Austria: Developments In Austrian Case Law: Data Privacy Breaches And The GDPR
Author: Sharon Schmidt
In a recent decision rendered on 26.11.2020,1 the Austrian Federal Administrative Court (Bundesverwaltungsgericht, BVwG) overturned a fine of EUR 18 million that had been imposed on the Austrian Postal Service (APS) by the Austrian data protection authority (DPA). The case centres on the same facts considered by the BVwG in a separate decision.2 Therein the Court upheld the DPA’s administrative penalty against the APS, which had been accused of unlawfully processing and selling personal data of customers, such as private addresses and assumed political allegiances, to third parties for marketing purposes.
In the decision at hand, the BVwG acknowledged the unlawful nature of the APS’s conduct, yet overturned the DPA’s penalty on the basis of the DPA’s failure to establish that both legal and natural persons, acting on behalf of the APS, had been responsible for the culpable conduct in question.
Facts
The factual origins of the case date back to a report by the journalism platform Addendum in January 2019,3 stating that in addition to information on private addresses, gender and age, education as well as preferences regarding investments or donations, the APS had also collected data on the perceived political leanings of ca. 3 million customers.4
Following an ex-officio investigation, the DPA:
- Concluded that inquiring into sociodemographic factors and processing information regarding an individual’s political preferences without any legal basis involves a special category of personal data pursuant to Article 9(1) General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), thus necessitating prior explicit approval by the party concerned (Article 9(2)(a) GDPR; § 151(4) Gewerbeordnung, GewO);
- Ordered the processing of data to be terminated and already gathered information to be deleted within a timeframe of two weeks;
- Held that the APS did not conduct an adequate data protection impact assessment (prior to 25.05.2018), as it wrongly failed to consider political affiliation as a special category of personal data.
The APS responded by way of appeal, arguing that information on the political affinity of a private individual did not qualify as personal data given that such information is gathered through anonymized polls delivering general projections. Since these probability calculations cannot be rectified (Article 16 GDPR), they are considered marketing information and classification pursuant to § 151(6) GewO. Yet, it was added that even if regarded as personal data, it did not qualify as a special category of the latter.
As recently as November, the BVwG confirmed the DPA’s decision and held that the conduct of processing data on the affinity for a political party did qualify as personal data pursuant to Article 4(1) GDPR. Given that the information obtained could be assigned to a specifically identifiable private individual, whose political convictions are to be protected from discrimination pursuant to Article 9 GDPR, it is to be treated as a special category of personal data, thus requiring prior consent. This part of the decision is now pending before the Austrian Supreme Administrative Court (Verwaltungsgerichtshof, VwGH).
The matter considered in this article, however, concerns a different legal aspect of the same case.
Drawing on the facts outlined above, the case centres on the APS’s alleged violation of Articles 5(1), 6(2), 6(4), 9, 14, 30, 35 and 36 GDPR. It follows an appeal submitted by the APS based on the argument that the fine had been issued without establishing culpability on the part of natural persons acting on its behalf (Article 4(7) GDPR).
The following will focus on the recent decision by the BVwG to overturn the DPA’s fine in light of earlier conclusions drawn by the VwGH. There the Court held that the alleged factual, illegal and culpable behaviour must also be attributable to a natural person (Section 44a VStG) for a legal person to be held liable.5
The Issue
Since the GDPR intends and indeed provides for direct liability of legal persons without having to prove individual wrongdoing by a private person, the BVwG had to consider the following:
- Whether the DPA was entitled to impose a fine pursuant to Article 83 GDPR on a legal person in the absence of a showing of culpable conduct by a natural person acting on behalf of the legal entity;
- Whether the national administrative penal law rules find application or whether the issue under consideration is to be examined in light of the GDPR rules.
Decision
The Court held that the DPA’s fine, imposed on the basis of the Article 83 GDPR provisions, falls within the provisions of the Austrian Administrative Penal Act (Verwaltungsstrafgesetz, VStG) as well as the Austrian Data Protection Act (Datenschutzgesetz, DSG). National procedural rules are applicable in the context of fines imposed due to a violation under the GDPR since Article 83(8) states: ‘The exercise by the supervisory authority of its powers […] shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.’6
It further established that the DPA had failed to act in accordance with §§ 44a, 45 VStG as well as § 30 DSG by neglecting to prove culpability on the part of natural persons who had acted on behalf of the APS, such as individuals representing, exercising control within or making decisions on behalf of the latter.
Comment
Although the penalty imposed on the APS may have been overturned by the BVwG, its decision is based on a formal error on the part of the DPA. As such, it is to be treated separately and does not stand at odds with the BVwG’s earlier ruling, in which it was concluded that the conduct of processing data concerning personal affinity for a political party gives rise to liability.
Footnotes
1 Docket Number W258 2217446-1/14E. Available via: https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=c4b7610d-5502-49f6-af50-791b9361c9f1&Position=1&SkipToDocumentPage=True&Abfrage=Bvwg&Entscheidungsart=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=DSGVO&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=BVWGT_20201126_W258_2227269_1_00.
2 Docket Number W258 2217446-1/35E. Available via: https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=e9b780cb-e5e0-4be8-81e7-7a49b08cc25b&Position=1&SkipToDocumentPage=True&Abfrage=Bvwg&Entscheidungsart=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=DSGVO&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=BVWGT_20201126_W258_2217446_1_00.
3 “Wenn Die Post Partei Ergreift.” Addendum, 28 July 2020, www.addendum.org/datenhandel/parteiaffinitaet/ [accessed 10.12.2020].
4 For further information please refer to the press releases of both the Austrian postal service, entitled ‘Milestones and outlook for 2019 and 2020’ (29.10.2019), and the European Data Protection Board, entitled ‘Administrative criminal proceedings of the Austrian data protection authority against Österreichische Post AG’ (23.10.2019), available via: https://edpb.europa.eu/news/national-news/2019/administrative-criminal-proceedings-austrian-data-protection-authority_fr.
5 Docket Number R2019/04/0229. Available via: https://www.ris.bka.gv.at/Dokumente/Vwgh/JWT_2019040229_20200512J00/JWT_2019040229_20200512J00.html.
6 “Art. 83 GDPR – General Conditions for Imposing Administrative Fines.” General Data Protection Regulation (GDPR), 29 Mar. 2018, gdpr-info.eu/art-83-gdpr/ [accessed 14.12.2020].