Datenschutzbehörde (DPA) – Court Ruling (Austria, 2024)

The controller was a political party, the data subjects were recipients of two campaign emails. On 22 November 2021, a staff member of the controller sent two emails with attached “open letters” as part of a political campaign, using an open distribution list in the “To” field instead of using blind copy (BCC). Each email exposed around 400 email addresses, including at least 100 personalised addresses showing first and last names. The controller had collected the email addresses from publicly accessible sources and relied on legitimate interest under Article 6(1)(f) GDPR for the processing, instead of asking for consent. On 4 December 2021, the controller notified the DPA of the personal data breach. On 22 April 2022, in separate supervisory proceedings, the DPA found that the controller had unlawfully disclosed political opinions through the open distribution list. Subsequently, it initiated administrative fine proceedings. On 14 December 2023, the DPA imposed a fine of €50,700 under Article 83(5)(a) GDPR for infringements of Article 5(1)(a) and (c) GDPR and Article 9(1) GDPR. The controller appealed to the court. It argued that the email addresses did not reveal political opinions, that [https://www.jusline.at/gesetz/dsg/paragraf/artikel2zu30 § 30 DSG] required attribution to a natural person in a leadership position, and that the fine was disproportionate. The court partly upheld the appeal and amended part of the decision. First, the court held that the combination of the personalised email addresses and the political content attributed a political opinion to at least part of the recipients. By making the distribution list visible to all recipients, the controller disclosed special categories of personal data within the meaning of Article 9(1) GDPR and no exception under Article 9(2) GDPR applied. Legitimate interests under Article 6(1)(f) GDPR can not justify the processing of special categories of data. Second, the court confirmed a violation of Article 5