BVwG - W298 2269087-1

BVwG - W298 2269087-1

Court:	BVwG (Austria)
Jurisdiction:	Austria
Relevant Law:	Article 83 GDPR
Decided:	06.06.2023
Published:	30.06.2023
Parties:
National Case Number/Name:	W298 2269087-1
European Case Law Identifier:	ECLI:AT:BVWG:2023:W298.2269087.1.00
Appeal from:	DSB (Austria)
Appeal to:	Unknown
Original Language(s):	German
Original Source:	BVwG (Austria) (in German)
Initial Contributor:	mg

The Austrian Federal Administrative Court reviewed the assessment of a fine against by the local DPA. Some factors under Article 82 GDPR were considered in a different way, others were added during the court review.

English Summary

Facts

A medical doctor, the controller, used the national health care portal to access information about the vaccination status of a data subject who had applied for a job. The DPA opened an investigation against the controller who, in turn, acknowledged a violation of Article 9 GDPR, as they unlawfully processed health data of the data subject. The DPA imposed a €3,500 fine for the violation of Article 9 GDPR. The fact that the controller was a doctor, that they processed special categories of data and that they did it intentionally were considered aggravating factors in the quantification of the fine. The controller appealed the decision, claiming that the fine was disproportionate.

Holding

In assessing the proportionality of the fine, the Federal Administrative Court examined how the DPA applied Article 83(2) GDPR at the facts at issue.

Concerning Article 83(2)(a) GDPR, it is true that the controller position as a doctor should be considered an aggravating factor. However, the court also found that these data should have been disclosed in any case to the controller during the job interview, according to Austrian law. In this context, the court found particularly relevant that the controller processed only vaccination data and no other special categories of personal data pursuant to Article 9 GDPR.

The court also regarded the fact that the processing occurred during highly stressful times of the pandemic as a mitigating factor pursuant to Article 83(2)(k) GDPR.

Finally, the court disregarded the intentional character of the violation (Article 83(2)(b) GDPR) as an element to determine the amount of the fine.

In light of the above, the court reduced the amount of the fine to €2,000.

Comment

Despite the fact that the EDPB adopted its new Guidelines 04/2022 on the calculation of administrative fines under the GDPR, the court in this case does not seem to take into account such a document when determining the fine, or at least it does not mention it in the legal arguments supporting the decision.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

decision date

06/06/2023

standard

B-VG Art133 Para.4
GDPR Art83 Para
DSGVO Art83 para
DSGVO Art83 Abs5 lita
VStG §10
VStG §16
VStG §19
VStG §5
VStG §64
VwGVG §52 paragraph 8

B-VG Art. 133 today B-VG Art. 133 valid from 01.01.2019 to 24.05.2018 last amended by Federal Law Gazette I No. 138/2017 B-VG Art. 133 valid from 01.01.2019 last amended by Federal Law Gazette I No. 22/2018 B-VG Art 133 valid from 08/01/2014 to 05/24/2018 last modified by Federal Law Gazette I no. 164/2013 B-VG Art. 133 valid from 01/01/2014 to 07/31/2014 last modified by BGBl. I No. 51/2012 B-VG Art. 133 valid from 01.01.2004 to 31.12.2013 last changed by BGBl. I No. 100/2003 B-VG Art. 133 valid from 01.01.1975 to 31.12.2003 last changed by BGBl. No. 444/1974 B-VG Article 133 valid from December 25, 1946 to December 31, 1974, last amended by Federal Law Gazette No. 211/1946 B-VG Article 133 valid from December 19, 1945 to December 24, 1946, last amended by StGBl No. 4/1945 B-VG Art. 133 valid from 01/03/1930 to 06/30/1934

VStG § 10 today VStG § 10 valid from 01.01.2008 last changed by Federal Law Gazette I No. 5/2008 VStG § 10 valid from 02.01.1991 to 12.31.2007

VStG § 16 today VStG § 16 valid from 02/01/1991

VStG § 19 today VStG § 19 valid from 01.07.2013 last changed by Federal Law Gazette I No. 33/2013 VStG § 19 valid from 01.01.2012 to 30.06.2013 last changed by Federal Law Gazette I No. 100/2011 VStG § 19 valid from 01.02.1991 to 31. 12.2011

VStG § 5 today VStG § 5 valid from January 1st, 2019 last changed by Federal Law Gazette I No. 57/2018 VStG § 5 valid from February 1st, 1991 to December 31st, 2018

VStG § 64 today VStG § 64 valid from January 1st, 2019 last changed by Federal Law Gazette I No. 57/2018 VStG § 64 valid from August 15th, 2018 to December 31st, 2018 last changed by Federal Law Gazette I No. 57/2018 VStG § 64 valid from January 1st, 2014 to January 14th 8.2018 last changed by Federal Law Gazette I No. 33/2013 VStG § 64 valid from 01.07.2013 to 31.12.2013 last changed by Federal Law Gazette I No. 33/2013 VStG § 64 valid from 01.03.2013 to 30.06.2013 last changed by Federal Law Gazette I No. 33/201 3 VStG § 64 valid from 01.01.2002 to 28.02.2013 last changed by Federal Law Gazette I No. 137/2001 VStG § 64 valid from 02.01.1991 to 12.31.2001

VwGVG § 52 today VwGVG § 52 valid from September 1st, 2018 last amended by Federal Law Gazette I No. 57/2018 VwGVG § 52 valid from January 1st, 2014 to August 31st, 2018

saying

W298 2269087-1/6E

In the name of the republic

The Federal Administrative Court, with the judge Mag. Mathias VEIGL as chairman and the expert lay judges Mag. Laura Sanjath and Dr. Wolfgang Goricnik, as an associate lay judge on the complaint from XXXX, against the penal decision of the data protection authority of February 10, 2023, GZ: D550.657 2023-0.022.950, rightly recognized: The Federal Administrative Court, through judge Mag. Mathias VEIGL as chairman and the expert lay judges Mag. Laura Sanjath and Dr. Wolfgang Goricnik as lay judge on Roman XXXX's complaint against the penal decision of the data protection authority of February 10, 2023, GZ: D550.657 2023-0.022.950, rightly recognized:

a)

I. The complaint will be followed and the fine imposed will be reduced to a total of EUR 2,000 (alternative imprisonment of 140 hours); Correspondingly, the contribution to the costs of the criminal proceedings before the relevant authority according to § 64 VStG is reduced to EUR 200. Roman one. The complaint is followed and the fine imposed is reduced to a total of EUR 2,000.00 (alternative imprisonment of 140 hours); Correspondingly, the contribution to the costs of the criminal proceedings before the relevant authority is reduced to EUR 200.00 in accordance with Section 64 of the VStG.

II. Pursuant to Section 52 (8) VwGVG, the complainant does not have to bear any costs of the complaints procedure. Roman II. According to Section 52, Paragraph 8, VwGVG, the complainant does not have to bear any costs of the complaints procedure.

b)

The revision is not permitted according to Article 133, Paragraph 4 of the Federal Constitution. The revision is not permitted according to Article 133, Paragraph 4 of the Federal Constitution.

text

Reasons for decision:

I. Procedure: Roman one. Procedure:

1. In a letter dated August 26, 2022, the relevant authority informed the complainant (a resident dermatologist) that he was suspected of having instructed his assistant as the person responsible on September 3, 2021 to use his access to the ELGA portal set up for medical purposes to view data from XXXX’s electronic vaccination card and to find out about their vaccination status or immunization status in relation to COVID-19 - Virus to inform. As a result, he carried out an inappropriate and therefore unlawful data processing of health data (sensitive data according to Art. 9 Para. 1 DSGVO) by accessing the data of the persons concerned in the e-vaccination card. The query in question had not been carried out on behalf of or for purposes related to medical work, but for purposes related to the applicant's application to work as a surgery assistant in the complainant's surgery. There is therefore the suspicion that the complainant has carried out the specific processing of sensitive data inappropriately and on the legal basis pursuant to Art. 9 Para. 2 DSGVO. The administrative offense would affect Art. 5 Para. 1 lit. a, b and c and Art. 9 Para. 1 in conjunction with Art. 83 Para. 1 and 5 lit. The complainant was asked to justify himself and was instructed to disclose his income and assets and any duties of care. 1. In a letter dated August 26, 2022, the relevant authority informed the complainant (a registered dermatologist) that he was suspected of having commissioned his assistant as the person responsible on September 3, 2021 to use his access to the ELGA portal, which was set up for medical purposes, to view data from the electronic vaccination card of roman XXXX and to find out about their vaccination status or immunization status in relation to COVID -19 virus to inform. As a result, he carried out an inappropriate and therefore unlawful data processing of health data (sensitive data according to Article 9, paragraph one, GDPR) by accessing the data of the persons concerned in the e-vaccination card. The query in question had not been carried out on behalf of or for purposes related to medical work, but for purposes related to the applicant's application to work as a surgery assistant in the complainant's surgery. There is therefore the suspicion that the complainant has carried out the specific processing of sensitive data inappropriately and on the legal basis according to Article 9, paragraph 2, GDPR. The administrative violation would affect Article 5, paragraph one, letters a, b and c and Article 9, paragraph one, in conjunction with Article 83, paragraph one and 5 letters a, GDPR. The complainant was asked to justify himself and was instructed to disclose his income and assets and any duties of care.

2. With justification dated September 6, 2022, the complainant, represented by a lawyer, essentially argued that he was aware that he had accessed the data of those affected in an inappropriate and therefore unlawful manner in order to find out about their vaccination status or immunization status. In order to protect his employees and patients as well as his own health, the complainant had acted particularly cautiously during the application process of those affected as a possible future employee. Although there may be no legal justification for this, it is generally understandable and understandable that the applicant tries to obtain reliable information about the vaccination status of those affected who have applied for a job with him. The complainant applied to refrain from imposing a fine and instead to issue a reminder with a notification, pointing out the illegality of his behavior. No submissions were made regarding the income and financial situation or any due diligence requirements.

3. In a letter dated December 7th, 2022, the complainant was asked again (following a corresponding form) to present his income and financial situation as well as any duties of care. He was informed that if he did not provide any information on this again, his income situation would be estimated and, based on the research carried out so far, a monthly gross income of €8,500 would be assumed for the time being.

4. The complainant has not complied with the request to disclose his income and financial circumstances and any duties of care.

5. With the now contested criminal judgment dated February 10, 2023, the complainant was fined EUR 3,500.00 (in the event of uncollectibility, a substitute imprisonment of 230 hours) in accordance with Art 350.00 committed. 5. With the now contested criminal judgment of February 10, 2023, the complainant was fined EUR 3,500.00 (in the event of uncollectability, a substitute imprisonment of 230 hours) in accordance with Article 83, paragraph one and 5 lit of EUR 350.00.

The complainant was accused of having, as the person responsible within the meaning of Art. 4 Z 7 GDPR, on September 3, 2021, intentionally and inappropriately having personal data requested by XXXX in the context of the electronic vaccination card (e-vaccination register) and thereby processing it unlawfully by instructing his ordination assistant to access the personal health data stored by the person concerned in the electronic vaccination card (special category of personal data according to Art. 9 Para. 1 GDPR) access to find out about the vaccination status or immunization status of those affected with regard to the COVID-19 virus. According to the ELGA log, the subject of the proceedings was accessed on September 3rd, 2021 at 10:02 a.m. (“time of the offence”). The processing took place without the knowledge and consent of the person concerned and could not be based on any other justification for data processing under Article 9 (2) GDPR. The complainant was accused of having, as the person responsible within the meaning of Article 4, Item 7, GDPR, on September 3rd, 2021, intentionally and inappropriately having personal data requested by roman XXXX as part of the electronic vaccination card (e-vaccination register) and thereby processing it unlawfully by asking his ordination assistant have given the order to access the personal health data stored by the person concerned in the electronic vaccination card (special category of personal data according to Article 9, paragraph one, GDPR) in order to find out about the vaccination status or immunization status of the person concerned with regard to the COVID-19 virus. According to the ELGA log, the subject of the proceedings was accessed on September 3rd, 2021 at 10:02 a.m. (“time of the offence”). The processing took place without the knowledge and consent of the person concerned and could not be based on any other justification for data processing under Article 9, Paragraph 2, GDPR.

The authority concerned explained that a decision dated January 21, 2022 had established that the current complainant had violated the data subject's right to secrecy through the processing in question and that this decision had become final due to the lack of legal remedies and that the administrative criminal proceedings in question had subsequently been initiated.

Legally, the authority concerned stated that the vaccination status of the persons concerned should be qualified as health data in accordance with Art. 4 Z 15 GDPR and the processing is prohibited in accordance with Art. 9 Para. 1 GDPR and may only take place in the event that one of the exhaustively listed exceptions according to Art. 9 Para. 2 GDPR is present in the specific case. It is undisputed that the complainant is the person responsible within the meaning of Art. 4 Z 7 GDPR. Art. 5 GDPR lays down the principles for the processing of personal data. With regard to the protection of legitimate interests pursuant to Article 6(1)(f) GDPR, it can be pointed out that the justifications put forward by the complainant do not constitute a basis for the processing of sensitive data pursuant to Article 9(2) GDPR. If the complainant further refers to the employer's duty of care according to § 1157 ABGB, it cannot be concluded from this that any processing of data is lawful in accordance with the GDPR, this depends on the individual case. Thus, all principles of data processing according to Art. 5 GDPR must always be fulfilled. There is also no consent from those affected. In addition to the lack of a legal basis, the complainant also disregarded the principle of purpose limitation in accordance with Article 5(1)(b) GDPR. In this context, the Health Telematics Act 2012 (GTelG 2012) stipulates exactly who is allowed to process whose data when and for what purposes for the use of data from the electronic vaccination card in ELGA. The purposes are already precisely determined by law due to the sensitivity of the data used and processing may only take place within the framework of these narrow specifications. In the specific case, the person concerned was not (or no longer) being treated by the complainant at the time of the query. The processing took place on the basis of an application by the data subject and had no connection with treatment by the complainant. As a result, this does not constitute permissible processing. The complainant did not pursue a legitimate purpose with the specific processing and in any case the data subject could not assume that their personal health data would be requested as part of their application. Likewise, the principle of data minimization in accordance with Article 5 (1) (c) GDPR was disregarded, since the specific processing was not relevant at all for the purpose pursued and was also not appropriate. The objective fact side is therefore fulfilled. Legally, the authority concerned explained that the vaccination status of the persons concerned should be qualified as health data in accordance with Article 4, paragraph 15, GDPR and the processing according to Article 9, paragraph one, GDPR is prohibited and may only take place in the event that one of the exhaustively listed exceptions according to Article 9, paragraph 2, GDPR is present in the specific case. It is undisputed that the complainant is the person responsible within the meaning of Article 4, Item 7, GDPR. Article 5 GDPR lays down the principles for the processing of personal data. With regard to the protection of legitimate interests according to Article 6, paragraph one, lit. f, GDPR, it can be pointed out that the justifications put forward by the complainant would not constitute a basis according to Article 9, paragraph 2, GDPR for the processing of sensitive data. If the complainant further refers to the employer's duty of care under Section 1157 of the ABGB, it cannot be concluded from this that any processing of data is lawful in accordance with the GDPR, this depends on the individual case. All principles of data processing according to Article 5 GDPR must always be fulfilled. There is also no consent from those affected. In addition to the lack of a legal basis, the complainant also disregarded the principle of purpose limitation according to Article 5, paragraph one, letter b, GDPR. In this context, the Health Telematics Act 2012 (GTelG 2012) stipulates exactly who is allowed to process whose data when and for what purposes for the use of data from the electronic vaccination card in ELGA. The purposes are already precisely determined by law due to the sensitivity of the data used and processing may only take place within the framework of these narrow specifications. In the specific case, the person concerned was not (or no longer) being treated by the complainant at the time of the query. The processing took place on the basis of an application by the data subject and had no connection with treatment by the complainant. As a result, this does not constitute permissible processing. The complainant did not pursue a legitimate purpose with the specific processing and in any case the data subject could not assume that their personal health data would be requested as part of their application. Likewise, the principle of data minimization according to Article 5, paragraph one, litera c, GDPR was disregarded, since the specific processing was not relevant at all for the purpose pursued and was also not appropriate. The objective fact side is therefore fulfilled.

From a subjective point of view, it should be noted that the complainant made a conscious decision to access the vaccination data of those affected in order to find out about their vaccination status (vaccination against COVID-19), which he himself conceded. As a result, there was also fault in the form of intent within the meaning of Article 83(2)(b) GDPR on the subjective side. Subjectively, it should be noted that the complainant made a conscious decision to access the vaccination data of those affected in order to find out about their vaccination status (vaccination against COVID-19), which he himself admitted. As a result, there is also fault on the subjective side in the form of intent within the meaning of Article 83, paragraph 2, lit. b, GDPR.

In connection with the sentencing, the authority concerned stated that the complainant's income and financial circumstances had not been determined due to a lack of information and were therefore not taken into account and that an official assessment had therefore been made. In addition to the intentional act, the fact that the complainant seriously interfered with the fundamental right of the data subjects to secrecy through the processing in question, as well as the abusive query in the e-vaccination card application by the complainant as a doctor practicing in Austria (Art. 83 para. 2 lit. a and k GDPR) aggravated the situation. The applicant's lack of criminal record and full confession was assessed as mitigating. The sentence imposed was proportionate to the crime and guilt in relation to the actual value of the crime measured against the range of penalties. In connection with the sentencing, the authority concerned stated that the complainant's income and financial circumstances had not been determined due to a lack of information and were therefore not taken into account and that an official assessment had therefore been made. In addition to the intentionally committed act, the complainant had seriously interfered with the fundamental right of the data subjects to secrecy through the processing in question, as well as the abusive query in the e-vaccination card application by the complainant as a doctor practicing in Austria (Article 83, paragraph 2, letters a and k GDPR). The applicant's lack of criminal record and full confession was assessed as mitigating. The sentence imposed was proportionate to the crime and guilt in relation to the actual value of the crime measured against the range of penalties.

6. A complaint was filed against the penalty decision on March 13, 2023, initially stating that only the amount of the fine imposed was contested. It was argued that, contrary to the legal opinion of the authority concerned, it was not a case of serious misconduct. The health data requested from the complainant would be limited exclusively to the vaccination or immunization status of the person concerned. The complainant's reason or motive and the associated purpose of finding out about this circumstance was solely to protect himself as a specialist, his employees and his patients from possible infection during the absolute peak phase of the pandemic. The alleged act was an isolated case and not a systematic inquiry and the complainant's action, although not justified in the legal sense, was carried out for a "legitimate purpose" for generally understandable motives. The person concerned did not suffer any financial or other damage and he did not gain any advantage from the act. All of this should have been taken into account as mitigating by the authority concerned. In addition, the complainant had meanwhile taken organizational precautions in his specialist medical practice to ensure that no more unlawful data processing could take place in the future. In summary, the fine imposed was not appropriate.

7. By letter dated March 23, 2023, the authority concerned submitted the complaint and the administrative act to the Federal Administrative Court.

II. The Federal Administrative Court considered: Roman II. The Federal Administrative Court considered:

1. Findings:

The procedure listed under point I. is used as a basis for the findings. The Roman one under point. The stated procedure is used as a basis for the findings.

The following key facts are clear:

1. The complainant is a registered dermatologist and operates a private or health insurance practice in XXXX .1. The complainant is a resident dermatologist and runs a private or health insurance practice in Roman XXXX.

2. The complainant accessed the e-vaccination pass data application on September 3, 2021 at 10:02 a.m. by way of instructions to his office assistant and queried the electronic vaccination data of those affected regarding the COVID-19 vaccination.

3. The complainant subsequently helped to clarify the course of events, but did not disclose his income and financial situation or any duties of care.

4. In the proceedings before the Federal Administrative Court, the complainant announced that he was responsible for his wife and two minor children.

2. Evidence assessment:

The findings result from the administrative act, the contested criminal decision and the complaint.

3. Legal assessment:

To A):

3.1. Regarding point I.3.1. At the point of the roman one.

3.1.1. In the present case, the complainant, in his complaint to the Federal Administrative Court, exclusively addresses the extent of the fine imposed with the contested decision.

According to § 27 Administrative Court Procedure Act Federal Law Gazette I 2013/33 as amended by Federal Law Gazette I 2018/57 (hereinafter: "VwGVG"), the administrative court has to review the contested decision on the basis of the complaint or on the basis of the declaration on the scope of the challenge, unless there is illegality due to the authority's lack of competence. 33 in the version of Federal Law Gazette Roman one 2018/57 (hereinafter: "VwGVG"), unless there is illegality due to the authority's lack of jurisdiction, the administrative court must review the contested decision on the basis of the complaint or on the basis of the declaration on the scope of the challenge.

In view of the factual and legal situation at hand, the subject of the present proceedings can and may therefore only be the pronouncement of the sentence, but not a further review of the guilty verdict and thus the punishment itself. With regard to the question of criminal liability, partial legal force has come into force (see expressly VwGH, 27.10.2014, Ra 2014/02/0053; VwGH 24.07.2019, Ra 2018/02/0034 and many more).

3.1.2. The provisions of Art. 83 GDPR relevant to the assessment of the penalty are as follows: 3.1.2. The provisions of Article 83, GDPR, which are relevant for the assessment of the penalty, are as follows:

Article 83 paragraph 1, 2 and 5 lit. a GDPR:Article 83, paragraph ,, 2 and 5 lit. a, GDPR:

"Article 83

General conditions for imposing fines

1. Each supervisory authority shall ensure that the imposition of fines pursuant to this Article for breaches of this Regulation pursuant to paragraphs 4, 5 and 6 is effective, proportionate and dissuasive in each individual case.

2. Fines shall be imposed in addition to or instead of measures under Article 58(2)(a) to (h) and (j), depending on the circumstances of the case. When deciding whether to impose a fine and its amount, due account will be taken of the following in each individual case:

a)

the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question and the number of persons affected by the processing and the extent of the damage suffered by them;

b)

intentional or negligent breach;

c)

any measures taken by the controller or processor to mitigate the harm caused to data subjects;

d)

Degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have taken pursuant to Articles 25 and 32;

e)

any relevant previous breaches by the controller or processor;

f)

extent of cooperation with the supervisory authority to remedy the breach and mitigate its possible adverse effects;

G)

categories of personal data affected by the breach;

H)

How the breach became known to the supervisory authority, in particular whether and, if so, to what extent the person responsible or the processor reported the breach;

i)

compliance with measures previously ordered under Article 58(2) against the controller or processor concerned in relation to the same subject matter, where such measures have been ordered;

j)

Compliance with approved codes of conduct under Article 40 or approved certification procedures under Article 42 and

k)

any other aggravating or mitigating circumstances in the case at hand, such as any financial benefit gained or loss avoided, directly or indirectly, as a result of the breach.

5. In accordance with paragraph 2, fines of up to EUR 20 000 000 or, in the case of a company, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is greater, shall be imposed for breaches of the following provisions:

a)

the principles for processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9, […]

3.1.3. The legal basis according to the VStG is as follows:

§ 5 VStG: Paragraph 5, VStG:

(1) If an administrative regulation on fault does not determine otherwise, negligent behavior is sufficient to be punishable. Negligence is to be assumed without further ado in the event of violation of a prohibition or non-compliance with a commandment if the occurrence of damage or danger is not part of the offense of an administrative violation and the perpetrator does not credibly demonstrate that he is not at fault for the violation of the administrative regulation.

(1a) Paragraph 1 second sentence does not apply if the administrative violation is threatened with a fine of more than EUR 50,000. (1a) Paragraph one, second sentence does not apply if the administrative violation is threatened with a fine of more than EUR 50,000.

(2) Ignorance of the administrative regulation that the perpetrator violated is only excused if it can be proven that it was not his fault and the perpetrator could not see that his behavior was illegal without knowledge of the administrative regulation.

§ 10 VStG: Paragraph 10, VStG:

(1) The type and rate of punishment are based on the administrative regulations, insofar as they are contained in these

Federal law does not provide otherwise.

(2) Insofar as no special penalty has been set for administrative violations, in particular for violations of local police regulations, they will be punished with a fine of up to 218 euros or with imprisonment for up to two weeks.

§ 16 VStG: Paragraph 16, VStG:

(1) If a fine is imposed, a fine shall also apply in the event that it cannot be collected

imprisonment in replacement.

(2) The substitute imprisonment may not exceed the maximum imprisonment threatened for the administrative offense and, if no imprisonment is threatened and nothing else has been stipulated, two weeks. A substitute custodial sentence of more than six weeks is not permitted. It is to be determined without regard to § 12 according to the rules of the calculation of punishment. (2) The substitute imprisonment may not exceed the maximum imprisonment threatened for the administrative violation and, if no imprisonment is threatened and nothing else is stipulated, two weeks. A substitute custodial sentence of more than six weeks is not permitted. It is to be determined without regard to paragraph 12, according to the rules of punishment.

§ 19 VStG: Paragraph 19, VStG:

(1) The basis for assessing the penalty is the importance of the legal interest protected under criminal law and the intensity of its impairment by the offence.

(2) In ordinary proceedings (Sections 40 to 46), the aggravating and mitigating reasons that are relevant to the purpose of the penalty are to be weighed up against each other, provided they do not already determine the penalty. Particular attention should be paid to the degree of culpability. Sections 32 to 35 of the Criminal Code are to be applied mutatis mutandis, taking into account the specific nature of administrative criminal law. The income and financial circumstances and any duties of care of the accused are to be taken into account when assessing fines. (2) In the ordinary procedure (paragraphs 40 to 46), the aggravating and mitigating reasons which are possible according to the purpose of the penalty are to be weighed up against each other, insofar as they do not already determine the penalty. Particular attention should be paid to the degree of culpability. Paragraphs 32 to 35 of the Criminal Code are to be applied analogously, taking into account the specific nature of administrative criminal law. The accused's income and assets and any duties of care must be taken into account when assessing fines.

3.2. The assessment of the penalty within a statutory penalty framework is a discretionary decision that must be made according to the criteria laid down by the legislator in Section 19 of the VStG (VwGH September 5th, 2013, 2013/09/0106). 3.2. The penalty assessment within a legal penalty framework is a discretionary decision that must be made according to the criteria set by the legislator in paragraph 19 of the VStG (VwGH September 5th, 2013, 2013/09/0106).

The range of penalties for non-companies is up to EUR 20,000,000 in accordance with Article 83, Paragraph 5 of the GDPR.

The basis for assessing the penalty is the importance of the legal interest protected under criminal law and the intensity of its impairment by the act (section 19 (1) of the VStG). In addition, the possible aggravating and mitigating factors must be weighed against each other. Particular attention should be paid to the degree of culpability. Sections 32 to 35 of the Criminal Code are to be applied mutatis mutandis, taking into account the nature of administrative criminal law. The accused’s income and assets and any duties of care must be taken into account when assessing fines (Section 19 (2) VStG). The basis for assessing the penalty is the importance of the legal interest protected under criminal law and the intensity of its impairment by the offense (Section 19, paragraph one, VStG). In addition, the possible aggravating and mitigating factors must be weighed against each other. Particular attention should be paid to the degree of culpability. Paragraphs 32 to 35 of the Criminal Code are to be applied analogously, taking into account the nature of administrative criminal law. The accused's income and assets and any duties of care must be taken into account when determining fines (paragraph 19, paragraph 2, VStG).

3.2.1. Penalty assessment by the relevant authority:

With regard to the facts at hand, the authorities concerned have already taken the following into account when assessing the penalty:

- Through the processing in question, the complainant has seriously interfered with the fundamental right of those affected to secrecy. The data subject should have been able to rely on the fact that her (health) data would not be improperly requested and processed by authorized persons or licensed doctors, but exclusively and only within the framework of the legal requirements of the GTelG 2012. The data subject was initially treated as a patient by the complainant. At a later point in time she applied for a vacancy as an ordination assistant. In this context, the vaccination status was then queried. Since the data subject was not informed about the processing, she could under no circumstances expect her vaccination status against COVID-19 to be processed. The person concerned was therefore violated in her right to secrecy according to § 1 Para. 1 DSG as well as respect for private and family life and the right to protection of personal data according to Art. 7 and 8 EU-GRC. The abusive query in the e-vaccination card application by the complainant as the person responsible and as a doctor established in Austria was rated as particularly aggravating (Art. 83 para. 2 lit. a and k GDPR); The complainant has seriously interfered with the fundamental right of the data subjects to secrecy through the processing in question. The data subject should have been able to rely on the fact that her (health) data would not be improperly requested and processed by authorized persons or licensed doctors, but exclusively and only within the framework of the legal requirements of the GTelG 2012. The data subject was initially treated as a patient by the complainant. At a later point in time she applied for a vacancy as an ordination assistant. In this context, the vaccination status was then queried. Since the data subject was not informed about the processing, she could under no circumstances expect her vaccination status against COVID-19 to be processed. The person concerned was therefore violated in her right to secrecy according to paragraph one, paragraph one, DSG as well as respect for private and family life and the right to protection of personal data according to Articles 7 and 8 EU-GRC. The abusive query in the e-vaccination card application by the complainant as the person responsible and as a doctor established in Austria was assessed as particularly aggravating (Article 83, paragraph 2, lit. a and k GDPR);

- Special categories of personal data or health data were affected by the violation (Article 83 (2) lit. g GDPR); Special categories of personal data or health data were affected by the violation (Article 83 (2) lit. g GDPR);

- The violation was intentionally committed by the complainant (Article 83(2)(b) GDPR).The violation was intentionally committed by the complainant (Article 83(2)(b) GDPR).

The following was taken into account in mitigating the sentencing:

- To date, the complainant has not had any relevant prior convictions due to violations of the GDPR or the DSG;

- The complainant fully confessed to both the complaint and the administrative penal proceedings.

In the absence of disclosure by the complainant of his income and financial circumstances and any duties of care, the authority concerned estimated a monthly gross income of €8,500 and used this as the basis for assessing the penalty. The complainant did not provide any information about his income and financial circumstances in the complaint brief either, which is why it can be assumed that he at least does not earn a lower income. The court did not overlook the later disclosure of the unspecified maintenance obligations towards his wife and his two minor children.

3.2.2. Sentence assessment by the Federal Administrative Court:

The authority concerned must be agreed that the position of the complainant as a doctor in private practice must be included in the assessment of the sentence: not only is the role model effect in connection with compliance with the legal provisions relevant, but also the possibilities that the basic access rights to the electronic health record (ELGA) give him, which must go hand in hand with trust that the possibilities of viewing third-party data are not abused. According to this, his position within the meaning of Article 83 (2) (a) GDPR must be regarded as aggravating, as the authority concerned stated. However, it should be noted here that at the time of the crime (high phase of the Covid-19 pandemic) the person concerned was obliged to provide information about her vaccination or immunization status and the complainant's query only asked for the data that had to be disclosed to him in the course of the job interview anyway. The authority concerned must be agreed that the position of the complainant as a doctor in private practice must be included in the assessment of the sentence: not only is the role model effect in connection with compliance with the legal provisions relevant, but also the possibilities that the basic access rights to the electronic health record (ELGA) give him, which must go hand in hand with trust that the possibilities of viewing third-party data are not abused. Accordingly, as the authority concerned has stated, his position within the meaning of Article 83, paragraph 2, lit. a, GDPR must be regarded as aggravating. However, it should be noted here that at the time of the crime (high phase of the Covid-19 pandemic) the person concerned was obliged to provide information about her vaccination or immunization status and the complainant's query only asked for the data that had to be disclosed to him in the course of the job interview anyway.

In the present case, the authority concerned also rightly considered it to be an aggravating factor that the breach accused of the complainant affected personal health data and thus data that is particularly worthy of protection under the GDPR (see Art. 9 GDPR, which provides for restrictions or special requirements for the processing of special categories of personal data such as health data, among others; as well as recital 51, according to which personal data, which by their very nature are particularly sensitive with regard to fundamental rights and freedoms, deserve special protection because there are significant risks to fundamental rights and freedoms may arise). However, the authority concerned did not take into account that the complainant's one-off query only referred to the vaccination or immunization status of those affected and other or further (health) data were not requested. In addition, it is of decisive relevance that the requested data are by definition considered to be particularly worthy of protection within the meaning of Art. 9 GDPR, but were also subject to disclosure and the data subject should have provided suitable evidence of his or her own accord. In the present case, the relevant authority rightly considered it to be an aggravating factor that the breach accused of the complainant affected personal health data and thus data that is particularly worthy of protection under the GDPR (see Article 9 GDPR, which provides for restrictions or special requirements for the processing of special categories of personal data such as health data, among other things; as well as recital 51, according to which personal data, which by their nature are particularly sensitive with regard to fundamental rights and freedoms, deserve special protection, since in connection with their processing significant risks to fundamental rights and freedoms may arise). However, the authority concerned did not take into account that the complainant's one-off query only referred to the vaccination or immunization status of those affected and other or further (health) data were not requested. In addition, it is of decisive relevance that the requested data is by definition considered to be particularly worthy of protection within the meaning of Article 9 GDPR, but was also subject to disclosure and the data subject should have provided suitable evidence of his or her own accord.

The aggravating factor of the intentional inspection has already been pointed out.

The mitigating reasons brought forward by the authority concerned, namely the lack of relevant criminal records and that the complainant has confessed both in the complaint and in the administrative criminal proceedings, are also taken into account as such by the Federal Administrative Court.

In addition, the recognizing Senate also refers to the particularly challenging and emotional situation, which undoubtedly existed at the peak of the Covid-19 pandemic, as a mitigating factor in accordance with Article 83 (2) (k) GDPR. The fear of infection and the uncertain overall situation with regard to the Covid-19 virus obviously led to a particularly stressful situation for the complainant. The complainant explained understandably and credibly that his motive was simply to protect himself as a specialist, his employees and his patients from possible infection. The complainant's well-founded concern is naturally reinforced by the fact that the complainant, as a specialist (dermatologist) and his staff in the surgery, in some cases maintain very close or close contact with patients. Furthermore, doctors have special duties of care when dealing with their patients, which also affects the selection of reliable people as employees. The complainant can also be credited with the fact that his motive of preventing the spread of the COVID-19 virus among particularly vulnerable people (such as cancer patients), who typically visit doctors' surgeries more frequently, is not reprehensible if the abuse of a power to process data entrusted to him due to his position is to be regarded as fundamentally aggravating. In addition, the recognizing Senate also refers to the particularly challenging and emotional situation that undoubtedly existed at the peak of the Covid-19 pandemic in terms of Article 83, Paragraph 2, Litera k, GDPR as mitigating. The fear of infection and the uncertain overall situation with regard to the Covid-19 virus obviously led to a particularly stressful situation for the complainant. The complainant explained understandably and credibly that his motive was simply to protect himself as a specialist, his employees and his patients from possible infection. The complainant's well-founded concern is naturally reinforced by the fact that the complainant, as a specialist (dermatologist) and his staff in the surgery, in some cases maintain very close or close contact with patients. Furthermore, doctors have special duties of care when dealing with their patients, which also affects the selection of reliable people as employees. The complainant can also be credited with the fact that his motive of preventing the spread of the COVID-19 virus among particularly vulnerable people (such as cancer patients), who typically visit doctors' surgeries more frequently, is not reprehensible if the abuse of a power to process data entrusted to him due to his position is to be regarded as fundamentally aggravating.

3.3. Art. 83 (1) GDPR stipulates that fines under this provision should be effective, proportionate and dissuasive. A complete waiver of the penalty is therefore out of the question in the present case.3.3. Article 83, paragraph one, GDPR provides that fines under this provision should be effective, proportionate and dissuasive. A complete waiver of the penalty is therefore out of the question in the present case.

Due to the circumstances set out above and the consideration of a further mitigating reason, the penalty imposed by the authority concerned must be adjusted and the Federal Administrative Court thus finally comes to the conclusion that a fine of EUR 2,000 is proportionate to the guilt and the crime and that the penalty imposed by the authority concerned should be reduced accordingly. The court also does not overlook the fact that a penalty also has general preventive purposes. However, in this respect, too, the sentence seems to be sufficient in the amount pronounced to deter the commission of similar crimes.

There are no special general or special preventive factors. The legal obligations to prevent the spread of the COVID-19 virus have ended. It is therefore no longer possible to speak of a pandemic situation like the present case, which is why there are no longer any factors that deserve special consideration.

In accordance with the new penalty level, the cost contribution to the proceedings before the administrative authority, which was assessed at 10% of the penalty imposed, had to be adjusted.

3.3.1. If a fine is imposed, according to Section 16 (1) of the VStG, a substitute imprisonment must also be imposed in the event that it cannot be collected. The substitute imprisonment may not exceed the maximum of the imprisonment threatened for the administrative offense and, if no imprisonment is threatened and nothing else has been stipulated, two weeks. A substitute custodial sentence of more than six weeks is not permitted. It is to be determined according to the rules of punishment without regard to § 12 VStG. 3.3.1. If a fine is imposed, according to paragraph 16, paragraph one, of the VStG, a substitute imprisonment must also be imposed in the event that it cannot be collected. The substitute imprisonment may not exceed the maximum of the imprisonment threatened for the administrative offense and, if no imprisonment is threatened and nothing else has been stipulated, two weeks. A substitute custodial sentence of more than six weeks is not permitted. It is to be determined according to the rules of punishment without regard to paragraph 12, VStG.

With regard to the assessment of substitute imprisonment sentences, the Administrative Court ruled that the amount of the substitute imprisonment sentence is to be calculated according to the guilt of the perpetrator, taking into account the aggravating and mitigating reasons; on the other hand - as here - the personal circumstances and the economic capacity of the perpetrator are only decisive when assessing the fine, but not the substitute imprisonment (VwGH 28.05.2013, 2012/17/0567).

The determination of the substitute imprisonment had to be corrected in accordance with the adjustment of the fine.

3.3.2. For the above reasons, the complaint regarding the verdict on the sentence imposed was partially upheld.

The costs of the appeal proceedings before the Federal Administrative Court were not to be charged to the complainant pursuant to Section 52 (8) VStG because his complaint was upheld.

3.34. According to § 44 para. 3 no. 2 VwGVG, this decision could be made without holding an oral hearing, since the complaint - as explained above - is only directed against the amount of the penalty and the holding of an oral hearing was also not requested by any party in the proceedings.3.34. According to Section 44, paragraph 3, number 2, VwGVG, this decision could be made without an oral hearing, since the complaint - as explained above - is only directed against the amount of the penalty and the holding of an oral hearing was also not requested by any party in the proceedings.

3.5. Re B) Inadmissibility of the revision:

Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. The statement must be briefly justified. The case law in question is consistent with the case law of the highest courts. Due to the clear legal situation, this is not a legal question of fundamental importance. There are also no other indications of a fundamental importance of the legal question to be solved. According to paragraph 25 a, paragraph one, VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is permissible according to article 133, paragraph 4, B-VG. The statement must be briefly justified. The case law in question is consistent with the case law of the highest courts. Due to the clear legal situation, this is not a legal question of fundamental importance. There are also no other indications of a fundamental importance of the legal question to be solved.

It was therefore to be decided by the Senate in accordance with the verdict.

Payment information:

You have to pay the total amount of EUR 2,200 (penalty, costs of the administrative procedure and the administrative court complaint procedure) within 2 weeks into the account of the Federal Administrative Court (BVwG) with the IBAN AT840100000005010167 (BIC BUNDATWW) stating the number of the procedure free of charge for the recipient or pay it to the Federal Administrative Court taking this knowledge with you. In the event of default, it must be expected that the amount will be forcibly collected after a reminder has been issued.