DSB (Austria) - 2021-0.410.237
From GDPRhub
| DSB (Austria) - 2021-0.410.237 | |
|---|---|
 | |
| Authority: | DSB (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 9(2)(i) GDPR § 19 4. COVID-19-SchuMaV § 6(1) DSG |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | 09.08.2021 |
| Published: | 11.04.2022 |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 2021-0.410.237 |
| European Case Law Identifier: | ECLI:AT:DSB:2021:2021.0.410.237 |
| Appeal: | n/a |
| Original Language(s): | German |
| Original Source: | Rechtsinformationssystem des Bundes (RIS) (in DE) |
| Initial Contributor: | Heiko Hanusch |
The Austrian DPA held that a Covid-19 protection provision does not violate the GDPR by requiring shop owners to ask customers for doctor's certificates if they are not wearing face masks because of health reasons.
English Summary
Facts
The data subject entered the retail store of the controller. Because she did not were a face mask, she was denied entry by an employee of the controller. She explained that she cannot wear a face mask for health reasons. The employee asked her to show an appropriate doctor's certificate which the data subject did.
The data subject lodged a complaint against the controller with the Austrian DPA (Datenschutzbehörde - DSB) asserting that the controller violated her right to privacy because already the fact that she cannot wear a face mask for health reasons is sensitive data. The controller objected to this assertion stating that it was legally bound under § 19 of the forth Austrian Covid-19 protection ordinance (§ 19 4. COVID-19-SchuMaV) to check whether customers are wearing face masks and, if not, to ask for for proof that they cannot for health reasons. The data subject replied to this argument that the ordinance violates EU law and is therefore not to be applied.
Holding
The DPA rejected the complaint. It held that the data subjects' rights are sufficiently safeguarded because according to § 6(1) DSG (Austrian Data Protection Law) the employees of the controller are obliged to secrecy regarding data which they accessed exclusively in their professional occupation. Furthermore, the DPA found that the public interest to protect the health of the people overrides the interest of the data subject to not disclose (part of) her health record and that § 19 4. COVID-19-SchuMaV constitutes an exception of Article 9(1) GDPR according to Article 9(1)(i) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
GZ: 2021-0.410.237 from August 9, 2021 (case number: DSB-D124.4059)
[Note editor: Names and companies, legal forms and product names,
Addresses (incl. URLs, IP and email addresses), file numbers (and the like), etc., as well as
their initials and abbreviations may be abbreviated for reasons of pseudonymization
and/or changed. Obvious spelling, grammar and punctuation errors
have been corrected.]
NOTICE
S P R U C H
The data protection authority decides on the data protection complaint of Mag. Sofia A***
(Appellant) of May 4, 2021 against N*** Austria AG (Respondent)
due to violation of the right to secrecy as follows:
- The complaint is dismissed as unsubstantiated.
Legal basis: Art. 9, Art. 51 (1), Art. 57 (1) lit. f and Art. 77 (1) of the
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ.
No. L 119 of 4.5.2016 p. 1; §§ 1, 6, 18 para. 1 as well as 24 para. 1 and para. 5 of the
Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; § 19 4. COVID-19
Protective Measures Ordinance (4th COVID-19-SchuMaV), Federal Law Gazette II No. 58/2021, as amended by Federal Law Gazette II
111/2021; §§ 3, 7 paragraph 1 COVID-19 Measures Act (COVID-19-MG), Federal Law Gazette I No. 12/2020
idgF.
REASON
A. Submissions of the parties and course of the proceedings
1. With the procedural submission dated May 4, 2021, the complainant led
In summary, she was at the N*** Shop in 10*0 Vienna on May 4, 2021
and she was initially denied access because she did not wear mouth and nose protection
have worn. She stated that she could not do this for health reasons
and had she been asked to produce a medical certificate. You told the employee
on her mobile phone the photographed certificate, which also contained a diagnosis,
shown and she was then granted access. The employee said he had
the instruction to have medical certificates presented, especially in the event of a police check
the Respondent could receive a fine. The Respondent was to
The collection of the health data was not justified and they see themselves as right
on secrecy as violated.
2. In a statement dated June 2, 2021, the Respondent essentially stated that
By requesting a medical certificate, she wanted to make sure that the wearing of a mouth and nose protector was actually exempted. the
Submission of a medical diagnosis was not required and also not of interest.
This procedure was carried out in accordance with the applicable legal requirements,
in particular the 4th COVID-19 Protection Measures Ordinance. According to § 19 of this
Regulation have a substantiation of the existence of an exemption from the obligation to
Wearing a mouth and nose protector for health reasons
Respondent as the owner of a business establishment (N*** Shop) by submitting a
to be confirmed by a doctor. Through the demanded and objectively accomplished
The Respondent fulfills this obligation imposed on it within the meaning of Section 19 (3) by providing credible evidence
the said ordinance in conjunction with § 8 para. 4 COVID-19-MG; otherwise she would commit one
administrative violation. For the sake of completeness, it should be stated that such
Evidence can only be viewed and no storage takes place and no information
be noted about this.
3. In a statement dated June 9, 2021, the complainant stated in summary that
already the notification of the fact that she was not able to wear a mouth and nose protector
to wear constitutes sensitive personal data. The fundamental right to
Secrecy is constitutional and the EU General Data Protection Regulation
protected. Due to the primacy of EU law has a contrary national law
such as the Covid-19 Measures Act and the Covid-19 Protective Measures Ordinance
to remain unnoticed and must not be carried out. All entrusted with the execution
Organs - be they public servants or entrusted like the Respondent - have
to disregard these standards; otherwise they would be sued for violation of the
make data protection a punishable offence. The data in question would not have been collected
may.
B. Subject of Complaint
The subject of the complaint is the question of whether the respondent is the complainant in
violated the right to secrecy.
C. Findings of Facts
1. The Respondent is a stock corporation with the
Commercial register number FN *12*4*a.
Evidence assessment: The findings are based on official research by the
Data protection authority in the company register.
2. On May 4, 2021, the complainant visited a business premises of
Respondent in 10*0 Vienna. The complainant was not wearing a face mask.
She was therefore asked by an employee of the respondent to submit a medical certificate to show that she was going to work for health reasons
Couldn't wear mouth and nose protection. The complainant showed the employee her
related medical certificate – which also includes the diagnosis regarding the
Appellant contained - in the form of a photograph on her mobile phone.
Evidence assessment: The findings made are essentially based on the
undisputed statements of the complainant.
D. In legal terms it follows that:
1. Applicable legislation
§ 3 COVID-19-MG reads as follows, including the title (emphasis added).
Data Protection Authority):
Entering and driving on business premises and places of work as well as using
means of transport
§ 3. (1) If COVID-19 occurs, by ordinance
1. Entering and driving on business premises or only certain ones
Business premises for the purpose of purchasing goods or using
Services,
2. Entering and driving on work places or only certain work places
according to § 2 paragraph 3 of the Employee Protection Act (ASchG) by persons,
who are employed there, and
3. Using means of transport or only certain means of transport
regulated to the extent necessary to prevent the spread of COVID-19.
(2) In an ordinance pursuant to para. 1, according to the epidemiological situation
be determined, in what number and at what time or under what conditions
and requirements to enter and drive on business premises or places of work or means of transport
may be used. Furthermore, entering and driving on business premises or
Places of work and the use of means of transport are prohibited, provided they are less severe
measures are not sufficient.
Section 19 of the 4th COVID-19-SchuMaV in the version applicable at the time of the complaint
The version and title are as follows (emphasis added by the data protection authority):
credibility
§ 19. (1) The existence of the requirements according to §§ 2 and 17 is upon request
opposite to
1. organs of the public security service,
2. Authorities and administrative courts in dealings with parties and official acts as well
3. Owners of a business premises or a place of work and operators of a
means of transport to fulfill their obligation according to § 8 para. 4 COVID-19-MG,
to make believable.
(2) The exceptional reason, according to which, for health reasons, wearing a
Respirator of protection class FFP2 (FFP2 mask) without exhalation valve, or one
Mask with at least an equivalent standardized standard or the mouth and nose area
covering and tight-fitting mechanical protection device or the mouth and
mechanical protective device covering the nose area cannot be expected,
as well as the existence of a pregnancy is due to a
self-employed doctor authorized doctor to prove that he is practicing his profession., (3) If the existence of a reason for exception according to para.
is the owner of the business premises or place of work as well as the operator of a
means of transport has fulfilled its obligation in accordance with Section 8 (4) of the COVID-19-MG.
2. Respondent
As a public limited company, the Respondent is a company under private law and -
contrary to the allegations of the complainant - not entrusted with sovereign tasks
or encumbered.
The Respondent is therefore a person responsible for the private
area.
3. Right to Confidentiality
According to § 1 Para. 1 DSG, everyone has the right to confidentiality of the data concerning him
personal data, insofar as there is a legitimate interest in it. The existence
such an interest is excluded if data as a result of their general
availability or due to their lack of traceability to the person concerned
secrecy claim are not accessible.
The GDPR and in particular the principles enshrined therein are to interpret the
Right to secrecy to be taken into account (cf. the decision of the DSB of 31 October
2018, GZ DSB-D123.076/0003-DSB/2018).
