On 23 October 2019, the Austrian Data Protection Authority, the Datenschutzbehörde (DSB), issued an €18 million GDPR fine (plus 1.8 million in costs of investigation) to the Austrian national postal service.
You are probably asking what could have happened for a postal service to receive a fine of such magnitude.
The story started to unravel earlier in 2019 when the public was informed that 2.2 million data sets were used to determine or outline the political affinity of Austrian citizens.
The Austrian Post used collected personal data to offer marketing services to various political parties for advertising. Prompted by numerous complaints and data subject requests to the Post, the supervisory authority launched an investigation.
Interestingly enough, while conducting the investigation, the DPA encountered more GDPR violations.
Apparently, the Austrian Post was processing, without any legal basis, data on how frequently packages were delivered to a certain address and how frequently individuals moved to a new address.
The amount of the GDPR fine definitely implies the seriousness of the violation, and it remains, to this day, one of the top GDPR fines issued so far.
Update:
On 2 December 2020, the Federal Administrative Court overturned the €18 million fine due to a violation of the administrative proceedings of the Federal Act on the Protection of Individuals with Regard to the Processing of Personal Data.
In addition, the decision finds that the DSB did not provide the name of the natural person to whom the violation of the GDPR was to be attributed, meaning the DSB did not identify the individual who carried out the data processing activities that were in violation of the GDPR.