Court case W258 2271494-1 – Court Ruling (Austria, 2025)

In late 2021, the data subject received a personalised COVID-19 vaccination reminder letter containing the data subject’s name, address and proposed vaccination appointments. This information was taken from the central vaccination register and patient index, and the letter displayed logos of several public bodies and social insurance entities. On 10 December 2021, the data subject filed a complaint with the DPA. They alleged that the municipal authority (assumed to be the controller) had unlawfully processed and disclosed sensitive health data by sending the vaccination reminder. Separately, the DPA opened an ex officio investigation into the vaccination reminder campaign. In that investigation, the DPA concluded that the municipal authority involved in the campaign acted as controller under Article 4(7) GDPR. The DPA later upheld the data subject’s complaint, as it held that the assumed controller had unlawfully accessed and processed data from the central vaccination register and patient index while having no sufficient legal basis. It rejected the data subject’s request to prohibit further processing and rejected the request for a fine. The municipal authority appealed before the court. It argued, among other things, that it was not the controller for the processing and that the processing had formed part of pandemic management measures. First, the court examined who acted as controller under Article 4(7) GDPR. The court found that the relevant political officeholder, acting within the framework of public health administration, had determined the purpose and essential means of the processing. The municipal authority involved in the campaign merely implemented their instructions. The court therefore held that it had not determined the purposes and means of the processing and was actually not the controller under Article 4(7) GDPR. Second, the court considered that the data subject could not reasonably identify the correct controller because the vaccination rem