Datenschutzbehörde DSB (DPA) – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a social insurance provider acted lawfully when it disclosed a person's rehabilitation location to a court. This is significant because it clarifies how sensitive health data can be shared under certain legal obligations, which is important for both individuals and service providers.
What happened
A court upheld the disclosure of a person's rehabilitation location by a social insurance provider to a court during enforcement proceedings.
Who was affected
The individual whose sensitive health information was disclosed was the data subject in this case.
What the authority found
The court decided that the disclosure was lawful because it was required by law and served a public interest under GDPR's provisions.
Why this matters
This ruling sets a precedent for how sensitive health data can be shared in legal contexts, reminding service providers to understand their legal obligations when handling such data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The data subject underwent a rehabilitation stay in a therapy centre approved by the controller, a social insurance provider. On 27 June 2022, a district court requested the controller to disclose the location of the data subject’s rehabilitation stay in the context of enforcement proceedings. The controller provided the name and address of the therapy centre. The data subject later argued that this information revealed sensitive health data and that the disclosure was unlawful. He also claimed that the controller failed to properly assess the legality of the court’s request and should have refused or sought clarification. On 10 January 2023, the data subject filed a complaint with the DPA, alleging a violation of his right to confidentiality and unlawful processing of health data. The DPA rejected the complaint. The data subject appealed to the court, maintaining that the disclosure lacked a legal basis and exceeded what was necessary. First, the court classified the information about the rehabilitation location as health data within the meaning of Article 9 GDPR, as it allowed inferences about the data subject’s medical condition. Second, the court held that the disclosure was lawful under Article 6(1)(c) GDPR and Article 6(1)(e) GDPR because the controller acted under a legal obligation and in the exercise of a task in the public interest. The relevant legal basis derived from national provisions requiring social insurance bodies to provide information to courts. Third, the court found that Article 9(2)(g) GDPR applied, as the processing was necessary for reasons of substantial public interest based on national law. Fourth, the court emphasised that the controller complied with the principle of data minimisation under Article 5(1)(c) GDPR, as it disclosed only the specific information requested by the court and nothing beyond that. Fifth, the court rejected the argument that the controller had to assess the legality of the court order in detail. It held that th
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Datenschutzbehörde DSB (DPA) in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Datenschutzbehörde DSB (DPA) - Austria (2024). Retrieved from cookiefines.eu
Last updated: