Court case Ra 2023/04/0117 – Court Ruling (Austria, 2025)

Court Ruling
Datenschutzbehörde, 8 October 2025, Austria
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A data subject received a COVID-19 vaccination information letter sent by the social insurance institution together with the Ministry of Social Affairs, Health, Care and Consumer Protection. Believing that his vaccination status and contact data must have been unlawfully accessed or shared, he filed a complaint with the Austrian Data Protection Authority (DSB), alleging a violation of his right to confidentiality under [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&Artikel=1&Paragraf=1&Anlage=&Uebergangsrecht= § 1 DSG] and unlawful processing under Articles 5, 6, and 9 GDPR. He further argued that the controller had failed to comply with the information obligations under Article 14 GDPR, had not concluded a joint-controller agreement with the Ministry, and had not carried out a data protection impact assessment.

The DSB dismissed the complaint. The data subject appealed to the Federal Administrative Court; when that court dismissed his appeal and refused to allow an ordinary revision, he filed an extraordinary appeal with the Supreme Administrative Court.

The Supreme Administrative Court examined the data subject’s extraordinary appeal and determined that it raised no legal question of fundamental importance. It agreed with the lower court and the DSB that the social insurance institution, classified as a public law institution, was entitled, under [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10008147&FassungVom=2021-08-31&Artikel=&Paragraf=750&Anlage=&Uebergangsrecht= national law], to process the data subject’s data from the central vaccination register on the basis of explicit statutory authorizations, which required the identification of unvaccinated insured persons and the sending of official information regarding health risks and available free vaccines. Moreover, because this legal basis met the requirements of Articles 6 and 9 GDPR, no violation of the data subject’s righ

GDPR Articles Cited

Art. 6 GDPR
Art. 9 GDPR
Art. 14 GDPR

National Law Articles

§ 1 DSG

Decision Authority: VfGH
Reviewed Authority: DSB
Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Details

Ruling Date

8 October 2025

Authority

Datenschutzbehörde

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Court case Ra 2023/04/0117 - Austria (2025). Retrieved from cookiefines.eu
