Austrian Supreme Administrative Court: "Sinus-Geo-Milieu" data are special categories of personal data pursuant to Article 9 GDPR

Austrian authorities and courts have been dealing with the processing of "Sinus-Geo-Milieu" data for some time now. The term "Sinus-Geo-Milieu" data refers to data used to create a typology of societal and target groups based on social milieus which are then mapped onto a geographical area.

Point of departure

In the proceedings in question, a data controller processed "Sinus-Geo-Milieu" data supplied by an address publishing house. The data contained information about the level of probability at which each household could be attributed a dominant milieu. Specifically, the data subjects were classified according to their social position/class and their basic orientation, e.g. modern/traditional, as well as according to milieus such as "conservatives", "performers" or "hedonists".

A data subject who had been attributed to the "post-material" milieu lodged a complaint with the data protection authority ("DPA"), arguing that, as she had not given consent to the processing of her personal data, the activity constituted a breach of Articles 5 and 9 GDPR.

On the one hand, the controller argued that the data in question could not be attributed to a specific natural person, but only to residential addresses/buildings and thus to all persons residing there. Therefore, the activity merely involved "anonymous geographical criteria", not personal data. Moreover, this would definitely not involve special category personal data (Article 9 GDPR) because mere geographical criteria were used and the Sinus-Geo-Milieus would not represent ideological beliefs.

On the other hand, the controller argued that it would have been able to rely on the address publishing house’s compliance with the code of conduct approved by the DPA, i.e. that the publishing house had obtained relevant consent from the data subjects and that it would not have to check again as the data controller. The code of conduct provided for an obligation on the part of the address publishing house to obtain consent. By approving the code of conduct, the DPA would have created a basis for trust and grounds for justification.

Special categories of personal data pursuant to Article 9 GDPR

In the present case, persons who had already been identified as they had been named were attributed to Sinus-Geo-Milieus containing certain statements about probabilities. The Austrian Supreme Administrative Court qualified such data as information "about" the respective person identified, which meant that it was irrelevant whether such information actually applied or whether Sinus-Geo-Milieus were merely mathematical-statistical models. Through the link between the Sinus-Geo-Milieus - previously only attributed to buildings - and natural persons, personal data would be created.

As there was an indirect indication of ideological convictions and as data concerning presumed political preferences already entails the risk of negative consequences according to case law, the Supreme Administrative Court considered such personal data to be specially protected under Article 9 GDPR.

No reliance on an officially approved code of conduct pursuant to Article 40 GDPR

The Supreme Administrative Court clarified that an approved code of conduct would only serve the purpose of self-commitment and facilitate the application of the GDPR in practice, but should not lead to a level of protection below the one granted by the GDPR. The court ruled that a code of conduct could not be considered authorisation for the processing of sensitive data without compliance with the requirements of Article 9 GDPR. The code of conduct would not enable lawful processing without the existence of an exemption, nor would it in itself constitute an exemption under Article 9 (2) GDPR. As a result, enterprises could not evade their own responsibility by relying on the address publishing houses supplying them having actually obtained the relevant consents.

Conclusion

With this ruling, the Supreme Administrative Court clarified that even merely statistical data linked with geographical areas can be qualified as personal data if they are attributed to natural persons. Indirect references to sensitive information are also sufficient to oblige companies to ensure a heightened degree of protection under Article 9 GDPR.

Even an officially approved code of conduct, according to which the upstream address publishing house is obliged to obtain consent, does not discharge downstream data controllers from their responsibility under data protection law. In practice, the selection of contractual partners thus requires special care.

The KWR Data Protection Team and the New Technologies & Digitalisation Team will be happy to answer any questions you might have.

 
