Prisoner (data subject) – Court Ruling (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court ruled that a prison did not violate data protection laws regarding a complaint from an inmate about unauthorized sharing of health information. The court found that the prison's legal office acted correctly in handling the situation. This case highlights the importance of understanding who is responsible for data processing in complaints.
What happened
A prison was accused of improperly sharing an inmate's health information without consent.
Who was affected
An inmate whose health data was allegedly shared without their consent by prison staff.
What the authority found
The court upheld that the prison governor was the responsible entity for the data processing, not individual employees acting on instructions.
Why this matters
This ruling clarifies the responsibilities of organizations in handling data complaints. It serves as a reminder for institutions to ensure clear accountability in data processing activities.
Original data from scraper before AI verification against source document.
The data subject was an inmate in a prison. The controller operated the prison and employed a prison doctor. In a complaint to the Ombudsman board, the data subject said that the shower rooms caused skin irritation during cleaning work. On 27 April 2022, the Ombudsman board asked the Ministry of Justice for information. The prison’s legal office then asked the prison doctor to provide a medical statement to support the prison’s reply. On 04 May 2022, the doctor addressed what happened when the data subject contacted her in December 2021 and disclosed health data about the data subject.
On 04 October 2022, the data subject filed a complaint with the Austrian DPA. They argued that there were outdated privacy notices and weak compliance in the prison, unauthorised internal access by prison staff to inmate data as well as unauthorised access to the data subject's phone, and unauthorised disclosure by a former lawyer who allegedly sought file access without a valid mandate and passed material to third parties. The data subject also accused the prison doctor of sharing sensitive health information without their consent and thereby violating Article 5 GDPR and Article 9 GDPR. On 22 February 2023, the DPA rejected the complaint. The data subject appealed to the Federal Administrative Court.
First, the court focused on who qualified as the controller for the Ombudsman-related disclosure. It noted that Article 4(7) GDPR assigned controller status to the entity that decided the purposes and means of processing, not to individual employees acting on instructions.
Second, the court upheld the DPA’s approach on the identification of the controller in a complaint. Following the national rule on complaint requirements (§ 24(2) DSG), the court held that when a complaint clearly targets a specific person who is not the controller for the processing, the authority has to dismiss the complaint.
Third, the court held that the prison governor (as the prison authority) was the controlle
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
About this data
Cite as: Cookie Fines. Prisoner (data subject) - Austria (2023). Retrieved from cookiefines.eu