On 23 October 2019, Austrian Data Protection Authority – Datenschutzbehörde or DPA, has issued an €18 million GDPR fine (plus 1.8 million costs of investigation) to the Austrian national postal service.
For a postal service to receive a fine of such magnitude, you are probably asking what could have happened?
The story started to unravel earlier in 2019, when the public was informed that 2.2 million data sets were used to determine or outline the political affinity of Austrian citizens.
The Austrian Post used collected personal data to offer marketing services to various political parties for advertising. Prompted by the numerous complaints and data subject requests to the Post, the Supervisory authority launched an investigation.
Interestingly enough, while conducting the investigation, the DPA encountered more GDPR violations.
Apparently, the Austrian Post was processing data related to the frequency of the packages that were delivered to a certain address and how frequently do individuals move to a new address without any legal basis for it.
The amount of the GDPR fine definitely implies the seriousness of the violation and remains, to this day one, of the top GDPR fines issued so far.