Datenschutzbehörde DSB (DPA) – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a social insurance provider lawfully disclosed a person's rehabilitation location to a district court. This matters because it clarifies that certain disclosures can be legal when required by law, even if they involve sensitive health information. Companies should understand when they can share personal data legally without consent.
What happened
An Austrian social insurance provider disclosed a person's rehabilitation stay location to a court as part of enforcement proceedings.
Who was affected
The individual undergoing rehabilitation whose location was disclosed was affected.
What the authority found
The court found the disclosure lawful under legal obligations, as it was necessary for the court's proceedings.
Why this matters
This ruling illustrates that legal obligations can justify the sharing of sensitive personal data. Organizations should be aware of their legal duties when handling personal information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The data subject underwent a rehabilitation stay in a therapy centre approved by the controller, a social insurance provider. On 27 June 2022, a district court requested the controller to disclose the location of the data subject’s rehabilitation stay in the context of enforcement proceedings. The controller provided the name and address of the therapy centre. The data subject later argued that this information revealed sensitive health data and that the disclosure was unlawful. He also claimed that the controller failed to properly assess the legality of the court’s request and should have refused or sought clarification. On 10 January 2023, the data subject filed a complaint with the DPA, alleging a violation of his right to confidentiality and unlawful processing of health data. The DPA rejected the complaint. The data subject appealed to the court, maintaining that the disclosure lacked a legal basis and exceeded what was necessary. First, the court classified the information about the rehabilitation location as health data within the meaning of Article 9 GDPR, as it allowed inferences about the data subject’s medical condition. Second, the court held that the disclosure was lawful under Article 6(1)(c) GDPR and Article 6(1)(e) GDPR because the controller acted under a legal obligation and in the exercise of a task in the public interest. The relevant legal basis derived from national provisions requiring social insurance bodies to provide information to courts. Third, the court found that Article 9(2)(g) GDPR applied, as the processing was necessary for reasons of substantial public interest based on national law. Fourth, the court emphasised that the controller complied with the principle of data minimisation under Article 5(1)(c) GDPR, as it disclosed only the specific information requested by the court and nothing beyond that. Fifth, the court rejected the argument that the controller had to assess the legality of the court order in detail. It held that th
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Datenschutzbehörde DSB (DPA) in AT
This is the only recorded case for this entity in this jurisdiction.
Details
Ruling Date
7 October 2024
Authority
About this data
Cite as: Cookie Fines. Datenschutzbehörde DSB (DPA) - Austria (2024). Retrieved from cookiefines.eu
Last updated: