More than 18 million fine for Österreichische Post AG

Date: 23.10.2019

Responsible body: Österreichische Post AG (ÖPAG)

Nature of the data breach: Personal data were processed unlawfully

After conducting an oral hearing, the Austrian data protection authority found that Österreichische Post AG (ÖPAG) had infringed the General Data Protection Regulation (GDPR) firmly. ÖPAG is accused of personal data about the alleged political affiliation of individuals. Furthermore, the data protection authority accuses ÖPAG of having processed data on parcel frequency and frequency of relocations for the purpose of direct marketing.

In the opinion of the Austrian data protection authority, these infringements are unlawful and an administrative fine of EUR 18 million is therefore appropriate to prevent other or similar infringements.

The penalty is currently not yet final, as it can be appealed against before the Federal Administrative Court within four weeks of the notification of the fine.

Categories of data: Data on political affiliation, locations, package orders

Fines: 18 million

Country: Austria

Source: European Data Protection Board

Back to the overview of the data breaches