gynaecologist – €10,000 Fine (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian gynaecologist was fined €10,000 for publicly revealing a patient's health information in response to a negative online review. This matters because it shows that sharing sensitive personal data without consent can lead to serious penalties. Businesses must be careful about how they handle personal information to avoid similar issues.
What happened
The gynaecologist disclosed a patient's vaginal infection in a public response to a review.
Who was affected
The patient who posted the negative review and had her health information disclosed was affected.
What the authority found
The Austrian DPA ruled that the gynaecologist violated GDPR by processing sensitive health data without a valid legal basis.
Why this matters
This case highlights the importance of protecting personal health information. Businesses should ensure they have proper consent before sharing any sensitive data.
GDPR Articles Cited
On 26 September 2022 the data subject posted a negative review, under her own name, on a website about her experiences at a gynaecologist's office. One day later, the controller, the gynaecologist, publicly responded to the review and disclosed that the data subject had been diagnosed with a vaginal infection. The controller argued that he disclosed the personal data in order to give readers a truthful picture. The response remained publicly available at least until 3 October 2023.

Firstly, the Austrian DPA (DSB) held that the controller processed personal data of the data subject by publishing his response online. Moreover, the DPA held that information regarding a person's vaginal infection is data concerning health under Article 4(15) GDPR. This is a special category of personal data under Article 9(1) GDPR, whose processing is prohibited unless one of the exceptions in Article 9(2) GDPR applies. The DPA found that none of them applied. Thus, the controller violated Article 9 GDPR and the principle of lawfulness under Article 5(1)(a) GDPR.

Secondly, the controller violated the principle of purpose limitation under Article 5(1)(b) GDPR. The DPA found that there was no concrete link between the purpose of the data collection (the diagnosis) and the further processing of the data. Moreover, it was not foreseeable to the data subject that the controller would collect data on her medical diagnosis and publish it in a response to her review.

Thirdly, the controller violated the principle of data minimisation under Article 5(1)(c) GDPR, as the purpose of giving readers a truthful picture could have been fulfilled without mentioning the diagnosis.

The DPA issued a fine of €10,000 under Article 83(1) GDPR based on the estimated income of the controller, as he did not disclose his financial circumstances. The decision regarding the amount of the penalty has been challenged at the Federal Administrative Court (Bundesverwaltungsgericht, BVwG).
Related Enforcement Actions (0)
No other enforcement actions found for this gynaecologist in Austria; this is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. gynaecologist - Austria (2023). Retrieved from cookiefines.eu