Austrian Postal Service (fined controller) – Court Ruling (Austria, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Austrian Postal Service was fined for processing people's political party preferences without permission. This case is significant because it clarifies that companies can be fined under GDPR even if individual wrongdoing isn't proven. Businesses should review their data handling practices to ensure compliance.
What happened
The Austrian Postal Service was fined for unlawfully processing data on political party preferences.
Who was affected
Individuals whose political party preferences were processed by the Austrian Postal Service.
What the authority found
The Austrian Federal Administrative Court confirmed that fines can be imposed on companies for GDPR violations without proving individual fault.
Why this matters
This decision emphasizes that companies are accountable for GDPR compliance, regardless of individual culpability. It serves as a warning to ensure proper data protection measures are in place.
GDPR Articles Cited
National Law Articles
The facts and cirumstances that lead to the fine can be read in the summary of BVwG - W258 2217446-1, another decision of the Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG) dealing with different legal issues of the same case. Based on the unlawful processing of data on the "affinity for a political party", the DSB imposed a 18 Mio Euro fine on the Austrian Postal Service. In detail, the DSB held the Austrian Postal Service responsible for violating *Article 5(1) GDPR *Article 6 (1) GDPR *Article 6(4) GDPR *Article 9 GDPR *Article 14 GDPR *Article 30 GDPR *Article 35 GDPR and *Article 36 GDPR. The fine was issued directly against the Austrian Postal Service as controller under Article 4(7) GDPR without establishing culpable conduct of natural persons acting on behalf of the Austrian Postal Service. Based on this omission, the Austrian Postal service appealed against the fine. Can the DSB impose a fine under Article 83 GDPR directly on a legal person, without having to investigate and establish culpable conduct of natural persons acting on behalf of the legal person? Are the national rules of administrative penal law of any relevance to this question or is it to be answered solely under the rules of the GDPR? The BVwG held that the provisions of the Austrian Administrative Penal Act (Verwaltungsstrafgesetz - VStG) and the Austrian Data Protection Act (Datenschutzgesetz - DSG) apply on fines imposed by the DSB under Article 83 GDPR: Pursuant to Article 83(8) GDPR, the exercise by the supervisory authority of its powers under Article 83 GDPR shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process. In light of this provision, the BVwG held, that national procedural rules are in fact to be applied when imposing a fine for a GDPR violation. According to the BVwG, the DSB had violated § 44a and § 45 VStG and § 30 DSG by not establishing culpable con
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Austrian Postal Service (fined controller) in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Austrian Postal Service (fined controller) - Austria (2020). Retrieved from cookiefines.eu
Last updated: