DSB (Austria) - 2021-0.410.237

Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 9(2)(i) GDPR
§ 19 4. COVID-19-SchuMaV
§ 6(1) DSG
Type: Complaint
Outcome: Rejected
Decided: 09.08.2021
Published: 11.04.2022
Fine: None
Parties: n/a
National Case Number/Name: 2021-0.410.237
European Case Law Identifier: ECLI:AT:DSB:2021:2021.0.410.237
Appeal: n/a
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in DE)
Initial Contributor: Heiko Hanusch

The Austrian DPA held that a COVID-19 provision requiring shop owners to ask customers for medical certificates if they are not wearing face masks due to health reasons does not violate GDPR.

English Summary


The data subject entered the retail store of the controller. Because she did not wear a face mask, she was denied entry by an employee of the controller. She explained that she could not wear a face mask for health reasons. The employee asked her to show an appropriate doctor's certificate, which the data subject did. The data subject lodged a complaint against the controller with the Austrian DPA (Datenschutzbehörde - DSB), asserting that the controller violated her right to privacy because the mere fact that she cannot wear a face mask for health reasons is already sensitive data. The controller objected to this assertion, stating that, under § 19 of the fourth Austrian Covid-19 Protection Ordinance (§ 19 4. COVID-19-SchuMaV), it had to check whether customers are wearing face masks and, if not, verify which health reason prevents them from doing so. The data subject replied that the ordinance violates the GDPR and is therefore not to be applied according to the principle of Primacy of EU Law.


The DPA rejected the complaint. It held that the data subject's rights are sufficiently safeguarded because, according to § 6(1) DSG (Austrian Data Protection Law), the employees of the controller are bound to secrecy regarding data which they accessed exclusively in their professional occupation. Furthermore, the DPA found that the protection of public health overrides the interest of the data subject in not disclosing (part of) her health record and that § 19 4. COVID-19-SchuMaV constitutes an exception under Article 9(2)(i) GDPR.



English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

GZ: 2021-0.410.237 from August 9, 2021 (case number: DSB-D124.4059)

[Note editor: Names and companies, legal forms and product names, addresses (incl. URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymization. Obvious spelling, grammar and punctuation errors have been corrected.]

                                      R U L I N G

The data protection authority decides on the data protection complaint of Mag. Sofia A*** (Appellant) of May 4, 2021 against N*** Austria AG (Respondent) due to violation of the right to secrecy as follows:

       -  The complaint is dismissed as unsubstantiated.

Legal basis: Art. 9, Art. 51 (1), Art. 57 (1) lit. f and Art. 77 (1) of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ. No. L 119 of 4.5.2016 p. 1; §§ 1, 6, 18 para. 1 as well as 24 para. 1 and para. 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; § 19 4. COVID-19 Protective Measures Ordinance (4th COVID-19-SchuMaV), Federal Law Gazette II No. 58/2021, as amended by Federal Law Gazette II 111/2021; §§ 3, 7 paragraph 1 COVID-19 Measures Act (COVID-19-MG), Federal Law Gazette I No. 12/2020



A. Submissions of the parties and course of the proceedings

1. In her submission dated May 4, 2021 initiating the proceedings, the complainant stated in summary that she was at the N*** Shop in 10*0 Vienna on May 4, 2021 and was initially denied access because she had not worn mouth and nose protection. She stated that she could not do this for health reasons and was asked to produce a medical certificate. She showed the employee the photographed certificate, which also contained a diagnosis, on her mobile phone and was then granted access. The employee said he had the instruction to have medical certificates presented, especially since the Respondent could receive a fine in the event of a police check. The Respondent was not justified in collecting the health data and she sees her right to secrecy as violated.

2. In a statement dated June 2, 2021, the Respondent essentially stated that, by requesting a medical certificate, it wanted to make sure that an exemption from wearing a mouth and nose protector actually existed. The submission of a medical diagnosis was not required and also not of interest. This procedure was carried out in accordance with the applicable legal requirements, in particular the 4th COVID-19 Protection Measures Ordinance. According to § 19 of this Ordinance, the existence of an exemption from the obligation to wear a mouth and nose protector for health reasons is to be substantiated to the Respondent, as the owner of a business establishment (N*** Shop), by submitting a confirmation issued by a doctor. By demanding this credible evidence, which was objectively provided, the Respondent fulfills the obligation imposed on it within the meaning of Section 19 (3) of the said ordinance in conjunction with § 8 para. 4 COVID-19-MG; otherwise it would commit an administrative violation. For the sake of completeness, it should be stated that such evidence is only viewed, no storage takes place and no information about it is noted.

3. In a statement dated June 9, 2021, the complainant stated in summary that the mere notification of the fact that she was not able to wear a mouth and nose protector already constitutes sensitive personal data. The fundamental right to secrecy is protected by the constitution and the EU General Data Protection Regulation. Due to the primacy of EU law, contrary national law such as the Covid-19 Measures Act and the Covid-19 Protective Measures Ordinance has to be disregarded and must not be carried out. All organs entrusted with the execution - be they public servants or entrusted like the Respondent - have to disregard these standards; otherwise they would make themselves liable to prosecution for violating data protection. The data in question would not have been collected

B. Subject of Complaint

The subject of the complaint is the question of whether the respondent violated the complainant's right to secrecy.

C. Findings of Facts

1. The Respondent is a stock corporation with the commercial register number FN *12*4*a.

Evidence assessment: The findings are based on official research by the data protection authority in the company register.

2. On May 4, 2021, the complainant visited a business premises of the Respondent in 10*0 Vienna. The complainant was not wearing a face mask. She was therefore asked by an employee of the respondent to submit a medical certificate to show that she could not wear mouth and nose protection for health reasons. The complainant showed the employee her related medical certificate - which also contained the diagnosis regarding the Appellant - in the form of a photograph on her mobile phone.

Evidence assessment: The findings made are essentially based on the undisputed statements of the complainant.

D. In legal terms it follows that:

1. Applicable legislation

§ 3 COVID-19-MG reads as follows, including the title (emphasis added by the Data Protection Authority):

   Entering and driving on business premises and places of work as well as using means of transport

    § 3. (1) If COVID-19 occurs, by ordinance
    1. entering and driving on business premises or only certain business premises for the purpose of purchasing goods or using
    2. entering and driving on work places or only certain work places according to § 2 paragraph 3 of the Employee Protection Act (ASchG) by persons who are employed there, and
    3. using means of transport or only certain means of transport
    can be regulated to the extent necessary to prevent the spread of COVID-19.

    (2) In an ordinance pursuant to para. 1, it can be determined, according to the epidemiological situation, in what number and at what time or under what conditions and requirements business premises or places of work may be entered and driven on or means of transport may be used. Furthermore, entering and driving on business premises or places of work and the use of means of transport are prohibited, provided less severe measures are not sufficient.

Section 19 of the 4th COVID-19-SchuMaV, in the version applicable at the time of the complaint, reads as follows, including the title (emphasis added by the data protection authority):

    § 19. (1) The existence of the requirements according to §§ 2 and 17 is, upon request, to be made credible to
    1. organs of the public security service,
    2. authorities and administrative courts in dealings with parties and official acts, as well as
    3. owners of a business premises or a place of work and operators of a means of transport to fulfill their obligation according to § 8 para. 4 COVID-19-MG.

    (2) The exceptional reason, according to which, for health reasons, wearing a respirator of protection class FFP2 (FFP2 mask) without exhalation valve, or a mask with at least an equivalent standardized standard, or a tight-fitting mechanical protective device covering the mouth and nose area, or a mechanical protective device covering the mouth and nose area cannot be expected, as well as the existence of a pregnancy, is to be proven by a confirmation issued by a doctor authorized to practice his profession independently.

    (3) If the existence of a reason for exception according to para. is the owner of the business premises or place of work as well as the operator of a means of transport has fulfilled its obligation in accordance with Section 8 (4) of the COVID-19-MG.

2. Respondent

As a public limited company, the Respondent is a company under private law and - contrary to the allegations of the complainant - not entrusted or charged with sovereign tasks.

The Respondent is therefore a person responsible for the private


3. Right to Confidentiality

According to § 1 Para. 1 DSG, everyone has the right to confidentiality of the personal data concerning him, insofar as there is a legitimate interest in it. The existence of such an interest is excluded if data are not accessible to a secrecy claim as a result of their general availability or due to their lack of traceability to the person concerned.

The GDPR and in particular the principles enshrined therein are to be taken into account in interpreting the right to secrecy (cf. the decision of the DSB of 31 October 2018, GZ DSB-D123.076/0003-DSB/2018).

In the present case, the scope of § 1 para. 1 DSG is open, since the information on the applicant's medical certificate relates to her. In addition, it is undoubtedly health data within the meaning of Art. 4 no. 15 GDPR.

Apart from that, the scope of § 1 Para. 1 DSG does not depend on a certain form of processing (ruling of the Administrative Court of 28 February 2018, Ra 2015/04/0087 with further reference).

Restrictions on the right to secrecy are permissible in accordance with Section 1 (2) DSG if personal data is used in the vital interest of the person concerned, if the data subject has given his or her consent (or in the terminology of the GDPR: consent), if there is a qualified legal basis for the use, or if the use is justified by overriding legitimate interests of a third party.

According to Art. 9 Para. 1 GDPR, the use of data categories that are by their nature particularly worthy of protection is permissible only under strict conditions, namely those of Art. 9 Para. 2 GDPR. According to § 9 paragraph 2 lit. i, processing is lawful if it is required for reasons of public interest in the area of public health, such as protection against serious cross-border health hazards or to ensure high quality and safety standards of health care and pharmaceuticals and medical devices, on the basis of Union law or the law of a Member State which provides for appropriate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy.

4. In the matter

The Respondent relies on § 19 4. COVID-19-SchuMaV in conjunction with § 8 para. 4 COVID-19-MG.

It is therefore necessary to check whether there is a qualified legal basis:

From the provision of § 3 COVID-19-MG cited above, it is clear that the entry of business premises can be regulated by ordinance and that, according to the epidemiological situation, it can be determined under what conditions and requirements premises may be entered.

The Federal Minister for Social Affairs, Health, Care and Consumer Protection has, as the federal minister responsible for health within the meaning of § 7 para. 1 COVID-19-MG, made use of this authorization and issued the 4th COVID-19-SchuMaV, whereby specifically § 19 leg. cit. is relevant. According to paragraph 2 of this provision - as can be seen above - the reason for exception, according to which, for health reasons, wearing a respirator cannot be reasonably expected, is to be proven by a confirmation issued by a doctor authorized to practice independently in Austria.

In any case, the scope and application of Section 19 4. COVID-19-SchuMaV are clear and precise, and the respective consequences for affected persons are recognizable from the wording of these standards (cf. recital 41 second sentence GDPR). The respondent's employee directly involved in checking the medical certificate is, in accordance with § 6 para. 1 DSG - without prejudice to other statutory confidentiality obligations - obliged to keep secret personal data that were entrusted or made accessible to him solely on the basis of his professional employment. Appropriate and specific measures to safeguard the rights and freedoms of the complainant are thereby provided.

The obligation to provide evidence in the form of a medical certificate, according to which wearing a respiratory mask cannot be expected for health reasons, serves to prevent the spread of COVID-19 and thus to maintain public health. This is especially so since otherwise anyone could claim the presence of such a reason and refuse to wear a respirator.

Wearing a respirator in closed rooms appears - especially with regard to the high new infection rate at the time of the complaint - as an essential measure to counteract the spread of COVID-19 and to avoid overloading the Austrian health system, or to hold back an imminent collapse of medical care or a similar emergency situation that would have fatal consequences for society as a whole.

Therefore, this important public interest outweighs the interest of the complainant in not having to disclose her personal health data when entering a business premises without mouth and nose protection.

It can be assumed that the obligation imposed on the owners of a permanent establishment to check proof of the existence of a medical certificate was the mildest means of safeguarding public health as best as possible. A milder means of achieving this goal is not objectively apparent to the data protection authority.

The complainant's argument that the 4th COVID-19-SchuMaV and the COVID-19-MG should not be applied due to constitutionally protected rights of secrecy as well as conflicting EU law is of no avail. This is especially so since the relevant provision of Section 19 (2) 4. COVID-19-SchuMaV constitutes a permissible restriction within the meaning of Section 1 (2) DSG and Article 9 (2) (i) GDPR.

In summary of all these statements, the data protection authority comes to the result that the data processing in question can be based on Section 19 (2) 4. COVID-19-SchuMaV and this represents the mildest means. It is therefore lawful data processing in accordance with Article 9 (2) (i) GDPR. The Respondent has not violated the Complainant's right to secrecy.

It was therefore to be decided accordingly.