Disziplinarrat der Österreichischen Ärztekammer – Complaint Upheld (Austria, 2021)

The complainant is a data subject who learned a general practitioner was spreading misinformation about COVID-19 by displaying booklets containing non-scientific and partially conspirational information in their practice. The complainant reported the doctor to the Medical Association for Lower Austria, attaching a picture of the booklets as evidence. This body forwarded the complaint to the Disciplinary Council of the Austrian Medical Association to begin an inquiry into the matter. The Council then notified the practitioner that was complained about in the inquiry. In doing so it attached the original (non-redacted) email from the complainant, de facto revealing their identity to the practitioner. Thus, they complained to the Austrian DPA about a violation of their right to secrecy under §1 DSG. The DSB assessed whether the Disciplinary Council of the Austrian Medical Association violated the complainant's right to secrecy by sharing their name to the doctor they reported to the body, which should be done in light of the GDPR, with a particular emphasis on its 'general principles'. The Disciplinary Council of the Austrian Medical Association argued the transfer of personal data to the practitioner was lawful under §153(4) of the national 'Ärztegesetz' ('Doctor Law'). The DSB disagreed, stating the forwarding of the complainant's name does not comply with the principle of data minimisation. Thus, the DSB held that the Disciplinary Council of the Austrian Medical Association violated a data subject's right to secrecy by sharing the email containing their name to the doctor they reported.