The Risks of Customer Data Processing Under the GDPR: The Austria Post Case

On 23 October 2019, the Austrian data protection authority (Datenschutzbehörde, “DSB”) imposed a fine of €18 million on Österreichische Post AG (“Austria Post”) for various violations of the EU General Data Protection Regulation (“GDPR”). The DSB established that Austria Post had unlawfully processed customers’ data to extrapolate “political affinity” (i.e., presumed voting behavior), which was then sold to political parties for targeted advertising. In addition, according to the DSB, Austria Post had further processed data on package frequency and frequency of relocations for the purpose of direct marketing in the absence of a legal basis. The fine, which is not final as Austria Post has challenged the DSB’s decision (“Decision”) before the Federal Administrative Court (Bundesverwaltungsgericht). The fine was at the time of issuance the largest ever imposed in Austria for GDPR infringements.