Court case W2522299666-1/6E – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court in Austria ruled that a public body unlawfully accessed a person's vaccination records without proper consent. This decision is significant because it reinforces the importance of confidentiality and proper data handling by organizations. It serves as a reminder for all businesses to ensure they have a legal basis for processing personal data.
What happened
A public body accessed an individual's vaccination records without a valid legal basis.
Who was affected
The individual whose vaccination records were accessed without their consent.
What the authority found
The Austrian data protection authority found that the public body violated the individual's right to confidentiality by unlawfully processing their data.
Why this matters
This case highlights the need for organizations to have clear legal grounds for accessing personal data. It serves as a warning that improper handling of personal information can lead to serious consequences.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
A public-law body (the data controller) sent a letter to an individual (the data subject) inviting them to receive a Covid-19 vaccination. On 14 December 2021, the data subject submitted a complaint with the Datenschutzbehörde (hereinafter DSB/data protection authority), alleging that the controller had violated their right to confidentiality of personal data under §1(2) DSG since they could not establish how the controller obtained information about their vaccination. Following a series of proceedings conducted against the wrong responsible party, the data subject identified the correct controller through a letter dated 01 August 2024. In particular, the data subject requested: (i) a finding of a violation of their fundamental rights; (ii) a prohibition of further data processing under §22(4) DSG; and (iii) the imposition of a fine. Decision of the Data Protection Authority (DSB) By means of a decision rendered on 03 September 2024, the DSB upheld the complaint in part. Firstly, it held that the controller had unlawfully accessed and processed the data subject’s records from the central vaccination register and central patient index. In the absence of a legal basis in accordance with §1 para. 2 DSG, the DSB maintained that the data subject’s right to confidentiality was infringed upon. Secondly, the DSB dismissed the request for prohibition of processing given that the processing had already been completed and therefore fell short of the standard stipulated under §22 para 4 DSG. Thirdly, it rejected the request for a fine for two-fold reasons: the data subject held no subject right to demand one, and fines cannot be imposed on bodies of public law under §30(5) DSG. The data subject subsequently appealed the decision to the Federal Administrative Court on grounds that they found it “outrageous” that their vaccination data had been shared. Despite a court order issued on 02 October 2024 to clarify their grounds of appeal, the data subject did not submit further st
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W2522299666-1/6E in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W2522299666-1/6E - Austria (2024). Retrieved from cookiefines.eu
Last updated: