DSB (Austria) - 2021-0.410.237: Difference between revisions
No edit summary |
No edit summary |
||
(3 intermediate revisions by 3 users not shown) | |||
Line 18: | Line 18: | ||
|Outcome=Rejected | |Outcome=Rejected | ||
|Date_Started= | |Date_Started= | ||
|Date_Decided= | |Date_Decided=09.08.2021 | ||
|Date_Published= | |Date_Published=11.04.2022 | ||
|Year= | |Year= | ||
|Fine=None | |Fine=None | ||
Line 53: | Line 53: | ||
}} | }} | ||
The Austrian DPA held that a | The Austrian DPA held that a COVID-19 provision requiring shop owners to ask customers for medical certificates if they are not wearing face masks due to health reasons does not violate GDPR. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject entered the retail store of the controller. Because she did not were a face mask, she was denied entry by an employee of the controller. She explained that she | The data subject entered the retail store of the controller. Because she did not were a face mask, she was denied entry by an employee of the controller. She explained that she could not wear a face mask for health reasons. The employee asked her to show an appropriate doctor's certificate which the data subject did. The data subject lodged a complaint against the controller with the Austrian DPA (Datenschutzbehörde - DSB) asserting that the controller violated her right to privacy because already the fact that she cannot wear a face mask for health reasons is sensitive data. The controller objected to this assertion stating that, under § 19 of the forth Austrian Covid-19 Protection Ordinance ([https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20011470&FassungVom=2021-05-05 § 19 4. COVID-19-SchuMaV]), it had to check whether customers are wearing face masks and, if not, verify which health reason prevents them from doing so. The data subject replied to this argument that the ordinance violates the GDPR and is therefore not to be applied according to the principle of Primacy of EU Law. | ||
The data subject lodged a complaint against the controller with the Austrian DPA (Datenschutzbehörde - DSB) asserting that the controller violated her right to privacy because already the fact that she cannot wear a face mask for health reasons is sensitive data. The controller objected to this assertion stating that | |||
=== Holding === | === Holding === | ||
The DPA rejected the complaint. It held that the data subjects' rights are sufficiently safeguarded because according to [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 § 6(1) DSG] (Austrian Data Protection Law) the employees of the controller are obliged to secrecy regarding data which they accessed exclusively in their professional occupation. Furthermore, the DPA found that the public | The DPA rejected the complaint. It held that the data subjects' rights are sufficiently safeguarded because according to [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597 § 6(1) DSG] (Austrian Data Protection Law) the employees of the controller are obliged to secrecy regarding data which they accessed exclusively in their professional occupation. Furthermore, the DPA found that the protection of public health overrides the interest of the data subject to not disclose (part of) her health record and that [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20011470&FassungVom=2021-05-05 § 19 4. COVID-19-SchuMaV] constitutes an exception under [[Article 9 GDPR#1i|Article 9(1)(i) GDPR]]. | ||
== Comment == | == Comment == |
Latest revision as of 16:05, 20 April 2022
DSB (Austria) - 2021-0.410.237 | |
---|---|
Authority: | DSB (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 9(2)(i) GDPR § 19 4. COVID-19-SchuMaV § 6(1) DSG |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 09.08.2021 |
Published: | 11.04.2022 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 2021-0.410.237 |
European Case Law Identifier: | ECLI:AT:DSB:2021:2021.0.410.237 |
Appeal: | n/a |
Original Language(s): | German |
Original Source: | Rechtsinformationssystem des Bundes (RIS) (in DE) |
Initial Contributor: | Heiko Hanusch |
The Austrian DPA held that a COVID-19 provision requiring shop owners to ask customers for medical certificates if they are not wearing face masks due to health reasons does not violate GDPR.
English Summary
Facts
The data subject entered the retail store of the controller. Because she did not were a face mask, she was denied entry by an employee of the controller. She explained that she could not wear a face mask for health reasons. The employee asked her to show an appropriate doctor's certificate which the data subject did. The data subject lodged a complaint against the controller with the Austrian DPA (Datenschutzbehörde - DSB) asserting that the controller violated her right to privacy because already the fact that she cannot wear a face mask for health reasons is sensitive data. The controller objected to this assertion stating that, under § 19 of the forth Austrian Covid-19 Protection Ordinance (§ 19 4. COVID-19-SchuMaV), it had to check whether customers are wearing face masks and, if not, verify which health reason prevents them from doing so. The data subject replied to this argument that the ordinance violates the GDPR and is therefore not to be applied according to the principle of Primacy of EU Law.
Holding
The DPA rejected the complaint. It held that the data subjects' rights are sufficiently safeguarded because according to § 6(1) DSG (Austrian Data Protection Law) the employees of the controller are obliged to secrecy regarding data which they accessed exclusively in their professional occupation. Furthermore, the DPA found that the protection of public health overrides the interest of the data subject to not disclose (part of) her health record and that § 19 4. COVID-19-SchuMaV constitutes an exception under Article 9(1)(i) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
GZ: 2021-0.410.237 from August 9, 2021 (case number: DSB-D124.4059) [Note editor: Names and companies, legal forms and product names, Addresses (incl. URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated for reasons of pseudonymization and/or changed. Obvious spelling, grammar and punctuation errors have been corrected.] NOTICE S P R U C H The data protection authority decides on the data protection complaint of Mag. Sofia A*** (Appellant) of May 4, 2021 against N*** Austria AG (Respondent) due to violation of the right to secrecy as follows: - The complaint is dismissed as unsubstantiated. Legal basis: Art. 9, Art. 51 (1), Art. 57 (1) lit. f and Art. 77 (1) of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ. No. L 119 of 4.5.2016 p. 1; §§ 1, 6, 18 para. 1 as well as 24 para. 1 and para. 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; § 19 4. COVID-19 Protective Measures Ordinance (4th COVID-19-SchuMaV), Federal Law Gazette II No. 58/2021, as amended by Federal Law Gazette II 111/2021; §§ 3, 7 paragraph 1 COVID-19 Measures Act (COVID-19-MG), Federal Law Gazette I No. 12/2020 idgF. REASON A. Submissions of the parties and course of the proceedings 1. With the procedural submission dated May 4, 2021, the complainant led In summary, she was at the N*** Shop in 10*0 Vienna on May 4, 2021 and she was initially denied access because she did not wear mouth and nose protection have worn. She stated that she could not do this for health reasons and had she been asked to produce a medical certificate. You told the employee on her mobile phone the photographed certificate, which also contained a diagnosis, shown and she was then granted access. The employee said he had the instruction to have medical certificates presented, especially in the event of a police check the Respondent could receive a fine. The Respondent was to The collection of the health data was not justified and they see themselves as right on secrecy as violated. 2. In a statement dated June 2, 2021, the Respondent essentially stated that By requesting a medical certificate, she wanted to make sure that the wearing of a mouth and nose protector was actually exempted. the Submission of a medical diagnosis was not required and also not of interest. This procedure was carried out in accordance with the applicable legal requirements, in particular the 4th COVID-19 Protection Measures Ordinance. According to § 19 of this Regulation have a substantiation of the existence of an exemption from the obligation to Wearing a mouth and nose protector for health reasons Respondent as the owner of a business establishment (N*** Shop) by submitting a to be confirmed by a doctor. Through the demanded and objectively accomplished The Respondent fulfills this obligation imposed on it within the meaning of Section 19 (3) by providing credible evidence the said ordinance in conjunction with § 8 para. 4 COVID-19-MG; otherwise she would commit one administrative violation. For the sake of completeness, it should be stated that such Evidence can only be viewed and no storage takes place and no information be noted about this. 3. In a statement dated June 9, 2021, the complainant stated in summary that already the notification of the fact that she was not able to wear a mouth and nose protector to wear constitutes sensitive personal data. The fundamental right to Secrecy is constitutional and the EU General Data Protection Regulation protected. Due to the primacy of EU law has a contrary national law such as the Covid-19 Measures Act and the Covid-19 Protective Measures Ordinance to remain unnoticed and must not be carried out. All entrusted with the execution Organs - be they public servants or entrusted like the Respondent - have to disregard these standards; otherwise they would be sued for violation of the make data protection a punishable offence. The data in question would not have been collected may. B. Subject of Complaint The subject of the complaint is the question of whether the respondent is the complainant in violated the right to secrecy. C. Findings of Facts 1. The Respondent is a stock corporation with the Commercial register number FN *12*4*a. Evidence assessment: The findings are based on official research by the Data protection authority in the company register. 2. On May 4, 2021, the complainant visited a business premises of Respondent in 10*0 Vienna. The complainant was not wearing a face mask. She was therefore asked by an employee of the respondent to submit a medical certificate to show that she was going to work for health reasons Couldn't wear mouth and nose protection. The complainant showed the employee her related medical certificate – which also includes the diagnosis regarding the Appellant contained - in the form of a photograph on her mobile phone. Evidence assessment: The findings made are essentially based on the undisputed statements of the complainant. D. In legal terms it follows that: 1. Applicable legislation § 3 COVID-19-MG reads as follows, including the title (emphasis added). Data Protection Authority): Entering and driving on business premises and places of work as well as using means of transport § 3. (1) If COVID-19 occurs, by ordinance 1. Entering and driving on business premises or only certain ones Business premises for the purpose of purchasing goods or using Services, 2. Entering and driving on work places or only certain work places according to § 2 paragraph 3 of the Employee Protection Act (ASchG) by persons, who are employed there, and 3. Using means of transport or only certain means of transport regulated to the extent necessary to prevent the spread of COVID-19. (2) In an ordinance pursuant to para. 1, according to the epidemiological situation be determined, in what number and at what time or under what conditions and requirements to enter and drive on business premises or places of work or means of transport may be used. Furthermore, entering and driving on business premises or Places of work and the use of means of transport are prohibited, provided they are less severe measures are not sufficient. Section 19 of the 4th COVID-19-SchuMaV in the version applicable at the time of the complaint The version and title are as follows (emphasis added by the data protection authority): credibility § 19. (1) The existence of the requirements according to §§ 2 and 17 is upon request opposite to 1. organs of the public security service, 2. Authorities and administrative courts in dealings with parties and official acts as well 3. Owners of a business premises or a place of work and operators of a means of transport to fulfill their obligation according to § 8 para. 4 COVID-19-MG, to make believable. (2) The exceptional reason, according to which, for health reasons, wearing a Respirator of protection class FFP2 (FFP2 mask) without exhalation valve, or one Mask with at least an equivalent standardized standard or the mouth and nose area covering and tight-fitting mechanical protection device or the mouth and mechanical protective device covering the nose area cannot be expected, as well as the existence of a pregnancy is due to a self-employed doctor authorized doctor to prove that he is practicing his profession., (3) If the existence of a reason for exception according to para. is the owner of the business premises or place of work as well as the operator of a means of transport has fulfilled its obligation in accordance with Section 8 (4) of the COVID-19-MG. 2. Respondent As a public limited company, the Respondent is a company under private law and - contrary to the allegations of the complainant - not entrusted with sovereign tasks or encumbered. The Respondent is therefore a person responsible for the private area. 3. Right to Confidentiality According to § 1 Para. 1 DSG, everyone has the right to confidentiality of the data concerning him personal data, insofar as there is a legitimate interest in it. The existence such an interest is excluded if data as a result of their general availability or due to their lack of traceability to the person concerned secrecy claim are not accessible. The GDPR and in particular the principles enshrined therein are to interpret the Right to secrecy to be taken into account (cf. the decision of the DSB of 31 October 2018, GZ DSB-D123.076/0003-DSB/2018). In the present case, the scope of § 1 para. 1 DSG is open, since the Information on the applicant's medical certificate relates to her. In addition, it is undoubtedly health data within the meaning of Art. 4 Z 15 DSGVO. Apart from that, there is not one for the scope of § 1 Para. 1 DSG certain form of processing (ruling of the Administrative Court of 28. February 2018, Ra 2015/04/0087 with further reference). Restrictions on the right to secrecy are then in accordance with Section 1 (2) DSG permissible if personal data is in the vital interest of the person concerned are used, the data subject has given his or her consent (or in the terminology of the GDPR: consent) if there is a qualified legal basis for use exists, or if the use is due to overriding legitimate interests of a third party is justified. According to Art. 9 Para. 1 GDPR, the use of data categories that are of their type according to which are particularly worthy of protection, only under strict conditions, namely according to those of Art. 9 Para. 2 GDPR, permissible. According to § 9 paragraph 2 lit. i is a processing lawful if they are in the public interest for reasons of public interest Health, such as protection against serious cross-border health hazards or to ensure high quality and safety standards of health care and pharmaceuticals and medical devices, on the basis of Union law or the law of a Member State, the appropriate and specific Measures to protect the rights and freedoms of the data subject, in particular of professional secrecy, is required. 4. In the matter The Respondent relies on § 19 4. 4. COVID-19-SchuMaV in conjunction with § 8 para. 4 COVID-19-MG. It is therefore necessary to check whether there is a qualified legal basis: From the provision of § 3 COVID-19-MG cited above, it is clear that by Ordinance the entry of business premises can be regulated and according to the epidemiological situation can be determined under what conditions and Conditions may be entered on premises. The Federal Minister for Social Affairs, Health, Care and Consumer Protection has responsible federal minister for health within the meaning of § 7 para. 1 COVID-19-MG from made use of this authorization and issued the 4th COVID-19-SchuMaV, whereby specifically § 19 leg. cit. is relevant. According to paragraph 2 of this same provision is - as can be seen above - the reason for exception, according to which, for health reasons, Wearing a respirator cannot be reasonably expected, due to an in Confirmation issued by a doctor authorized to practice independently in Austria to prove. In any case, the scope and application of Section 19 4. COVID-19-SchuMaV is clear and precise and are the respective consequences for affected persons from the wording of these standards recognizable (cf. recital 41 second sentence GDPR). The respective directly with the control The respondent's employee involved in the medical certificate is, in accordance with § 6. Para. 1 DSG - without prejudice to other statutory confidentiality obligations - obliged to personal data provided to him solely on the basis of professional employment were entrusted or made accessible to keep secret. With that are appropriate and specific measures to safeguard the rights and freedoms of complainant provided. The obligation to provide evidence in the form of a medical certificate, according to which For health reasons, wearing a respiratory mask cannot be expected, is to prevent the spread of COVID-19 and thus to maintain the useful for public health. This, especially since otherwise everyone the presence of one could claim such a reason and refuse to wear a respirator.,Wearing a respirator in closed rooms appears - especially with regard to the high at the time of the complaint New infection rate - as an essential measure to stop the spread of COVID-19 counteract and avoid overloading the Austrian health system or an imminent collapse of medical care or a similar situation Holding back an emergency situation would have fatal consequences for society as a whole. Therefore, this important public interest outweighs the interest of the complainant, her personal health data not when entering a Business premises without having to disclose mouth and nose protection. It can be assumed that the law imposed on the owners of a permanent establishment Obligation to check proof of the existence of a medical certificate the mildest means was to maintain public health as best as possible guarantee. A milder means of achieving this goal is revealed objectively the data protection authority does not. The complainant's argument that the 4th COVID-19-SchuMaV and the COVID-19-MG due to constitutionally protected rights of secrecy as well as conflicting EU law should not be applied is useless. This especially since the relevant provision of Section 19 (2) 4. COVID-19-SchuMaV is concerned a permissible restriction within the meaning of Section 1 (2) DSG and Article 9 (2) (i) GDPR. In summary of all these statements, the data protection authority comes to that Result that the data processing in question is based on Section 19 (2) 4. COVID-19-SchuMaV can be supported and this represents the mildest means. It is therefore a lawful Data processing in accordance with Article 9 (2) (i) GDPR. It violation in the right to The Respondent does not keep the Complainant confidential. It was therefore to be decided accordingly.