Amt der Tiroler Landesregierung – CJEU Judgment (Austria, 2025)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice ruled that the Amt der Tiroler Landesregierung did not have the right to access personal data from the vaccination register to send reminder letters during the COVID-19 pandemic. This decision is important because it clarifies the limits of what government offices can do with personal data. Small businesses should be aware that accessing personal data without proper rights can lead to legal issues.
What happened
The Amt der Tiroler Landesregierung accessed personal data from the vaccination register without permission to send vaccination reminder letters.
Who was affected
Adults in the Province of Tyrol who received vaccination reminder letters.
What the authority found
The Court held that the Office lacked a valid legal basis for accessing the vaccination register, violating GDPR requirements.
Why this matters
This ruling emphasizes that even government entities must follow strict rules when handling personal data. It serves as a reminder for all organizations to ensure they have the right permissions before accessing personal information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
During the COVID-19 pandemic, the Office (Amt der Tiroler Landesregierung), an auxiliary administrative entity in the service of the Governor and the Provincial Government of Tyrol, sent a ‘vaccination reminder letter’ to all adults residing in the Province of Tyrol who had not yet been vaccinated against that virus. For the purpose of identifying the addressees of those letters, the Office appointed two private companies, which conducted a cross-check of data in the central vaccination register and the patient index, which referred to their residential address. One of those addressees of the vaccination reminder letter (the data subject), filed a complaint with the DPA against the Office alleging unlawful processing of his personal data. Before that authority, the Office stated that it had the status of ‘controller’ and that it was responsible for the letter sent to data subject. The DPA found that the Office had violated the GDPR when it had consulted the data of the data subject in the vaccination register to send the ‘vaccination reminder’ even though it did not have a right to access that register or the patient index. The Office appealed that decision before the Federal Administrative Court (Bundesverwaltungsgericht - BVwG) which held that the Office had the status of controller on the basis of national law but did not have a right to consult the vaccination register for the purposes of sending a reminder letter. Consequently the Office brought an appeal before the Supreme Administrative Court (Verwaltungsgerichtshof -VwGH). That court found that, to enable it to rule in the case before it, it must be determined whether the Office, in the context of that case, has the status of ‘controller’, within the meaning of Article 4(7) GDPR and decided to stay the proceedings and to request a preliminary ruling asking in essence: * whether Article 4(7) GDPR must be interpreted as meaning that it precludes national legislation which designates, as controller, an auxiliar
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for Amt der Tiroler Landesregierung in AT
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
27 February 2025
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-8931About this data
Cite as: Cookie Fines. Amt der Tiroler Landesregierung - Austria (2025). Retrieved from cookiefines.eu
Last updated: