Court case Ra 2023/04/0117 – Court Ruling (Austria, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Austria's Supreme Administrative Court dismissed a complaint from a person who believed their vaccination data was mishandled. The court found that the social insurance institution had the legal right to process the person's data for sending vaccination information. This ruling clarifies the legal grounds for processing health-related data during public health initiatives.
What happened
A person complained that their vaccination data was unlawfully accessed or shared by a social insurance institution.
Who was affected
The individual who received a COVID-19 vaccination information letter from the social insurance institution.
What the authority found
The court determined that the social insurance institution had a valid legal basis to process the individual's data under national law and GDPR.
Why this matters
This case illustrates that public health institutions can process personal data when legally authorized. It highlights the need for clear legal frameworks during health emergencies.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
A data subject received a COVID-19 vaccination information letter sent by the social insurance institution together with the Ministry of Social Affairs, Health, Care and Consumer Protection. Believing that his vaccination status and contact data must have been unlawfully accessed or shared, he filed a complaint with the Austrian Data Protection Authority (DSB), alleging a violation of his right to confidentiality under [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&Artikel=1&Paragraf=1&Anlage=&Uebergangsrecht= § 1 DSG] and unlawful processing under Articles 5, 6, and 9 GDPR. He further argued that the controller had failed to comply with the information obligations under Article 14 GDPR, had not concluded a joint-controller agreement with the Ministry, and had not carried out a data protection impact assessment. The DSB dismissed the complaint and the data subject appealed to the Federal Administrative Court, and when that court dismissed his appeal and refused to allow an ordinary revision, he filed an extraordinary appeal with the Supreme Administrative Court. The Supreme Administrative Court examined the data subject’s extraordinary appeal and determined that it raised no legal question of fundamental importance. It agreed with the lower court and the DSB that the social insurance institution, classified as a public law institution, was entitled, under [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10008147&FassungVom=2021-08-31&Artikel=&Paragraf=750&Anlage=&Uebergangsrecht= national law], to process the data subject’s data from the central vaccination register on the basis of explicit statutory authorizations, which required the identification of unvaccinated insured persons and the sending of official information regarding health risks and available free vaccines. Moreover, because this legal basis met the requirements of Articles 6 and 9 GDPR, no violation of the data subject’s righ
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case Ra 2023/04/0117 in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case Ra 2023/04/0117 - Austria (2025). Retrieved from cookiefines.eu
Last updated: