A postal service – Court Ruling (Austria, 2025)

Austria’s main postal service is the controller for the case. In addition to providing postal services, the controller is also licensed as an “address publisher" and "direct marketing company”. The controller collected data about Austrian residents (the data subjects) without their consent. In particular, the controller used certain socio-demographic circumstances (e.g. age, place of residence, level of education) for profiling. The profiling consisted in an estimation of the likelihood that a data subject fell within certains categories (e.g. "do-it-yourselfer", "night owl", "person with affinity for investments"). One of the data subjects claimed that the controller processed his data unlawfully and sought immaterial damages for €7,000 under Article 82 GDPR. The courts of first and second instance both denied his claim. In particular, the Court of Appeal held that the data subject failed to prove the occurrence of immaterial damage. It is worth noting that the controller did not disclose the subject’s data. The controller also deleted the data at the request of the data subject, following a 2021 Supreme Court ruling between the same parties. The Court upheld the previous findings of the Court of Appeal and denied compensation. In the Court’s view, the data subject showed failed to prove that he suffered him anxiety or annoyance as a result of the processing of his data. On these grounds, the Court concluded that non-material damages were not proven and could not be compensated. The Court did not assess whether the subject's data were processed lawfully, as he would not have been able to claim damages either way.