Court case W108 2277566-1 – Court Ruling (Austria, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 27 June 2022, the District Court issued a request to the controller — a statutory social insurance carrier — asking for the name and address of the therapy facility where the data subject was undergoing rehabilitation. The request was part of ongoing enforcement proceedings against the data subject. The controller received this request on 11 July 2022. Relying on its statutory duty to provide administrative assistance under Section 360(1) ASVG, in conjunction with Section 129 B-KUVG and Section 89h GOG, the controller disclosed the name and address of the rehabilitation center. The duration of the data subject’s stay had already been communicated to the court separately. On 30 August 2022, the controller informed the data subject in writing about the data disclosure and explained the legal basis for this action. The controller argued that the request did not appear to exceed the court’s lawful authority and that only minimal and necessary data had been shared. Moreover, the controller maintained that if the information disclosed qualified as special category data under Article 9(1) GDPR, the disclosure was nonetheless lawful pursuant to Article 9(2)(f) GDPR, which permits processing necessary for the establishment, exercise, or defense of legal claims or judicial activities. On 10 January 2023, the data subject filed a complaint with DPA under Article 77 GDPR and Section 24 DSG. The data subject alleged a violation of the right to confidentiality under Section 1 DSG and Article 9 GDPR, asserting that the controller had unlawfully transferred sensitive health-related data to the court without a proper legal basis or consent. The data subject emphasized that the location of the rehabilitation facility could allow for inferences about health status, and that the controller failed to clarify exactly what data had been transferred despite multiple requests for access. At the request of the DPA, the controller submitted a response on 17 February 2023, reaffirming that
GDPR Articles Cited
National Law Articles
On 27 June 2022, the District Court issued a request to the controller — a statutory social insurance carrier — asking for the name and address of the therapy facility where the data subject was undergoing rehabilitation. The request was part of ongoing enforcement proceedings against the data subject. The controller received this request on 11 July 2022. Relying on its statutory duty to provide administrative assistance under Section 360(1) ASVG, in conjunction with Section 129 B-KUVG and Section 89h GOG, the controller disclosed the name and address of the rehabilitation center. The duration of the data subject’s stay had already been communicated to the court separately. On 30 August 2022, the controller informed the data subject in writing about the data disclosure and explained the legal basis for this action. The controller argued that the request did not appear to exceed the court’s lawful authority and that only minimal and necessary data had been shared. Moreover, the controller maintained that if the information disclosed qualified as special category data under Article 9(1) GDPR, the disclosure was nonetheless lawful pursuant to Article 9(2)(f) GDPR, which permits processing necessary for the establishment, exercise, or defense of legal claims or judicial activities. On 10 January 2023, the data subject filed a complaint with DPA under Article 77 GDPR and Section 24 DSG. The data subject alleged a violation of the right to confidentiality under Section 1 DSG and Article 9 GDPR, asserting that the controller had unlawfully transferred sensitive health-related data to the court without a proper legal basis or consent. The data subject emphasized that the location of the rehabilitation facility could allow for inferences about health status, and that the controller failed to clarify exactly what data had been transferred despite multiple requests for access. At the request of the DPA, the controller submitted a response on 17 February 2023, reaffirming that
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case W108 2277566-1 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case W108 2277566-1 - Austria (2024). Retrieved from cookiefines.eu
Last updated: