Your postman might know too much about you – but if so, it risks 18 million euros.

This was the fine issued on 23 October by the Austrian Data Protection Agency (‘the Agency’) for breaches of the General Data Protection Regulation (‘GDPR’) committed by the Austrian postal service, Österreichische Post AG (Austrian Post). This institution, partly owned by the Austrian state, had collected data and created individual data profiles on about 2.2 million citizens, including even their assumed political preferences. Other data included the frequency of deliveries, the frequency of changes of address, and details of where to. This led to the fourth-biggest fine in Europe so far for GDPR breaches.

As early as January, the Austrian media reported that Austrian Post had compiled this data together with the names, addresses, age and gender of its consumers and sold these profiles to other companies and political parties to be used for direct marketing purposes. In total, data was collected on more than 50 criteria. According to the Agency, which then investigated those breaches, the violations were committed unlawfully and culpably, which is why the administrative penalty imposed was appropriate to prevent other or similar violations.

As explained by its representatives, Austrian Post had gathered the data with a special model of calculation, using polls, election results, extrapolations and statistics. Age, gender and place of residence were then added to this model and compared to the basic data. From this, sympathy for a political party could be derived, meaning that the result did not portray “actual political attitudes, opinions or voting behaviour”, but only a probability. However, in the opinion of the Agency, even these “guesses” were already an infringement. Here we note that someone’s political affiliation falls under the scope of ‘sensitive data’, which enjoys specific protection under the GDPR. The fact that the data was later sold increases the infringing nature of the activities. Some political parties have admitted that they have used this data bank.

Austrian Post, which also received the anti-prize “Big Brother Award” for its actions, has announced that it will challenge the decision. The deadline for doing so is four weeks. At the same time, Austrian Post has also promised to stop gathering and selling data about its consumers’ political interests.

This decision follows individual complaints against the Post under Article 9 of the GDPR, which have so far resulted in individual compensation in the amount of EUR 800. Several other individual proceedings against the Post are still under way; for them, however, the decision of 23 October has little influence, since in individual cases each applicant must prove their individual interest and the breach of their personal data.

This is certainly a shining example of how breaches of the GDPR can occur, firstly, even by institutions connected to the state, and, secondly, outside the clearly digital world (as has been the case with other comparably high fines). At the same time, it is also a strong hint that all misuses of personal data are unacceptable, even if they are just “guesses”.