Datenschutzbehörde (DPA) – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian political party faced a ruling after exposing email addresses of recipients in campaign emails. The court decided that the party violated privacy rules by not protecting personal data. This case is significant because it reminds organizations to handle personal information carefully, especially in communications.
What happened
A political party disclosed email addresses of around 400 recipients in campaign emails without proper protection.
Who was affected
Recipients of the political campaign emails whose email addresses were exposed.
What the authority found
The court ruled that the political party unlawfully disclosed personal data by using an open distribution list instead of blind copy.
Why this matters
This ruling serves as a warning to all organizations about the importance of safeguarding personal data in communications to avoid breaches.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The controller was a political party, the data subjects were recipients of two campaign emails. On 22 November 2021, a staff member of the controller sent two emails with attached “open letters” as part of a political campaign, using an open distribution list in the “To” field instead of using blind copy (BCC). Each email exposed around 400 email addresses, including at least 100 personalised addresses showing first and last names. The controller had collected the email addresses from publicly accessible sources and relied on legitimate interest under Article 6(1)(f) GDPR for the processing, instead of asking for consent. On 4 December 2021, the controller notified the DPA of the personal data breach. On 22 April 2022, in separate supervisory proceedings, the DPA found that the controller had unlawfully disclosed political opinions through the open distribution list. Subsequently, it initiated administrative fine proceedings. On 14 December 2023, the DPA imposed a fine of €50,700 under Article 83(5)(a) GDPR for infringements of Article 5(1)(a) and (c) GDPR and Article 9(1) GDPR. The controller appealed to the court. It argued that the email addresses did not reveal political opinions, that [https://www.jusline.at/gesetz/dsg/paragraf/artikel2zu30 § 30 DSG] required attribution to a natural person in a leadership position, and that the fine was disproportionate. The court partly upheld the appeal and amended part of the decision. First, the court held that the combination of the personalised email addresses and the political content attributed a political opinion to at least part of the recipients. By making the distribution list visible to all recipients, the controller disclosed special categories of personal data within the meaning of Article 9(1) GDPR and no exception under Article 9(2) GDPR applied. Legitimate interests under Article 6(1)(f) GDPR can not justify the processing of special categories of data. Second, the court confirmed a violation of Article 5
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (1)
Other cases involving Datenschutzbehörde (DPA) in AT
Details
About this data
Cite as: Cookie Fines. Datenschutzbehörde (DPA) - Austria (2024). Retrieved from cookiefines.eu
Last updated: