Prisoner (data subject) – Court Ruling (Austria, 2023)

The data subject was an inmate in a prison. The controller operated the prison and employed a prison doctor. In a complaint to the Ombudsman board, the data subject said that the shower rooms caused skin irritation during cleaning work. On 27 April 2022, the Ombudsman board asked the Ministry of Justice for information. The prison’s legal office then asked the prison doctor to provide a medical statement to support the prison’s reply. On 04 May 2022, the doctor addressed what happened when the data subject contacted her in December 2021 and disclosed health data about the data subject. On 04 October 2022, the data subject filed a complaint with the Austrian DPA. They argued that there were outdated privacy notices and weak compliance in the prison, unauthorised internal access by prison staff to inmate data as well as unauthorised access to the data subject's phone, and unauthorised disclosure by a former lawyer who allegedly sought file access without a valid mandate and passed material to third parties. The data subject also accused the prison doctor of sharing sensitive health information without their consent and thereby violating Article 5 GDPR and Article 9 GDPR. On 22 February 2023, the DPA rejected the complaint. The data subject appealed to the Federal Administrative Court. First, the court focused on who qualified as the controller for the Ombudsman-related disclosure. It noted that Article 4(7) GDPR assigned controller status to the entity that decided the purposes and means of processing, not to individual employees acting on instructions. Second, the court upheld the DPA’s approach on the identification of the controller in a complaint. Following the national rule on complaint requirements (§ 24(2) DSG), the court held that when a complaint clearly targets a specific person who is not the controller for the processing, the authority has to dismiss the complaint. Third, the court held that the prison governor (as the prison authority) was the controlle