Unknown individual (controller and perpetrator) – €600 Fine (Austria, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An individual in Austria was fined for sharing a medical assessment without a valid legal reason. This is important because it shows that even if you think sharing information is justified, you must have a legal basis to do so. The case highlights the need for explicit consent when dealing with sensitive health data.
What happened
Person B shared a medical assessment of Person A with a municipality without a valid legal basis.
Who was affected
Person A, whose health information was shared with the municipality.
What the authority found
The Austrian DPA found no legal basis for sharing the health data, as it was not necessary for legal claims and lacked the person's consent.
Why this matters
This ruling underscores the importance of having a legal basis for sharing sensitive data, especially health information. It serves as a cautionary tale for individuals who might assume they can share such data without explicit consent.
Person A is employed at a municipality and was on sick leave for several weeks in 2013 and 2014. In September 2014, the municipality concluded that Person A's sickness had been caused by another individual (Person B), who was then asked for damages. In another proceeding between Person A and Person B, the latter obtained a medical assessment concerning Person A's state of health. In Person B's view, this document would have proved the municipality's claim wrong. The document was therefore shared with the municipality (even though no further steps had been taken following the initial claim). For this reason, Person B is considered the controller of Person A's personal data.
The DPA held that there was no legal basis under Article 9(2) GDPR for sending the medical assessment, which contained health data under Article 4(15) GDPR, to the municipality. In particular, the controller could not invoke Article 9(2)(f) GDPR ("necessary for the establishment, exercise or defence of legal claims") because i) the municipality had taken no further steps to claim damages from the controller since September 2014 and ii) the claim had already been time-barred under § 1489 General Civil Code (Allgemeines Bürgerliches Gesetzbuch - ABGB), since more than three years had passed since the event that allegedly caused the damage (harming behaviour towards the data subject). Consequently, the DPA held that the disclosure of the data subject's health data was not necessary "for the establishment, exercise or defence of legal claims". To lawfully disclose the data, the data subject's explicit consent would have been required.
When deciding on the amount of the administrative fine, the DSB took into account the sensitive nature of the data and the wilful conduct of the controller, but also the controller's low income and the fact that the controller collaborated with the DSB in the course of the procedure.
Cite as: Cookie Fines. Unknown individual (controller and perpetrator) - Austria (2021). Retrieved from cookiefines.eu