DSB (Austria) - 2021-0.119.956

From GDPRhub
Revision as of 15:40, 18 January 2024 by Ar (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
DSB - 2021-0.119.956
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(1)(e) GDPR
Article 9 GDPR
Article 15(1) GDPR
Article 15(2) GDPR
Article 15(3) GDPR
Article 51(1) GDPR
Article 57(1)(f) GDPR
Article 77(1) GDPR
§§1 DSG
§17a (2)(g) Wr. KAG
§18(1) DSG
§24(1)DSG
§24(5) DSG
Type: Complaint
Outcome: Partly Upheld
Started: 30.12.2019
Decided: 22.02.2021
Published:
Fine: n/a
Parties: Corina A***
City of Vienna
National Case Number/Name: 2021-0.119.956
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): German
German
Original Source: DSB (in DE)
RIS (in DE)
Initial Contributor: n/a

The Austrian DPA ordered the controller to provide the data subject with the complete personal data of her medical history within a period of four weeks for a violation of Article 15 GDPR, since the controller withheld personal data from the data subject to which she had a right.

English Summary

Facts

On 14 November 2019, the legal guardian of the data subject, a minor, and a patient at the hospital, submitted a request via e-mail for information about the data subject’s data. In the e-mail to the controller, the City of Vienna, the guardian relied on his request on §158 General Civil Code of Austria and Article 15 GDPR. The legal guardian wanted a free copy in a common electronic form of all personal data of the data subject.

The legal guardian also requested the name and address of the controller’s processor if the data was processed in accordance with Article 28 GDPR. He inquired if the controller carried out processing with pseudonymized data or other data processing without personal identification and asked about the recipients or categories of recipients who have already received or will receive the data subject’s data in the future. He further requested to be provided with all available information about the origin of the data if the data was not collected directly.

The legal guardian demanded that his request be dealt with immediately or at the latest in a month, under Article 12(3) GDPR.

On 19 November 2019, the controller replied and requested an extract from the civil register to prove the power of representation and an official photo ID for identification purposes from the legal guardian. The guardian complied with the request regarding the civil register and provided a copy of his ID.

In its response, the controller provided information on the data subject’s personal data, the purpose of processing, the duration of storage, the origin of the data, the information on outpatient visits and inpatient hospital stays, the recipient of the data and the result of the examination by the clinics and institutes.

On 30 December 2019, the legal guardian filed a complaint with the DPA claiming that his right to information was violated by the controller since it did not fully comply with the initial request. The information provided by the controller did not contain all the documents relating to the data subject's treatment. In addition, he claimed that the controller´s request for a copy of an ID had been unlawful. Lastly, the data subject asked for an assertion that it was reasonable for the controller to obtain further civil registration information directly from the registration service of the city of Vienna (Meldeservice - MA 62).

Holding

The Austrian DPA decided on the complaint of the data subject, represented by her legal guardian against the data controller.

The DPA partially granted the complaint and concluded that the controller violated the data subject’s right to information by providing her with incomplete information regarding her medical history. The DPA stated that Article 15(3) GDPR gives no right to the disclosure of a copy of all documents containing the personal data of a person requesting information. Concerning this article, it is therefore not possible to demand the release of entire documents. Article 15(3) GDPR only standardizes the right to receive a "copy of the personal data undergoing processing." Therefore, its goal is not to reproduce entire documents and make them available free of charge. Article 15 GDPR guarantees the right to obtain information about personal data, either in the form of a copy or in the form of a description of the content or context in which personal data is processed.

Thus, the controller was ordered to provide the data subject with the complete personal data of her medical history within a period of four weeks.

Moreover, the DPA decided to dismiss the claim that the demand for a copy of the legal guardian’s identity card was unlawful, as well as the request for an assertion that it would have been reasonable for the controller to obtain the civil registration information themselves.

Consequently, the controller was found to have responded insufficiently to the request for information and was ordered to provide the complainant with a copy of the complete personal data of her medical history within a period of four weeks, under Article 15 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

text

GZ: 2021-0.119.956 from February 22, 2021 (Procedure number: DSB-D124.1965)

[Editor's note: The name of the respondent is reflected in this notice. The person concerned is a corporation under public law, whose name can also be derived from a cited legal provision (the Vienna Hospital Act 1987 only applies in the state of Vienna, which in turn only consists of a single municipality, the respondent). A meaningful and meaningful pseudonymization of the name of the respondent in this decision, which was to be published in accordance with Section 23 Para. 2 DSG, was therefore not possible.] [Editor's note: The name of the respondent is reproduced in this decision. The person concerned is a corporation under public law, whose name can also be derived from a cited legal provision (the Vienna Hospital Act 1987 only applies in the state of Vienna, which in turn only consists of a single municipality, the respondent). A meaningful and meaningful pseudonymization of the respondent's name in this decision, which was to be published in accordance with paragraph 23, paragraph 2, DSG, was therefore not possible.]

NOTICE

SAYING

The data protection authority decides on the data protection complaint from my wife Corina A*** (complainant), represented by the legal guardian Dr. Gustav A***, dated December 30, 2019 against the city of Vienna (respondent), represented by the magistrate of the city of Vienna, for violation of the right to information as follows:

1.   The complaint is partially upheld and it is found that the respondent violated the complainant's right to information by providing the complainant with incomplete information regarding her medical history.

2.   The respondent is ordered to provide complete information about the complainant's personal data in her medical history within a period of four weeks.

3.   The Complainant's application for a declaration that the Respondent's request to provide a copy of her ID was unlawful is dismissed.

4.   The complainant's application for a declaration that it would have been reasonable for the respondent to obtain registration information herself is rejected.

Legal bases: Art. 5 Para. 1 lit. e, Art. 9, Art. 15 Para. 1, Para. 2 and Para. 3, Art. 51 Para. 1, Art. 77 paragraph 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of May 4, 2016, p. 1; §§ 1, § 18 paragraph 1 and § 24 paragraph 1 and paragraph 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; § 17a paragraph 2 lit Paragraph 3, Article 51, paragraph one, Article 57, paragraph one, letter f, and Article 77, paragraph one, of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of May 4, 2016 p. 1; Paragraph one, paragraph 18, paragraph one, as well as paragraph 24, paragraph one and paragraph 5, of the Data Protection Act (DSG), Federal Law Gazette Part One, No. 165 from 1999, as amended; Paragraph 17 a, Paragraph 2, Litera g, Vienna Hospital Act 1987 (Wr. KAG), State Law Gazette No. 19 from 1988, as amended

REASON

A. Submissions of the parties and course of proceedings

1. In the complaint initiating the procedure dated December 30, 2019, the complainant stated that the respondent's right to information had been violated by the respondent not fully complying with her request for information dated November 14, 2019. The respondent's information dated December 12, 2019 did not include all documents relating to the complainant's treatment in Hospital N*** in 2019. According to Art. 15 Para. 3 GDPR, you have the right to receive a copy of the stored data. Exp.Gr. 63 explicitly included health-related data (patient files, diagnoses, examination results, etc.). In addition, the complainant asked for a declaration that the respondent's request to provide a copy of his ID, even though a qualified electronic signature had already been submitted, was not legal. She further asked for a finding that it was reasonable for the respondent to obtain further additional registration information from MA 62. alleges that the respondent's right to information was violated by not fully complying with its request for information dated November 14, 2019. The respondent's information dated December 12, 2019 did not include all documents relating to the complainant's treatment in Hospital N*** in 2019. According to Article 15, Paragraph 3, GDPR, you have the right to receive a copy of the stored data. Exp.Gr. 63 explicitly included health-related data (patient files, diagnoses, examination results, etc.). In addition, the complainant asked for a declaration that the respondent's request to provide a copy of his ID, even though a qualified electronic signature had already been submitted, was not legal. She further asked for a finding that it was reasonable for the respondent to obtain further additional registration information from MA 62.

2. In its submission dated March 27, 2020, the respondent commented on the complaint and stated that the personal data contained in the information dated December 12, 2019 was both information about the processed personal data relating to the complainant (Article 15 paragraph 1 GDPR), as well as a copy of the personal data that is the subject of processing, within the meaning of Art. 15 Para. 3 GDPR. The right to information pursuant to Article 15 Para. 3 GDPR only includes the right to receive a copy of the personal data stored about the person concerned, i.e. a list of them, but this is not a right to receive entire files or copies of files. Accordingly, under the GDPR, the complainant has no right to receive “all patient files […] in full as a copy”. Statement and stated in relation to the complaint that the personal data contained in the information dated December 12, 2019 was both information about the personal data processed concerning the complainant (Article 15, paragraph one, GDPR), and a copy of the personal data that The subject of the processing is within the meaning of Article 15, Paragraph 3, GDPR. The right to information pursuant to Article 15, Paragraph 3, GDPR only includes the right to receive a copy of the personal data stored about the person concerned, i.e. a list of them, but this is not a right to receive entire files or copies of files. Accordingly, under the GDPR, the complainant has no right to receive “all patient files […] in full as a copy”.

In addition, in the case of the patient file, there is the possibility of inspecting the medical history or making a copy of the medical history against reimbursement of costs in accordance with Section 17a Paragraph 2 Letter g Wr. CAG. The right to information according to Art. 15 GDPR is also based on the principle In the case of the patient file, there is the possibility of inspecting the medical history or making a copy of the medical history against reimbursement of costs in accordance with paragraph 17 a, paragraph 2, litera g, Wr. CAG. The right to information according to Article 15, GDPR is also based on the principle lex specialis derogat legi generali of more specific rights in the area of the right to information and also the right of inspection of the Wr. KAG repressed.

The area of hospital law at issue here, namely the exercise of patients' rights, has a European law foundation in Directive 2011/24/EU (see also Füszl in Aigner/Kletečka/Kletečka-Pulker/Memmer, Handbook of Medical Law (2019) Chapter IV. 1.10), which is why there was another legal act at the same level in addition to the GDPR. The only special feature was that the directive was not generally directly applicable, but had to be implemented through domestic law. However, this did not change the equality of the EU regulation and the EU directive (or the national provisions implementing the EU directive)., Handbook of Medical Law (2019) Chapter. Roman IV.1.10), which is why there was another legal act at the same level in addition to the GDPR. The only special feature was that the directive was not generally directly applicable, but had to be implemented through domestic law. However, this did not change the equality of the EU regulation and the EU directive (or the national provisions implementing the EU directive).

Insofar as the complaint (implicitly) referred to patient files in an analogue form, it should be noted that manual files do not qualify as a file system within the meaning of Art. 4 Z 6 GDPR, which is why the GDPR (and consequently also your right to information) is not applicable in this regard. Insofar as the complaint (implicitly) referred to patient files in an analogue form, it should be noted that manual files do not qualify as a file system within the meaning of Article 4, Paragraph 6, GDPR, which is why the GDPR (and consequently also your right to information) is not applicable in this regard .

Regarding the requested determination as to whether the request for a copy of the ID was lawful, the respondent stated that since the complainant had been given information in accordance with the GDPR, only this could be the subject of the complaint and not the modalities.

3. In a submission dated June 30, 2020, the complainant requested that the proceedings be continued and stated in summary that she was of the opinion that the provisions of the GDPR, as secondary Union law, were of a higher rank in the hierarchy of norms than the Wr. CAG. In addition, she assumes that all resulting files, unless they are already recorded electronically, must be structured and sorted due to legal obligations, which means that the GDPR continues to apply to these documents.

4. In a submission dated February 2021, the respondent stated that the information contained in the files had been digitally archived. Accordingly, the GDPR is directly applicable as (partially) automated data processing.

5. In her submission dated February 16, 2021, the complainant essentially repeated her previous statements.

B. Subject of the complaint

The subject of the complaint is the question of whether the respondent violated the complainant's right to information by not providing the complainant with complete information about her health-related data.

Furthermore, the applications submitted by the complainant with regard to the exercise of the right to information must be discussed.

C. Findings of Fact

1. In an application dated November 14, 2019, the complainant's legal guardian sent an email request for information about the complainant's personal data: (formatting not reproduced 1:1)

Dr. Gustav A*** as

as legal guardian of Corina A***

Email: ds***@***.at

L***strasse 5*

**** N***

Magistrate of the City of Vienna

Data protection officer <***datenschutzpflichter@wien.gv.at >

N***, on November 14, 2019

Subject: Request for information in accordance with Article 15 of the GDPR Subject: Request for information in accordance with Article 15 of the GDPR

Ladies and Gentlemen!

As a person entitled to custody of my daughter in accordance with Section 177 of the General Civil Code (ABGB), of my daughter

Corina A***, social security number 3**5 17**06

In accordance with Section 158 ABGB and Article 15 of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on the repeal of the Directive 95/46/EC, GDPR) I submit a request for information about my daughter's personal data in connection with her treatment at Hospital N***, I***gasse *7, 1**0 Vienna in 2019 hereby in accordance with paragraph 158, ABGB and Article 15, General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing the Directive 95/46/EC, GDPR) a request for information about my daughter's personal data in connection with her treatment at Hospital N***, I***gasse *7, 1**0 Vienna in 2019.

a. Please provide me with a copy of all personal data stored in this context in a common electronic format free of charge.

You are requested to provide information about all data that is contained in all files and can also be directly or indirectly linked to the personal data via key, search and reference terms (Article 4 GDPR). You are requested to provide all data information that is located in all files and can also be linked directly or indirectly to the personal data via key, search and reference terms (Article 4, GDPR).

This includes in particular, but not only: all data from the patient file such as diagnoses, notes, examination results (including all imaging procedures such as X-rays or MRI), surgical protocols, e-journal entries, findings from the treating doctors, information on treatments or procedures (see Recital 63 GDPR).

b. If the data is processed in accordance with Article 28 of the GDPR, I request that you additionally provide the name and address of your processor. If the data is processed in accordance with Article 28 of the GDPR, I request that you additionally provide the name and address of your processor.

c. Do you process pseudonymized data or other data processing without personal identification (Article 11 GDPR)? If yes, which ones? Do you process pseudonymized data or other data processing without personal identification (Article 11, GDPR)? If yes, which?

d. Please tell me the recipients or categories of recipients who have already received my data or will receive them in the future.

e. If the data was not collected directly, I ask you to provide me with all available information about the origin of the data.

Please send the data or the information for retrieving it via remote access to a secure system to my email address: ds***@***.at.

In accordance with Article 12 Para. 3 GDPR, information must be provided immediately, but at the latest within one month. If I do not receive any information from you within this period, I will contact the responsible supervisory authority. If you are of the opinion that you do not have to respond to the request, you must inform me of the reasons for this and of the possibility of lodging a complaint with a supervisory authority no later than one month after receipt of the request. Information must be provided in accordance with Article 12, Paragraph 3, GDPR must be done immediately, but no later than within one month. If I do not receive any information from you within this period, I will contact the responsible supervisory authority. If you are of the opinion that you do not have to respond to the application, you must inform me of the reasons for this and of the possibility of lodging a complaint with a supervisory authority no later than one month after receipt of the application.

To confirm my identity, this document is provided with a qualified electronic signature in accordance with Article 25 Paragraph 2 of EU Regulation No. 910/2014 (eIDAS), which clearly identifies me as a person and also provides a clear connection to me via the insurance data available to you can be made with my co-insured daughter. To confirm my identity, this document is provided with a qualified electronic signature in accordance with Article 25, Paragraph 2, of EU Regulation No. 910/2014 (eIDAS), which clearly identifies me and you available insurance data, a clear connection can be established with my daughter, who is also insured with me.

You will also find a picture of my daughter's eCard enclosed.

If, contrary to expectations, you consider this to be insufficient, you have the option of having the authenticity of this request confirmed using the telephone number noted in your patient file and therefore known to you.

Best regards

Dr. Gustav A***

(as Corina A***'s legal guardian)

Appendix: Figure eCard

[Note from the clerk: The graphic files of the images (front and back) of the eCard as well as the digital signature have been removed because they cannot be displayed in the RIS.]

2. On November 19, 2019, the respondent replied and requested from the complainant's legal guardian a current extract from the registration register as proof of the power of representation as well as an official photo ID for identification.

3. On November 20, 2019, the complainant complied with the request regarding the registration form but complained about the unjustified request for a copy of the parent's ID card because there was a qualified electronic signature.

4. On November 26, 2019, the complainant's legal guardian complied with the requests for a copy of her ID.

5. On December 12, 2019, the respondent sent the complainant the following information: (excerpt, formatting not reproduced 1:1)

Magistrate of the City of Vienna

Mr



Dr. Gustav A***

S*** alley *5

**** Vienna

Telephone +4314000***375

post@***wien.gv.at

wien.gv.at

By email: ds***@***.at



Department D*** -3****

Vienna, December 12, 2019



Request for information in accordance with Article 15 of the GDPR Request for information in accordance with Article 15 of the GDPR

Dear Doctor. A***,

By email dated November 14, 2019, you sent a request for information to the data protection officer for the city council of the city of Vienna in accordance with Article 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons Processing of personal data, the free movement of data and the repeal of Directive 95/46/EC (GDPR). You sent an email dated November 14, 2019 to the data protection officer for the city council of the city of Vienna with a request for information in accordance with Article 15 of the regulation ( EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (GDPR).

The content of your request was to receive information about the data processed about your minor daughter Corina A*** at Hospital N*** in connection with her treatment in 2019.

According to the business division of the City of Vienna City Council, Department D*** Data Protection*** is responsible for coordinating the response to requests for information in accordance with Art. 15 GDPR, which is why your request was forwarded to them. Department D*** Data Protection** * is responsible, according to the business division of the City of Vienna Magistrate, for coordinating the response to requests for information in accordance with Article 15, GDPR, which is why your request was forwarded to them.

Since no copy of proof of identity was attached to this request and the applicant's identity could therefore not be determined, you were asked to provide proof of your identity in a letter from the D***Data Protection*** department dated November 19, 2019. You were also asked to provide a current extract from the registration register of you and your minor daughter Corina A*** as proof of your power of representation.

You complied with this request by email dated November 26, 2019 and November 28, 2019. Processing your request for information was only possible from this point onwards; the deadline in accordance with Article 12 Paragraph 3 was suspended until this point in time. You complied with this request by email dated November 26th, 2019 and November 28th, 2019. Processing your request for information was only possible from this point onwards; the deadline in accordance with Article 12, Paragraph 3 was suspended until this point in time.

It is stated at the outset that the right of access pursuant to Article 2 Paragraph 1 of the GDPR only applies to the fully or partially automated processing of personal data as well as to the non-automated processing of personal data stored in a file system. At the outset it is noted that the right to information pursuant to Article 2, Paragraph one of the GDPR only applies to the fully or partially automated processing of personal data as well as to the non-automated processing of personal data stored in a file system

Health monitoring at work (VGÜ) Federal Law Gazette II No. 27/1997; Health monitoring at work (VGÜ) Federal Law Gazette Roman II No. 27/1997;

Federal law on the protection of personal freedom while staying in

Homes and other care and care facilities (Home Stay Act - HeimAufG), Federal Law Gazette I No. 11/2004 as amended; Homes and other care and care facilities (Home Stay Act - HeimAufG), Federal Law Gazette Part One, No. 11 from 2004, as amended;

Accommodation of mentally ill people in hospitals (Accommodation Act - UbG), BGBI. No. 155/1990 as amended.

I) The following data from your daughter appears in the processing as part of the patient administration: Roman one) The following data from your daughter appears in the processing as part of the patient administration:

Overview of master data:

Number of patients: 36**19*

Last name: A***

First name: Corina

Salutation: Ms

Date of birth: June 17th

Gender Female

National: Austria

Overview of addresses:

Address type: primary residence

Country: Austria

Zip code: **** N***

Street: L***straße 5*

Telephone: 06**38562***

Other patient data:

Marital status Unmarried

Language: German

Place of birth: Vienna

VSNR: 3**5 17**06

Document type: father's driver's license

Document number: 07*****34

Relatives: Gustav A***

Insurance group: 0*.kaufst/arb.los/selbstv/Asylw/Flücht

Type of insurance (A,S): Social insurance

Insurance details:

KTR (= cost bearer): 7*** insurance company for ***

Membership type: Co-insured

Occupation:   Student

KTR for special class/multiple bed: ***Insurance (additional insurance)

Membership type: Self-insured

Purpose of processing:

Administrative recording of patient data to clearly identify those to be treated

Person for medical care and for service billing in accordance with Section 17, Paragraph 1, Vienna Person for medical care and for service billing in accordance with Section 17, Paragraph One, Vienna

Hospitals Act 1987

Category of data processed:

Administrative patient data

Duration of storage:

At least 10 years for data from outpatient care in accordance with Section 17, Paragraph 2, Vienna. At least 10 years for data from outpatient care in accordance with Paragraph 17, Paragraph 2, Vienna

Hospital Act 1987.

After completion of the medical history, at least 30 years for inpatient data

Stays in accordance with Section 17 Paragraph 2 of the Vienna Hospital Act 1987. Stays in accordance with Section 17, Paragraph 2 of the Vienna Hospital Act 1987.

Up to 30 years in accordance with Section 16a of the Vienna Hospital Act 1987. Up to 30 years in accordance with Section 16a of the Vienna Hospital Act 1987.

The patient master data is the link to everyone's medical documents

further stays of a patient.

Origin of data:

E-card, information from the patient or relatives

II) Information about outpatient visits and inpatient hospital stays (sorted chronologically ascending) of your daughter: Roman II) Information about outpatient visits and inpatient hospital stays (sorted chronologically ascending) of your daughter:

[Note from the clerk: The graphic file of the illustration of the periods of inpatient and outpatient stays in the hospital with the names of the wards was removed because it cannot be displayed in the RIS.]

III) Recipient of the data from I) and Il):Roman III) Recipient of the data from Roman one) and Roman one l):

To determine the insurance claim (outpatient and inpatient) the

Treatments in 2019, the insurance number and e-card number or policy number

(during inpatient stay) the insurance company for *** and the *** insurance company.

IV) Survey results from the clinics and institutes: Roman IV) Survey results from the clinics and institutes:

In the medical departments, the master data (such as name, date of birth, gender, address,

Marital status, insurance carrier) and the following specific data is documented:

1) N*** Department of Orthopedics and Trauma Surgery

Visits/stays on:

Ambulance Date         Time

Amb. Pediatric Orthopedics

0*.0*.2019

08:30:52

Amb. Pediatric Orthopedics

0*.0*.2019

08:29:47

Amb. Pediatric Orthopedics

1*.0*.2019

07:43:49

Inpatient stay:

Children's ward V*: inpatient stay from **.**.2019 to **.**.2019

Outpatient documents: document date

eJournal 2019****

Accident/Orthopedics - OP reservation 2019****

eJournal 2019****

eJournal 2019****

Cash register recipe 2019****

eJournal 2019****

eJournal 2019****

eJournal 2019****

Documents for inpatient stay:

Document  Date

External laboratory findings (from patient 1*.**.2019

brought)

External operation clearance (from patient

brought 2*.**.2019

Admission form 2*.**.2019

Tissue samples, information on storage

preservation, analysis and further use

of tissue - cell and other samples 2*.**.2019

Information for patients

regarding declaration of consent 2*.**.2019

Confirmation of acceptance of patient information

mation folder including information on the

Health status 2*.**.2019

Surgical lapel 2*.**.2019

Transcript of special class 2*.**.2019

Surgical safety checklist simplified 2*.**.2019

Preoperative checklist 2*.**.2019

Patient information anesthesia 2*.**.2019

Surgery report 2*.**.2019

Implant 2*.**.2019

Radiometer ABL 800 Flex (blood analysis) 2*.**.2019

Nursing process 2*.**.2019

Cash register recipe 3*.**.2019

Documentation of bland wounds, wound

Healing, drainage, catheters (PLL30) 3*.**.2019

Documentation of bland wounds, wound

healing, drainage, catheters (PLL30) 2*.**.2019 to 2*.**.2019

Fever curve 2*.**.2019 to 1*.**.2019

Progress documentation of pain 2*.**.2019 to 2*.**.2019

Progress documentation of pain 2*.**.2019 to 1*.**.2019



Origin of data:

Information from you or your relatives

Recipient of the data:

No recipients

Commissioning of processors:

No processors

2) N*** Department of Physical Medicine, Rehabilitation and Occupational Medicine

Visits/stays on:

Ambulance date time

Physical Therapies LS 5L 2*.**.2019 10:49:00

Konsile Physical Med. 2*.**.2019 1:35:36 p.m

Physical Therapies LS 5L 2*.**.2019 1:36:00 p.m

Physical Therapies LS 5L 3*.**.2019 12:44:000

Konsile Physical Med 3*.**.2019 07:23:00

Physical Therapies LS 5L 0*.**.2019 10:02:00

6. In the ongoing proceedings before the data protection authority, the respondent submitted the following information on February 3, 2021 (formatting not reproduced 1:1):

Regarding the information in question, it is stated that the following existing documents were not cited by mistake:

-    Inpatient letter 0*.**.2019

-     *** Outpatient questionnaire 2*.**.2019

Assessment of evidence: Evidence on the facts that were not in dispute were included through the parties' submissions, which are available in the file.

D. From a legal point of view it follows:

At the outset the following should be noted:

Although the complaint is directed against the “City of Vienna, Department D***”, it obviously means the Vienna Health Association as the operator of the N*** Hospital of the City of Vienna. The Vienna Health Association is a dependent company of the City of Vienna. The magistrate (Department D***) represents the City of Vienna in data protection matters, in particular before the data protection authority.

It follows that the respondent is the “City of Vienna, represented by the Magistrate of the City of Vienna”. However, the vagueness of the name of the original respondent cannot be blamed on the complainant (cf. also the decision of the Federal Administrative Court of May 27, 2020, GZ W214 2228346-1 regarding “Wiener Wohnen”). It follows from this that the The respondent is the “City of Vienna, represented by the Magistrate of the City of Vienna”. However, the vagueness of the name of the original respondent cannot be blamed on the complainant (see also the decision of the Federal Administrative Court of May 27, 2020, GZ W214 2228346-1 regarding “Wiener Wohnen”).

It should also be noted at the outset that the data processed in relation to the complainant is health data in accordance with Art also the decision of November 19, 2020, GZ: 2020-0.743.659). It should also be noted at the outset that the data processed in relation to the complainant is health data in accordance with Article 4, paragraph 15, in conjunction with Article 9, paragraph one, GDPR, because these data are processed (exclusively) in the context of the complainant's medical history (see also the decision dated November 19, 2020, GZ: 2020-0.743.659).

1. 2. On the question of Directive 2011/24/EU as a lex specialis

As data protection information, the complainant demands the (free) provision of information that the respondent has, specifically the content of the medical history.

The respondent argued that the right to information pursuant to Article 15 of the GDPR was based on the principle of lex specialis derogat legi generali Wr. KAG, which stipulates an obligation to pay for patient files, has been displaced. The present area of hospital law, namely the exercise of patients' rights, has a European law foundation in Directive 2011/24/EU.

This objection is not valid because, according to Article 2 lit. c of this directive, Directive 95/46/EC remains unaffected. According to Art. 94 Para. 2 GDPR, references to Directive 95/46/EC are considered references to the GDPR. This objection is unfounded because, according to Article 2, Litera c, of this Directive, Directive 95/46/EC remains unaffected. According to Article 94, paragraph 2, GDPR, references to Directive 95/46/EC are considered references to the GDPR.

For this reason alone, it cannot be said that Directive 2011/24/EU supersedes the GDPR according to the principle lex specialis derogat legi generali.

Apart from that, Art f, Directive 2011/24/EU provides that the Member State of treatment shall guarantee the right of treated patients to have a written or electronic medical record relating to the treatment and - in accordance with and subject to national measures implementing Union rules on the protection of personal data, in particular Directives 95 /46/EC and 2002/58/EC — access to at least one copy of this file.

Even under this provision - which expressly regulates access to patient files - the requirements of the GDPR are considerable.

Directive 2011/24/EU was adopted by LGBl. No. 33/2014, among other things, in Section 17a Paragraph 2 Letter g Wr. KAG implemented. Directive 2011/24/EU was implemented by State Law Gazette No. 33 from 2014, including in paragraph 17 a, paragraph 2, litera g, Wr. KAG implemented.

Art. 15 GDPR does not contain any regulation similar to Section 26 Para. 6 DSG 2000, according to which the request for information under data protection law can only be exercised as a subsidiary to other rights of inspection. Rather, there is a fundamental right to information pursuant to Art. 15 GDPR, provided there is no permissible restriction pursuant to Art. 23 GDPR. If, on the other hand, a more specific substantive regulation applies under Union law, this is based on the principle of Article 15; the GDPR does not contain any regulation equivalent to Section 26, Paragraph 6, DSG 2000, according to which the request for information under data protection law can only be exercised as a subsidiary to other rights of inspection. Rather, there is a fundamental right to information in accordance with Article 15, GDPR, unless there is a permissible restriction under Article 23, GDPR. However, if a more specific substantive regulation applies under Union law, this applies according to the principle lex specialis derogat legis generalis. The GDPR cannot be interpreted as if it conclusively regulates the rights of those affected. Rather, the GDPR, in accordance with its scope of application, regulates the rights of those affected in a general manner, although it cannot be ruled out that other legal acts of the Union provide for more specific regulations on the rights of those affected (cf. the decision of June 21, 2018, GZ: DSB- D122.844/0006-DSB/2018). before. The GDPR cannot be interpreted as if it conclusively regulates the rights of those affected. Rather, the GDPR, in accordance with its scope, regulates the rights of those affected in a general manner, although it cannot be ruled out that other legal acts of the Union provide for more specific regulations on the rights of those affected; see the decision of June 21, 2018, GZ: DSB-D122. 844/0006-DSB/2018).

Since in the present case § 17a paragraph 2 lit. g Wr. KAG (which was issued in implementation of Directive 2011/24/EU) Since in the present case paragraph 17 a, paragraph 2, litera g, Wr. KAG (which was issued in implementation of Directive 2011/24/EU) does not standardize a special right to information (in relation to the GDPR) without reimbursement of costs, and therefore cannot be limited to the right to general data protection information about one's own data. On the contrary, the aforementioned directive refers – as explained – to Directive 95/46/EC (now GDPR), which is relevant for the processing of personal data.

From all of this it follows that Section 17a Paragraph 2 Letter g Wr. KAG does not derogate from Art. 15 GDPR. It follows from all of this that paragraph 17 a, paragraph 2, letter g, Wr. KAG does not derogate from Article 15, GDPR.

2. Regarding points 1 and 2

a) Basic information about Article 15 GDPRa) Basic information about Article 15 GDPR

Pursuant to Article 15 Para. 1 GDPR, the data subject has the right to request confirmation from the person responsible as to whether personal data concerning him or her is being processed and, if this is the case, to receive information about this personal data and to be entitled to the information in accordance with lit. a to h leg. cit. According to Art. 15 Para. 3 GDPR, the controller must provide the data subject with a copy of the personal data that is the subject of processing. If the data subject submits the request electronically, the information must be provided in a common electronic format unless the data subject states otherwise. According to Article 15, paragraph one, GDPR, the data subject has the right to request confirmation of this from the controller , whether personal data concerning you is being processed and, if this is the case, to receive information about this personal data and the right to the information in accordance with Litera a, up to h leg. cit. According to Article 15, paragraph 3, GDPR, the controller must provide the data subject with a copy of the personal data that is the subject of processing. If the data subject submits the application electronically, the information must be provided in a common electronic format unless the data subject states otherwise.

In principle, the respondent must provide the complainant with information about the personal data it processes, unless there is another exception to the right to information.

b.) On the right to a copy (Article 15, Paragraph 3, GDPR)b.) On the right to a copy (Article 15, Paragraph 3, GDPR)

The right to a copy of data in accordance with Art. 15 Para. 3 GDPR exists independently of the right to information about the content of the processed data in accordance with Para. 1 Leg. Cit. (cf. The right to a copy of data according to Article 15, paragraph 3, GDPR exists independently of the right to information about the content of the processed data according to paragraph one, leg. cit. cf. Franck in Gola [ed.], General Data Protection Regulation2 Art. 15 para 27). Article 15, paragraph 27).

In summary, the complainant believes that she can obtain information about the contents of the patient files, or information about diagnoses, examination results, findings of the treating doctors and information about treatments or procedures, essentially a copy of the medical history, by asserting the right to information.

The data protection authority has, with reference to the Recommendation Act. 63 as well as the judgment of the ECJ of July 17, 2014, YS et al., C-141/12 and C-372/12, have already stated that from Art. 15 Para. 3 GDPR the data protection authority, with reference to the recital. 63 as well as the judgment of the ECJ of July 17, 2014, YS et al., C-141/12 and C-372/12, have already stated that Article 15, paragraph 3, GDPR does not give rise to a right to the release of a copy of documents that contain personal data of a person requesting information. With reference to Art. 15 Para. 3 GDPR, it is therefore not possible to demand the release of entire documents, even if the personal data of a person providing information appears in them (cf. in this sense also the ruling of the BG für Handelssachen Vienna of October 7, 2019 , GZ 18 C 263/19m regarding the delivery of an insurance policy). Art. 15 Para. 3 GDPR simply norms the right to receive a “copy of the personal data that is the subject of processing” (see also the decision of August 10, 2020, GZ: 2020-0.204.456 mwN). contain personal data of a person requesting information. With reference to Article 15, Paragraph 3, GDPR, it is therefore not possible to demand the release of entire documents, even if the personal data of a person providing information appears in them. In this sense, also compare the judgment of the BG für Handelssachen Vienna of October 7, 2019, GZ 18 C 263/19m regarding delivery of an insurance policy). Article 15, paragraph 3, GDPR only norms the right to receive a “copy of the personal data that is the subject of processing” (see also the decision of August 10, 2020, GZ: 2020-0.204.456 mwN).

Contrary to the complainant's opinion, it can also be seen from recital. 63 cannot be deduced that there is a right to the (free) release of entire documents: it speaks of “data in your patient files that contain information such as diagnoses, examination results, findings of the treating doctors and information on treatments or procedures” and not of “ Data from patient records”.

From all of this it can be deduced that there is no right to copies of the entire patient files according to the GDPR, but the information from the ErwGr can still be obtained by means of a request for information. 63 2nd sentence of the GDPR can be requested in the patient files.

In all of the respondent's information, apart from the names of the files/findings and therapies with dates, there was no complete information about the complainant's health-related data in the patient files, such as diagnoses, examination results, and findings from the treating doctors.

Taking the above into account, it is therefore not important to reproduce entire documents and make them available free of charge; However, Art. 15 GDPR still guarantees that you will receive information about this data, be it in the form of a print (facsimile) or in the form of a description of the content or context in which personal data is processed. Taking the above statements into account Therefore, it is not intended to reproduce entire documents and make them available free of charge; However, Article 15, GDPR still guarantees that you will receive information about this data, be it in the form of a print (facsimile) or in the form of a description of the content or context in which personal data is processed.

In any case, the information must be provided precisely in such a way that the data subject can assert their rights to deletion, rectification and, if necessary, objection on the basis of this information (cf. the ECJ judgment of May 7, 2009 on Directive 95/46/EC , C-553/07, Rz 49 and 51).In any case, the information must be provided precisely in such a way that the data subject can, on the basis of this information, assert their rights to deletion, rectification and, if necessary, objection (see Directive 95/46). /EC the judgment of the ECJ of May 7, 2009, C-553/07, paragraphs 49 and 51).

As a result, the respondent responded inadequately to the request for information and was required to provide the complainant with complete information in accordance with Article 15 of the GDPR and to provide the health-related data in the patient files in accordance with Art. Exp.Gr. 63 2nd sentence of the GDPR to provide the complainant with information. As a result, the respondent responded inadequately to the request for information and was ordered to provide the complainant with complete information in accordance with Article 15 of the GDPR and to include the health-related data in the Patient files in the sense of Exp.Gr. 63 2nd sentence of the GDPR to inform the complainant.

Point 2 is based on Article 58 Paragraph 2 Letter c GDPR. The restriction in accordance with Section 24 Paragraph 5 of the GDPR must be disregarded because this is not covered by Article 58 of the GDPR (cf. BVwG of May 28, 2020, GZ W211 221 6385-1). Point 2 is based on Article 58, paragraph 2, letter c, GDPR. The restriction according to paragraph 24, paragraph 5, DSG must be ignored because it is not covered by Article 58, DSGVO (see BVwG of May 28, 2020, GZ W211 221 6385-1).

Therefore, the decision had to be made according to the verdict.

Regarding points 3 and 4:

The complainant lodged a complaint because of inadequate information and not because the information was not provided.

The aim of the complaint procedure based on Article 15 GDPR is to obtain information about the processing of personal data by the respondent. The aim of the complaint procedure based on Article 15 GDPR is to obtain information about the processing of personal data by the respondent.

With regard to the complainant's application for a declaration that the copy of the ID card requested by the respondent was not legal, even though a qualified electronic signature had already been submitted, and that it was reasonable for the respondent to obtain further additional registration information from MA 62 , it should be noted that only the right to lodge a complaint with a supervisory authority can be derived from Art. 77 GDPR (in conjunction with Section 24 DSG) and thereby enable the enforcement of subjective rights - if necessary by means of an official service mandate. A right to establish that the respondent had allegedly unlawfully requested a copy of her ID in the past or that it was reasonable for her to obtain registration information herself cannot be derived from the right to information pursuant to Article 15 GDPR. With regard to the complainant's application for a declaration that the copy of the ID card requested by the respondent was not legal, even though a qualified electronic signature had already been submitted, and that it was reasonable for the respondent to obtain further additional registration information from MA 62 , it should be noted that only the right to lodge a complaint with a supervisory authority can be derived from Article 77, GDPR in conjunction with Paragraph 24, GDPR, thereby enabling the enforcement of subjective rights - if necessary by means of an official service mandate. A right to establish that the respondent had allegedly unlawfully requested a copy of her ID in the past or that it was reasonable for her to obtain registration information herself cannot be derived from the right to information pursuant to Article 15, GDPR.

Regardless of this, the respondent cannot be accused of having obtained more detailed information because the request for information - and thus also the digitally signed documents - did not come from the complainant herself, but from the person entitled to custody. The proof of identity thus provided relates exclusively to him, but not to the complainant and person providing information.

Therefore, the decision had to be made according to the verdict.