In the present case, the scope of § 1 para. 1 DSG is open, since the
Information on the applicant's medical certificate relates to her.
In addition, it is undoubtedly health data within the meaning of Art. 4 Z 15 DSGVO.
Apart from that, there is not one for the scope of § 1 Para. 1 DSG
certain form of processing (ruling of the Administrative Court of 28.
February 2018, Ra 2015/04/0087 with further reference).
Restrictions on the right to secrecy are then in accordance with Section 1 (2) DSG
permissible if personal data is in the vital interest of the person concerned
are used, the data subject has given his or her consent (or in the terminology of the GDPR:
consent) if there is a qualified legal basis for use
exists, or if the use is due to overriding legitimate interests of a third party
is justified.
According to Art. 9 Para. 1 GDPR, the use of data categories that are of their type
according to which are particularly worthy of protection, only under strict conditions, namely according to those
of Art. 9 Para. 2 GDPR, permissible. According to § 9 paragraph 2 lit. i is a processing
lawful if they are in the public interest for reasons of public interest
Health, such as protection against serious cross-border health hazards or to ensure high quality and safety standards
of health care and pharmaceuticals and medical devices, on the basis
of Union law or the law of a Member State, the appropriate and specific
Measures to protect the rights and freedoms of the data subject, in particular
of professional secrecy, is required.
4. In the matter
The Respondent relies on § 19 4. 4. COVID-19-SchuMaV in conjunction with
§ 8 para. 4 COVID-19-MG.
It is therefore necessary to check whether there is a qualified legal basis:
From the provision of § 3 COVID-19-MG cited above, it is clear that by
Ordinance the entry of business premises can be regulated and according to the
epidemiological situation can be determined under what conditions and
Conditions may be entered on premises.
The Federal Minister for Social Affairs, Health, Care and Consumer Protection has
responsible federal minister for health within the meaning of § 7 para. 1 COVID-19-MG from
made use of this authorization and issued the 4th COVID-19-SchuMaV, whereby
specifically § 19 leg. cit. is relevant. According to paragraph 2 of this same provision
is - as can be seen above - the reason for exception, according to which, for health reasons,
Wearing a respirator cannot be reasonably expected, due to an in
Confirmation issued by a doctor authorized to practice independently in Austria
to prove.
In any case, the scope and application of Section 19 4. COVID-19-SchuMaV is clear and precise
and are the respective consequences for affected persons from the wording of these standards
recognizable (cf. recital 41 second sentence GDPR). The respective directly with the control
The respondent's employee involved in the medical certificate is, in accordance with § 6. Para.
1 DSG - without prejudice to other statutory confidentiality obligations - obliged to
personal data provided to him solely on the basis of professional employment
were entrusted or made accessible to keep secret. With that are
appropriate and specific measures to safeguard the rights and freedoms of
complainant provided.
The obligation to provide evidence in the form of a medical certificate, according to which
For health reasons, wearing a respiratory mask cannot be expected,
is to prevent the spread of COVID-19 and thus to maintain the
useful for public health. This, especially since otherwise everyone the presence of one
could claim such a reason and refuse to wear a respirator.,Wearing a respirator in closed rooms appears -
especially with regard to the high at the time of the complaint
New infection rate - as an essential measure to stop the spread of COVID-19
counteract and avoid overloading the Austrian health system or
an imminent collapse of medical care or a similar situation
Holding back an emergency situation would have fatal consequences for society as a whole.
Therefore, this important public interest outweighs the interest of the
complainant, her personal health data not when entering a
Business premises without having to disclose mouth and nose protection.
It can be assumed that the law imposed on the owners of a permanent establishment
Obligation to check proof of the existence of a medical certificate
the mildest means was to maintain public health as best as possible
guarantee. A milder means of achieving this goal is revealed objectively
the data protection authority does not.
The complainant's argument that the 4th COVID-19-SchuMaV and the
COVID-19-MG due to constitutionally protected rights of secrecy
as well as conflicting EU law should not be applied is useless. This
especially since the relevant provision of Section 19 (2) 4. COVID-19-SchuMaV is concerned
a permissible restriction within the meaning of Section 1 (2) DSG and Article 9 (2) (i) GDPR.
In summary of all these statements, the data protection authority comes to that
Result that the data processing in question is based on Section 19 (2) 4. COVID-19-SchuMaV
can be supported and this represents the mildest means. It is therefore a lawful
Data processing in accordance with Article 9 (2) (i) GDPR. It violation in the right to
The Respondent does not keep the Complainant confidential.
It was therefore to be decided accordingly.
