that the fine will be appealed to the Austrian Federal Administrative Court (BVwG):

"This does not include provisions totalling EUR 18m for an administrative fine imposed on Austrian Post by the Austrian Data Protection Authority on grounds of the alleged illegal use of marketing data. The penalty decision is not legally binding, and Austrian Post intends to exercise its right to file an appeal in a court of first instance."


Your comment can be added here!

See also

The Regional Court of Feldkirch ("Landesgericht Feldkrich") has issues a similar decision against the postal service in a private lawsuit under Article 79 GDPR and awarded € 800 in emotional damages. The case is under appeal. See LG Feldkirch - 57 Cg 30/19b - 15.

Further Reseouces

Share blogs or news articles here!

English Machine Translation of the 2019 report

The decision below is a machine translation of the original. Please refer to the German original for more details.

Direct marketing and data broking

On 23 October 2019, GZ: DSB-D550.148/0017-DSB/2019, the DSB imposed a fine of € 18,000,000.00 on Österreichische Post AG for, among other things, compiling data on the political affinity of individually identified persons in the course of its commercial activities as an address publisher and direct marketing company and marketing this data to political parties. This was done by assigning alleged political preferences to individual persons in an address database through statistical procedures and then marketing this information. In addition, it was found that Austrian Post had marketed data on the frequency of relocation and the number of parcels received by individual customers, which it had initially collected as part of its activities as a postal service provider under the Postal Market Act, to other companies within the scope of its address publishing and direct marketing business.

The penalty imposed for the identified violations of Articles 5(1), 6(1) and (4) and 9 of the GDPR is not final, as the defendant has appealed against it to the Federal Administrative Court.