Court case W245 2247035-1/8E and W245 2251274-1/6E – Court Ruling (Austria, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that a hospital department head wrongly denied a patient's request for their personal data. The court found that the patient's request was clear enough under GDPR rules, even if it was not perfectly worded. This decision highlights the importance of responding to data access requests promptly and accurately.
What happened
A hospital department head denied a patient's request for access to their personal data.
Who was affected
The patient who requested access to their personal data from the hospital department.
What the authority found
The court decided that the hospital department head should have provided the requested data, as the patient's request was clear under GDPR rules.
Why this matters
This case emphasizes that companies must respond to data access requests even if they are not perfectly worded, as long as the intent is clear. It serves as a reminder for businesses to ensure they have processes in place to handle such requests efficiently.
GDPR Articles Cited
National Law Articles
The data subject was a patient in a hospital department. The controller was the head of such department. The data subject was of the opinion that there had been medical negligence during the treatment. Consequently, the data subject sent the following access request to the controller. It was titled "Application for data information in accordance with DSG, GDPR and any other conceivable legal basis", and read: "I hereby submit the request for information in accordance with § 44 DSG and thus make use of my right to receive confirmation as to whether you process personal data concerning me and if this is the case, I make use of my right, To obtain information about the personal data concerned in accordance with § 44 DSG." Although § 44 DSG does grant data subjects a right to access, according to its chapter in the DSG, it only applies to the "Processing of personal data for the purposes of the security police, including the protection of the constitution, military self-defence, the investigation and prosecution of criminal offenses, the execution of sentences and the enforcement of measures". The controller objected to the request, arguing that they were not a controller pursuant to § 44 DSG. Subsequently, the data subject complaint to the Austrian DPA. In its assessment, the DPA stated that Article 15 GDPR, the appropriate right to access in the present case, does not require any specific formulation. The only requirement for the applicability of a right, according to the GDPR, is that the addressed controller can recognize which right the data subject wished to apply. If this was the case, a controller would be obliged to respond to an access request within the time limits set by Article 12(3) GDPR. This was objectively possible in the case at hand. It was clear from the request that the data subject wanted to rely on its right to access. Therefore, the controller should not have denied the data subject its right simply because the data subject mistakenly
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W245 2247035-1/8E and W245 2251274-1/6E in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W245 2247035-1/8E and W245 2251274-1/6E - Austria (2022). Retrieved from cookiefines.eu
Last updated: