Court case W171 2298465-1 – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An ambulance service in Austria was found to have unlawfully used a patient's personal data for marketing after an emergency transport. This is important because it shows that companies cannot use personal data for purposes other than what it was originally collected for without consent. Businesses must be careful about how they use customer information.
What happened
The ambulance service sent a donation request using personal data collected during an emergency transport.
Who was affected
The patient whose data was collected during the ambulance service was affected.
What the authority found
The authority ruled that the ambulance service violated the patient's right to confidentiality by using their data for marketing without consent.
Why this matters
This case underscores the importance of using personal data only for its intended purpose. Companies should ensure they have consent before using customer information for other reasons.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
On 10 November 2023, an ambulance service (the controller) transported a patient (the data subject) during a medical emergency. In the course of this operation, the controller collected personal data through the data subject's e-card. This included the data subject’s name and address. The stated purpose for this initial data collection was to provide emergency services. On 11 December 2023, the controller sent a postal donation request to the data subject for paramedic training, referencing the prior emergency transport. On 26 December 2023, the data subject filed a complaint with the DPA. They argued that the data used included health data within the meaning of Article 4(15) GDPR, meaning the controller could not rely on legitimate interests (Article 6(1)(f) GDPR) to further process the data. Moreover, the processing for direct marketing without consent violated the GDPR and their right to confidentiality of their personal data. In a response dated 13 March 2024, the controller argued that the change of purpose was permissible under Article 6(4) GDPR. The further processing complied with Article 14 GDPR because said change was noted in the footer of the donation letter. Furthermore, the controller contended that no special category data (Article 9 GDPR) was processed. On 1 July 2024, the DPA upheld the complaint. It found that the further processing of the data subject’s information for the purpose of sending a donation request violated their right to confidentiality under [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597 National data protection law (DSG)] and was unlawful under the GDPR. Strikingly, the DPA found that the data constituted personal data under Article 4(1) GDPR and also as health data under Article 4(15) GDPR. None of the exemptions under Article 9(2) GDPR applied, rendering the further processing unlawful under Article 9(1) GDPR. Even if the data in question had not qualified as health data, the DPA fou
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W171 2298465-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W171 2298465-1 - Austria (2025). Retrieved from cookiefines.eu
Last updated: