Dr. Walter A. (complainant) – Dismissed (Austria, 2021)

The respondent operates a primary care centre. Among other things, PCR tests for SARS CoV-2 are carried out under its responsibility. The complainant had a voluntary PCR test (SARS-CoV-2) carried out at the respondent's primary care centre. By text message of 28 September 2020, he had been informed that the result of his PCR test was available and that the result was negative. The following day, he received an SMS with the following text: "Your test result of the sample collection of 28 September 2020 has been received. COVID-19 test for Walter, born 19** is NEGATIVE. Your district administrative authority". The respondent argued that it was allowed to pass on the data on the basis of the Ordinance of the Federal Minister of Health concerning electronic laboratory reports in the register of notifiable diseases, Federal Law Gazette II No. 184/2013 as amended by Federal Law Gazette II 323/2020. However, this was contested. The dispute concerns the question whether the respondent violated the complainant's right to confidentiality by forwarding his information of a negative PCR (SARS-CoV-2) test to a district administrative authority. The DPA held “that the wording of Art. 4(15) GDPR does not link a certain (minimum) impairment of physical or mental health, which argues in favour of a broad interpretation of the term "health data". This is even clearer in Recital 35 of the Regulation, which states that personal data concerning health should include any data revealing information about the past, present and future physical or mental health status of the data subject. These considerations are also covered by the case law of the ECJ, according to which the term "date of health" is to be interpreted broadly (cf. on the comparable legal situation under Directive 95/46 the judgement of the ECJ of 6 November 2003, C 101/01, Rs Lindqvist, para 50 f). As an interim result, it must therefore be noted that (also) the negative test of the complainant is to be qualified as