Austrian High Court Upholds €13 Million GDPR Fine Over Political Profiling

Austrian High Court Upholds €13 Million GDPR Fine Over Political Profiling

By
Key Takeaways
  • Political Affinities Protected: Austria's Administrative Court confirmed that inferred "party affinities" constitute special categories of personal data under Article 9(1) of the GDPR.
  • €13 Million Fine Upheld: The court reduced the administrative penalty from €16 million to €13 million while affirming the core GDPR violations.
  • Gross Negligence Confirmed: The court rejected the data controller's argument that it lacked culpability and upheld the finding of gross negligence.
  • Revenue Calculation Clarified: The judgment confirms that group-wide annual revenue, rather than revenue tied only to the offending conduct, may be used when assessing GDPR fines in this case.
Deep Dive

Austria's highest administrative court has brought one of the country's most closely watched data protection cases to a close, confirming that the creation and commercial use of inferred political preferences for millions of people violated the General Data Protection Regulation and clarifying several principles that will shape how GDPR fines are assessed in the years ahead.

The Austrian Administrative Court (Verwaltungsgerichtshof, VwGH) upheld the central findings of the Austrian Data Protection Authority that the processing of so-called "party affinities" constituted the unlawful processing of special categories of personal data under Article 9(1) of the GDPR. While the court reduced the administrative penalty from €16 million to €13 million, it left the heart of the regulator's case intact.

The decision concerns statistically calculated "party affinities", which are predicted probabilities indicating whether a person was likely to be interested in election advertising from particular political parties. According to the court, those profiles were created for approximately 2.2 million individuals. The data was stored and, in some instances, sold to third parties without the consent of the affected individuals or any other exception permitting the processing of special categories of personal data under the GDPR.

The court also upheld findings that parcel frequency data had been unlawfully processed for marketing purposes.

A Case That Spanned Nearly Seven Years

The judgment closes an enforcement action that began in October 2019, when Austria's Data Protection Authority imposed what was, at the time, the largest administrative fine in its history. The authority issued an €18 million penalty for multiple GDPR violations, only to see the Federal Administrative Court later discontinue the administrative penalty proceedings altogether. That proved to be an interim victory.

The Data Protection Authority successfully challenged the decision before the Administrative Court, which overturned the lower court's ruling and returned the matter for a fresh decision. When the Federal Administrative Court reconsidered the case in December 2024, it reaffirmed the underlying GDPR violations but reduced the penalty to €16 million after taking account of mitigating circumstances that had emerged during the lengthy proceedings.

The data controller then appealed to both Austria's Constitutional Court and the Administrative Court. The Constitutional Court declined to hear the constitutional appeal in December 2025, leaving the Administrative Court to deliver the final word. It has now done so.

The court partially rejected the appeal and partially dismissed it as unfounded, while ruling directly on the remaining issues. It ultimately fixed the administrative fine at €13 million and ordered a contribution of €100,000 toward the costs of the administrative penalty proceedings.

Political Profiles Are Sensitive Personal Data

The most consequential aspect of the judgment is not the reduction in the fine but the court's treatment of inferred political preferences themselves. The Administrative Court upheld the Data Protection Authority's conclusion that the "party affinities" amounted to special categories of personal data protected under Article 9(1) of the GDPR. That finding reinforces the principle that data does not have to record an individual's expressly stated political opinions to receive heightened protection. Statistical inferences about political interests can also fall within the GDPR's most restrictive category of personal data.

The court was equally unpersuasive to the company's argument that it had not acted culpably. It upheld the lower court's assessment that the conduct amounted to gross negligence, preserving one of the central legal findings underpinning the enforcement action.

Guidance Beyond a Single Case

The judgment reaches well beyond the facts of this dispute. Throughout the decision, the Administrative Court addresses several questions that regularly arise in GDPR enforcement but have received comparatively little judicial attention. On the issue of fault, the court held that culpability in GDPR administrative penalty proceedings must be assessed exclusively under European Union law and the case law of the Court of Justice of the European Union and the General Court. It concluded there is no room to apply Section 5 of Austria's Administrative Penal Code when determining fault in GDPR cases.

The court also examined how multiple GDPR violations should be treated when they stem from the same unlawful processing activity. It concluded that several alleged offenses were effectively absorbed into the principal infringement because of their close connection to the unlawful processing, characterizing those additional violations as formal offenses of comparatively minor significance.

The judgment also settles an important question on the calculation of administrative fines. The Administrative Court confirmed that group-wide annual revenue was the relevant benchmark in this case, rejecting the argument that only revenue directly connected to the unlawful conduct should be considered.

In reaching its conclusions, the court repeatedly referred to the European Data Protection Board's Guidelines 04/2022 on the calculation of administrative fines, using them as interpretive guidance when assessing issues including culpability. Those guidelines are intended to promote greater consistency in GDPR enforcement across supervisory authorities throughout the European Union.

Finally, the court addressed procedural costs, concluding that the statutory contribution required in administrative penalty proceedings should not produce a disproportionate outcome where exceptionally large fines are imposed. It therefore fixed the contribution at €100,000.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

Oops! Something went wrong