Court case W298 2269087-1 – Court Ruling (Austria, 2023)

A medical doctor, the controller, used the national health care portal to access information about the vaccination status of a data subject who had applied for a job. The DPA opened an investigation against the controller who, in turn, acknowledged a violation of Article 9 GDPR, as they unlawfully processed health data of the data subject. The DPA imposed a €3,500 fine for the violation of Article 9 GDPR. The fact that the controller was a doctor, that they processed special categories of data and that they did it intentionally were considered aggravating factors in the quantification of the fine. The controller appealed the decision, claiming that the fine was disproportionate. In assessing the proportionality of the fine, the Federal Administrative Court examined how the DPA applied Article 83(2) GDPR at the facts at issue. Concerning Article 83(2)(a) GDPR, it is true that the controller position as a doctor should be considered an aggravating factor. However, the court also found that these data should have been disclosed in any case to the controller during the job interview, according to Austrian law. In this context, the court found particularly relevant that the controller processed only vaccination data and no other special categories of personal data pursuant to Article 9 GDPR. The court also regarded the fact that the processing occurred during highly stressful times of the pandemic as a mitigating factor pursuant to Article 83(2)(k) GDPR. Finally, the court disregarded the intentional character of the violation (Article 83(2)(b) GDPR) as an element to determine the amount of the fine. In light of the above, the court reduced the amount of the fine to €2,000.