Austrian Supervisory Authority Issues Record Breaking 18 Million Euro Fine to Post AG
Several sources report that the Austrian Datenschutzbehoerde (“DSB”), the independent national Austrian Supervisory Authority (Art 51 et seq. GDPR), has imposed an 18 Million Euro fine on the Austrian Post AG.
As reported previously in this blog (Sie sehen aus wie ein FPOE Waehler), the Austrian Post AG, the privatized and now publicly traded successor to the governmental monopoly for mail and package delivery services in Austria, had drawn the ire of privacy advocates in 2018 when it became known that the Post AG allegedly engaged in pervasive profiling activities to further the accuracy of its lucrative list brokering business.
Among other things, the Post AG was said to have assessed the likely political leanings and potential investment and savings habits/preferences of all surveyed households and individuals. Given the Post AG’s monopoly as Austria’s sole mail service provider, this meant that every household, if not every person living in Austria, was featured in the Post AG’s database.
Faced with public backlash, the Post AG announced last year that it would terminate or curtail its profiling activities, while insisting that it was acting within its legal rights under its data broker’s license (Section 151 of Austrian Industrial Code). Not so, apparently, in the eyes of the usually low-key and restrained Austrian DSB, which issued the record-breaking 18 Million Euro fine in a ruling against Post AG that is not yet available on the DSB’s website. As Post AG’s attorneys do not tire of emphasizing, their client views this ruling as incorrectly decided and a flagrant violation of the proportionality principle enshrined in Austria’s Administrative Penal Code, and it is thus currently on appeal before the administrative court in Vienna.
A more profound legal analysis is to follow once the text of the ruling is published. However, already at this stage, this is another cautionary tale against excessive, and perhaps wanton, reliance on the “legitimate pursuit of interests” (Art 6(1)(f) GDPR) as the sole legal basis for processing personal data.