Court case W258 2227269-1/39E – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On the 8 January 2019, the Austrian DPA (Datenschutzbehörde – DSB) launched an investigation into the actions of the Austrian postal service as it also had a business license for address publishing and direct marketing. Media reports had claimed that the postal service (the controller) sold data concerning the political affinities of data subjects to third parties. The controller ran a platform entitled “Adress Shop” on which it sold personal data to legal entities. The datasets included names and addresses but more importantly it included data subjects’ affinities to certain things such as an affinity to moving house, an affinity to organic products or how frequently a data subject receives packages. The purpose of the data processing was to sell this data to third parties who would use it for marketing purposes and therefore could avoid scattering losses. In order to create this database, the controller abused its position as postal service provider. In the postal service contract provided to data subjects the controller had included a notice stating that data subject are agreeing to their personal data being processed for marketing purposes. The contract however also included a box which could be ticked in order to refuse the data processing for marketing purposes. One of these affinities was concluded through an affinity score concerning the main political parties in Austria. For example, data subjects would be assessed with either a “very low”, “low”, “high” or “very high” affinity towards the SPÖ (the Socialist Party of Austria), the ÖVP (the Conservative Party of Austria) or any other major political party. The controller calculated this score through combing anonymous survey results, socio-demographic data (e.g., age or level of income and education) and voting results of particular region. On the 20 Febuary 2019, the DSB alleged that the controller had unlawfully processed sensitive data under Article 9 GDPR. The DSB found that the controller could no
GDPR Articles Cited
On the 8 January 2019, the Austrian DPA (Datenschutzbehörde – DSB) launched an investigation into the actions of the Austrian postal service as it also had a business license for address publishing and direct marketing. Media reports had claimed that the postal service (the controller) sold data concerning the political affinities of data subjects to third parties. The controller ran a platform entitled “Adress Shop” on which it sold personal data to legal entities. The datasets included names and addresses but more importantly it included data subjects’ affinities to certain things such as an affinity to moving house, an affinity to organic products or how frequently a data subject receives packages. The purpose of the data processing was to sell this data to third parties who would use it for marketing purposes and therefore could avoid scattering losses. In order to create this database, the controller abused its position as postal service provider. In the postal service contract provided to data subjects the controller had included a notice stating that data subject are agreeing to their personal data being processed for marketing purposes. The contract however also included a box which could be ticked in order to refuse the data processing for marketing purposes. One of these affinities was concluded through an affinity score concerning the main political parties in Austria. For example, data subjects would be assessed with either a “very low”, “low”, “high” or “very high” affinity towards the SPÖ (the Socialist Party of Austria), the ÖVP (the Conservative Party of Austria) or any other major political party. The controller calculated this score through combing anonymous survey results, socio-demographic data (e.g., age or level of income and education) and voting results of particular region. On the 20 Febuary 2019, the DSB alleged that the controller had unlawfully processed sensitive data under Article 9 GDPR. The DSB found that the controller could no
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W258 2227269-1/39E in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W258 2227269-1/39E - Austria (2024). Retrieved from cookiefines.eu
Last updated: