Amt der Tiroler Landesregierung – CJEU Judgment (Austria, 2025)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
During the COVID-19 pandemic, the Office (Amt der Tiroler Landesregierung), an auxiliary administrative entity in the service of the Governor and the Provincial Government of Tyrol, sent a ‘vaccination reminder letter’ to all adults residing in the Province of Tyrol who had not yet been vaccinated against that virus. For the purpose of identifying the addressees of those letters, the Office appointed two private companies, which conducted a cross-check of data in the central vaccination register and the patient index, which referred to their residential address. One of those addressees of the vaccination reminder letter (the data subject), filed a complaint with the DPA against the Office alleging unlawful processing of his personal data. Before that authority, the Office stated that it had the status of ‘controller’ and that it was responsible for the letter sent to data subject. The DPA found that the Office had violated the GDPR when it had consulted the data of the data subject in the vaccination register to send the ‘vaccination reminder’ even though it did not have a right to access that register or the patient index. The Office appealed that decision before the Federal Administrative Court (Bundesverwaltungsgericht - BVwG) which held that the Office had the status of controller on the basis of national law but did not have a right to consult the vaccination register for the purposes of sending a reminder letter. Consequently the Office brought an appeal before the Supreme Administrative Court (Verwaltungsgerichtshof -VwGH). That court found that, to enable it to rule in the case before it, it must be determined whether the Office, in the context of that case, has the status of ‘controller’, within the meaning of Article 4(7) GDPR and decided to stay the proceedings and to request a preliminary ruling asking in essence: * whether Article 4(7) GDPR must be interpreted as meaning that it precludes national legislation which designates, as controller, an auxiliar
GDPR Articles Cited
During the COVID-19 pandemic, the Office (Amt der Tiroler Landesregierung), an auxiliary administrative entity in the service of the Governor and the Provincial Government of Tyrol, sent a ‘vaccination reminder letter’ to all adults residing in the Province of Tyrol who had not yet been vaccinated against that virus. For the purpose of identifying the addressees of those letters, the Office appointed two private companies, which conducted a cross-check of data in the central vaccination register and the patient index, which referred to their residential address. One of those addressees of the vaccination reminder letter (the data subject), filed a complaint with the DPA against the Office alleging unlawful processing of his personal data. Before that authority, the Office stated that it had the status of ‘controller’ and that it was responsible for the letter sent to data subject. The DPA found that the Office had violated the GDPR when it had consulted the data of the data subject in the vaccination register to send the ‘vaccination reminder’ even though it did not have a right to access that register or the patient index. The Office appealed that decision before the Federal Administrative Court (Bundesverwaltungsgericht - BVwG) which held that the Office had the status of controller on the basis of national law but did not have a right to consult the vaccination register for the purposes of sending a reminder letter. Consequently the Office brought an appeal before the Supreme Administrative Court (Verwaltungsgerichtshof -VwGH). That court found that, to enable it to rule in the case before it, it must be determined whether the Office, in the context of that case, has the status of ‘controller’, within the meaning of Article 4(7) GDPR and decided to stay the proceedings and to request a preliminary ruling asking in essence: * whether Article 4(7) GDPR must be interpreted as meaning that it precludes national legislation which designates, as controller, an auxiliar
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for Amt der Tiroler Landesregierung in AT
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
27 February 2025
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-8931About this data
Cite as: Cookie Fines. Amt der Tiroler Landesregierung - Austria (2025). Retrieved from cookiefines.eu
Last updated: