Österreichische Post AG
Issued by Datenschutzbehörde (DSB) on 2019-10-23
What happened
Austria's DSB fined Österreichische Post AG (Austrian Post) €18 million for creating profiles on the political party affinities of approximately 3 million Austrians without their knowledge or consent. The postal service used an algorithm to estimate political preferences based on demographic data, addresses, and other factors, then sold these profiles to political parties for targeted election campaigns. The DSB found this processing of data revealing political opinions constituted special category data under Art. 9 GDPR, which requires explicit consent. Austrian Post had no legal basis for creating or selling these profiles.
Articles violated
Lessons learned
Algorithmic profiling that reveals political opinions, religious beliefs, or other special category data triggers Art. 9 GDPR requirements regardless of whether the data was directly collected. Selling profiling data to political parties without explicit consent is a clear GDPR violation. Companies should conduct Data Protection Impact Assessments before developing profiling products. The commercial sale of personal data profiles requires a clear, specific legal basis.
Source
View original decisionDisclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
Get enforcement alerts for Other
We track GDPR fines across Europe. Enter your email to get notified about new enforcement actions.
Related enforcement actions
Department of Justice and Constitutional Development
Information Regulator of South Africa · Security Measures
Read caseMinistry of Defence
Information Commissioner's Office (ICO) · Data Breach
Read caseInterserve Group
Information Commissioner's Office (ICO) · Security Measures
Read case