Court case W108 2277566-1 – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court case in Austria involved a social insurance carrier that shared a user's rehabilitation facility details with a court without proper consent. This matters because it raises questions about how sensitive health data should be handled and the importance of user privacy.
What happened
The social insurance carrier disclosed a user's rehabilitation facility information to a court during legal proceedings.
Who was affected
A user undergoing rehabilitation whose sensitive health information was shared without consent.
What the authority found
The court found that the disclosure of the user's health-related data lacked proper legal basis and violated privacy rights.
Why this matters
This ruling underscores the need for strict adherence to privacy laws when handling sensitive information. Organizations must be transparent about data sharing, especially when it involves health-related data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
On 27 June 2022, the District Court issued a request to the controller — a statutory social insurance carrier — asking for the name and address of the therapy facility where the data subject was undergoing rehabilitation. The request was part of ongoing enforcement proceedings against the data subject. The controller received this request on 11 July 2022. Relying on its statutory duty to provide administrative assistance under Section 360(1) ASVG, in conjunction with Section 129 B-KUVG and Section 89h GOG, the controller disclosed the name and address of the rehabilitation center. The duration of the data subject’s stay had already been communicated to the court separately. On 30 August 2022, the controller informed the data subject in writing about the data disclosure and explained the legal basis for this action. The controller argued that the request did not appear to exceed the court’s lawful authority and that only minimal and necessary data had been shared. Moreover, the controller maintained that if the information disclosed qualified as special category data under Article 9(1) GDPR, the disclosure was nonetheless lawful pursuant to Article 9(2)(f) GDPR, which permits processing necessary for the establishment, exercise, or defense of legal claims or judicial activities. On 10 January 2023, the data subject filed a complaint with DPA under Article 77 GDPR and Section 24 DSG. The data subject alleged a violation of the right to confidentiality under Section 1 DSG and Article 9 GDPR, asserting that the controller had unlawfully transferred sensitive health-related data to the court without a proper legal basis or consent. The data subject emphasized that the location of the rehabilitation facility could allow for inferences about health status, and that the controller failed to clarify exactly what data had been transferred despite multiple requests for access. At the request of the DPA, the controller submitted a response on 17 February 2023, reaffirming that
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W108 2277566-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
Ruling Date
7 October 2024
Authority
DPA BVwG
About this data
Cite as: Cookie Fines. Court case W108 2277566-1 - Austria (2024). Retrieved from cookiefines.eu
Last updated: