Court case W171 2298465-1 – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 10 November 2023, an ambulance service (the controller) transported a patient (the data subject) during a medical emergency. In the course of this operation, the controller collected personal data through the data subject's e-card. This included the data subject’s name and address. The stated purpose for this initial data collection was to provide emergency services. On 11 December 2023, the controller sent a postal donation request to the data subject for paramedic training, referencing the prior emergency transport. On 26 December 2023, the data subject filed a complaint with the DPA. They argued that the data used included health data within the meaning of Article 4(15) GDPR, meaning the controller could not rely on legitimate interests (Article 6(1)(f) GDPR) to further process the data. Moreover, the processing for direct marketing without consent violated the GDPR and their right to confidentiality of their personal data. In a response dated 13 March 2024, the controller argued that the change of purpose was permissible under Article 6(4) GDPR. The further processing complied with Article 14 GDPR because said change was noted in the footer of the donation letter. Furthermore, the controller contended that no special category data (Article 9 GDPR) was processed. On 1 July 2024, the DPA upheld the complaint. It found that the further processing of the data subject’s information for the purpose of sending a donation request violated their right to confidentiality under [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597 National data protection law (DSG)] and was unlawful under the GDPR. Strikingly, the DPA found that the data constituted personal data under Article 4(1) GDPR and also as health data under Article 4(15) GDPR. None of the exemptions under Article 9(2) GDPR applied, rendering the further processing unlawful under Article 9(1) GDPR. Even if the data in question had not qualified as health data, the DPA fou
GDPR Articles Cited
National Law Articles
On 10 November 2023, an ambulance service (the controller) transported a patient (the data subject) during a medical emergency. In the course of this operation, the controller collected personal data through the data subject's e-card. This included the data subject’s name and address. The stated purpose for this initial data collection was to provide emergency services. On 11 December 2023, the controller sent a postal donation request to the data subject for paramedic training, referencing the prior emergency transport. On 26 December 2023, the data subject filed a complaint with the DPA. They argued that the data used included health data within the meaning of Article 4(15) GDPR, meaning the controller could not rely on legitimate interests (Article 6(1)(f) GDPR) to further process the data. Moreover, the processing for direct marketing without consent violated the GDPR and their right to confidentiality of their personal data. In a response dated 13 March 2024, the controller argued that the change of purpose was permissible under Article 6(4) GDPR. The further processing complied with Article 14 GDPR because said change was noted in the footer of the donation letter. Furthermore, the controller contended that no special category data (Article 9 GDPR) was processed. On 1 July 2024, the DPA upheld the complaint. It found that the further processing of the data subject’s information for the purpose of sending a donation request violated their right to confidentiality under [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597 National data protection law (DSG)] and was unlawful under the GDPR. Strikingly, the DPA found that the data constituted personal data under Article 4(1) GDPR and also as health data under Article 4(15) GDPR. None of the exemptions under Article 9(2) GDPR applied, rendering the further processing unlawful under Article 9(1) GDPR. Even if the data in question had not qualified as health data, the DPA fou
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W171 2298465-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W171 2298465-1 - Austria (2025). Retrieved from cookiefines.eu
Last updated: