DSB (Austria) - DSB-D770.1336

From GDPRhub
DSB - DSB-D770.1336
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 6(1)(e) GDPR
§ 750 ASVG
§1(2) DSG
Type: Complaint
Outcome: Rejected
Started:
Decided: 15.06.2022
Published: 12.12.2023
Fine: n/a
Parties: n/a
National Case Number/Name: DSB-D770.1336
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: co

The Austrian DPA held that the sending of letters inviting data subjects to get a covid-19 vaccine did not constitute a violation of data subjects' rights under Austrian Data Protection Law.

English Summary

Facts

A data subject received a letter from the umbrella association of Austrian social insurance institutions - the controller - suggesting that he attend an appointment for a vaccine against covid-19. The data subject believed that the letter had been sent to him on the basis of unlawful processing of his personal data by the controller. He thus filed a complaint with the Austrian DPA (Datenschutzbehörde, DSB) on 23 December 2021, asking the DSB to prohibit such processing and impose a fine on the controller.

Given the high number of similar complaints, the DSB took for granted that the umbrella association was the controller and asked it to provide its submission on the matter.

On 14 January 2022, the controller submitted that, as sole controller, it had sent letters about the possibility of getting a covid-19 vaccine to those people who had not been vaccinated before a certain date. In the controller’s view, this was legitimate as it occurred on the basis of § 750(1a) and (2) of the Austrian General Law on Social Insurance (ASVG).

Holding

First of all, the DSB considered that the controller in this case is an entity under public law. The controller checked the central vaccination register to see whether the data subject had been vaccinated against covid-19 before 22 November 2021 and, as he had not, retrieved the address of the data subject from the central patient register and sent him the letter.

The DSB also found that, in sending the letter with information about the risk of covid-19 and a suggestion of an appointment for a free vaccine, data were not unlawfully transmitted to third parties, in this case a printing service provider. As a matter of fact, the latter, as a processor, later confirmed deletion of the data.

Further, the DSB concluded that, since the controller is a public entity acting in accordance with § 750(1a) and (2) ASVG, this justified a restriction of the right to data protection under §1(2) DSG, in compliance with Article 8(2) of the Charter of Fundamental Rights of the European Union (CFREU) and Article 6(1)(e) GDPR.

The DSB thus rejected the whole complaint as unfounded, since no reasons were given for ordering the processing to cease or for imposing a fine on the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

GZ: 2022-0.432.117 from June 15, 2022 (procedure number: DSB-D770.1336)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for pseudonymization reasons. Obvious spelling, grammar and punctuation errors have been corrected.

The name of the respondent has not been pseudonymized here because it is a corporation under public law whose identity emerges from applied and cited legal provisions.]

NOTICE

SAYING

The data protection authority decides on the data protection complaint from Mr. Martin A*** (complainant) dated December 23, 2021 against the umbrella organization of social insurance providers (respondent) due to the alleged violation of the right to confidentiality as follows:

1.   The complaint is dismissed as unfounded.

2.   The complainant's request that the data protection authority prohibit data processing in accordance with Section 22, Paragraph 4 of the DSG is rejected.

3.   The complainant's request that the data protection authority impose a fine on the respondent is rejected.

Legal basis: Section 1 Paragraph 1 and Paragraph 2, Section 22 Paragraph 4, Section 24 Paragraph 1 and Paragraph 5 as well as Section 30 Paragraph 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Art. 51 Para. 1, Art. 57 Para. 1 lit. f and Art. 77 Para. 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 04.05.2016, p. 1; § 750 of the General Social Insurance Act (ASVG), Federal Law Gazette No. 189/1955 as amended; § 18 of the Health Telematics Act 2012 (GTelG 2012), Federal Law Gazette I No. 111/2012 as amended; § 25 Para. 1 of the Administrative Penalties Act 1991 (VStG), Federal Law Gazette No. 52/1991 as amended.

REASON

A. Submissions of the parties and course of proceedings

1. In his complaint dated December 23, 2021, the complainant claimed that his right to secrecy had been violated by the respondent and the “Ministry of Social Affairs / Service for Citizens” because he had received a letter addressed to him regarding an appointment for a Corona vaccination, but he assumes that this letter is based on unlawful processing of his personal data.

In addition, the complainant requested that the data protection authority prohibit data processing in accordance with Section 22 Paragraph 4 of the DSG and impose a fine on the respondent and on the “Ministry of Social Affairs / Service for Citizens”.

2. Due to a large number of identical complaints, the data protection authority called on the respondent, by its letter dated December 15, 2021, to provide a statement because the data protection authority assumed its responsibility under data protection law based on the complaints and the documents submitted.

3. In his statement of January 14, 2022, the respondent stated in summary that he, as the sole person responsible for data protection - as provided for in Section 750 Paragraph 1a ASVG - on behalf of the Federal Minister for Social Affairs, Health, Care and Consumer Protection, to certain persons who had not received a vaccination against SARS-CoV-2 by a deadline, sent a letter in which he informed about the risk of becoming seriously ill with COVID-19 and the possibility of receiving a free vaccination against SARS-CoV-2. The data collection required to send the letters would have been carried out on the basis of a clear legal basis, namely in accordance with Section 750 Paragraph 1a and Paragraph 2 ASVG. The complainant's alleged violation of his right to secrecy would therefore not exist.

4. The data protection authority granted the complainant a hearing on the respondent's statement and also announced that the proceedings were being conducted against him based on the respondent's statements that he was the sole data controller responsible for the data processing in question.

5. During the hearing, the complainant made no further statements. A corresponding forwarding report is included with the file and there is no error message from an email server.

B. Subject of the complaint

The subject of the complaint is the question of whether the respondent violated the complainant's right to confidentiality by unlawfully processing the complainant's data for the purpose of sending a letter informing him about the risk of becoming seriously ill with COVID-19 and the possibility of receiving a free vaccination against SARS-CoV-2.

C. Findings of Fact

The respondent is a corporation under public law and has legal personality in accordance with Section 32, Paragraph 1 of the ASVG.

The respondent processed the complainant's data and sent him a letter informing him about the risk of becoming seriously ill with COVID-19 and the possibility of receiving a free vaccination against SARS-CoV-2.

To determine the complainant's data, the respondent checked the central vaccination register to see whether there was at least one vaccination entry for the complainant as of November 22, 2021 and, since no such vaccination entry was available, in a next step determined the complainant's home address in the central patient index.

As a result, the respondent sent a gap letter with the general text of the letter and a vaccination suggestion as well as the complainant's data to a printing service provider as part of order data processing.

The vaccination suggestion is not a personal appointment, which is why no data from the complainant was passed on to third parties in this context.

After transmitting the data to the printing service provider, the respondent deleted the complainant's data. The printing service provider confirmed to the respondent that the complainant's data had been deleted.

Assessment of evidence: The findings result from the submissions of the parties to the proceedings, the harmless documents submitted and from Section 32 Paragraph 1 ASVG.

D. From a legal point of view it follows:

D1. Regarding the alleged violation of the right to secrecy

Section 750 ASVG including the heading reads:

“Information letter vaccination against SARS-CoV-2

(1) The umbrella organization has to inform the persons insured under federal law and their eligible relatives who were assigned to the COVID-19 risk group on March 1, 2021 according to the COVID-19 Risk Group Ordinance, Federal Law Gazette II No. 203/2020, and who have not yet received a vaccination against SARS-CoV-2 by April 1, 2021, about their increased risk of becoming seriously ill with COVID-19 and the options for receiving the free vaccination against SARS-CoV-2. This does not apply to persons under the age of 16 as of March 1, 2021. The federal government must reimburse the umbrella organization for the resulting expenses from the COVID-19 crisis management fund.

(1a) On behalf of the Federal Minister for Social Affairs, Health, Care and Consumer Protection, the umbrella organization has to inform people with health insurance under federal law and their eligible relatives who have not yet received a vaccination against SARS-CoV-2 by November 22, 2021 about the risk of becoming seriously ill with COVID-19 and about the options for receiving the free vaccination against SARS-CoV-2. Paragraph 1 last sentence applies.

(2) For the purpose of determining the persons eligible in accordance with paragraph 1 and paragraph 1a, the umbrella organization is entitled to link (compare) the data on COVID-19 vaccinations stored in the central vaccination register (Section 24c GTelG 2012) with its own data on a one-off basis. The bPK-SV must be used for the link. Processing this data for other purposes is not permitted. After processing, this data must be deleted immediately. ELGA GmbH, as the person responsible for the vaccination register (Section 27 Paragraph 17 GTelG 2012 in conjunction with Section 4b eHealth Ordinance, Federal Law Gazette II No. 449/2020), is obliged to provide the umbrella organization with the necessary data. When logging in accordance with Section 24f Paragraph 5 GTelG, a reference must be made to the fact that the data processing was carried out for the purpose of determining the persons eligible in accordance with Paragraph 1 and Paragraph 1a.

(3) The umbrella organization operates in the transferred sphere of activity in accordance with the instructions of the Federal Minister for Social Affairs, Health, Care and Consumer Protection.”

§ 18 GTelG including the heading reads:

“Verification of the identity of ELGA participants

§ 18. (1) The umbrella organization must set up and operate a patient index in the transferred area of responsibility. This serves:

1. checking the unique identity (§ 2 Z 2 E-GovG) of natural persons within the framework of ELGA or other eHealth applications and

2. the location of reference registers in which references to ELGA health data of these natural persons can be found.

(2) The following data from natural persons must be processed in the patient index:

1. Name details:

a) First name(s)

b) family name

c) Birth name

d) academic degrees

2. Personal characteristics:

a) Date of birth

b) Place of birth, if available

c) Gender

d) Date of death, if available

e) Nationality

3. Address details

4. Identity data:

a) Social security number

b) local patient(s)/identifiers

c) bPK-GH

d) data of the European health insurance card that goes beyond numbers 1 to 3

e) other government identifiers.

(3) The data in accordance with paragraph 2 is to be collected primarily from the applications of the umbrella organization in accordance with Section 30c Paragraph 1 Z 2 lit. a ASVG and the supplementary register in accordance with Section 6 Paragraph 4 E-GovG.

(4) The verification of the identity of the ELGA participants (§ 14 Para. 1 Z 1) must be carried out in electronic form with the participation of the ELGA participant. The identity data stored in the patient index must be compared with the identity data collected as part of the identification. The collection of identity data can be carried out by

1. an electronic check of the validity of the e-card and the reading of data from the e-card using the e-card system (§§ 31a ff ASVG) or

2. Using an E-ID (§ 2 Z 10 E-GovG) or

3. Processing identity data of a natural person clearly identified in accordance with Section 4 Paragraph 2, which is stored by an ELGA health service provider in accordance with Section 2 Z 10 lit. d and e, whereby, in the IT security concept in accordance with Section 8, the verification of the identity of the ELGA participants must be technically secured for the purpose of processing ELGA health data in accordance with Section 14 Paragraph 2 Number 1, or

4. Processing data from an electronic or otherwise clearly identifiable regulation or assignment (§ 14 Para. 2 Z 1 lit. b), unless the collection of identity data takes place in accordance with Z 1 to 3, or

5. the reading of data from the e-card or an official photo ID in ID-1 format using suitable technology for identification within the framework of the electronic vaccination certificate, whereby official photo ID in this sense is documents issued by a state authority that are not interchangeable bear a recognizable headshot of the person concerned and contain the name, gender, date of birth and signature of the person as well as the issuing authority, apply,

take place.

(5) In the course of collecting identity data using the e-card system (§§ 31a ff ASVG), any objection in accordance with § 16 Para. 2 Z 2 must also be documented in the same work step, but technically separate from the data flows of the ELSY (§§ 31a ff ASVG).

(6) The verification of the identity of the ELGA participants (paragraph 4) may be used to access and process the ELGA health data for the purposes specified in Section 14 paragraph 2.

1. ELGA health service providers in accordance with Section 2 Z 10 lit. a, b, d and e and the ELGA ombudsman office in accordance with Section 2 Z 14 for no longer than 90 days and

2. ELGA health service provider in accordance with § 2 Z 10 lit. c was not more than two hours ago.

(7) Deviating from paragraph 6, an ELGA participant can grant one or more ELGA health service providers of special trust in accordance with Section 2 Z 10 lit. a, b, c and e in conjunction with Section 21 Paragraph 2, with its consent, a period of up to 365 days.

(8) Apart from the cases according to Section 17 Paragraph 4, representations of ELGA participants in electronic communication may only be registered in accordance with Section 5 Paragraph 1 E-GovG, whereby:

1. a bPK of the ELGA participant must be entered instead of the master number and

2. the authorization to access ELGA must be entered separately.

(9) Ten years after knowing the date of death of an ELGA participant, the umbrella organization must automatically delete the data of the deceased stored in the patient index.

In the matter:

The fundamental right to data protection enshrined in § 1 DSG, according to the first paragraph of which everyone has a right to confidentiality of personal data concerning them, in particular with regard to respect for their private and family life, insofar as there is a legitimate interest in doing so, includes the protection of the data subject from the determination of his or her data and the disclosure of the data determined about him or her.

However, the fundamental right to data protection is not absolute, but may be limited by certain, permissible interventions. According to Section 1 Para. 2 DSG, restrictions on the right to secrecy are only permissible to protect the overriding legitimate interests of another, provided that the use of personal data is not in the vital interest of the person concerned or with his or her consent, whereby, in the event of intervention by a state authority, this may only be carried out on the basis of laws which are necessary for the reasons stated in Article 8 Paragraph 2 ECHR.

As established, the respondent, who is a corporation under public law (with regard to the processing in question, it is to be qualified as an authority within the meaning of Section 1 Para. 2 DSG, see Pollirer/Weiss/Knyrim, Data Protection Act2 § 1 Note 13), processed, for the purpose of sending an information letter regarding the risk of becoming seriously ill with COVID-19 and the possibility of receiving a free vaccination against SARS-CoV-2, the complainant's data from the central vaccination register and their own data, specifically from the central patient index.

Since the respondent was able to rely in this context on Section 750 Paragraph 1a and Paragraph 2 ASVG and thus on a fundamental encroachment in accordance with Section 1 Paragraph 2 DSG, the complaint turned out to be unfounded, which is why it had to be rejected in accordance with Section 24 Paragraph 5 DSG.

D2. On the request for a ban on data processing

Insofar as the complainant requested that the data protection authority prohibit the respondent from processing his data in accordance with Section 22 Paragraph 4 of the Data Protection Act, it should first be noted that the prerequisite for such a prohibition is the existence of a significant immediate danger, i.e. “imminent danger”. However, since the processing in question had already been completed at the time the complaint was lodged, for this reason alone it can no longer be assumed that there is any significant immediate danger or that there is “imminent danger”, which is why the prerequisites for a prohibition in accordance with Section 22 Paragraph 4 of the Data Protection Act were not met.

The application in this regard was therefore rejected.

D3. On the application for the imposition of a fine

To the extent that the complainant requested that the data protection authority impose a fine on the respondent, it should be noted that no fine can be imposed on a person responsible as part of an administrative procedure. While no subjective right to initiate criminal proceedings against a certain person responsible can be derived from Art. 77 Para. 1 GDPR or Section 24 Para. 1 and 5 DSG (in this regard, according to Section 25 Para. 1 VStG, the principle of official authority applies, see Fister in Lewisch/Fister/Weilguni (eds), VStG Commentary 2 [2017] § 25 Rz 1), it should also be noted that, according to § 30 Para. 5 DSG, no fines can be imposed on corporations under public law.

The application in this regard was therefore rejected.

It had to be decided according to the saying.