Court case Ra 2024/04/0408 – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled on a case where a patient's MRI scans were shared without her consent, but the complaint was dismissed. This ruling is important because it clarifies who is responsible for data sharing in medical contexts. Healthcare providers must ensure they have proper consent before sharing sensitive information.
What happened
A patient's MRI scans were shared by her authorized representative without her consent.
Who was affected
The patient, who was unable to provide consent due to her health condition, and her authorized representative.
What the authority found
The court found that the authorized representative acted as the data controller and dismissed the complaint as unfounded.
Why this matters
This ruling sets a precedent for how consent is handled in medical data sharing. Healthcare providers should ensure they have clear consent processes in place.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The data subject advanced an appeal to a DPA decision concerning an alleged violation of her fundamental right to privacy, as laid out in [https://www.jusline.at/gesetz/dsg/paragraf/artikel1zu1 Article 1(1) of the Austrian Data Protection Act (Datenschutzgesetz – DSG)]. The initial complaint advanced by the data subject related to the sharing of the data subject´s MRI scans without the data subject´s consent, in the context of a treatment procedure at a rehabilitation centre following a hip operation. At the time of the follow-up treatment, the appellant was seventy-seven years old and suffered from dementia and significant cognitive impairment due to two brain operations in 2018. Therefore, the data subject was unable to provide any information about her medication and previous findings and thus had an authorized representative. A few days after the data subject´s admission to the hospital, the data subject´s authorized representative, a doctor, submitted a bundle of radiological images. One of the MRI scan's radiological images was missing so the medical team of the rehabilitation centre asked the data subject´s authorized representative to send a duplicate. The requested MRI was faxed to the rehabilitation centre by the data subject´s authorized representative on the same day without the consent of the data subject, who only learned of this disclosure verbally from doctors at the rehabilitation center. The data subject advanced a complaint, claiming that, in the case at hand, [https://www.jusline.at/gesetz/dsg/paragraf/artikel1zu1 Article 1(1) of the Austrian Data Protection Act (Datenschutzgesetz – DSG)] was violated. The Administrative Court Holding The Administrative Court dismissed the complaint as unfounded due to the following reasons. First, the Administrative Court found that the data subject´s authorized representative was the controller under Article 4(7) GDPR. Then, it proceeded by considering that, while [https://www.jusline.at/gesetz/dsg/paragra
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case Ra 2024/04/0408 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
Ruling Date
26 November 2024
Authority
DPA VwGH
About this data
Cite as: Cookie Fines. Court case Ra 2024/04/0408 - Austria (2024). Retrieved from cookiefines.eu
Last updated: