Dr. Uwe A*** (complainant) – Complaint Upheld (Austria, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian restaurant was found to have violated data protection rules by requiring customers to provide personal information for COVID-19 contact tracing without proper consent. This case is important because it shows that even during a pandemic, businesses must respect privacy laws and ensure data collection is lawful.
What happened
A restaurant required customers to provide personal data for COVID-19 contact tracing without valid consent.
Who was affected
The affected individuals were restaurant customers who were asked to provide personal information.
What the authority found
The authority decided that the restaurant's data collection for contact tracing was not compliant with GDPR, as consent was not freely given.
Why this matters
This decision highlights that businesses must carefully consider legal requirements when collecting data, even for public health reasons. It serves as a warning that consent must be genuinely voluntary and alternatives should be available.
The data subject (customer) filed a complaint against a Viennese restaurant claiming a violation of § 1 of the Austrian Data Protection Act (Datenschutzgesetz - DSG) and Article 6 GDPR: the restaurant required customers to provide their name, phone number, email (optional) and table number upon being seated. In its data protection notice, the restaurant stated that it collected this data "to protect the life and health of our employees and our guests in connection with the occurrence of the coronavirus and the COVID-19 epidemic". The customer provided his data by using a QR-Code Scanner on 2 October 2020 and sent an access request under Article 15 GDPR afterwards. In its reply, the restaurant stated that the processing was based on the Viennese Regulation on Contact Tracing (Wiener Contact-Tracing Verordnung).
Was it lawful under Articles 6 and 9 GDPR to collect data on the customer for the purposes stated by the restaurant?
The DSB held that the data provided by the customer qualify as health data under Article 4(15) GDPR. Data such as name, phone number and email do not qualify as health data per se, but in the context of COVID-19 contact tracing they contain information about the past, present and future physical or mental state of health of the customer. The data are supposed to be processed solely to protect the health of restaurant customers and to forward this data to the local authorities in accordance with the Austrian Epidemic Law. Accordingly, the data processing must also be compliant with the requirements of Article 9 GDPR.
The DSB held that the processing violated Articles 5, 6 and 9 GDPR:
* Consent under Articles 6(1)(a), 7 and 9(2)(a) GDPR cannot be considered as freely given in the context at hand. It was obligatory for the customer to provide his data to the restaurant, otherwise he would not have been allowed to enter the restaurant or would have been asked to leave. In addition, there was no acceptable alternative for the customer, because all resta
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Cite as: Cookie Fines. Dr. Uwe A*** (complainant) - Austria (2020). Retrieved from cookiefines.eu