Court case Az. 1 WRB 1.25 – Court Ruling (Germany, 2026)

A disciplinary superior ordered a soldier (the data subject) to provide proof of her COVID-19 vaccination by presenting her vaccination certificate to the disciplinary superior in March 2023. She refused and lodged a complaint against the order in May 2023. The complaint was rejected in a decision in June 2023. The data subject appealed this decision. A military court rejected the data subject’s appeal and held that the order to provide proof of coronavirus vaccination was lawful and binding. The data subject appealed the case further to the Federal Administrative Court and contested the lawfulness of the order. The Federal Administrative Court held that there was no legal basis for the order to present the vaccination certificate in national law. In addition, the order was unlawful under the GDPR. The court considered the inspection of a vaccination certificate and its evaluation for the decision on a vaccination order to be processing of personal data. According to the court, a vaccination certificate contains information on the vaccination status of an individual and other health data that can only be processed if one of the narrowly defined exceptions in Article 9(2) GDPR is applicable. The court pointed out that German national law allows the personnel of the the medical service of the German Armed Forces to process health data of soldiers for the purposes of preventive medicine within the meaning of Article 9(2)(h) GDPR. However, the disciplinary superior was not part of the medical service and therefore not authorised to process health data. The exceptions in Articles 9(2)(b), (g) and (i) were not applicable to the present case either as the necessity requirement was not fulfilled. The court held that the data subject’s vaccination status could have been verified in a procedure less intrusive to the rights and freedoms of the data subject.